Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-15-387R Published: Apr 30, 2015. Publicly Released: Apr 30, 2015.

Highlights

What GAO Found

During its audit of the U.S. Securities and Exchange Commission’s (SEC) fiscal year 2014 financial statements, GAO identified continuing and new deficiencies in SEC’s financial reporting controls over its accounting for disgorgement and penalty transactions, which contributed to a significant deficiency in SEC’s internal control over financial reporting as of September 30, 2014. This significant internal control deficiency may adversely affect the accuracy and completeness of information used and reported by SEC’s management. GAO is making 5 new recommendations to address this significant internal control deficiency.

In addition, GAO’s fiscal year 2014 financial audit identified other new deficiencies in SEC’s internal control over financial reporting that while not considered to be material weaknesses or significant deficiencies, either individually or collectively, nonetheless warrant SEC management’s attention. These deficiencies relate to the following:

  • reinvestment of disgorgement funds,
  • maintaining ongoing accuracy of property and equipment inventory records,
  • documenting disposal of property and equipment,
  • ensuring existence of capitalized bulk purchases,
  • identifying and summarizing uncorrected misstatements, and
  • information security.

GAO is making 8 new recommendations to address these deficiencies in SEC’s controls over financial reporting. Further, GAO’s follow-up on the status of recommendations that it made in prior reports to address internal control deficiencies found that SEC took action to fully address 14 of 25 prior years’ recommendations that remained open at the beginning of the fiscal year 2014 audit. Consequently, SEC currently has 24 open recommendations that need to be addressed—the 11 prior recommendations as well as the 13 new ones GAO is making in this report. 

In addition, GAO’s follow-up on the status of internal control recommendations that it made in prior reports to address deficiencies in information system controls (information security) found that SEC took action to fully address 37 of 52 prior years’ recommendations that remained open at the beginning of fiscal year 2014. GAO discussed with management the status of the 15 information security-related recommendations that remained open at the conclusion of the fiscal year 2014 audit and found that management is in the process of addressing these remaining open recommendations.

Why GAO Did This Study

During GAO’s audit of SEC’s fiscal year 2014 financial statements, GAO identified continuing and new deficiencies in SEC’s financial reporting controls over its accounting for disgorgement and penalty transactions, which contributed to a significant deficiency in SEC’s internal control over financial reporting as of September 30, 2014. In addition to this significant deficiency, GAO’s fiscal year 2014 financial audit identified other new deficiencies in SEC’s internal control over financial reporting that while not considered to be material weaknesses or significant deficiencies, either individually or collectively, nonetheless warrant SEC management’s attention. The recommendations provided in this report will help improve SEC’s internal control over financial reporting. In addition, this report provides summary information on the status of SEC’s actions to address the open recommendations from prior GAO reports. 

Recommendations

GAO is making 13 new recommendations to address deficiencies in SEC’s controls over financial reporting. The SEC Chair stated that SEC is working diligently to address the findings and recommendations contained in the report and that SEC remains committed to investing the time and resources necessary to maintain strong internal controls over financial reporting. 

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to inform responsible personnel through a memorandum or a directive that an incorrect customer number could result in an accounts receivable amount being recorded twice.
Closed – Implemented
During our fiscal year 2014 financial statement audit of the Securities and Exchange Commission (SEC), we found that SEC recorded certain disgorgement and penalty receivables to incorrect customer numbers in the general ledger. In response to our recommendation, in April 2015, SEC updated its procedures to increase the scope of the staff's review of new receivables to include reviews of all sections of the form used to establish new receivables, thereby emphasizing that the staff should perform more detailed reviews of these forms. In prior versions of the review procedures, staff were only directed to audit certain sections of the form (because other sections are automatically populated), but new procedures require a review of all sections of the form. The revised procedures emphasize the need to properly review each field, and ensure that the customer number field is correct. If fully and effectively implemented, these revised processes should decrease the risk of misstatements of disgorgement and penalty amounts, which are reported in SEC's balance sheet and custodial statement of activity.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the Director of the Division of Enforcement, COO, and CFO to develop policies and procedures requiring the Division of Enforcement to systematically provide OFM with all relevant documentation that could result in adjustments to accounts receivables to allow for timely and accurate recording of such adjustments in the general ledger.
Closed – Implemented
In response to our recommendation, SEC developed policies and procedures to allow for the timely and accurate recording of adjustments to accounts receivable in the general ledger. Specifically, in March 2015, SEC implemented the Disgorgement and Penalty Request Tracking System to capture, track, and respond to requests sent to the Office of Financial Management (OFM) from Enforcement. In September 2015, SEC updated its policies and procedures to establish a deadline for Enforcement to provide its response to OFM on its review of receivables. The update also required OFM to coordinate with Enforcement to determine the quarterly accrual for accounts receivables. These corrective actions will help ensure the timely and accurate recording of adjustments related to disgorgement and penalty receivables and reduce the risk of errors in SEC's financial statements.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to develop and implement effective procedures to reasonably assure timely and accurate recording of adjustments to disgorgement and penalty receivables. These procedures should include the following: a. a process for tracking identified final judgments and orders that include language that would necessitate SEC recording both a new accounts receivable amount and an offset amount through recording of the adjustment in the financial system to reasonably assure the timely recording of adjustments and to overcome limitations in SEC's financial systems that do not permit recording of both receivables and any related adjustments at the same time; b. review of receivables and related judgments and orders to reasonably assure that all receivable adjustments, including offsets, are recorded before recording collections; and c. reviews of recorded adjustments against all documentation that the Division of Enforcement sent to OFM relating to a possible adjustment to reasonably assure the completeness of recorded adjustments.
Closed – Implemented
In response to our recommendation, in April 2015, SEC designed and implemented procedures to reasonably assure timely and accurate recording of adjustments to disgorgement and penalty receivables. Specifically, SEC implemented three new processes. First, SEC implemented a quarterly review of a report from the financial system that lists every disgorgement and penalty receivable for which the associated judgement or order indicates that an offset is allowed. OFM staff work with Enforcement to determine if offsets identified by the report can be recorded and verify that the recording of offsets has been initiated in the financial system. Second, SEC implemented a quarterly process to review collections above certain dollar thresholds to reasonably assure that significant collections are properly classified, including determining whether any offsets were properly recorded before recording collections. Third, SEC implemented a SharePoint tracking site to reasonably assure that all documentation that the Division of Enforcement sent to OFM was tracked and processed appropriately. If fully and effectively implemented, these revised procedures will reasonably assure that SEC accurately records adjustments to disgorgement and penalty receivables in a timely manner, thus reducing the risk of misstatements reported in SEC's financial statements.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to revise existing procedures to include performing daily monitoring to detect any long-term investments that have been redeemed but not immediately reinvested in one-day securities, and to reinvest the funds when such errors are detected.
Closed – Implemented
In response to our recommendation, SEC revised its formal procedures for monitoring long-term investments in January 2015. The procedures required an SEC accountant to monitor daily investment activity to identify and validate changes to investment balances, and to reinvest matured investments appropriately. The accountant must document this monitoring in an Investment Monitoring Workbook, which is reviewed and approved monthly by designated officials. SEC's improved monitoring procedures should allow SEC to maximize its return on investments.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to implement controls, such as periodic reviews of asset dispositions, to help reasonably assure that SEC's procedures for the preparation and maintenance of documentation related to the disposition of assets are consistently implemented and that any deviations from established procedures are documented.
Closed – Implemented
In December 2014, SEC updated its policy to define the roles and responsibilities of SEC staff for the accountability of assets and to require, in addition to its annual inventory, spot checks of capitalized, accountable, and sensitive assets as requested by management of the Office of Information Technology. In March and September 2015, SEC gave training sessions on asset disposal to information technology and property staff. In November 2016, SEC updated its policy to provide detailed guidance on the disposition of surplus information technology equipment. Our fiscal year 2017 review of asset disposals did not identify any instances where disposed assets were not adequately documented.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to analyze the results of SEC's wall-to-wall physical inventory count to validate continued existence and completeness of its capitalized bulk purchased assets, as part of the annual physical inventory count procedures.
Closed – Implemented
In response to our recommendation, in February 2016, SEC updated its guidance over the physical inventory of capital assets, including assets purchased in bulk. SEC performed a physical inventory of capitalized bulk assets from October 2015 to March 2016, analyzed the results of the inventory, and determined the cause of missing assets. SEC formally reported the inventory results to an independent survey officer, who recommended corrective actions. SEC's actions sufficiently address our recommendation.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to revise current policies and procedures to include sufficient details to provide SEC staff with clear guidance on how to identify prior period uncorrected misstatements and timely communicate such misstatements to OFM for review and evaluation.
Closed – Implemented
In January 2015, SEC sponsored training for staff to clarify when prior period adjustments should be reported to OFM. Additionally, in April 2016, SEC updated its policy establishing criteria to help staff identify uncorrected misstatement transactions and management review and approval procedures. These corrective actions will help provide reasonable assurance over the accuracy of SEC's financial statements.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to provide staff training on the revised prior period uncorrected misstatements policies and procedures.
Closed – Implemented
In January 2015, SEC sponsored training for staff to clarify when prior period adjustments should be reported to OFM. Additionally, in April 2016, SEC updated its policy establishing criteria to help staff identify uncorrected misstatement transactions and management review and approval procedures. These corrective actions will help provide reasonable assurance over the accuracy of SEC's financial statements.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and Chief Information Officer to prioritize resources and efforts to reasonably assure that configuration management policy is followed, specifically with regard to (a) maintaining and monitoring of configuration baselines for financially significant systems and the general support system and (b) documenting data elements necessary for maintaining and monitoring inventories of IT assets for significant systems at SEC data centers.
Closed – Implemented
In fiscal year 2016, we verified that SEC (1) maintained and monitored configuration baselines through scanning of its systems, and (2) documented, in the EDGAR system security plan, data elements for maintaining and monitoring IT asset inventories.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and Chief Information Officer to implement controls necessary to provide reasonable assurance that: a. password configuration settings in network devices follow administrative requirements for remote authentication, b. expiration days for administrative passwords in the production environment are always set to expire, c. default network protocol on network devices is disabled consistent with the concept of least privilege, and d. user sessions are either disabled or encrypted to prevent viewing of sensitive information in plain text.
Closed – Implemented
In response to our recommendation, in fiscal year 2016, SEC (1) used an authentication mechanism and hashing to strengthen its password configurations and make passwords less susceptible to guessing, (2) disabled user accounts upon password expiration, (3) disabled the network protocol and unnecessary services, and (4) implemented an encryption protocol to protect user sessions. SEC's actions address our recommendation.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the Director of the Division of Enforcement, Chief Operating Officer (COO), and Chief Financial Officer (CFO) to update current procedures for recording disgorgement and penalty receivable amounts to include new control procedures for consistent and systematic information sharing between SEC's Office of Financial Management (OFM) and the Division of Enforcement to reasonably assure that OFM is identifying and recording receivables timely and when money is payable to SEC.
Closed – Implemented
In response to our recommendation, SEC updated procedures for recording disgorgement and penalty receivable amounts to include new control procedures for consistent and systematic information sharing between the Office of Financial Management (OFM) and Enforcement to reasonably assure that OFM is identifying and recording receivables timely and when money is payable to SEC. Specifically, SEC issued updates to its policies and procedures between August 2014 and September 2015 to include (1) a requirement for management review of all significant court documents to identify receivables not recorded due to oversight, (2) guidance on when OFM should seek legal advice to determine whether a court order or judgement is final before recording a receivable, (3) a requirement for Enforcement to verify the accuracy and completeness of accounts receivable recorded in the general ledger and deadlines for responding to OFM, and (4) a requirement for OFM deliberations to determine the appropriate accounting response to Enforcement's reviews. SEC's actions sufficiently address our recommendation.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to revise current collection procedures to include: a. a review of the shared service provider's daily list of recorded collection transactions to reasonably assure that the list is complete and b. a secondary review to reasonably assure that a review of all collections recorded in the general ledger against supporting documentation is performed and that such review is documented.
Closed – Implemented
In response to our recommendation, in February 2015, SEC revised and implemented collection procedures to address our recommendation. Specifically, SEC developed a database that compares a complete list of disgorgement and penalty collection transactions entered in the general ledger (GL) by its shared service provider against source documentation. The database performs the comparison, and SEC staff reviews the records, researches variances, and coordinates with other staff and the shared service provider to ensure that corrective actions are taken as needed. The SEC staff summarizes the results monthly and their supervisor performs and documents a secondary review which reasonably assures that a review of all collections recorded in the GL against supporting documentation is performed. In addition, SEC implemented a quarterly process to review collections above certain dollar thresholds after the collections have been recorded to the GL to reasonably ensure proper classification. If fully and effectively implemented, these revised processes should decrease the risk that errors in SEC's recorded disgorgement and penalty collection transactions will not be timely detected and corrected.
United States Securities and Exchange Commission The U.S. Securities and Exchange Commission should direct the COO and CFO to develop policies and implement controls for safeguarding of property and equipment to specifically include the following: a. detailed procedures for ensuring updates to SEC's property register and information technology (IT) inventory system for changes to capitalized property and equipment, such as change in location, are timely and accurately performed and b. effective monitoring control procedures, such as periodic sampling and inventory of property and equipment to reasonably assure the ongoing accuracy of the physical custody and other property and equipment information in SEC's property register and IT inventory system.
Closed – Implemented
In response to our recommendation, SEC updated its policies in December 2014 and February 2016, to provide guidance on asset accountability controls and the roles and responsibilities of property-accountable personnel. These procedures include detailed procedures for updating SEC's property records, such as requirements to notify property specialists of any changes to the assigned custodian, location, and value of property and equipment. These procedures also include a requirement to perform periodic sampling of sensitive assets in addition to SEC's annual physical inventory to more accurately determine the status and update the records of these assets. We confirmed that SEC performed a periodic sampling of sensitive assets in April 2015 and provided briefings to educate SEC staff on property accountability procedures in September 2015 and June 2016. SEC's actions sufficiently address our recommendation.

Topics

Accounting procedures, Documentation, Equipment inventories, Financial records, Financial statements, Information technology, Internal controls, Corrective action, Financial reporting, Policies and procedures