Internal Control: Improvements Needed in SEC's Accounting and
Operational Procedures (03-APR-07, GAO-07-482R).
On November 15, 2006, we issued our report on the U.S. Securities
and Exchange Commission's (SEC) fiscal years 2006 and 2005
financial statements and on SEC's internal control as of
September 30, 2006. We also reported on the results of our tests
of SEC's compliance with selected provisions of laws and
regulations during fiscal year 2006. The purpose of this report
is to discuss issues identified during our fiscal year 2006 audit
concerning internal controls and accounting/operational
procedures that could be improved. This report contains six
recommendations to SEC to improve these internal controls and
procedures. These recommendations are in addition to those we
already provided to SEC as a result of our prior audits of SEC's
financial statements
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-482R
ACCNO: A67724
TITLE: Internal Control: Improvements Needed in SEC's Accounting
and Operational Procedures
DATE: 04/03/2007
SUBJECT: Accounting standards
Audit reports
Data integrity
Equipment inventories
Financial records
Financial statement audits
Fines (penalties)
Internal controls
Property
Records management
Reporting requirements
Corrective action
Policies and procedures
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-482R
* [1]Disgorgements and Penalties
* [2]SEC should continue to build on the significant progress alr
* [3]Property and Equipment
* [4]Payroll System Access, Approval of Time and Attendance Recor
* [5]end of correspond & Test.pdf
* [6]PDF6-Ordering Information.pdf
* [7]Order by Mail or Phone
April 3, 2007
The Honorable Christopher Cox
Chairman
U.S. Securities and Exchange Commission
Subject: Internal Control: Improvements Needed in SEC's Accounting and
Operational Procedures
Dear Mr. Cox:
On November 15, 2006, we issued our report^1 on the U.S. Securities and
Exchange Commission's (SEC) fiscal years 2006 and 2005 financial
statements and on SEC's internal control as of September 30, 2006. We also
reported on the results of our tests of SEC's compliance with selected
provisions of laws and regulations during fiscal year 2006.
The purpose of this report is to discuss issues identified during our
fiscal year 2006 audit concerning internal controls and
accounting/operational procedures that could be improved.^2 This report
contains six recommendations to SEC to improve these internal controls and
procedures. These recommendations are in addition to those we already
provided to SEC as a result of our prior audits of SEC's financial
statements.^3
Results in Brief
Our November 15, 2006, report concluded that based on SEC's efforts to
address concerns with controls over disgorgements and penalties and over
information systems, and based on improvements that we found in these
areas during the fiscal year 2006 audit, we no longer considered these two
previously reported weaknesses to be material weaknesses.^4 However,
because many of these efforts represent compensating controls rather than
permanent systemic solutions, we still considered these areas to be
reportable conditions.^5 We also concluded that SEC had taken sufficient
action in the area of controls over the financial reporting process such
that we no longer consider this issue to be a material weakness or
reportable condition. In addition, we identified a new reportable
condition concerning SEC's controls over recording property and equipment.
1 GAO, Financial Audit: Securities and Exchange Commission's Financial
Statements for Fiscal Years 2006 and 2005, GAO-07-134 (Washington, D.C.:
Nov. 15, 2006).
2 The internal control issues concerning information security are
discussed in a separate report: GAO, Information Security: Sustained
Progress Needed to Strengthen Controls at the Securities and Exchange
Commission, GAO-07-256 (Washington, D.C.: Mar. 27, 2007).
3 Recommendations were addressed in our internal control reports issued as
part of our fiscal year 2004 and 2005 SEC financial statement audits: GAO,
Material Internal Control Issues Reported in SEC's Fiscal Year 2004
Financial Statement Audit Report, GAO-05-691R (Washington, D.C.: July 27,
2005); Management Report: Opportunities for Improvements in SEC's Internal
Controls and Accounting Procedures, GAO-05-693R (Washington, D.C.: Aug.
12, 2005); and Internal Control: Improvements Needed in SEC's Accounting
and Financial Reporting Procedures, GAO-06-459R (Washington, D.C.: Apr.
21, 2006).
4 A material weakness is a condition in which the design or operation of
one or more of the internal control components does not reduce to a
relatively low level the risk that errors, fraud, or noncompliance in
amounts that would be material to the financial statements may occur and
not be detected promptly by employees in the normal course of their
duties.
Tables 1 and 2 of enclosure I indicate the status of recommendations from
our prior audits of SEC's financial statements.^6 As of January 2007, SEC
had taken actions to fully implement 18 of 35 open recommendations from
our audits of the agency's 2004 and 2005 financial statements.
We also identified other internal control issues that although not
considered to be material weaknesses or reportable conditions, we believe
warrant management's consideration. These issues concern (1) payroll
system access, approval of time and attendance records, and process
documentation and (2) comparison of furniture and equipment received and
ordered.
Our six recommendations follow the sections in which the corresponding
issues are discussed. In commenting on a draft of this report, the
Chairman cited actions taken and in progress with respect to our
recommendations, and indicated that SEC made progress in fiscal year 2006
in addressing its internal control weaknesses and has redoubled its
efforts in fiscal year 2007. The Chairman identified specific actions and
initiatives undertaken since the completion of our fiscal year 2006 audit.
Scope and Methodology
As part of our audit of SEC's fiscal years 2006 and 2005 financial
statements, we evaluated SEC's internal controls and tested its compliance
with selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls over financial reporting, including
those designed to provide reasonable assurance that transactions are
properly recorded, processed, and summarized to permit the preparation of
the financial statements in conformity with U.S. generally accepted
accounting principles, and that assets are safeguarded against loss from
unauthorized acquisition, use, or disposition. This report is based on the
work performed during our audit of SEC's fiscal years 2006 and 2005
financial statements. We requested comments on a draft of this report from
the Chairman of SEC. SEC's written comments are reprinted in enclosure II.
We conducted our audit in accordance with U.S. generally accepted
government auditing standards. Further details on our scope and
methodology are included in our report on the results of our audits of
SEC's fiscal years 2006 and 2005 financial statements^7 and are reproduced
in enclosure III.
5 Reportable conditions are defined as significant deficiencies in the
design or operation of internal control that could adversely affect the
entity's ability to record, process, summarize, and report financial data
consistent with the assertions of management in the financial statements.
6 GAO-05-691R, GAO-05-693R, and GAO-06-459R.
7 GAO-07-134.
Disgorgements and Penalties
As part of its enforcement responsibilities, SEC issues and administers
judgments ordering, among other things, disgorgements, civil monetary
penalties, and interest against violators of federal securities laws.
These transactions involve material amounts of collections and the
recording and reporting of fiduciary and custodial liability balances on
the financial statements.^8
Our audit testing for fiscal year 2006 noted significant management
oversight and efforts to address weaknesses in the internal controls over
recording and reporting disgorgement and penalty information. During the
year, SEC finalized policies and procedures for reporting disgorgement and
penalty activity, improved reconciliations of disgorgement and penalty
transactions, established an internal audit function within the Division
of Enforcement, and had better and more timely coordination between the
two key SEC units responsible for reporting and recording disgorgements
and penalties. Of particular note was a comprehensive initiative SEC
undertook during the year (referred to as the Delinquent Debt Project) to
review and verify all the outstanding disgorgement and penalty debts.
Through this project, SEC identified and corrected numerous errors in the
database used to record and report disgorgements and penalties. These
errors involved amounts due, judgment and due dates, the payees, and
status of the cases. This project also identified steps needed with
respect to collecting or terminating the debts. Because of the limitations
of the current case-tracking system for disgorgements and penalties, SEC's
efforts to determine the reliability of the data were far more than what
would ordinarily be necessary under a more effective system. These efforts
will most likely continue until SEC improves its financial system for
recording and reporting disgorgement and penalty information.
Even with SEC's increased efforts to address concerns over reporting of
disgorgements and penalties, our audit work for fiscal year 2006 continued
to identify risks concerning the completeness of the disgorgement and
penalty receivable amounts. For example, we identified a $21 million
disgorgement case that was erroneously omitted from SEC's disgorgement
receivable balance at June 30, 2006. This is largely because SEC's process
for determining its disgorgement and penalty receivable balances relies
heavily on information being submitted to SEC's Office of Financial
Management (OFM) from individual attorneys working on each case. To
compensate for the risk presented by this process, in fiscal year 2006,
SEC instituted a compensating control in which the Enforcement office
heads were asked to certify the completeness and accuracy of the recorded
disgorgement receivable balances at June 30, 2006, and at fiscal
year-end. Through this certification process, a number of disgorgement
cases were identified as not having current information related to dollar
amounts, due dates, and payees in the case-tracking system used to
establish the amounts receivable at a given date. While none of these
instances resulted in a material misstatement to the receivable balance
reported on the financial statements, relying on a decentralized detective
control such as this certification process requires significant analysis,
data gathering, and follow-up, and increases the risk that disgorgement
and penalty debts and related activity may not get recorded in a timely
manner or in the proper period.
8 Fiduciary activities represent the moneys collected from federal
securities law violators and maintained by SEC to be distributed to harmed
investors. Custodial activities represent the moneys collected by SEC from
violators of federal securities laws that are returned to the Treasury, as
nonfederal individuals or entities do not have an ownership interest in
such amounts.
We are encouraged by SEC's commitment and management attention to
strengthening controls over disgorgement and penalty activity to date, as
well as SEC's planned future actions in this area. As discussed in its
Management's Discussion and Analysis, SEC has designed procedures,
controls, and documentation to track disgorgement and penalty actions from
the time they are approved by the commission to their recording in the
case-tracking system; these controls involve the participation of the
Office of the Secretary and OFM, in addition to the Division of
Enforcement.
Also, this past year SEC has begun training attorneys handling the cases
on the steps necessary to maintain strong internal controls over updating
and communicating information that could affect financial reporting. In
its Management's Discussion and Analysis, SEC stated that the Division of
Enforcement will continue its efforts to educate all enforcement attorneys
about the additional steps necessary to maintain strong internal controls
at SEC and to ensure transparency and uniformity in the agency's approach
to monetary sanctions.
In addition, in fiscal year 2006, SEC designed a new financial management
system for tracking disgorgements and penalties--known as Phoenix--that
will replace the financial portion of the existing case-tracking system.
SEC expects the new controls discussed above and the new disgorgement
financial system to be fully operational in fiscal year 2007.
Until a permanent and systemic process is fully and effectively
implemented and operational, SEC will not have sufficient assurance over
the accuracy and completeness of its reporting and tracking of
disgorgements and penalties. Therefore, we consider this area to still be
a reportable condition.
SEC should continue to build on the significant progress already made in this
area to fully resolve remaining open recommendations. These recommendations
and the status of their resolution are included in tables 1 and 2 of enclosure
I. We are not making any new recommendations in this area as a result of our
2006 audit of SEC's financial statements.
Property and Equipment
SEC's property and equipment consists of software and general purpose
equipment used by the agency, capital improvements made to buildings
leased by SEC for office space, and internal use software development
costs for projects in development. The reported book value of property and
equipment increased from approximately $73 million at September 30, 2005,
to nearly $104 million at September 30, 2006. The significant increase in
property and equipment is primarily due to SEC occupying new office space
in Washington, D.C., Boston, and New York during fiscal year 2006.
During the course of testing fiscal year 2006 additions, we noted numerous
instances of inaccuracies in recorded acquisition costs and dates for
furniture and equipment purchases, as well as unrecorded capitalization of
furniture and equipment purchases and unrecorded depreciation, and errors
in amounts capitalized for internal use software projects. Specifically,
an inaccurate acquisition cost was recorded for 18 of 51 furniture and
equipment purchases that we reviewed, including 1 for which an inaccurate
date was also recorded. Inaccurate acquisition dates were also recorded
for 17 other items. For the 18 items with an inaccurate cost recorded, we
found the following:
o Amounts recorded for 9 items--8 information technology (IT)
equipment items and 1 bulk purchase of furniture--were based on a
vendor price quote, procurement requisition, or purchase order
rather than a final invoice.
o Amounts recorded for 7 IT equipment items--3 servers, 3 routers,
and a mass storage device--were incomplete because the cost of
equipment components was excluded.
o We could not readily determine the basis of amounts recorded for
2 other IT equipment items (controller and mass storage device).
We also noted that 18 of the 51 items we tested had inaccurate acquisition
dates recorded. Of those 18 items, 15 were copier machines with a date of
October 1, 2005, originally entered instead of the correct date of October
1, 2004. According to SEC staff, this was likely caused by an
administrative error. Based on our follow-up inquiry regarding the copier
machines, we learned that the Office of Administrative Services (OAS) had
already corrected the date for these items (and 15 other copiers not
included in our samples, for a total of 30) in the asset-tracking system
after an inconsistency was noted by OFM staff. Therefore, the dates
recorded as of fiscal year-end were correct, but as a result of the
errors, in fiscal year 2006, SEC recorded depreciation expense that should
have been recorded in fiscal year 2005. Regarding the other 3 items for
which inaccurate acquisition dates were recorded, all were bulk purchases
of furniture with recorded dates that were inconsistent with receipt
documentation. In 2 of the cases, it appeared that the dates recorded were
based on the dates of corresponding purchase orders. In all 3 cases, SEC
corrected the errors after we identified them, and the recorded fiscal
year 2006 depreciation expense was correct.
According to the Associate Executive Director of OAS, actions have already
been taken in response to our acquisition cost/date findings.
Specifically, the OAS Property Specialist is now verifying all costs and
dates before they are entered into the asset-tracking system; in addition,
daily transaction reports are being used to identify errors and
inconsistencies in recorded costs and dates. We plan to evaluate these new
procedures as part of our fiscal year 2007 financial audit.
We identified approximately $6.2 million of fiscal year 2006 furniture and
equipment purchases that was not capitalized as of September 30, 2006.
Most of this amount was for furniture and equipment that SEC purchased for
its new Washington, D.C., office space, with the remaining amount
attributable to a new phone system. Regarding the furniture and equipment
for the new headquarters office space, amounts involved were being tracked
by SEC staff as part of managing the ongoing contractor invoicing process.
However, there was a conscious decision to delay entering these amounts in
SEC's official asset-tracking system until all items constituting the
corresponding bulk purchases had been identified and properly categorized.
Although the amounts were ultimately submitted for entry into the tracking
system on September 27, 2006, these amounts were not entered in time to be
reflected in the September 30, 2006, financial statements. Regarding the
phone system, we concluded that the overall purchase, consisting of
multiple components, was not properly identified as an asset that should
be capitalized in accordance with SEC's established criteria.
In addition to the unrecorded furniture and equipment for the new
Washington, D.C., headquarters office space, we also identified an
unrecorded bulk purchase of furniture associated with office space in New
York. Specifically, based on our interim testing of furniture purchased in
February 2006 for the new office space in New York, we determined that
approximately $425,000 of furniture purchased in May 2003 for the previous
space was moved to the new space but had not been capitalized. We were
unable to determine why this purchase had not been recorded in the
asset-tracking system. SEC acknowledged this error and recorded the
furniture in the tracking system during the fourth quarter of fiscal year
2006, more than 3 years after its purchase. As a result, the furniture was
included in SEC's financial statements, but this significant delay
resulted in SEC recording 29 months of prior years' depreciation expense
in fiscal year 2006.
We found errors in nearly half of the capitalized amounts that we tested
for SEC internal use software projects. Specifically, we found errors in 7
of 16 amounts tested. Of the 7 total errors, 4 capitalized amounts were
incomplete and 3 amounts included costs that should not have been
capitalized. The largest error involved an addition of approximately
$360,000, all of which, in accordance with applicable generally accepted
accounting principles, should have been expensed rather than capitalized.
Most of this amount consisted of licenses for the software. One of the
incomplete capitalization amounts resulted from the combination of
transposing an amount from one invoice and inadvertently excluding an
amount from another invoice. Another of the overstated amounts was caused
by including hardware and product support costs that should not have been
capitalized. Most of the 7 errors did not have an impact on amortization
expense because nearly all of the corresponding projects were under
development (software in progress) rather than in production; thus, SEC
had correctly not yet begun amortizing capitalized amounts.
The Office of Information Technology (OIT) provides software project cost
data to OFM based on quarterly data calls to project managers who are
guided by SEC's Capital Asset Policy and OIT's Implementing Instruction
for Software Capitalization. Based on our understanding of OIT's process
for compiling these data, and the large number of errors identified in our
testing, we concluded that (1) there is not a consistent understanding
among project managers of the requirements that should govern their
quarterly data submissions and (2) the data submitted by project managers
are not subject to detailed supervisory review within OIT before being
forwarded to OFM. In response to our findings, OIT officials informed us
that detailed review of quarterly data submissions by the responsible
assistant director would be implemented. We plan to evaluate OIT's
implementation of detailed review during our fiscal year 2007 financial
audit.
Overall, the systemic errors that we found did not materially affect the
balances reported for property and equipment or the corresponding
depreciation and amortization expense amounts in SEC's financial
statements for fiscal year 2006. However, these conditions evidence a
significant deficiency in control over the recording of property and
equipment that while not material, affects the reliability of reported
balances. Without a process that integrates controls over capitalizing and
recording property and equipment purchases, SEC does not have sufficient
assurance over the accuracy and completeness of its reported balances for
property and equipment.
GAO's Standards for Internal Control in the Federal Government^9 provide
an overall framework for establishing and maintaining internal control,
including a discussion of control activities, for example, accurate and
timely recording of transactions. Specifically, transactions should be
accurately and promptly recorded to maintain their relevance and value to
management in controlling operations and making decisions.
In its Management's Discussion and Analysis, SEC acknowledges the need to
strengthen control over this area. Specifically, SEC indicates that it
will update the agency's property management policies in fiscal year 2007
to reflect the current organizational structure and revised business
processes, train staff on the new policies, and increase quality checks
throughout the year. In addition, SEC indicates that it has begun
preparing requirements to replace the agency's current outdated asset
management system to enhance data integrity and maximize integration of
its financial systems. These steps, if properly implemented, would
significantly address the reportable condition. However, as indicated
below, there are additional actions that SEC should take to fully address
the deficiencies in this area.
Recommendations
We recommend that SEC take the following specific actions as part of its
planned corrective measures to improve property and equipment controls:
1. Include, in its updated property management policies, detailed
procedures for recording proper acquisition costs and dates in its
asset-tracking system, and take steps to ensure that these
procedures are being consistently implemented.
2. Implement procedures requiring periodic comparisons of related
details in disbursement and property/equipment subsidiary records
to identify any unrecorded purchases that satisfy established
capitalization criteria.
3. Implement procedures to ensure that internal use software
project managers have a complete and consistent understanding of
the requirements that should govern compilation of cost data
submitted for capitalization, including consideration of joint OIT
and OFM training to software project managers on the requirements
of applicable generally accepted accounting principles.
4. Implement procedures whereby OFM staff routinely review
capitalized amounts for software projects against supporting
documentation to provide additional assurance that the recorded
amounts are accurate and complete.
9 GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
Other Issues
Although not considered to be reportable conditions, the following
weaknesses warrant management's consideration.
Payroll System Access, Approval of Time and Attendance Records, and Process
Documentation
During our fiscal year 2006 audit, we identified an excessive number of
staff in SEC's Office of Human Resources (OHR) with the capability to
initiate and approve both personnel actions and time cards. We also
identified several cases in which administrative officers had approved
time and attendance (T&A) for higher-level employees on a regular basis
during fiscal year 2006. In addition, we determined that SEC lacks formal,
comprehensive documentation of T&A and personnel action processes. We
presented these findings to SEC officials in August 2006. As of the
completion of our audit in November 2006, OHR had taken or planned
corrective actions to address these issues.
SEC uses the Federal Personnel and Payroll System (FPPS), a system
developed and maintained by the Department of the Interior's National
Business Center in Denver, Colorado, to process personnel actions and
payroll transactions. During our audit, we found that all 11 specialists
and 8 assistants within OHR had FPPS access privileges allowing them to
initiate and approve personnel actions for any SEC employee. In addition,
all 19 staff had access privileges to initiate and approve time cards for
employees within the offices that they service, including 3 who could do
so for any SEC employee. According to OHR officials, these access
privileges were put in place primarily for emergency situations where key
staff may be unavailable. This condition introduces a risk factor from a
segregation of duties perspective in that one individual could control all
key aspects of personnel and payroll processing.
In late September 2006, OHR removed certain access privileges for 16 of
its 19 specialists and assistants. The overall result was a reduction in
the number of staff who can both initiate and approve a personnel action
and initiate and approve a time card from 19 to 3. Going forward, OHR is
planning to monitor personnel action processing on a monthly basis by
producing a report of all actions initiated and approved by the same staff
member that will be reviewed and signed by both (1) one of OHR's three
branch chiefs (on a rotating basis) and (2) the assistant director. In
addition, OHR plans to implement branch team leader review of all
personnel actions prior to final processing as an internal operating
procedure.
During our audit, we reviewed 45 payroll expenditures, including testing
for proper T&A approval. We identified 3 cases in which an administrative
officer approved the time card of a higher-level employee. After further
inquiries and testing, we determined that time cards for all three
employees had been improperly approved by an administrative officer on a
regular basis during fiscal year 2006. GAO's guidance on controls over T&A
reporting^10 emphasizes that the integrity of the information in a T&A
reporting system depends largely on the conscientious exercise of the
supervisor (or other official) of his/her approval authority and an
appropriate basis for such approval.
10 GAO, Maintaining Effective Control over Employee Time and Attendance
Reporting, GAO-03-352G (Washington, D.C.: January 2003).
In response to the results of our payroll expenditure testing, OHR issued
two memos in September 2006--one to division directors/office heads and
one to administrative officers--emphasizing that administrative officers
(1) have been given T&A certification authority for emergency situations
only and (2) are not to certify T&A for higher-level officials on an
ongoing basis. While such memos can serve as a useful reminder of current
policy, we emphasized to OHR officials that active monitoring of
compliance with current policy is a critical internal control. In this
regard, OHR is planning to monitor the levels of staff that are approving
time cards, with a focus on organizations in which exceptions were noted.
Consistent with GAO's Standards for Internal Control in the Federal
Government, internal control should be clearly documented and the
documentation readily available for examination. During the course of our
audit, OHR management readily acknowledged the lack of written procedures
governing personnel action and payroll processing. As a result, OHR is
planning to incorporate these areas into a larger initiative to document
"core processes" across its functional areas.
Given our understanding of SEC's overall control environment for personnel
action and payroll processing, and the results of our current and prior
year detail testing in these areas, we concluded that the deficiencies
discussed above do not constitute reportable conditions. However, they are
key components of SEC's system of internal control that warrant
strengthening. The commission acknowledged in its Management's Discussion
and Analysis that actions are needed to strengthen controls in these
areas.
Overall, we are encouraged by the actions taken and planned by SEC to
strengthen these areas. However, continued management attention will be
critical to ensuring that actions already taken are periodically
reassessed for adequacy, and that planned actions are effectively
implemented. We plan to evaluate SEC's corrective actions during our
fiscal year 2007 financial audit.
Recommendation
We recommend that SEC evaluate the overall effectiveness of its actions
taken in response to our findings regarding payroll and personnel action
processing, when fully implemented, to determine whether any
modifications, additional actions, or both are needed.
Comparison of Furniture and Equipment Received and Ordered
In addition to the inaccuracies in recording acquisition costs and dates,
we found that SEC did not have evidence that showed a comparison of the
quantity and type of item received against the corresponding order(s) for
most furniture and equipment items that we tested. Specifically, we
received adequate evidence of this comparison in only 10 of 49 cases
tested for this attribute. Although we concluded that these comparisons
are being performed, consistent with our Standards for Internal Control in
the Federal Government, this fundamental component of procurement control
activities should be consistently documented.
According to SEC's Property Management Program Manual (SECM9-1), upon
receipt of property, staff are to sign and date the shipping receipt to
evidence that the quantity and type of property received agrees with the
corresponding purchase order. According to the Associate Executive
Director of OAS, the current policy is outdated and comparisons are not
being consistently documented in this manner. Therefore, the Associate
Executive Director stated that SECM9-1 will be updated by OAS in
cooperation with OIT's Asset Management Branch. Overall, the outdated
policy and lack of documented evidence of a key control reflect a need for
SEC to improve the "audit trail" for key asset management processes rather
than a significant internal control deficiency.
Recommendation
We recommend that SEC retain, in its updated property management policy, a
procedure to document comparison of quantity and type of item received
with the corresponding purchase order, and take actions to ensure that the
comparisons are being consistently documented.
Agency Comments
In commenting on a draft of this report, the Chairman indicated that SEC
made progress in fiscal year 2006 in addressing its internal control
weaknesses. The Chairman identified specific actions and initiatives
undertaken since the completion of our fiscal year 2006 audit that are not
included in this report. The actions cited by the Chairman include
o implementing the new system (Phoenix) in February 2007 for
tracking disgorgement and penalty receivable and collection
activity;
o implementing--in conjunction with the rollout of the Phoenix
system--new policies and procedures, as well as mandatory
computer-based training modules for mid- and senior-level managers
in the Division of Enforcement;
o hiring a contractor to update SEC's property and equipment
policies and to develop procedures directed at ensuring proper
implementation;
o implementing a semiannual process to compare invoices paid to
property system data to identify any unrecorded purchases that
meet established capitalization criteria; and
o instituting detailed supervisory-level review of all internal
use software capitalization data provided by project managers.
With respect to fiscal year 2007, the Chairman stated that SEC has
redoubled its efforts. Specifically, the Chairman cited plans to improve
the process for recording and reporting disgorgement and penalty activity
by further automation and review of the manual compensating controls
currently in place, provide training to software project managers on
generally accepted accounting principles applicable to internal use
software, and evaluate the effectiveness of revised payroll and personnel
action processes to determine if any modifications are necessary or new
processes needed. We will evaluate SEC's actions and initiatives during
our fiscal year 2007 audit.
SEC's written comments are reprinted in enclosure II of this report.
- - - - -
This report contains recommendations to you. The head of a federal agency
is required by 31 U.S.C. S 720 to submit a written statement on actions
taken on the recommendations to the Senate Committee on Homeland Security
and Governmental Affairs and the House Committee on Oversight and
Government Reform not later than 60 days from the date of this report. A
written statement also must be sent to the House and Senate Committees on
Appropriations with agency's first request for appropriations made more
than 60 days after the date of this report.
This report is intended for use by management of SEC. We are sending
copies of this report to the Chairmen and Ranking Minority Members of the
Senate Committee on Banking, Housing, and Urban Affairs; the Senate
Committee on Homeland Security and Governmental Affairs; the House
Committee on Financial Services; and the House Committee on Oversight and
Government Reform. We are also sending copies to the Secretary of the
Treasury, the Director of the Office of Management and Budget, and other
interested parties. In addition, this report will be available at no
charge on GAO's Web site at http://www.gao.gov .
We acknowledge and appreciate the cooperation and assistance provided by
SEC management and staff during our audit of SEC's fiscal years 2006 and
2005 financial statements. If you have any questions about this report or
need assistance in addressing these
issues, please contact me at (202) 512-9471 or by e-mail at
[email protected] . Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this report.
Sincerely yours,
Jeanette M. Franzel
Director
Financial Management and Assurance
Enclosures - 3
Enclosure I
Status of Previously Reported Recommendations
This enclosure indicates the status of the U.S. Securities and Exchange
Commission's (SEC) efforts to implement our previous recommendations
related to opportunities for improvements in SEC's internal control and
accounting and financial reporting procedures identified during our audits
of SEC's 2004 and 2005 financial statements.^1 Table 1 lists the
recommendations from our 2004 audit that we previously reported as open at
the conclusion of our 2005 audit. Table 2 lists the recommendations from
our 2005 audit. The status reflects our assessment of whether the issues
that gave rise to the recommendations have been effectively and fully
addressed based on the work performed during our fiscal year 2006
financial audit. As of January 2007, SEC had taken actions to close 18 of
the 35 open recommendations from our audits of the agency's 2004 and 2005
financial statements. Effectively implementing recommendations is critical
for SEC to resolve its financial management challenges.
1 GAO, Material Internal Control Issues Reported in SEC's Fiscal Year 2004
Financial Statement Audit Report, GAO-05-691R (Washington, D.C.: July 27,
2005); Management Report: Opportunities for Improvements in SEC's Internal
Controls and Accounting Procedures, GAO-05-693R (Washington, D.C.: Aug.
12, 2005); and Internal Control: Improvements Needed in SEC's Accounting
and Financial Reporting Procedures, GAO-06-459R (Washington, D.C.: Apr.
21, 2006).
Table 1: Recommendations from 2004 Audit Reported as Open at Conclusion of
2005 Audit
Audit area/recommendation Audit Status of
area/recommendation Audit area/recommendation recommendation Status
of recommendation
Status of
recommendation
Closed Closed Open Open
Closed Open
Disgorgements and penalties
1. Implement a system that is integrated with X
the accounting system or that provides the
necessary input to the accounting system to
facilitate timely, accurate, and efficient
recording and reporting of disgorgement and
penalty activity.
2. Review the disgorgement and penalty X
judgments and subsequent activities documented
in each case file by defendant to determine
whether the individual amounts recorded in the
case-tracking system are accurate and reliable.
3. Implement controls so that the ongoing X
activities involving disgorgements and
penalties are properly, accurately, and timely
recorded in the accounting system.
4. Strengthen coordination, communication, and X
data flow among staff of SEC's Division of
Enforcement and Office of Financial Management
(OFM) who share responsibility for recording
and maintaining disgorgement and penalty data.
5. Develop and implement written policies X
covering the procedures, documentation,
systems, and responsible personnel involved in
recording and reporting disgorgement and
penalty financial information. The written
procedures should also address quality control
and managerial review responsibilities and
documentation of such a review.
Financial statement preparation and reporting
6. Develop written policies and procedures that X
provide sufficient guidance for the year-end
closing of the general ledger as well as the
preparation and analysis of quarterly and
annual financial statements.
7. Prepare a crosswalk between the financial X
statements and the source systems, general
ledger accounts, and the various account
queries and analyses that make up key balances
in the financial statements.
8. Maintain subsidiary records or ledgers for X
all significant accounts and disclosures so
that the amounts presented in the financial
statements and footnotes can be supported by
the collective transactions making up the
balances.
9. Perform monthly reconciliations of X
subsidiary records and summary account
balances.
10. Consider a "formal closing" of all accounts X
at an interim date(s), which will reduce the
level of accounting activity and analysis
required at year-end. The formal closing
entails ensuring that all transactions are
recorded in the proper period through month's
end.
11. Require supervisory review for all entries X
posted to the general ledger and financial
statements, including closing entries. A
supervisor should review revisions to
previously approved entries and revised
financial statements and footnotes. All entries
and reviews should be documented.
12. Establish milestones for preparing and X
reviewing the financial statements by setting
dates for critical phases such as closing the
general ledger; preparing financial statements,
footnotes, and the performance and
accountability report; and performing specific
quality control review procedures.
13. Utilize established tools (i.e., checklists X
and implementation guides) available for
assistance in compiling and reviewing financial
statements.
14. Maintain documentation supporting all X
information included in the financial
statements and footnotes. This documentation
should be more self-explanatory than what has
been retained in the past. The documentation
should be at a level of detail to enable a
third party, such as an auditor, to use the
documentation for substantiating reported data
without extensive explanation or re-creation by
the original preparer.
15. Take advantage of in-house resources and X
expertise in establishing financial reporting
policies, internal controls, and business
practices, as well as in the review of
financial statement and footnote presentation.
16. Develop or acquire an integrated financial X
management system to provide timely and
accurate recording of financial data for
financial reporting and management decision
making.
Cash receipts
17. Periodically reconcile the cash receipts X
log to the documentation supporting the deposit
amount in the general ledger.
Property and equipment leases
18. Review all existing leases for property and X
equipment to determine if they should be
capitalized or expensed and make any necessary
adjustments to the related general ledger
balances.
19. Develop policies and procedures to properly X
account for future property and equipment
leases on an ongoing basis.
Federal Personnel and Payroll System data
20. Periodically reconcile its active employees X
to Federal Personnel and Payroll System (FPPS).
To do this, consideration should be given to
maintaining an independent database of active
employees and other payroll-related
information, wherein active employee data could
be readily compared with and reconciled to
FPPS-generated payroll records. This
reconciliation should be documented.
Closing recommendations to address Federal Managers' Financial Integrity
Act weaknesses
21. Require documented support and review of X
SEC's corrective actions to provide evidence
that actions taken in response to audit
recommendations fully correct identified
deficiencies prior to closing out the audit
issues in the tracking system.
Source: GAO.
Note: Recommendations made in GAO-05-691R and GAO-05-693R.
Table 2: Recommendations from 2005 Audit
Audit area/recommendation Audit area/recommendation Status of
recommendation Status
of recommendation
Closed Open Open
Closed
Financial statement preparation and reporting
1. Staff OFM with the collective knowledge, X
skills, and experience necessary to achieve
effective implementation of internal control over
the financial statement preparation and reporting
process.
2. Finalize formal, written policies and X
procedures governing financial reporting
processes and related internal control and
quality assurance, including the basic
documentation, audit trails, and crosswalks
needed to support financial statement amounts, to
facilitate management review of financial
information.
3. Formalize and place into operation a senior X
management council or committee to oversee
financial reporting activities; provide advice;
and regularly review the agency's financial
information, operations, and policies.
4. Determine cutoff dates for significant account X
balances that are both appropriate and practical
to facilitate interim financial reporting and
meeting year-end financial reporting deadlines.
5. Prepare interim footnote disclosures to X
facilitate meeting year-end financial reporting
deadlines.
Disgorgements and penalties
Develop, document in writing, and implement
comprehensive policies, procedures, and controls
over disgorgement and penalty transactions that
include the following (see items 6-9):
6. An accounting policy for disgorgements and X
penalties that will provide SEC management with
reasonable assurance that the subsidiary ledger
for disgorgement/penalty receivables is accurate
and complete.
7. The type of documentation and procedures X
needed to record the termination or waiver of a
debt and the proper notification and
communication for approved terminations and
waivers, such that management has assurance that
only valid and approved terminations are
recorded.
8. The recording of activity by case for X
fiduciary balances, including monthly
reconciliations and management review, to ensure
that balances by case are accurate.
9. The initiation, recording, and monitoring of X
investments, including the monthly reconciliation
of investment activity, to provide assurance that
these fiduciary amounts are accurate and
complete.
Responsibilities of contracting officer's technical representative (COTR)
10. Clarify guidance regarding policies and X
procedures (as described in SECR10-8 and
SECR10-15) for the COTR's responsibilities and
take actions to help ensure existing policies and
procedures are being followed consistently.
Internal review of filing fee calculations
11. Take action to help ensure that its policy on X
recalculating fee-bearing filing amounts is
consistently followed.
12. Take action to help ensure that the X
recalculation of the required filing fees is
clearly documented.
Compliance with Prompt Payment Act
13. Incorporate a review of the invoice receipt X
date as part of its daily review of Momentum
(SEC's general ledger) invoice entries to ensure
the invoice receipt dates are accurately entered
into Momentum.
14. Take action to help ensure that the policy X^a
requiring the timely return of improper invoices
to the vendor to allow for timely payment is
followed.
Source: GAO.
Note: Recommendations from GAO-06-459R.
^aSEC has taken actions to address this recommendation. We plan to
evaluate the effectiveness of these actions during our 2007 audit.
Enclosure II
Comments from the U.S. Securities and Exchange Commission
Enclosure III
Details on Audit Scope and Methodology^1
To fulfill our responsibilities as auditor of the financial statements of
SEC, we did the following:
o Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements.
o Assessed the accounting principles used and significant
estimates made by management.
o Evaluated the overall presentation of the financial statements.
o Obtained an understanding of internal controls related to
financial reporting and compliance with laws and regulations.
o Obtained an understanding of the recording, processing, and
summarizing of performance measures as reported in Management's
Discussion and Analysis.
o Tested relevant internal controls over financial reporting and
compliance, and evaluated the design and operating effectiveness
of internal control.
o Considered SEC's process for evaluating and reporting on
internal control and financial management systems under the
Federal Managers' Financial Integrity Act of 1982.
o Tested compliance with selected provisions of the following laws
and regulations: the Securities Exchange Act of 1934, as amended;
the Securities Act of 1933, as amended; the Anti-Deficiency Act;
laws governing the pay and allowance system for SEC employees; and
the Prompt Payment Act.
We requested comments on a draft of this report from the Chairman of SEC.
We received written comments from SEC. We conducted our audit in
accordance with U.S. generally accepted government auditing standards.
(194648)
1 For further explanation of our audit scope and methodology, see the
financial audit report (GAO-07-134).
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or (202)
512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
*** End of document. ***