Skip to main content

Internal Control: Improvements Needed in SEC's Accounting and Financial Reporting Process

GAO-08-461R Published: Apr 01, 2008. Publicly Released: Apr 01, 2008.
Jump To:
Skip to Highlights

Highlights

On November 16, 2007, we issued our report on the U.S. Securities and Exchange Commission's (SEC) fiscal years 2007 and 2006 financial statements and on SEC's internal control as of September 30, 2007. We also reported on the results of our tests of SEC's compliance with selected provisions of laws and regulations during fiscal year 2007. The purpose of this report is to present areas of SEC's internal controls identified during our fiscal year 2007 audit that could be improved. This report contains 14 recommendations to SEC to improve these internal controls and procedures. These recommendations are in addition to those we already provided to SEC as a result of our prior audits of SEC's financial statements.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Securities and Exchange Commission To improve its period-end financial reporting process controls, SEC should integrate subsystems that process significant accounting data with the general ledger.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found SEC's subsidiary systems for property and equipment and for disgorgements and penalties transactions did not share common data elements and common transaction processing with the general ledger system. As a result, SEC made extensive use of desktop applications and workstations to perform intermediary information processing steps necessary to process these transactions in SEC's general ledger. Our review of these applications found that they lacked the information security controls necessary to prevent or recover from any inadvertent data corruption or to permit independent verification of the processing that has taken place, which increases the risk that transactions are not recorded completely, properly, or consistently. Through our testing of property and equipment and disgorgement and penalties transactions, we noted numerous errors resulting from SEC's reliance on non-integrated subsidiary systems. In our April 2008 report, we recommended that SEC integrate subsystems that process significant data with the general ledger, and until subsystems are fully integrated, the SEC should develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. In response to our recommendation, SEC upgraded its core accounting system in fiscal year 2008 and deployed two integrated subsidiary modules to account for (1) disgorgement and penalties accounts receivables and (2) property and equipment transactions. In addition to these system enhancements, SEC developed and implemented weekly, monthly and quarterly reconciliations of data maintained in its case management, accounts receivable module, and general ledger systems. These system enhancements, substantially completed in fiscal year 2009, significantly improved the reliability of disgorgement and penalties accounts receivable and property and equipment transaction data.
United States Securities and Exchange Commission To improve its period-end financial reporting process controls, SEC should, until subsystems are fully integrated, develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. These data reliability checks should include supervisory review.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found SEC's subsidiary systems for property and equipment and for disgorgements and penalties transactions did not share common data elements and common transaction processing with the general ledger system. As a result, SEC made extensive use of desktop applications and workstations to perform intermediary information processing steps necessary to process these transactions in SEC's general ledger. Our review of these applications found that they lacked the information security controls necessary to prevent or recover from any inadvertent data corruption or to permit independent verification of the processing that has taken place, which increases the risk that transactions are not recorded completely, properly, or consistently. Through our testing of property and equipment and disgorgement and penalties transactions, we noted numerous errors resulting from SEC's reliance on non-integrated subsidiary systems. In our April 2008 report, we recommended that SEC integrate subsystems that process significant data with the general ledger, and until subsystems are fully integrated, the SEC should develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. In response to our recommendation, SEC upgraded its core accounting system in fiscal year 2008 and deployed two integrated subsidiary modules to account for (1) disgorgement and penalties accounts receivables and (2) property and equipment transactions. In addition to these system enhancements, SEC developed and implemented weekly, monthly and quarterly reconciliations of data maintained in its case management, accounts receivable module, and general ledger systems. These system enhancements, substantially completed in fiscal year 2009, significantly improved the reliability of disgorgement and penalties accounts receivable and property and equipment transaction data.
United States Securities and Exchange Commission To improve its period-end financial reporting process controls, SEC should prepare written procedures which describe explicitly the steps required to accomplish and document each significant activity in the general ledger closing process and in the generation of the financial statements, including related disclosures.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have detailed written documentation of its methodologies and procedures for the general ledger closing process or generation of the financial statements, increasing the risk of inconsistency, improper reporting, and disruptions resulting from staff turnover. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC prepare written procedures detailing the specific steps required to accomplish and document all significant activities in the general ledger closing process and in the generation of the financial statements, including related disclosures. In response to our recommendation, during fiscal year 2008 SEC issued procedures detailing the specific steps and documentation related to the closing process and generation of financial statements. These procedures if fully and effectively implemented, should significantly improve its internal control over the period-end financial reporting processes.
United States Securities and Exchange Commission To improve its disgorgement and penalties accounts receivable controls, SEC should develop and implement controls over the calculation of disgorgement and penalties accounts receivable, including the reliability of data downloaded from Phoenix and the accuracy of spreadsheet cell formulas and related methodologies.
Closed – Implemented
As part of its enforcement responsibilities, the Securities and Exchange Commission (SEC) orders and administers judgments ordering, among other things, disgorgement and civil monetary penalties against violators of federal securities laws. At September 30, 2007, the gross amount of disgorgements and penalties accounts receivable was $330 million. In our fiscal year 2007 audit of the SEC's financial statements, we found that manual controls, intended to compensate for the lack of an integrated accounting system for disgorgements and penalties, were not effective at ensuring the accuracy of data and spreadsheet formulas used to calculate balance totals. As a result, SEC's accounts receivable for disgorgement and penalty balances at both interim and yearend contained overstatements. In our April 2008 report, we recommended that SEC develop and implement controls over the calculation of disgorgement and penalties accounts receivable, including the reliability of data downloaded from its Phoenix database - which maintains financial data pertaining to disgorgement and penalties - and the accuracy of spreadsheet cell formulas and related methodologies. In response to our recommendation, in fiscal year 2009, the SEC implemented a subsidiary ledger within its core accounting system, Momentum, which eliminated the necessity for manual calculations of receivable balances. In addition, weekly, monthly, and quarterly reconciliations were established to assure the consistency of data maintained in the two systems. These system enhancements and reconciliation procedures significantly improved internal control over SEC's accounting for its disgorgement and penalty accounts receivable balances.
United States Securities and Exchange Commission To improve its accounting for transaction fee revenue controls, SEC should establish and implement detailed written procedures for recording transaction fee revenue and the related receivable, including procedures for recognizing data received after the balance sheet date but prior to issuance of the financial statements.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have written procedures to ensure that its estimates of amounts receivable for fees payable by self-regulatory organizations (SRO) for stock transactions were adjusted to reflect the actual volume of transactions occurring during the month of September as a routine part of its year-end financial reporting process. Specifically, SEC did not adjust its amount receivable to reflect actual transaction volume for the month of September which was reported by the SROs in October, after the balance sheet date but prior to the issuance of the financial statements. As a result, SEC's estimated receivable amount at September 30, 2007 of $100.6 million was not properly adjusted to reflect the $74.4 million of actual transactions reported by the SROs in mid-October. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC establish and implement detailed written procedures for recording transaction fee revenue and the related receivable, including procedures for recognizing data received after the balance sheet date but prior to issuance of the financial statements. In response to our recommendation, during fiscal year 2008 SEC implemented detailed procedures specifying documentation requirements for recording transaction fee revenue and the related receivable and incorporated a procedure for adjusting the Section 31 Fee Receivable Balance into its year end closing schedule. If fully and effectively implemented, these new procedures should enable SEC to significantly improve its process for reporting and accounting for transaction fee revenue.
United States Securities and Exchange Commission To improve its financial statement disclosure preparation controls, SEC should establish and implement detailed written procedures for the preparation and review of the financial statement disclosures, including the comparison of financial statement disclosure amounts to related information presented in the current and previous year financial statements and Management's Discussion and Analysis.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified numerous errors in SEC's year-end draft financial statement footnote disclosures, including misstated amounts, improper breakout of line items, and amounts incorrectly brought forward as beginning balances. We also found SEC did not have a documented timeline and process for completing the fiscal year 2007 financial statements and disclosures, including provisions for review of the disclosures. The lack of such an established process prevented SEC finance staff from scheduling sufficient time to carry out thorough and complete reviews of the disclosures and still meet the reporting deadline. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC establish and implement detailed written procedures for the preparation and review of the financial statement disclosures, including the comparison of disclosure amounts to the related information presented in the financial statements and Management's Discussion and Analysis. In response to our recommendation, during fiscal year 2008 SEC established and implemented documented procedures for the preparation of financial statement footnotes. If fully and effectively implemented, these new procedures should enable SEC to significantly improve financial reporting controls over its process for preparing financial statement footnotes.
United States Securities and Exchange Commission To improve its property and equipment controls, in addition to GAO's previous recommendations in this area, SEC should establish and implement controls over invoiced property costs and dates to ensure that property and equipment acquisitions are accurately recorded in the relevant subsidiary ledgers for personal property, leasehold improvement, and software.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted numerous instances of inaccuracies in recorded acquisition dates and costs for property and equipment purchases, as well as errors in amounts capitalized for internal-use software projects thereby misstating SEC's property, plant, and equipment line item and current year expenses. Contributing to these errors was SEC's lack of an integrated subsidiary ledger and formalized processes for comparing quantity and type of items received against the corresponding purchase orders. In our April 2008 report, we recommended that SEC establish and implement controls over invoiced property costs and dates to ensure that property and equipment acquisitions are accurately recorded in the relevant subsidiary ledgers for personal property, leasehold improvement, and software. In response to our recommendation, SEC upgraded its core accounting system in fiscal year 2008 and deployed an integrated subsidiary module to account for property and equipment transactions. Under this new process, substantially completed in fiscal year 2009, the capitalization amounts are automatically populated into the general ledger using the original purchase order, thereby eliminating clerical errors. These system enhancements significantly improved the accuracy of recording and reporting property and equipment transaction data thereby increasing the reliability of related balances presented on its financial statements.
United States Securities and Exchange Commission To improve its property and equipment controls, in addition to GAO's previous recommendations in this area, SEC should establish and implement controls to ensure proper calculation of depreciation and amortization of additions to existing items over the remaining useful lives of the associated items.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified formula errors in SEC's spreadsheet used to calculate depreciation and amortization related to property acquisitions or improvements. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC establish and implement controls to ensure proper calculation of depreciation and amortization of property additions. In July 2008, in response to our recommendation, and as part of the new integrated property and equipment subsidiary ledger, SEC established standard depreciation schedules within its core financial system for the automatic depreciation and amortization of its capitalized assets. Based on our recalculation of accumulated depreciation and amortization of balances at September 30, 2008, we concluded that SEC has established effective controls over such calculations. This automated calculation capability significantly improved property and equipment financial reporting reliability, including controls to assure the accurate calculation of depreciation and amortization of property and equipment additions.
United States Securities and Exchange Commission To improve its budgetary accounting controls, SEC should correct general ledger system configurations to properly account for upward and downward adjustments of prior-years' undelivered orders in accordance with the U.S. Standard General Ledger.
Closed – Implemented
In response to our recommendation, SEC migrated its financial management system to its federal shared service provider's financial management system in April 2012. Additionally, in March 2015, SEC updated its procedures to reflect (1) the newly developed manual process used by its service provider for determining adjustments to SEC's prior years' undelivered obligations, and (2) SEC's monitoring procedures to ensure that its service provider recorded accurate adjustments in SEC's general. The new process and proper implementation of related monitoring control procedures should reduce the risk of misstatements in SEC's Statement of Budgetary Resources.
United States Securities and Exchange Commission To improve its budgetary accounting controls, SEC should establish and implement controls over obligation-related entries (including original obligations, corrections, and deobligations) to ensure the use of correct U.S. Standard General Ledger accounts and the recording of correct amounts.
Closed – Implemented
In our fiscal year 2007 audit of the Securities Exchange Commission's (SEC) financial statements, we noted approximately $76 million in general ledger posting errors, including both upward and downward adjustments to prior year undelivered orders. In addition, we noted numerous instances in which SEC recorded original obligations at incorrect amounts in the general ledger. In our April 2008 report, we recommended that SEC establish and implement controls over obligation-related entries (including original obligations, corrections, and deobligations) to ensure the use of correct U.S. Standard General Ledger accounts and the recording of correct amounts. In response to our recommendation, the SEC reviewed the general ledger posting logic in June 2009 and made revisions as necessary. Our subsequent review of SEC's posting logic for budgetary transactions identified no exceptions. As a result of these actions, SEC has enhanced its accounting for budgetary transactions and thereby reduced the risk that the amounts recorded in the general ledger and reported on SEC's Statement of Budgetary Resources are misstated.
United States Securities and Exchange Commission To improve its budgetary accounting controls, SEC should clarify administrative control of funds guidance and document the responsibilities of the staff performing obligation-related activities with regard to recording obligations in accordance with the recording statute.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that SEC lacked procedures for documenting monitoring of time card certifications and any identified exceptions. Specifically, during our fiscal year 2007 audit, we observed that SEC did not consistently monitor time card certifications and did not document when, or what, they were monitoring with respect to time card certifications or the results of what they found. We concluded that the lack of documentation of these control procedures may delay or prevent SEC management from identifying any breakdown in time card certifications or any instances of employees certifying higher-level officials' time cards on an other than emergency basis. Consistent with GAO's Standards for Internal Control in the Federal Government, internal control should be clearly documented, and the documentation readily available for examination. In April 2008, we recommended that SEC establish and implement procedures for documenting evidence of monitoring of time card certifications to include procedures to document any identified exceptions. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance processes in SEC Regulation 6-2, Sections G, H, I, and O. These new procedures describe processes for timecard certification and reviews of the certifications to ensure that any exceptions are identified. As a result of these improvements, SEC management has reduced the risk that time card certification monitoring control objectives may become ineffective.
United States Securities and Exchange Commission To improve its budgetary accounting controls, SEC should establish and implement controls to ensure that SEC staff adheres to existing policies and procedures to prevent violations of the recording statute.
Closed – Implemented
In fiscal year 2012, SEC migrated its core financial management system and the processing of its financial transactions to a shared service provider's financial system, which is also integrated with the service provider's contract writing system. SEC implemented a process flow which requires the responsible contracting officer to release a contract in the contract writing system concurrent with the signing of a binding agreement. The release of the agreement in the contract writing system results in the recording of the obligation in the financial system. As a result, SEC has significantly reduced the risk of violations with respect to the recording statute.
United States Securities and Exchange Commission To improve its payroll controls, in addition to GAO's previous recommendations in this area, SEC should establish and implement procedures for documenting evidence of monitoring of time card certifications and include procedures to document any identified exceptions.
Closed – Implemented
In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance processes in SEC Regulation 6-2, Sections G, H, I, and O. These new procedures describe processes for timecard certification and reviews of the certifications to ensure that any exceptions are identified. As a result of these improvements, SEC management has reduced the risk that time card certification monitoring control objectives may become ineffective.
United States Securities and Exchange Commission To improve its payroll controls, in addition to GAO's previous recommendations in this area, SEC should segregate key responsibilities over the approval of personnel actions so that no one individual approves his own personnel action.
Closed – Implemented
In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified an employee who approved a valid personnel action for an increase in his own salary without evidence of additional review from another level of management. In our April 2008 report, we recommended that SEC segregate key responsibilities over the approval of personnel actions so that no one individual approves his own personnel action. In response to our recommendation, SEC's Office of Human Resources (OHR) implemented a personnel action workflow in 2009 to describe the required steps in its process. In addition, OHR assigned an OHR analyst to review the processing of personnel actions of staff with "superuser" rights. Further, OHR issued a directive in 2009 addressing T&A administration matters, including appropriate certification and approval of employees' T&A transactions. As a result, SEC strengthened the overall control environment for personnel action and payroll processing and reduced the risk of fraudulent approval of employee personnel actions.

Full Report

Office of Public Affairs

Topics

AccountabilityAccounting standardsAuditing standardsData integrityDocumentationFederal regulationsFinancial managementFinancial management systemsFinancial recordsFinancial statement auditsFinancial statementsInformation securityInternal controlsPolicy evaluationProgram evaluationRecords managementReporting requirementsReports managementSecuritiesSystems integrationPolicies and procedures