Risk & Compliance

GAO Criticizes SEC Internal Controls

In its fiscal year 2005 audit, the congressional watchdog agency found problems very similar to those it reported last year.
Stephen TaubNovember 23, 2005

The Government Accountability Office has asserted that the Securities and Exchange Commission did not maintain effective internal control over financial reporting as of the end of its September 2005 fiscal year.

The congressional watchdog agency cited continued material internal-control weaknesses in the areas of preparing financial statements and related disclosures, recording and reporting disgorgements and penalties, and information security. The GAO added that it would recommend corrective actions in a separate report.

The agency did praise the SEC on a number of issues. It asserted that the commission’s fiscal year 2005 financial statements were fairly presented in all material respects, citing as a “notable achievement” the SEC’s “acceleration of its financial reporting and issuance of its audited financial statements by November 15, 2005.” The GAO acknowledged that in all material respects, the SEC maintained “effective internal control over compliance with laws and regulations” tested as of September 30, and that the GAO did not find reportable instances of noncompliance with laws and regulations it tested. The agency also stated that the commission has improved communication among SEC divisions and improved subsidiary ledgers that support financial-statement amounts.

Even so, the GAO stated: “During our fiscal year 2005 audit, we continued to find inaccuracies in the data that were similar to what we found during the fiscal year 2004 audit.” Last year, it also found “material internal control weaknesses” in the preparation of financial statements, the reporting of disgorgements and penalties, and data security.

The agency reported that the SEC has taken steps to strengthen its information security by increasing staffing, certifying and accrediting applications, and establishing a backup data center. However, most of the weaknesses the GAO identified last year persist, it added, and the GAO identified additional weaknesses, including several important aspects of access control. “Key to SEC’s weakness in information security control is that it has not fully implemented a comprehensive program for security management,” the report stated. “Such a program is fundamental to protecting the integrity, confidentiality, and availability of SEC’s sensitive data.”

The report also noted that the commission has found “inaccuracies” of financial data related to disgorgements and penalties, which it is in the process of correcting. “Contributing to SEC’s control weakness in this area are limitations in SEC’s database used to track disgorgement- and penalty-related activity,” the report stated. “The database is not designed to facilitate accounting and financial reporting, causing SEC to perform extensive, manual procedures to account for this activity.”

The GAO also criticized the SEC’s financial reporting process for continuing to be “largely manual and difficult to follow.” It elaborated that the link between the financial statements and the detailed account balances was not supported by an adequate audit trail, support for certain balances was not readily available, and policies for financial reporting were still incomplete.

In addition, the GAO criticized the SEC’s Office of Financial Management for not having sufficient staff with expertise in financial reporting, “resulting in too many responsibilities vested with too few people, causing problems with segregation of duties, achieving quality assurance reviews, and being able to effectively manage the workload.”