Financial Audit: Securities and Exchange Commission's Financial  
Statements for Fiscal Years 2005 and 2004 (15-NOV-05,		 
GAO-06-239).							 
                                                                 
Established in 1934 to enforce the securities laws and protect	 
investors, the Securities and Exchange Commission (SEC) plays an 
important role in maintaining the integrity of the U.S. 	 
securities markets. Pursuant to the Accountability of Tax Dollars
Act of 2002, the SEC is required to prepare and submit to	 
Congress and the Office of Management and Budget audited	 
financial statements. GAO agreed, under its audit authority, to  
perform the audit of SEC's financial statements. GAO's audit was 
done to determine whether, in all material respects, (1) SEC's	 
fiscal year 2005 financial statements were reliable and (2) SEC's
management maintained effective internal control over financial  
reporting and compliance with laws and regulations. We also	 
tested SEC's compliance with certain laws and regulations.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-239 					        
    ACCNO:   A41559						        
  TITLE:     Financial Audit: Securities and Exchange Commission's    
Financial Statements for Fiscal Years 2005 and 2004		 
     DATE:   11/15/2005 
  SUBJECT:   Accountability					 
	     Accounting standards				 
	     Auditing standards 				 
	     Financial management				 
	     Financial records					 
	     Financial statement audits 			 
	     Financial statements				 
	     Information security				 
	     Internal controls					 
	     Reporting requirements				 
	     Reports management 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-239

     

     * Report to the Chairman, U.S. Securities and Exchange Commission
          * November 2005
     * FINANCIAL AUDIT
          * Securities and Exchange Commission's Financial Statements for
            Fiscal Years 2005 and 2004
     * Contents
          * Opinion on Financial Statements
          * Opinion on Internal Control
          * Material Weaknesses
               * Financial Statement Preparation Process
               * Disgorgements and Penalties
               * Information Security
          * Compliance with Laws and Regulations
          * Consistency of Other Information
          * Objectives, Scope, and Methodology
          * SEC Comments and Our Evaluation
     * Management Discussion Analysis
     * Financial Statements
     * Required Supplemental Information
     * Comments from the Securities and Exchange Commission

Report to the Chairman, U.S. Securities and Exchange Commission

November 2005

FINANCIAL AUDIT

Securities and Exchange Commission's Financial Statements for Fiscal Years
2005 and 2004

Contents

November 15, 2005Letter

The Honorable Christopher Cox Chairman U.S. Securities and Exchange
Commission

Dear Mr. Cox:

This report presents our opinion on whether the financial statements of
the Securities and Exchange Commission (SEC) are presented fairly for the
fiscal years ended September 30, 2005, and 2004. This report also presents
(1) our opinion on the effectiveness of SEC's internal control over
financial reporting and compliance as of September 30, 2005, including
weaknesses in financial reporting controls detected during our 2005 audit;
and (2) the results of our tests of SEC's compliance with selected laws
and regulations during 2005.

The Accountability of Tax Dollars Act of 2002 requires that SEC prepare
and submit to Congress and the Office of Management and Budget (OMB)
audited financial statements. GAO agreed, under its audit authority, to
perform the audit of SEC's financial statements. GAO conducted this audit
in accordance with U.S. generally accepted government auditing standards
and OMB audit guidance. This is the second year that SEC has prepared a
complete set of financial statements for audit. A notable achievement
during fiscal year 2005 was SEC's acceleration of its financial reporting.
SEC was able to prepare financial statements that were fairly stated in
all material respects for fiscal year 2005 by November 15, 2005, in
accordance with OMB timeframes. This due date was met through the
tremendous dedication of time and effort from SEC management and staff.

We are sending copies of this report to the Chairman and Ranking Minority
Members of the Senate Committee on Banking, Housing, and Urban Affairs;
the Senate Committee on Homeland Security and Governmental Affairs; the
House Committee on Financial Services; and the House Committee on
Government Reform. We are also sending copies to the Secretary of the
Treasury, the Director of the Office of Management and Budget, and other
interested parties. In addition, this report will be available at no
charge on the GAO Web site at http://www.gao.gov.

This report was prepared under the direction of Jeanette M. Franzel,
Director, Financial Management and Assurance, who can be reached at (202)
512-9471 or [email protected]. If I can be of further assistance, please
call me at (202) 512-5500.

Sincerely yours,

David M. Walker Comptroller General of the United States

To the Chairman of the United States Securities and Exchange
CommissionAuditor's Report

In our audits of the United States Securities and Exchange Commission
(SEC) for fiscal years 2005 and 2004, we found

o the financial statements as of and for the fiscal years ended September
30, 2005, and 2004, including the accompanying notes, are presented
fairly, in all material respects, in conformity with U.S. generally
accepted accounting principles;

o SEC did not have effective internal control over financial reporting
(including safeguarding of assets), but had effective control over
compliance with laws and regulations we tested that could have a direct
and material effect on the financial statements as of September 30, 2005;
and

o no reportable noncompliance with laws and regulations we tested.

The following sections discuss in more detail (1) these conclusions as
well as our conclusions on Management's Discussion and Analysis and other
supplementary information and (2) the objectives, scope, and methodology
of our audit.

Opinion on Financial Statements

The SEC's balance sheets as of September 30, 2005, and 2004, and its
related statements of net cost, changes in net position, budgetary
resources, financing, and custodial activity, with accompanying notes for
the fiscal years then ended, are presented fairly, in all material
respects, in conformity with U.S. generally accepted accounting
principles.

However, misstatements may nevertheless occur in other financial
information reported by SEC as a result of the internal control weaknesses
described in this report.

Opinion on Internal Control

This is the second year that SEC has prepared a complete set of financial
statements for audit. Despite the specific issues with internal control
explained below, SEC was able to prepare financial statements that were
fairly stated in all material respects for fiscal years 2005 and 2004. A
notable achievement during fiscal year 2005 was SEC's acceleration of its
financial reporting. SEC was able to issue financial statements that were
fairly stated in all material respects for fiscal year 2005 by November
15, 2005, in accordance with OMB timeframes. This due date was met through
the tremendous dedication of time and effort from SEC management and
staff.

The acceleration did serve to highlight the difficulties in SEC's
financial reporting process and the accounting and reporting for
disgorgements that we identified in our fiscal year 2004 audit. In
addition, SEC continues to have weaknesses in its information security
controls.

Because of the material weaknesses in internal control discussed below, in
our opinion, SEC did not maintain effective internal control over
financial reporting (including safeguarding of assets) as of September 30,
2005, and thus did not provide reasonable assurance that losses and
misstatements material in relation to the financial statements would be
prevented or detected on a timely basis. However, SEC maintained in all
material respects effective internal control over compliance with laws and
regulations as of September 30, 2005, that provided reasonable assurance
that noncompliance with laws and regulations that are direct and material
in relation to the financial statements would be prevented or detected on
a timely basis.1

Material Weaknesses

As a result of our fiscal year 2005 audit, we concluded that SEC continues
to face the following key issues that we reported as part of our audit of
SEC's fiscal year 2004 financial statements, which represent material
weaknesses in internal controls:

o weaknesses in controls over the financial reporting process, resulting
in SEC not being able to prepare reliable and timely financial statements
without extensive and time-consuming manual procedures;

o weaknesses in controls over recording and reporting of disgorgement2 and
penalty3 activity pertaining to those who violate securities laws,
resulting in increased risk of incomplete or inaccurate disgorgement and
penalty data; and

o weaknesses in information security controls, resulting in increased risk
of unauthorized individuals being allowed to access, alter, or abuse
proprietary SEC programs and electronic data and assets.

We have reported on these material weaknesses in our prior audit and have
provided SEC recommendations to address these issues.4 SEC has made some
progress in resolving these matters; however, these matters remain as
material weaknesses as of September 30, 2005. These material weaknesses
were considered in determining the nature, timing, and extent of audit
tests applied in our audits of SEC's fiscal year 2005 and 2004 financial
statements, and our opinion on internal control does not affect our
financial audit opinion on the financial statements. The details
surrounding these weaknesses are being reported separately to SEC
management, along with recommendations for corrective actions. Less
significant matters involving SEC's system of internal controls and its
operations will also be reported to SEC separately.

Financial Statement Preparation Process

In response to the findings of our fiscal year 2004 audit, SEC has taken
some steps to address control weaknesses over preparing financial
statements and related disclosures. For example, in August 2005, SEC
drafted some policies and procedures for its financial statement
preparation process. SEC also established a process to improve
communication among other SEC divisions whose work impacts the financial
statements, and SEC has improved its ability to produce subsidiary ledgers
that support financial statement amounts. At the same time, SEC's
financial reporting process continues to be manually intensive and time
consuming, with numerous ad hoc procedures. For certain financial
statement line items and disclosures, the detailed support for the
balances and underlying transactions was not readily available, was
difficult to retrieve, and did not easily facilitate an audit trail. In
addition, SEC is still lacking policies and procedures for recording many
of its activities, such as its process for determining disgorgement and
penalty amounts receivable, for recording investment activity, and for
reconciling certain account balances such as the fiduciary liability. Many
policies and procedures that do exist are still in draft, are complicated
and not easy to follow, or in some cases are outdated or not
comprehensive. In addition, SEC still does not have an easy-to-follow
process for compiling financial statement amounts to enable a cross-walk
from the financial statements to the general ledger and supporting
subsidiary schedules. Furthermore, certain balances on the financial
statements do not readily agree to supporting detail. SEC's Office of
Financial Management, the office charged with SEC's financial reporting
and financial management, does not have sufficient staff with expertise in
financial reporting. As a result, too many responsibilities have been
vested with too few people, causing problems such as inadequate
segregation of duties, inadequate quality assurance reviews, and
difficulties managing the financial reporting workload. Because of these
issues, SEC needed to dedicate considerable time and resources from its
operating divisions to assist its Office of Financial Management in
reconciling the financial statement amounts to its supporting general
ledger balances and other supporting detail. SEC's financial reporting
process can be strengthened by increased interaction with and input from
the program operations' offices responsible for key financial data needed
for financial reporting.

Controls over the financial statement preparation process should be
designed to provide reasonable assurance regarding the reliability of the
balances and disclosures reported in the financial statements and related
notes in conformity with generally accepted accounting principles,
including the maintenance of detailed support that accurately and fairly
reflects the transactions making up the balances in the financial
statements and disclosures. GAO's Standards for Internal Control in the
Federal Government5 provide an overall framework for establishing and
maintaining internal control, including a discussion of control
activities, management review, and documentation of processes and
transactions. A financial statement preparation process with documented
comprehensive policies and procedures, a clear audit trail between the
financial statement balances and the detailed support, and quality
assurance reviews, if properly designed and implemented, should provide
SEC management with reasonable assurance that the balances presented in
the financial statements and related disclosures are supported by SEC's
underlying accounting records. We believe SEC can use the lessons learned
from the fiscal year 2005 financial reporting and audit processes to
further formalize and improve its process for developing and reviewing the
figures needed to compile and prepare its year-end and interim financial
statements.

Disgorgements and Penalties

As part of its enforcement responsibilities, SEC issues and administers
judgments ordering, among other things, disgorgements, civil monetary
penalties, and interest against violators of federal securities laws.
These transactions involve material amounts of collections, and the
recording and reporting of fiduciary and custodial liability balances on
the financial statements.6 As shown in SEC's Statement of Custodial
Activity, SEC collected more than $1.6 billion from federal securities
laws violators during fiscal year 2005. Of that total, approximately $302
million was distributed to harmed investors; $207 million was transferred
to the Treasury; and approximately $1.1 billion is being held by the SEC
for future distribution to harmed investors. In total, SEC held
approximately $1.976 billion in such funds at September 30, 2005, for
future distribution to harmed investors. These amounts are recorded in the
fiduciary liability, investments, and fund balance with Treasury line
items, with additional detail provided in note 18 to the financial
statements. SEC also has recorded fines and penalties receivable of
approximately $1.365 billion, of which it estimates that approximately $96
million will be collectible. These amounts are included in SEC's accounts
receivable and custodial liabilities line items, with additional detail
provided in note 6 to the financial statements.

Since our fiscal year 2004 audit, SEC has undertaken a comprehensive
review of the disgorgement and penalty financial data in its database,
which includes data on over 12,000 parties in SEC enforcement issues.
SEC's review uncovered a significant amount of financial data inaccuracies
which it is still in the process of correcting.

Our audit testing for fiscal year 2005 continued to find similar control
weaknesses and data inaccuracies to the problems we noted during our audit
of SEC's fiscal year 2004 financial statements. Contributing to SEC's
control weaknesses in these areas is that the database SEC uses to record
and report disgorgements and penalties data has limitations and is not
designed to facilitate accounting for and financial reporting of the data.
To compensate for limitations in the disgorgements and penalties database,
SEC staff perform extensive manual procedures to compile quarterly
subsidiary ledgers to update the accounting system for disgorgement- and
penalty-related balances and activity (including cash receipts and
disbursements). As we noted in our fiscal year 2004 audit, while SEC has a
draft policy covering certain aspects of accounting for disgorgements and
penalties, the policy is not comprehensive and does not include the
process and controls for determining the amounts to be recorded for
disgorgements and penalty activity and for reviewing the entries. In
addition, SEC does not have a policy that includes formal procedures to
provide assurance that the cash collections have been properly credited to
the appropriate cases in the appropriate amounts in the related subsidiary
records for investments and fund balance with Treasury. Furthermore, SEC's
policies do not include formal procedures to provide assurance that cash
disbursements are properly tracked in the related subsidiary ledgers that
provide information on the status of each case.

As we have again found during the fiscal year 2005 financial statement
audit, not having comprehensive policies and controls increases the risk
that disgorgement and penalty transactions will not be completely,
accurately, and consistently recorded and reported.

Although we were able to obtain sufficient audit support for SEC's
estimated collectible amount of $96 million, we noted significant errors
and misstatements in the recorded gross accounts receivable balance of
$1.365 billion and the related allowance for loss of $1.269 billion.
Specifically, we noted errors and/or inconsistent treatment in recording
judgment and interest amounts, terminated debts, waivers, and recording of
activity such as amounts paid by defendants. Contributing to these errors
is the lack of a clear policy, communication, and coordination between the
two key SEC units, both responsible for disgorgement and penalty activity,
addressing the supporting documents needed to record the activity, as well
as the lack of follow-up procedures to ensure that the activity is being
recorded in a timely fashion and in the proper reporting period.7 In most
cases, these errors were offsetting through the allowance for loss
account; however, such errors raise concern about the controls over the
reliability of the gross accounts receivable and related allowance amounts
reported in note 6 to the financial statements.

Establishing proper controls and policies and procedures over the
recording of disgorgement and penalty activity and the related collections
and adopting a new accounting system to capture the activity for financial
reporting purposes are necessary to provide reasonable assurance that
disgorgement and penalty transactions are recorded in a complete,
accurate, and timely manner for management's use in decision making and
tracking of operations, and to facilitate the preparation of financial
statements and related disclosures. The process should also include
maintaining supporting documentation that, in reasonable detail, supports
the transactions that are recorded, and monitoring the data input, data
modifications, and the related financial reporting process for
reliability. Due to the importance of these activities to SEC's mission
and the magnitude of the amounts, it is of critical importance that the
internal control weaknesses in this area be addressed.8

Information Security

Effective information system controls are essential to providing
reasonable assurance that financial information and financial assets are
adequately safeguarded from inadvertent or deliberate misuse, fraudulent
use, improper disclosure, or destruction. These controls are part of an
entitywide computer security management program that includes access
controls, system software, application development and change controls,
segregation of duties, and service continuity controls. A comprehensive
entitywide security management program must be established in order to
ensure effective information security controls and to provide a systemic
approach to identifying and addressing security weaknesses. An effective
program would include issuing guidance and implementing procedures for
assessing risks, establishing policies and related controls, raising
awareness of prevailing risks and mitigating controls, evaluating the
effectiveness of established controls, and using the results of
management's evaluation to continuously improve controls.

SEC relies extensively on computerized information systems to process,
account for, and report on its financial activities and make payments. As
part of the financial statement audit, we assessed the effectiveness of
SEC's information system controls using GAO's Federal Information System
Controls Audit Manual9 which contains guidance for reviewing information
system controls that affect the integrity, confidentiality, and
availability of computerized data.

During fiscal year 2005, SEC took steps to strengthen its information
security program by increasing security staffing, certifying and
accrediting several major applications, and instituting a backup data
center. At the same time, most of the information security controls
weaknesses identified in our fiscal year 2004 SEC audit persisted10 and we
identified additional weaknesses. Specifically, SEC had not consistently
implemented effective electronic access controls, including user accounts
and passwords, access rights and permissions, network security, or audit
and monitoring of security-relevant events to limit and detect access to
its critical financial and sensitive systems and information. As a result,
SEC's financial assets are at risk of loss due to access control
weaknesses. In addition, weaknesses in other information security
controls, including physical security, segregation of computer functions,
application change controls, and service continuity, further increase the
risk to SEC's information systems, information, and financial assets. As a
result, sensitive data-including payroll and financial transactions,
personnel data, regulatory, and other mission-critical
information-remained at risk of unauthorized disclosure, modification, or
loss. The details surrounding these weaknesses will be reported separately
to SEC management, along with recommendations for corrective actions.

A key reason for SEC's information security control weaknesses is that SEC
has not fully implemented a comprehensive security management program. SEC
has taken some actions to improve security management such as defining
roles and responsibilities for its central security group. However, it
still needs to take additional steps to fully implement all key elements
of an information security management program. Such a program is critical
to provide SEC with a solid foundation for resolving existing information
security problems and continuously managing information security risks. 
Without effective management of its information security controls, SEC
will not be able to provide reasonable assurance that financial
information and financial assets are adequately safeguarded from misuse,
fraud, improper disclosure, modification, or destruction.

Compliance with Laws and Regulations

Our tests for compliance with selected provisions of laws and regulations
disclosed no instances of noncompliance that would be reportable under
U.S. generally accepted government auditing standards or OMB audit
guidance. However, the objective of our audit was not to provide an
opinion on overall compliance with laws and regulations. Accordingly, we
do not express such an opinion.

Consistency of Other Information

SEC's Management Discussion and Analysis, required supplementary
information, and other accompanying information contain a wide range of
data, some of which are not directly related to the financial statements.
We did not audit and do not express an opinion on this information.
However, we compared this information for consistency with the financial
statements and discussed the methods of measurement and presentation with
SEC officials. Based on this limited work, we found no material
inconsistencies with the financial statements or nonconformance with OMB
guidance.

Objectives, Scope, and Methodology

SEC management is responsible for (1) preparing the financial statements
in conformity with U.S. generally accepted accounting principles; (2)
establishing, maintaining, and assessing internal control to provide
reasonable assurance that the broad control objectives of the Federal
Managers' Financial Integrity Act (FMFIA) are met; and (3) complying with
applicable laws and regulations.

We are responsible for obtaining reasonable assurance about whether (1)
the financial statements are presented fairly, in all material respects,
in conformity with U.S. generally accepted accounting principles; and (2)
management maintained effective internal control that provides reasonable,
but not absolute, assurance the following objectives are met.

o Financial reporting: Transactions are properly recorded, processed, and
summarized to permit the timely and reliable preparation of financial
statements in conformity with U.S. generally accepted accounting
principles, and assets are safeguarded against loss from unauthorized
acquisition, use, or disposition.

o Compliance with laws and regulations: Transactions are executed in
accordance with (1) laws governing the use of budgetary authority, (2)
other laws and regulations that could have a direct and material effect on
the financial statements, and (3) any other laws, regulations, or
governmentwide policies identified by OMB audit guidance.

We are also responsible for (1) testing compliance with selected
provisions of laws and regulations that could have a direct and material
effect on the financial statements and for which OMB audit guidance
requires testing and (2) performing limited procedures with respect to
certain other information appearing in SEC's Performance and
Accountability Report. In order to fulfill these responsibilities, we

o examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements;

o assessed the accounting principles used and significant estimates made
by SEC management;

o evaluated the overall presentation of the financial statements;

o obtained an understanding of internal control related to financial
reporting (including safeguarding of assets) and compliance with laws and
regulations (including execution of transactions in accordance with budget
authority);

o obtained an understanding of the recording, processing, and summarizing
of performance measures as reported in Management's Discussion and
Analysis;

o tested relevant internal controls over financial reporting and
compliance with laws and regulations, and evaluated the design and
operating effectiveness of internal control;

o considered SEC's process for evaluating and reporting on internal
control and financial management systems under the FMFIA; and

o tested compliance with selected provisions of the following laws and
their related regulations:

o the Securities Exchange Act of 1934, as amended;

o the Securities Act of 1933, as amended;

o the Antideficiency Act;

o laws governing the pay and allowance system for SEC employees; and

o the Prompt Payment Act.

We did not evaluate all internal controls relevant to operating objectives
as broadly defined by the FMFIA, such as those controls relevant to
preparing statistical reports and ensuring efficient operations. We
limited our internal control testing to controls over financial reporting
and compliance. Because of inherent limitations in internal control,
misstatements due to error or fraud, losses, or noncompliance may
nevertheless occur and not be detected. We also caution that projecting
our evaluation to future periods is subject to the risk that controls may
become inadequate because of changes in conditions or that the degree of
compliance with controls may deteriorate.

We did not test compliance with all laws and regulations applicable to
SEC. We limited our tests of compliance to those required by OMB audit
guidance and other laws and regulations that had a direct and material
effect on, or that we deemed applicable to, SEC's financial statements for
the fiscal year ended September 30, 2005. We caution that noncompliance
may occur and not be detected by these tests and that such testing may not
be sufficient for other purposes.

We performed our work in accordance with U.S. generally accepted
government auditing standards and OMB audit guidance.

SEC Comments and Our Evaluation

In commenting on a draft of this report, the SEC Chairman was pleased to
receive an unqualified opinion on SEC's financial statements. The Chairman
also acknowledged the material weaknesses in internal control and stated
that resolving the weaknesses will be his highest operational priority.
The Chairman stated that SEC plans to address the internal control
weakness concerning the preparation of financial statements by fully
documenting and integrating into agency operations the disciplined
procedures and policies needed to complete accurate and timely financial
statements. In addition, SEC established a formal financial management
review committee to provide advice and to regularly review the agency's
financial operations and policies. SEC plans to address the internal
control weaknesses related to disgorgements and penalties through the
replacement of the financial system it uses to track disgorgement and
penalty data. In addition, SEC plans to strengthen controls over the
processes for tracking the investment and distribution of funds to harmed
investors. To address the internal control weaknesses concerning
information technology security that were identified in fiscal year 2004,
SEC plans to complete action plans that were put in place following our
fiscal year 2004 audit, including finalization of policies and operating
procedures and procedures underlying the overall security management
program. SEC also plans to begin defining actions and milestones for
resolving additional weaknesses identified during this year's audit.

The complete text of SEC's response is included in appendix I.

David M. Walker Comptroller General of the United States

November 10, 2005

Management Discussion Analysis

Financial Statements

Required Supplemental Information

Comments from the Securities and Exchange CommissionAppendix I

(194502)

www.gao.gov/cgi-bin/getrpt? GAO-06-239 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Jeanette Franzel at (202) 512-9471 or
[email protected].

Highlights of GAO-06-239 , a report to Chairman of the Securities and
Exchange Commission

November 2005

FINANCIAL AUDIT

Securities and Exchange Commission's Financial Statements for Fiscal Years
2005 and 2004

Established in 1934 to enforce the

securities laws and protect

investors, the Securities and

Exchange Commission (SEC) plays

an important role in maintaining

the integrity of the U.S. securities

markets.

Pursuant to the Accountability of

Tax Dollars Act of 2002, the SEC is

required to prepare and submit to

Congress and the Office of

Management and Budget audited

financial statements. GAO agreed,

under its audit authority, to

perform the audit of SEC's

financial statements. GAO's audit

was done to determine whether, in

all material respects, (1) SEC's

fiscal year 2005 financial

statements were reliable and (2) SEC's management maintained effective
internal control over financial reporting and compliance with laws and
regulations. We also tested SEC's compliance with certain laws and
regulations.

In GAO's opinion, SEC's fiscal year 2005 financial statements were fairly
presented in all material respects. A notable achievement during fiscal
year 2005 was SEC's acceleration of its financial reporting and issuance
of its audited financial statements by November 15, 2005. However, because
of continued material internal control weaknesses in the areas of
preparing financial statements and related disclosures, recording and
reporting disgorgements and penalties, and information security, in GAO's
opinion, SEC did not maintain effective internal control over financial
reporting as of September 30, 2005. Recommendations for corrective actions
will be included in a separate report. SEC did maintain in all material
respects effective internal control over compliance with laws and
regulations we tested as of September 30, 2005, and GAO did not find
reportable instances of noncompliance with laws and regulations it tested.

For the preparation of its financial statements, SEC has drafted some
policies and procedures, improved communication among SEC divisions, and
improved subsidiary ledgers that support financial statement amounts.
However, SEC's financial reporting process continues to be largely manual
and difficult to follow. The link between the financial statements and the
detailed account balances was not supported by an adequate audit trail;
support for certain balances was not readily available; and policies for
financial reporting were still incomplete. SEC's Office of Financial
Management does not have sufficient staff with expertise in financial
reporting, resulting in too many responsibilities vested with too few
people, causing problems with segregation of duties, achieving quality
assurance reviews, and being able to effectively manage the workload.

In the area of disgorgements and penalties, SEC has undertaken a
comprehensive review of related financial data and has identified many
inaccuracies which it is in the process of correcting. Contributing to
SEC's control weakness in this area are limitations in SEC's database used
to track disgorgement- and penalty-related activity. The database is not
designed to facilitate accounting and financial reporting causing SEC to
perform extensive, manual procedures to account for this activity. During
our fiscal year 2005 audit, we continued to find inaccuracies in the data
that were similar to what we found during the fiscal year 2004 audit.

SEC has taken steps to strengthen its information security by increasing
staffing, certifying and accrediting applications, and establishing a
backup data center. However, most of the weaknesses identified in our
fiscal year 2004 audit persisted, and we identified additional weaknesses,
including several important aspects of access control. Key to SEC's
weakness in information security control is that it has not fully
implemented a comprehensive program for security management. Such a
program is fundamental to protecting the integrity, confidentiality, and
availability of SEC's sensitive data.
*** End of document. ***