Financial Audit: Securities and Exchange Commission's Financial
Statements for Fiscal Years 2006 and 2005 (15-NOV-06,
GAO-07-134).
Established in 1934 to enforce the securities laws and protect
investors, the Securities and Exchange Commission (SEC) plays an
important role in maintaining the integrity of the U.S.
securities markets. Pursuant to the Accountability of Tax Dollars
Act of 2002, the SEC is required to prepare and submit to
Congress and the Office of Management and Budget audited
financial statements. GAO agreed, under its audit authority, to
perform the audit of SEC's financial statements. GAO's audit was
done to determine whether, in all material respects, (1) SEC's
fiscal year 2006 financial statements were reliable and (2) SEC's
management maintained effective internal control over financial
reporting and compliance with laws and regulations. GAO also
tested SEC's compliance with certain laws and regulations.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-134
ACCNO: A63446
TITLE: Financial Audit: Securities and Exchange Commission's
Financial Statements for Fiscal Years 2006 and 2005
DATE: 11/15/2006
SUBJECT: Accountability
Accounting standards
Auditing standards
Financial management
Financial records
Financial statement audits
Financial statements
Information security
Internal controls
Program evaluation
Reporting requirements
Reports management
Risk assessment
Securities
Stock exchanges
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-134
* [1]Report to the Chairman, United States Securities and Exchange
Commission
* [2]November 2006
* [3]FINANCIAL AUDIT
* [4]Securities and Exchange Commission's Financial Statements for
Fiscal Years 2006 and 2005
* [5]Contents
* [6]Opinion on Financial Statements
* [7]Opinion on Internal Control
* [8]Compliance with Laws and Regulations
* [9]Consistency of Other Information
* [10]Objectives, Scope, and Methodology
* [11]Reportable Conditions
* [12]Disgorgements and Penalties
* [13]Information Security
* [14]Property and Equipment
* [15]SEC Comments and Our Evaluation
* [16]Management's Discussion and Analysis
* [17]Financial Statements
* [18]Comments from the Securities and Exchange Commission
Report to the Chairman, United States Securities and Exchange Commission
November 2006
FINANCIAL AUDIT
Securities and Exchange Commission's Financial Statements for Fiscal Years
2006 and 2005
Contents
Abbreviations
November 15, 2006Letter
The Honorable Christopher Cox Chairman U.S. Securities and Exchange
Commission
Dear Mr. Cox:
This report presents our opinion on whether the financial statements of
the Securities and Exchange Commission (SEC) for the fiscal years ended
September 30, 2006, and 2005 are presented fairly, in all material
respects, in conformity with U.S. generally accepted accounting
principles. This report also presents (1) our opinion on the effectiveness
of SEC's internal control over financial reporting and compliance as of
September 30, 2006, and (2) the results of our evaluation of SEC's
compliance with selected laws and regulations during 2006.
The Accountability of Tax Dollars Act of 2002 requires that SEC prepare
and submit to Congress and the Office of Management and Budget (OMB)
audited financial statements. We decided, under our audit authority, to
audit SEC's financial statements. We conducted this audit in accordance
with U.S. generally accepted government auditing standards and OMB
guidance.
We are sending copies of this report to the Chairman and Ranking Minority
Members of the Senate Committee on Banking, Housing, and Urban Affairs;
the Senate Committee on Homeland Security and Governmental Affairs; the
House Committee on Financial Services; and the House Committee on
Government Reform. We are also sending copies to the Secretary of the
Treasury, the Director of the Office of Management and Budget, and other
interested parties. In addition, this report will be available at no
charge on our Web site at http://www.gao.gov.
This report was prepared under the direction of Jeanette M. Franzel,
Director, Financial Management and Assurance, who can be reached at (202)
512-9471 or [email protected]. If I can be of further assistance,
please call me at (202) 512-5500.
Sincerely yours,
David M. Walker Comptroller General of the United States
To the Chairman of the United States Securities and Exchange
Commission
Auditor's Report
In our audits of the United States Securities and Exchange Commission
(SEC) for fiscal years 2006 and 2005, we found
othe financial statements as of and for the fiscal years ended September
30, 2006, and 2005, including the accompanying notes, are presented
fairly, in all material respects, in conformity with U.S. generally
accepted accounting principles;
oalthough certain internal controls should be improved, SEC had effective
internal control over financial reporting (including safeguarding assets)
and compliance with laws and regulations as of September 30, 2006; and
ono reportable noncompliance with laws and regulations we tested.
The following sections discuss in more detail these conclusions as well as
our conclusions on Management's Discussion and Analysis and other
supplementary information. They also present information on the
objectives, scope, and methodology of our audit and our discussion of SEC
management's comments on a draft of this report.
Opinion on Financial Statements
SEC's balance sheets as of September 30, 2006, and 2005, and its related
statements of net cost, changes in net position, budgetary resources,
financing, and custodial activity, with accompanying notes for the fiscal
years then ended, are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles.
Opinion on Internal Control
Although certain internal controls should be improved, SEC management
maintained, in all material respects, effective internal control over
financial reporting (including safeguarding assets) and compliance as of
September 30, 2006, that provided reasonable assurance that misstatements,
losses, or noncompliance material in relation to the financial statements
would be prevented or detected on a timely basis. Our opinion is based on
criteria established under 31 U.S.C. S 3512 (c), (d) commonly known as the
Federal Managers' Financial Integrity Act (FMFIA) and OMB Circular A-123,
revised June 21, 1995, Management Accountability and Control.
We identified three reportable conditions which, although not material
weaknesses,^1 represent significant deficiencies in the design or
operation of internal control that could adversely affect SEC's ability to
meet its internal control objectives. These conditions, described in more
detail later in this report, concern deficiencies in (1) SEC's reporting
of disgorgements^32 and penalties, (2) information system controls, and
(3) property and equipment controls.
In our 2005 report,^4 we identified material weaknesses in the areas of
SEC's (1) reporting of disgorgements and penalties, (2) information
systems controls, and (3) financial reporting process. Based on SEC's
efforts to address concerns with controls over disgorgements and penalties
and with information systems, and based on improvements we found in these
areas during our fiscal year 2006 audit, we have concluded that these two
previously reported weaknesses are no longer material. Because many of
these efforts represent compensating controls rather than permanent
systemic solutions, deficiencies in the design and operation of internal
control in these areas remain and could adversely affect SEC's recording
and reporting of disgorgements and penalties and its information security.
Therefore we considered these areas to still be reportable conditions.
During our fiscal year 2006 audit, we have also concluded that SEC has
taken sufficient action in the area of controls over the financial
reporting process such that we no longer consider this issue to be a
material weakness or reportable condition.
Although the reportable conditions did not materially affect the 2006
financial statements, misstatements may nevertheless occur in unaudited
financial information reported by SEC, including performance information,
as a result of the internal control weaknesses.
Compliance with Laws and Regulations
Our tests for compliance with selected provisions of laws and regulations
disclosed no instances of noncompliance that would be reportable under
U.S. generally accepted government auditing standards or OMB audit
guidance. However, the objective of our audit was not to provide an
opinion on overall compliance with laws and regulations. Accordingly, we
do not express such an opinion.
Consistency of Other Information
SEC's Management's Discussion and Analysis and other accompanying
information contain a wide range of data, some of which are not directly
related to the financial statements. We did not audit and do not express
an opinion on this information. However, we compared this information for
consistency with the financial statements and discussed the methods of
measurement and presentation with SEC officials. Based on this limited
work, we found no material inconsistencies with the financial statements
or nonconformance with OMB guidance. However, because of the internal
control weaknesses noted above, misstatements may occur in related
performance measures.
Objectives, Scope, and Methodology
SEC management is responsible for (1) preparing the financial statements
in conformity with U.S. generally accepted accounting principles; (2)
establishing, maintaining, and assessing internal control to provide
reasonable assurance that the broad control objectives of FMFIA are met;
and (3) complying with applicable laws and regulations.
We are responsible for obtaining reasonable assurance about whether (1)
the financial statements are presented fairly, in all material respects,
in conformity with U.S. generally accepted accounting principles; and (2)
management maintained effective internal control that provides reasonable,
but not absolute, assurance the following objectives are met:
oFinancial reporting: Transactions are properly recorded, processed, and
summarized to permit the timely and reliable preparation of financial
statements in conformity with U.S. generally accepted accounting
principles, and assets are safeguarded against loss from unauthorized
acquisition, use, or disposition.
oCompliance with applicable laws and regulations: Transactions are
executed in accordance with (1) laws governing the use of budgetary
authority, (2) other laws and regulations that could have a direct and
material effect on the financial statements, and (3) any other laws,
regulations, or governmentwide policies identified by OMB audit guidance.
We are also responsible for (1) testing compliance with selected
provisions of laws and regulations that could have a direct and material
effect on the financial statements and for which OMB audit guidance
requires testing and (2) performing limited procedures with respect to
certain other information appearing in SEC's Performance and
Accountability Report. In order to fulfill these responsibilities, we
oexamined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements;
oassessed the accounting principles used and significant estimates made by
SEC management;
oevaluated the overall presentation of the financial statements;
oobtained an understanding of internal control related to financial
reporting (including safeguarding of assets) and compliance with laws and
regulations (including execution of transactions in accordance with budget
authority);
oobtained an understanding of the design of internal controls related to
the existence and completeness assertions relating to performance measures
as reported in Management's Discussion and Analysis, and determined
whether they have been placed in operation;
otested relevant internal controls over financial reporting and compliance
with applicable laws and regulations, and evaluated the design and
operating effectiveness of internal control;
oconsidered SEC's process for evaluating and reporting on internal control
and financial management systems under FMFIA; and
otested compliance with selected provisions of the following laws and
their related regulations:
othe Securities Exchange Act of 1934, as amended;
othe Securities Act of 1933, as amended;
othe Antideficiency Act;
olaws governing the pay and allowance system for SEC employees; and
othe Prompt Payment Act.
We did not evaluate all internal controls relevant to operating objectives
as broadly defined by FMFIA, such as those controls relevant to preparing
statistical reports and ensuring efficient operations. We limited our
internal control testing to controls over financial reporting and
compliance. Because of inherent limitations in internal control,
misstatements due to error or fraud, losses, or noncompliance may
nevertheless occur and not be detected. We also caution that projecting
our evaluation to future periods is subject to the risk that controls may
become inadequate because of changes in conditions or that the degree of
compliance with controls may deteriorate.
We did not test compliance with all laws and regulations applicable to
SEC. We limited our tests of compliance to those required by OMB audit
guidance and other laws and regulations that had a direct and material
effect on, or that we deemed applicable to, SEC's financial statements for
the fiscal year ended September 30, 2006. We caution that noncompliance
may occur and not be detected by these tests and that such testing may not
be sufficient for other purposes.
We performed our work in accordance with U.S. generally accepted
government auditing standards and OMB audit guidance.
SEC's management provided comments on a draft of this report. They are
discussed and evaluated in a later section of this report and are
reprinted in appendix I.
Reportable Conditions
We identified three reportable conditions which, although not material
weaknesses, represent significant deficiencies in the design or operation
of internal control that could adversely affect SEC's ability to meet its
internal control objectives. These conditions concern deficiencies in (1)
SEC's reporting of disgorgements and penalties, (2) information system
controls, and (3) property and equipment controls, which are summarized
below.
Additional details surrounding these reportable conditions, along with
recommendations for corrective action, are being reported separately to
SEC management. Less significant matters involving SEC's system of
internal controls and its operations will also be reported to SEC
separately.
Disgorgements and Penalties
As part of its enforcement responsibilities, SEC issues and administers
judgments ordering, among other things, disgorgements, civil monetary
penalties, and interest against violators of federal securities laws.
These transactions involve material amounts of collections, and the
recording and reporting of fiduciary and custodial liability balances on
the financial statements.^5
Our audit testing during fiscal year 2006 noted significant management
oversight and efforts to address weaknesses in the internal controls over
recording and reporting disgorgement and penalty information. During the
year, SEC finalized policies and procedures for reporting disgorgement and
penalty activity; improved reconciliations of disgorgement and penalty
transactions; established an internal audit function within the Division
of Enforcement; and had better and more timely coordination between the
two key SEC units responsible for reporting and recording disgorgements
and penalties. Of particular note was a comprehensive initiative SEC
undertook during the year to review and verify all of the outstanding
disgorgement and penalty debts. Through this project, SEC identified and
corrected numerous errors in the database used to record and report
disgorgements and penalties. These errors involved amounts due, judgment
and due dates, the payees, and status of the cases. This project also
identified steps needed with respect to collecting or terminating the
debts. Because of the limitations of the current case tracking system for
disgorgements and penalties, SEC's efforts far exceeded what would have
otherwise been necessary to determine the reliability of the data. These
efforts will most likely continue until SEC improves its financial system
for recording and reporting disgorgement and penalty information.
Even with SEC's increased efforts to address concerns over reporting of
disgorgements and penalties, our audit work during fiscal year 2006
continued to identify risks concerning the completeness of the
disgorgements and penalties receivable amounts. For example, we identified
a $21 million disgorgement case that was erroneously omitted from SEC's
disgorgement receivable balance at June 30, 2006. This is largely because
SEC's process for determining its disgorgement and penalty receivable
balances relies heavily on information being submitted to the Office of
Financial Management from individual attorneys working on each case. To
compensate for the risk presented by this process, in fiscal year 2006 SEC
instituted a compensating control in which the Enforcement office heads
were asked to certify the completeness and accuracy of the recorded
disgorgement receivable balances at June 30, 2006, and at fiscal year
end. Through this certification process, a number of cases were identified
as not having current information related to dollar amounts, due dates,
and payees, in the case tracking system used to establish the amounts
receivable at a given date. While none of these instances resulted in a
significant misstatement to the receivable balance reported on the
financial statements, relying on a decentralized detective control such as
this certification process requires significant analysis, data gathering,
and follow up, and increases the risk that disgorgement and penalty debts
and related activity may not get recorded in a timely manner or in the
proper period.
We are encouraged by SEC's commitment and management attention to
strengthening controls over disgorgement and penalty activity to date, as
well as SEC's planned future actions in this area. As discussed in it's
Management's Discussion and Analysis, SEC has designed procedures and
documentation to track disgorgement and penalty actions from the time they
are approved by the Commission to their recording in the case tracking
system. Also this past year, SEC has begun training attorneys handling the
cases on the steps necessary to maintain strong internal controls over
updating and communicating information that could impact financial
reporting. In addition, in fiscal year 2006 SEC designed a new financial
management system for tracking disgorgements and penalties that will
replace the financial portion of the existing case tracking system. SEC
expects these new controls and the new disgorgement financial system to be
fully operational in fiscal year 2007. Until a permanent and systemic
process is fully implemented and operational, SEC does not have sufficient
assurance over the accuracy and completeness of its reporting and tracking
of disgorgements and penalties.
Information Security
SEC relies extensively on computerized information systems to process,
account for, and report on its financial activities and make payments. In
order to provide reasonable assurance that financial information and
financial assets are adequately safeguarded from inadvertent or deliberate
misuse, fraudulent use, improper disclosure, or destruction, effective
information security controls are essential. These controls include
security management, access controls, change management, segregation of
duties, and continuity planning. Although SEC has made important progress
in strengthening its controls over financial systems and information and
in implementing an agencywide information security program, SEC still
needs to implement key elements of the program to remediate existing
weaknesses and provide assurance that new weaknesses do not emerge.
SEC has mitigated 51 of 64 control weaknesses that were previously
reported as unresolved at the time of our prior review. For example, SEC
completed actions to establish policies and procedures for risk
management, ensure that all users complete security training, and
implement an incident response program. SEC also took corrective action to
improve its systems' access rights and permissions, user accounts and
passwords, network security, and auditing and monitoring of
security-related events. In addition, SEC took immediate steps to address
11 of 15 new weaknesses related to access controls and segregation of
duties that we identified during the course of this year's audit.
While we have seen important efforts to improve its information security
program, 17 control weaknesses still exist at SEC. For example, SEC has
not mitigated weaknesses with user account and password management,
provided adequate segregation of system administrative functions, or
effectively protected and controlled physical access to its facilities. As
a result, sensitive data--including payroll and financial transactions,
personnel data, and regulatory and other mission-critical
information--remains at risk of unauthorized disclosure, modification, or
loss. Until SEC consistently implements all key elements of its
information security program, SEC will not have sufficient assurance that
financial information and financial assets are adequately safeguarded from
inadvertent or deliberate misuse, fraudulent use, improper disclosure, or
destruction.
Property and Equipment
SEC's property and equipment consists of software and general purpose
equipment used by the agency, capital improvements made to buildings
leased by SEC for office space, and internal-use software development
costs for projects in development. The reported book value of property and
equipment increased from approximately $73 million at September 30, 2005,
to nearly $104 million at September 30, 2006. The significant increase in
property and equipment is primarily due to SEC occupying new office space
in Washington, D.C., Boston, and New York during fiscal year 2006.
During the course of testing fiscal year 2006 additions, we noted numerous
instances of inaccuracies in recorded acquisition costs and dates for
furniture and equipment purchases, as well as unrecorded furniture and
equipment purchases, and errors in amounts capitalized for internal use
software projects. These systemic errors did not materially affect the
balances reported for property and equipment or the corresponding
depreciation/amortization expense amounts in SEC's financial statements
for fiscal year 2006; however, these conditions evidence a significant
deficiency in control over the recording of property and equipment that
impacts the reliability of its recorded balances for property and
equipment. Without a process that integrates controls over capitalizing
and recording property and equipment purchases, SEC does not have
sufficient assurance over the accuracy and completeness of its reported
balances for property and equipment.
GAO's Standards for Internal Control in the Federal Government^6 provide
an overall framework for establishing and maintaining internal control,
including a discussion of control activities, an example of which is
accurate and timely recording of transactions. Specifically, transactions
should be accurately and promptly recorded to maintain their relevance and
value to management in controlling operations and making decisions. In its
Management's Discussion and Analysis, SEC acknowledges the need to
strengthen control over this area.
SEC Comments and Our Evaluation
In commenting on a draft of this report, SEC's Chairman said he was
pleased to receive an unqualified opinion on SEC's financial statements,
and that there were no material weaknesses in internal control. The
Chairman acknowledged that further improvements are needed and discussed
ongoing and planned efforts to improve controls over disgorgements and
penalties, information security, and property management, three areas
which we identified as reportable conditions in this year's audit. The
Chairman stated that SEC intends to fully remediate all three reportable
conditions before the end of fiscal year 2007. SEC's commitment to
enhancing its internal controls to ensure reliability of financial
reporting, soundness of operations, and public confidence in the agency's
mission is key to the Chairman's statement that SEC must lead by example
when it comes to compliance with the internal control requirements of the
federal and private sectors.
The complete text of SEC's comments is reprinted in appendix I.
David M. Walker
Comptroller General of the United States
November 6, 2006
Management's Discussion and Analysis
Financial Statements
Appendix I
Comments from the Securities and Exchange Commission
(194571)
www.gao.gov/cgi-bin/getrpt?GAO-07-134 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Jeanette Franzel, 202-512-9471,
[email protected].
Highlights of [22]GAO-07-134 , a report to Chairman of the Securities and
Exchange Commission
November 2006
FINANCIAL AUDIT
Securities and Exchange Commission's Financial Statements for Fiscal Years
2006 and 2005
Established in 1934 to enforce the
securities laws and protect
investors, the Securities and
Exchange Commission (SEC) plays
an important role in maintaining
the integrity of the U.S. securities
markets.
Pursuant to the Accountability of
Tax Dollars Act of 2002, the SEC is
required to prepare and submit to
Congress and the Office of
Management and Budget audited
financial statements. GAO agreed,
under its audit authority, to
perform the audit of SEC's
financial statements. GAO's audit
was done to determine whether, in
all material respects, (1) SEC's
fiscal year 2006 financial
statements were reliable and (2) SEC's management maintained effective
internal control over financial reporting and compliance with laws and
regulations. GAO also tested SEC's compliance with certain laws and
regulations.
In GAO's opinion, SEC's fiscal year 2006 and 2005 financial statements
were fairly presented in all material respects. A notable achievement
during fiscal year 2006 was the significant efforts SEC made in addressing
the material weaknesses reported in GAO's previous years' financial
statement audits of SEC. As a result, GAO concluded that, although certain
controls should be improved, SEC had effective internal control over
financial reporting and compliance with laws and regulations. GAO did not
find reportable instances of noncompliance with the laws and regulations
it tested.
In its 2005 report, GAO identified material weaknesses in the areas of
SEC's (1) reporting of disgorgements and penalties, (2) information
systems controls, and (3) financial reporting process. Based on SEC's
efforts to address concerns with controls over disgorgements and penalties
and with information systems, and based on improvements GAO found in these
areas during its fiscal year 2006 audit, GAO has concluded that these two
previously reported weaknesses are no longer material. Because many of
these efforts represent compensating controls rather than permanent
systemic solutions, deficiencies in the design and operation of internal
control in these areas remain and could adversely affect SEC's recording
and reporting of disgorgements and penalties and its information security.
Therefore GAO considered these areas to still be reportable conditions. In
addition to reportable conditions over reporting of disgorgements and
penalties and information systems controls, during this year's audit, GAO
identified a new reportable condition concerning SEC's controls over
recording property and equipment.
It is important that SEC sustain its commitment to strengthening internal
controls to reduce the risks of inaccurate or incomplete reported
disgorgements and penalties amounts. SEC also needs to implement key
elements of its agencywide information security program to remediate
existing weaknesses and have sufficient assurance that financial
information and financial assets are adequately safeguarded from
inadvertent or deliberate misuse, fraudulent use, improper disclosure, or
destruction. Finally, SEC needs to improve controls over the recording of
property and equipment transactions in order to have sufficient assurance
over the accuracy and completeness of these reported balances.
In commenting on a draft of this report, SEC's Chairman emphasized his
commitment to further enhancing internal controls to ensure reliability of
financial reporting, soundness of operations, and public confidence in the
agency's mission.
References
Visible links
22. http://www.gao.gov/cgi-bin/getrpt?GAO-07-134
*** End of document. ***