The Securities and Exchange Commission, which has been after public companies to tighten their internal controls as mandated by Sarbanes-Oxley, needs to do some tightening itself, according to the Government Accountability Office.
A GAO audit of the SEC's fiscal year 2004 financial statements gave the securities regulator a clean audit opinion, but said that the commission didn't maintain effective internal control over financial reporting because of material weaknesses in recording and reporting disgorgements and penalties, preparing financial statements and related disclosures, and information security.
While the commission "made significant progress during the year in building a financial reporting structure for preparing financial statements for audit," the GAO said that it identified inadequate controls over the SEC's disgorgements and civil penalties activities, increasing the risk that such activities won't be properly recorded and reported for management's use in its decision-making.
Inadequate controls over the SEC's financial statement preparation process included a lack of sufficient documented policies and procedures, support and quality assurance reviews, which the GAO said increased the risk that management "will not have reasonable assurance that the balances presented in the financial statements and related disclosures are supported by the SEC's underlying accounting records."
In addition, the SEC hasn't effectively implemented information system controls to protect the confidentiality and availability of financial and sensitive data, increasing the risk of unauthorized disclosure, modification or loss of the data, possibly without detection, according to the GAO.
"The risks created by these information security weaknesses are compounded because the SEC does not have a comprehensive monitoring program to identify unusual or suspicious access activities," the watchdog group said.
In comments responding to the GAO report, the SEC said that it was "pleased" to receive an unqualified opinion on its first-ever financial statements, and acknowledged the material weaknesses in internal control. The commission said that the audit "confirmed many of the findings reported in prior years through the SEC's Federal Managers' Financial Integrity Act and audit programs."
The agency said that it is "moving aggressively" to address and resolve the weaknesses, and said that it will address the information technology security weaknesses and weaknesses related to disgorgements and penalties by fiscal year 2006. The SEC also plans to hire additional staff, formalize policies and procedures for preparing and reviewing financial statements, and establish a formal audit committee to engage in financial reporting issues to address weakness pertaining to preparation of financial statements.
