Wednesday, March 31, 2010
The GAO released today another report, Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures, on its audits over SEC's internal controls and found that previously identified deficiencies had not been corrected. It also noted new problems. The report sets forth a number of recommendations to cure these deficiencies. In an attached letter, SEC Chair outlines improvements that are underway at the agency to correct the failings.
Specifically, the report states:
During our fiscal year 2009 audit of SEC’s controls over financial reporting, we identified six significant deficiencies:
• information security,
• financial reporting process,
• fund balance with Treasury,
• registrant deposits,
• budgetary resources, and
• risk assessment and monitoring processes.
These deficiencies collectively represented a material weakness in internal control. ...
We identified weaknesses in SEC’s information security controls over key financial reporting systems. Specifically, we found that SEC did not adequately:
• segregate computer-related duties and functions;
• restrict user privileges;
• implement patches and current software versions;
• use approved, secure means to transmit data;
• implement configuration management; and
• complete a certification and accreditation of its general ledger system and supporting processes during the fiscal year.
These control weaknesses jeopardize the confidentiality, availability, and integrity of automated information processed by SEC’s financial reporting systems, thereby increasing the risk of material misstatement in financial reporting and the risk of unauthorized modification or destruction of data.