Summary: Pursuant to the Accountability for Tax Dollars Act of 2002, the Securities and Exchange Commission (SEC) is required to prepare and submit to Congress and the Office of Management and Budget audited financial statements. GAO agreed, under its audit authority, to perform the initial audit of SEC's financial statements. GAO's audit was done to determine whether, in all material respects, (1) SEC's fiscal year 2004 financial statements were reliable, (2) SEC's management maintained effective internal control over financial reporting and compliance with laws and regulations, and (3) SEC's management complied with applicable laws and regulations. Established in 1934 to enforce the securities laws and protect investors, the SEC plays an important role in maintaining the integrity of the U.S. securities markets. GAO was asked by the Chairman of the Senate Subcommittee on Federal Financial Management, Government Information, and International Security, Committee on Homeland Security and Governmental Affairs, to present the results of its May 26, 2005, report, Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Year 2004 (GAO-05-244).
The SEC's first ever financial audit was performed by GAO for fiscal year 2004. In reporting on the results of the audit, GAO issued an unqualified, or clean, opinion on the financial statements of the SEC. This means that SEC's financial statements presented fairly, in all material respects, its financial position as of September 30, 2004, and the results of operations for the year then ended. However, because of material internal control weaknesses in the areas of preparing financial statements and related disclosures, recording and reporting disgorgements and penalties, and information security, GAO issued an adverse opinion on internal controls, concluding that SEC did not maintain effective internal control over financial reporting as of September 30, 2004. However, SEC did maintain, in all material respects, effective internal control over compliance with laws and regulations material in relation to the financial statements as of September 30, 2004. In addition, GAO did not find reportable instances of noncompliance with laws and regulations it tested. It is important to remember that GAO's opinions on SEC's financial statements and internal controls reflect a point in time. SEC prepared its first complete set of financial statements for fiscal year 2004 and made significant progress during the year in building a financial reporting structure for preparing financial statements for audit. However, GAO identified inadequate controls over SEC's financial statement preparation process including a lack of sufficient documented policies and procedures, support, and quality assurance reviews, increasing the risk that SEC management will not have reasonable assurance that the balances presented in the financial statements and related disclosures are supported by SEC's underlying accounting records. In addition, GAO identified inadequate controls over SEC's disgorgements and civil penalties activities, increasing the risk that such activities will not be completely, accurately, and properly recorded and reported for management's use in its decision making. GAO also found that SEC has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data, increasing the risk of unauthorized disclosure, modification, or loss of the data, possibly without detection. The risks created by these information security weaknesses are compounded because the SEC does not have a comprehensive monitoring program to identify unusual or suspicious access activities. SEC agreed with our findings and is currently working to improve controls in all these areas.