Independent Accountant's Report

This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

FINANCIAL MANAGEMENT SYSTEMS CONTROLS

Audit No. 362
January 31, 2003

INDEPENDENT ACCOUNTANT'S REPORT

January 31, 2003

Mr. Walter Stachnik
Inspector General
U.S. Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549

Dear Mr. Stachnik:

We have examined the U.S. Securities and Exchange Commission's (SEC's) written assertion in the Executive Director's Federal Managers Financial Integrity Act (FMFIA) Certification for Fiscal Year 2002. This certification addresses the effectiveness of internal control for the fiscal year ended September 30, 2002, based on criteria established under FMFIA. SEC management is responsible for maintaining effective internal control and for the content of its written assertion. Our responsibility is to express an opinion on whether SEC's system of internal control is effective in all material respects based on our examination.

We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, obtained an understanding of SEC's internal control, evaluated the design and operating effectiveness of internal control, and performed such other procedures considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of inherent limitations in internal control, misstatements due to error or fraud may occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with policies or procedures may deteriorate.

In our opinion, SEC's internal control for the fiscal year ended September 30, 2002, was effective in all material respects based on criteria established under FMFIA, except for three material weaknesses and one material nonconformance. These are summarized below and detailed in Attachment 1.

MATERIAL WEAKNESSES

Cotton & Company identified the following material weaknesses. SEC management identified and reported the same weaknesses in its Fiscal Year 2002 FMFIA report to the President.

1. Property Accountability

SEC has not developed adequate internal control to identify, track, and report sensitive property, as defined in Securities and Exchange Commission Regulation (SECR) 9-2, Materials Maintenance Management Property Management Program, in its property management system (TRAQ). These sensitive items are non-expendable items that may be converted to private use or have a high potential for theft. Also, management has not enhanced TRAQ for new business requirements or updated Securities and Exchange Commission Manual (SECM) 9-1, Property Management Program Manual, to establish suitable controls for sensitive property acquired through the use of credit cards.

SECM 9-1 does not incorporate costs of in-house-developed software for capitalization purposes. Additionally, SEC's Office of Information Technology (OIT) and Office of Financial Management (OFM) have not defined procedures for identifying software that falls within the $25,000 capitalization threshold for reporting.

2. Accounting and Control of Disgorgements

SEC has not determined if disgorgements must be accounted for on its general ledger and financial statements. SEC also has not defined its programmatic oversight and monitoring responsibilities associated with the disgorgement program to develop appropriate controls and ensure full financial accountability. Until SEC completes these activities, it cannot define the types of controls needed.

3. Information System and Security Program Controls

SEC's information system and security program continues to be non-compliant with Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Systems; and with requirements of the Federal Information Security Management Act of 2002 (FISMA). SEC has not clearly delegated authority and responsibility to OIT for monitoring and enforcing compliance of agency-wide information system and security policies and procedures at the program level and has not been provided resources to fulfill these requirements. OIT and the program offices have not certified SEC's network and have not completed necessary risk assessments to certify major applications. Also, SEC's security awareness training policy and procedures do not mandate that all SEC employees and contractor personnel attend security awareness training.

MATERIAL NONCONFORMANCE

Cotton & Company identified the following material nonconformance. SEC management identified and reported the same nonconformance in its Fiscal Year 2002 FMFIA report to the President.

Information in DPTS (Disgorgement Payment Tracking System) is not complete and current, and the system cannot be relied upon for financial accounting and reporting purposes. Although OFM and the Office of the Secretary use DPTS as a financial accounts receivable subsidiary system, it was not designed for this purpose, and SEC has not enhanced it to meet financial reporting and data collection needs.

For example, DPTS does not accommodate distributed data entry from multiple sources that would enable enforcement and litigation personnel to directly enter disgorgement information in a timely manner. Further, management has not established appropriate communication and coordination controls among program offices to ensure that supporting documentation, such as court decisions, waivers, and administrative decisions, are provided to OFM and the Office of the Secretary to support amounts recorded in DPTS and SEC's general ledger.

Additional findings not considered material weaknesses or material nonconformances are discussed in Attachment 2.

In February 2003, the Office of Inspector General issued a draft of our report to SEC's management for its review and comment. Management fully concurs with the recommendations and has established divisional task forces to correct the deficiencies noted in this report. We have included management's comments at Attachment 3.

Very truly yours,

COTTON & COMPANY LLP

/s/

Charles Hayward, CPA, CISA, CFE


ATTACHMENT 1
MATERIAL WEAKNESSES AND MATERIAL NONCONFORMANCE

MATERIAL WEAKNESSES

1. Property Accountability

SEC has not developed adequate internal control to identify, track, and report sensitive property, as defined in Securities and Exchange Commission Regulation (SECR) 9-2, Materials Maintenance Management Property Management Program, in its property management system (TRAQ). These sensitive items are non-expendable items that may be converted to private use or have a high potential for theft. Also, management has not enhanced TRAQ for new business requirements or updated Securities and Exchange Commission Manual (SECM) 9-1, Property Management Program Manual, to establish suitable controls for sensitive property acquired through the use of credit cards.

SECM 9-1, Property Management Program Manual, does not incorporate costs of in-house-developed software for capitalization purposes. Additionally, SEC's Office of Information Technology (OIT) and Office of Financial Management (OFM) have not defined procedures for identifying software that falls within the $25,000 capitalization threshold for reporting.

Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, requires agencies to establish controls to reasonably ensure that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.

Recommendations

We recommend that the Office of Administrative and Personnel Management (OAPM):

  • Revise SECM 9-1 to incorporate new controls suitable for identifying, tracking, and reporting sensitive property acquired through credit card purchases and to require capitalizing in-house developed software.

  • Develop procedures to enable OIT and other program offices to identify, track, and report in-house costs related to development of new applications and enhancement of existing software such that total costs are identified for comparing with SEC's capitalization threshold.

We also recommend that OIT and OFM define and develop controls to identify software costs for meeting the capitalization threshold.

2. Accounting and Control of Disgorgements

SEC has not determined if disgorgements must be accounted for on its general ledger and financial statements. SEC also has not defined its programmatic oversight and monitoring responsibilities associated with the disgorgement program to develop appropriate controls and ensure full financial accountability. Until SEC completes these activities, it cannot define the types of controls needed.

SEC does record the disgorgement amount in the Disgorgement Payment Tracking System (DPTS) and Momentum, its financial accounting system, as part of miscellaneous receivables. SEC has not, however, developed procedures to obtain information to ensure that disgorgement payments and disbursement activities performed by third parties are properly reflected in its financial system. SEC does not uniformly and consistently track and monitor disgorgements payments made to and by a non-governmental party to ensure full accountability and accurate financial reporting. DPTS records do not indicate if disgorgement payments are to be made to SEC or a third party.

In many SEC district court cases, the courts order defendants to pay disgorgements directly to court-appointed receivers. Sometimes, defendants initially pay disgorgements into a court registry account, and the court later transfers the funds to receivers. Courts typically direct receivers to identify the defrauded investors, determine their appropriate share of the disgorgement fund, and make distributions. In carrying out these duties, the receiver is governed by the court's orders. SEC does not monitor receivers' activities or accounts on a day-to-day basis, although it generally receives notice of and has the right to object to receivers' fee applications, plans of distribution, and anticipated distributions to defrauded investors. The court decides any objections made by SEC.  

OMB Circular A-123 requires agencies to clearly define key areas of authority and responsibility and establish appropriate lines of reporting. Additionally, agencies are required to establish controls appropriate to fulfill their authority and responsibility; ensure reliability of financial reporting and compliance with laws and regulations; safeguard assets; and prevent or promptly detect unauthorized activities.

Without defining its authority and responsibilities associated with the disgorgement program and activities, SEC cannot assure itself that:

  • Adequate controls are in place to accomplish its responsibilities for each phase of the disgorgement program.

  • All disgorgement transactions are properly accounted for and recorded in DPTS and Momentum in a timely manner.

  • It is taking appropriate and timely action in cases of non-payment.

  • Disgorgement funds are properly disbursed to entitled individual investors.

Recommendations

We recommend that OFM and the Office of the Secretary:

  • Develop controls to properly report disgorgement transactions in DPTS and Momentum.

  • Develop procedures to reconcile DPTS and Momentum monthly.

  • Enhance DPTS to enable it to electronically transfer information between it and Momentum.

We recommend that the Offices of Enforcement and the Secretary:

  • Clearly define SEC authority and responsibilities over the disgorgement payment and disbursement program and activities.

  • Establish controls sufficient to meet these responsibilities.

  • Develop controls to ensure that timely, accurate, and complete financial information is obtained, maintained, and provided to appropriate offices.

3. Information System and Security Program Controls

SEC's information system security program continues to be non-compliant with OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources; and with requirements of the Federal Information Security Management Act of 2002 (FISMA). SEC has not clearly delegated authority and responsibility to OIT for monitoring and enforcing compliance of agency-wide information system and security policies and procedures at the program level and has not been provided resources to fulfill these requirements. OIT and the program offices have not certified SEC's network and have not completed necessary risk assessments to certify major applications. Also, SEC's security awareness training policy and procedures do not mandate that all SEC employees and contractor personnel attend security awareness training.

Although OIT has been delegated responsibilities for developing agency-wide information system and security policies and procedures, security responsibilities for major applications reside with program offices. There is no clearly delegated authority and responsibility for OIT to monitor and enforce compliance at the program level, and OIT has not been provided resources to fulfill these requirements.

FISMA requires agencies to develop and implement a comprehensive information security program and controls to adequately secure information technology from harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction. Further, agencies are required to assess risk and the magnitude of harm, develop appropriate levels of protection, develop and conduct periodic tests of controls, develop internal controls to monitor and enforce compliance, and develop and conduct security awareness training for both agency and contractor personnel.

Weaknesses in SEC's information system and security program controls increase the risks of unauthorized access to and modification of its financial data and applications and improper release of sensitive agency and corporate proprietary information.

Recommendations

We recommend that the Office of the Executive Director:

  • Develop and implement policies that clearly delegate agency-wide information system and security authority and responsibility to OIT with the authority to monitor and enforce compliance at the program office level.

  • Ensure that sufficient resources are provided to the information security program to fulfill its responsibilities.

Further, we recommend that the OIT:

  • Seek the Executive Director's approval to designate a qualified individual as the Senior Agency Security Officer (SASO) to carry out OIT's responsibilities identified in FISMA.

  • Assign the SASO with responsibility to develop the necessary framework and infrastructure to adequately secure SEC's information technology assets.

  • Develop procedures and practices to assist program offices in their efforts to implement effective and efficient security controls at their levels.

  • Complete certification and accreditation of the network and major applications.

MATERIAL NONCONFORMANCE: DISGORGEMENT PAYMENT TRACKING SYSTEM

Information in DPTS is not complete and current, and the system cannot be relied upon for financial accounting and reporting purposes. Although OFM and the Office of the Secretary use DPTS as a financial accounts receivable subsidiary system, it was not designed for this purpose, and SEC has not enhanced it to meet financial reporting and data collection needs. DPTS lacks the accounting structure and means to ensure the accuracy and completeness of the information and provide an audit trail. As a result, accounts receivable balances recorded on SEC's financial records may be misstated.

For example, DPTS does not accommodate distributed data entry from multiple sources that would enable enforcement and litigation personnel to directly enter disgorgement information in a timely manner. Further, management has not established appropriate communication and coordination controls among program offices to ensure that supporting documentation, such as court decisions, waivers, and administrative decisions, are provided to OFM and the Office of the Secretary to support amounts recorded in DPTS and SEC's general ledger.

OMB Circular A-127, Financial Management Systems, requires agencies to establish, implement, and maintain current controls, such as approvals, authorizations, verifications, reconciliations, performance reviews, security, and creation and maintenance of related records. Controls should cover the entire process or lifecycle of a transaction or event from initiation and authorization through its final classification. Additionally, controls should ensure that all transactions are:

  • Promptly recorded to maintain their relevance and value to management in controlling operations and making decisions.

  • Properly documented; documentation should be readily available for examination.

Recommendations

We recommend that OFM and the Offices of Enforcement and the Secretary:

  • Develop procedures to ensure that all enforcement activities resulting in assessment of disgorgements, fines, and penalties are properly documented, reported in a timely manner, and supported by documents that are readily available for examination.

  • Implement enhancements to DPTS that:

    • Meet SEC's programmatic, financial accountability, and reporting responsibilities.

    • Provide sufficient audit trails to track activities and hold individuals accountable.

    • Electronically interface and reconcile DPTS with Momentum.

    • Electronically generate appropriate documents to initiate recoveries of unpaid disgorgements, fines, and penalties.

ATTACHMENT 2

COMMENTS ON OTHER MATTERS

1. Independent Review of National Business Center

SEC has not received documentation of independent reviews from its third-party service provider, the U.S. Department of the Interior's National Business Center (NBC), addressing the strength of its internal control structure. Office of Management and Budget (OMB) Circular A-127, Financial Management Systems, requires agencies receiving computer services from other federal agencies or commercial vendors to ensure that systems are maintained appropriately and service providers are periodically reviewed.

Management has been unaware of the requirement and was not sure if Office of Information Technology (OIT) or the Office of Financial Management (OFM) should pursue acquiring a copy of the independent review of NBC's internal control environment.

Internal control weaknesses at NBC may require OFM to develop and implement additional manual controls to compensate for the exposure.

Recommendations

We recommend that OIT and OFM:

  • Coordinate efforts to annually obtain copies of independent internal control reviews performed at NBC.

  • Modify the contract with NBC to require NBC to have an annual independent assessment of its internal control structure and to provide a copy of the assessment.

  • Based on risks and weaknesses identified in the reports, develop as appropriate new manual or automated controls to reduce risks.

2. Segregation of Duties and Supervision Controls

The assistant director and deputy assistant director of OFM have full access privileges within Momentum, SEC's financial accounting system, which would permit them to override automated security and audit tracking controls. Additionally, manual and automated security controls designed to monitor and report on unauthorized activities are ineffective, because the security administrator reports to the director of OFM. The security administrator is not sufficiently knowledgeable of Momentum security controls to effectively detect unauthorized activities.

TRAQ has inadequate controls to properly separate various responsibilities for adding and removing equipment from the inventory and for maintaining the equipment inventory. Office of Administrative and Personnel Management (OAPM) personnel responsible for maintaining the TRAQ database also have control over source documents and are responsible for maintaining paper records for property disposal.

OMB Circular A-123, Management Accountability and Control, requires agencies to establish separation of duties and supervision controls. Key duties and responsibilities of authorizing, processing, recording, and reviewing official agency transactions should be separated among individuals. Managers should exercise appropriate oversight to ensure that individuals do not exceed or abuse their assigned authorities.

OFM management claimed that this level of access was needed to properly maintain the system and perform functions when the financial staff was short-handed. Management considered other controls to be sufficient to preclude or detect unauthorized activities.

Users with full access privileges have the ability to originate and pay falsified invoices, electronically divert funds for personal gain, and clear information typically captured in exception reports to thwart investigation of illicit activity.

Recommendations

We recommend that OFM:

  • Obtain technical assistance to determine appropriate account privileges needed by the assistant director and the deputy assistant director to perform their Momentum responsibilities.

  • Provide technical training to the Momentum security administrator.

Further, we recommend that the Office of Administrative and Personnel Management (OAPM):

  • Develop procedures for tracking and maintaining appropriate records for all changes to the property inventory.

  • Develop procedures within TRAQ and the property management program to properly separate duties and responsibilities for all phases of property accountability.

3. System Security Plans

SEC has not established policies and procedures to require development of security plans and ensure compliance with OMB directives. It has a system security plan for only one of its major applications, EDGAR, although its management official did not sign the EDGAR Project Security Plan.

OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, requires agencies to develop and implement security plans that provide adequate security for each major application. The plan should take into account the security of all systems in which an application will operate. A summary of each security plan is to be incorporated into the agency strategic information resources management plan. The security plan must address the following for each application, as appropriate:

  • Application Rules (rules of behavior).

  • Specialized Training.

  • Personnel Security (separation of duties, least privilege, and individual accountability).

In Fiscal Year (FY) 2002, OIT in conjunction with program offices developed a schedule for conducting and completing an accreditation and certification for each major application. Once these reviews are completed, security plans will be developed.

Without an approved system security plan, users and others may not be aware of their security requirements, and security risks may not be sufficiently controlled to protect SEC's financial, proprietary, and other sensitive data from unauthorized destruction, modification, or improper release.

Recommendations

We recommend that OIT:

  • Develop and implement adequate security policies and procedures to safeguard and protect SEC data.

  • Coordinate with the owners of each major application to certify the applications.

  • Develop a schedule to ensure that the network and each major application are re-certified as major changes occur or at least every 3 years.

  • Incorporate security plan summaries into SEC's 5-year strategic plan.

4. Password Policies

Program officials responsible for major applications are not complying with SEC's password policy and security administration practices for the network, Momentum, TRAQ, and DPTS. The following password and security administration requirements established by SEC Information Technology Security Program Technical Bulletin for Identification, Authentication, and Passwords, SECR 24-2.1, dated April 4, 2001, were not being followed:

  • Passwords are required to expire at least every 120 days.

  • Users are to be initially prompted to change the assigned password.

  • Passwords are required to consist of alphanumeric and special characters.

  • Passwords must be at least 8 characters.

  • Passwords must not be English words or names.

Additionally, personnel are able to circumvent the PC/network security feature that enforces activation of the password-protected screensaver. We also found that network and application security administrators are not promptly disabling user accounts after a user has officially departed SEC or when an account has not been used for over 90 days.

Management has not established monitoring and enforcement controls to ensure that application system administrators comply with agency standards. Additionally, OIT claims that the use of Net Buoy protocol for the EDGAR client on OS/2 machines causes a password synchronization problem that precludes password changes. OIT currently is investigating the use of Microsoft Active Directory to implement a password change policy in February 2003.

Inadequate password controls increase the risks of unauthorized access to systems and to SEC's financial and sensitive databases. Further, inadequate password controls increase the risks of unauthorized modification and release of data without detection. Poor password controls also increase the risk of individuals masquerading as others, which reduces SEC's ability to identify the individual performing unauthorized activities.

Recommendations

We recommend that the Office of the Executive Director require OIT to conduct periodic tests of network and application security controls and report on the effectiveness of the security program.

We recommend that OIT:

  • Develop procedures to enforce the SEC's passwords policy and perform periodic tests to ensure compliance.

  • Require implementation of password-protected screensavers at the network operating-system level.

  • Coordinate with appropriate program officials to re-program various applications to comply with SECR 24-2.1.
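The following script is an added illustration and is not part of the audit report or of any SEC system. It evaluates the SECR 24-2.1 password composition rules listed in this finding and the related security-administration rules (120-day password expiry, forced change of an assigned password, disabling of departed users and of accounts unused for over 90 days) against a constructed set of account records; the Account record layout, the audit date, the sample accounts, and the small word list standing in for a dictionary of English words and names are all assumptions.

```python
"""Policy checker for the SECR 24-2.1 rules cited in the finding.
Added example; the Account layout, audit date, sample data and word list are assumptions."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PASSWORD_AGE_DAYS = 120   # passwords must expire at least every 120 days
DORMANT_ACCOUNT_DAYS = 90     # accounts unused for over 90 days must be disabled
MIN_PASSWORD_LENGTH = 8

# Constructed stand-in for a dictionary of English words and names.
DICTIONARY = {"password", "welcome", "summer", "walter", "commission"}


@dataclass
class Account:
    user: str
    password_set: date                 # date the current password was assigned or changed
    last_login: Optional[date]         # None if the account has never been used
    must_change_at_first_login: bool   # assigned password flagged for forced change
    enabled: bool
    separated_on: Optional[date]       # date the user officially departed SEC, if any


def password_composition_issues(password: str) -> List[str]:
    """Rule violations for a candidate password, evaluated when it is set (never stored)."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        issues.append("not alphanumeric (needs both letters and digits)")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no special character")
    # Strip digits and punctuation so "Summer2002!" is still recognised as a word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        issues.append("based on an English word or name")
    return issues


def account_admin_issues(acct: Account, today: date) -> List[str]:
    """Security-administration violations for one account as of `today`."""
    issues = []
    if not acct.enabled:
        return issues                  # a disabled account satisfies every rule below
    if acct.separated_on is not None and acct.separated_on <= today:
        issues.append("still enabled after user departed")
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        issues.append("password older than 120 days")
    if acct.last_login is None and not acct.must_change_at_first_login:
        issues.append("assigned password not forced to change at first login")
    # A never-used account counts as idle since its password was assigned.
    idle_since = acct.last_login if acct.last_login is not None else acct.password_set
    if (today - idle_since).days > DORMANT_ACCOUNT_DAYS:
        issues.append("unused for more than 90 days")
    return issues


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each user to its violations; an empty list means the account is compliant."""
    return {a.user: account_admin_issues(a, today) for a in accounts}


# Constructed sample records, audited as of the end of Fiscal Year 2002.
AUDIT_DATE = date(2002, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2002, 7, 1), date(2002, 9, 29), True, True, None),
    Account("bob", date(2002, 4, 1), date(2002, 9, 20), True, True, None),
    Account("carol", date(2002, 6, 1), date(2002, 6, 14), True, True, date(2002, 6, 15)),
    Account("dave", date(2002, 9, 15), None, False, True, None),
    Account("erin", date(2002, 1, 10), date(2002, 3, 1), True, False, date(2002, 3, 5)),
]


def run_sample_audit() -> Dict[str, List[str]]:
    """Run the administration checks over the constructed sample as of AUDIT_DATE."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, problems in run_sample_audit().items():
        print(f"{user}: {'compliant' if not problems else '; '.join(problems)}")
```

In a real deployment the composition check runs at password-set time against the live system, and the account check runs periodically over the directory or application user table, which is the periodic compliance test the recommendation above calls for.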

5. General Ledger

SEC does not have management controls to ensure that its financial management systems comply with requirements of OMB Circular A-127. Balances recorded in SEC's general ledger are not in compliance with the U.S. Standard General Ledger (SGL) and the Financial Accounting Standards Advisory Board (FASAB) accounting standards. The June 30, 2002, trial balance has a number of inappropriate balances in significant accounts, as follows:

  • All of the Salaries and Expense (0100) appropriations have debit balances in Account 3100, Unexpended Appropriations. This account has a normal credit balance.

  • Account 1320, Employee Benefit Contributions Receivable, has a $295,459,183 debit balance. This balance is recorded in appropriation 1099 and appears to be the receivable for disgorgements. According to the SGL, Account 1320 is used for "amount recorded by administering agencies for contributions due from Federal employers and/or covered employees for retirement, health insurance, and life insurance employment benefits." Disgorgements do not meet this definition. In addition, SEC recorded these receivables as Other Revenue (Account 5900), but our discussions with the Division of Enforcement indicate that most disgorgements are not SEC revenue, but are due to other parties.

  • The trial balance has a $217,555,150 balance in Fund Balance with Treasury recorded in a clearing account offset by a credit to Account 2400, Deposit, Suspense Liability. This appears to be filing fees collected, but not yet earned. The SGL defines Account 2400 as "amounts offsetting undeposited collections and collections deposited in deposit funds and clearing accounts, including suspense accounts, awaiting disposition or reclassification." The proper liability account appears to be Account 2310, Advances from Others ("The balance of amounts advanced by other Federal and non-Federal entities for goods and services to be furnished.")

  • The clearing account (UNIDFD) also has a credit balance of $43,404,703 in Account 1310, Accounts Receivable, and a debit balance of $44,908,571 in Account 5900, Other Revenue. Account 1310 typically has a debit balance, and Account 5900 typically has a credit.

  • The June 30, 2002, accounts receivable do not include an accrual for transaction fee income earned but not received. In FY 2001, SEC collected an estimated $1.3 billion in transaction fees paid by stock exchanges twice a year: March 15 (for the preceding September through December) and September 30 (for the preceding January through August). SEC's June 30, 2002, accounts receivable should thus include an accrual for amounts earned from January through June, in accordance with Statement of Federal Financial Accounting Standard (SFFAS) No. 7, Accounting for Revenue and Other Financing Sources.

OFM management also stated that SEC has not properly recorded its capital leases for computer hardware and has also not capitalized software licensing fees and in-house expenses for system development. OFM is currently working with other offices on SECM 9-1, Property Management Program Manual, which will address procedures for identifying and recording capital leases.

OMB Circular A-123, Section II (Establishing Management Controls), requires agencies to establish management controls to ensure that transactions are properly classified and accounted for to provide reliable financial reports.

OMB Circular A-127, Paragraph 7 (Financial Management System Requirements), states that the criteria for recording financial events in all financial management systems must be consistent with accounting transaction definitions and processing rules defined in the SGL. It further states that agency financial management systems must maintain accounting data to permit reporting in accordance with FASAB-recommended accounting standards.

SEC's focus has been primarily on budgetary accounting, and it has not placed emphasis on ensuring that proprietary accounting transactions are recorded in accordance with applicable requirements. As a result, SEC's financial reports are not presented in accordance with applicable federal accounting requirements.

Recommendations

We recommend that OFM:

  • Develop and implement procedures to ensure that accounting records comply with federal standards and policies.

  • Provide additional technical training to OFM personnel on FASAB standards.

  • Develop formal policies and procedures for reviewing and monitoring general ledger account balances to ensure that all inappropriate balances are researched and corrected.

6. Filing Fees on Deposit

SEC has not established adequate controls over filing fees on deposit. We noted the following discrepancies:

  • In FY 2002, OFM implemented a new Momentum system to track filing fees. Its emphasis has been on correctly recording accounts with current activity. Our review of 1,521 filing fee accounts with deposit balances exceeding $8,000 disclosed that 1,337 accounts (totaling $102 million) had no activity in over 60 days. We further noted that 25 percent of these accounts with $13 million in deposits had no activity in over a year.

  • In FY 2002, SEC implemented a new procedure to send monthly notices informing account holders of their balances. A number of notices were returned as undeliverable. OFM developed a spreadsheet documenting these returned notices, but has taken no action on the accounts.

  • The Office of Filing and Information Services (OFIS) personnel have system rights to change account holder information within Momentum and to move deposits among accounts based on informal documentation, such as e-mails.

SEC management has not developed policies and procedures to:

  • Identify and notify account holders with no recent activity.

  • Define SEC's regulatory and fiduciary responsibilities over filing fees on deposit for an account holder no longer in business.

  • Address the documentation and disposition of undelivered notices.

  • Define documentation requirements needed to support changes to Momentum account holder information and to require formal account holder authorization for movement of balances among accounts.

OMB Circular No. A-123 requires that management controls provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation. SEC's failure to develop adequate procedures for handling and recording filing fees on deposit could result in fraud, errors or misstatements occurring and not being detected in a reasonable period of time.
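The inactive-account and balance-movement conditions described above can be checked mechanically from the deposit account records. The following is an added illustration, not code from the report or from SEC's Momentum system: it assumes a small constructed set of filing fee accounts and balance transfers (account ids, holders, balances, dates and supporting-document types are all invented) and applies the report's own thresholds (balances over $8,000, no activity in over 60 days, no activity in over a year) as of the FY 2002 year end.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record layouts; field names are assumptions, not Momentum's schema.
@dataclass(frozen=True)
class DepositAccount:
    account_id: str
    holder: str
    balance: float        # dollars on deposit
    last_activity: date   # date of the last fee debit or deposit credit
    notice_returned: bool # the monthly balance notice came back undeliverable

@dataclass(frozen=True)
class BalanceTransfer:
    transfer_id: str
    from_account: str
    to_account: str
    amount: float
    support: str          # kind of documentation supporting the movement

# Only a signed authorization from the account holder counts as formal support;
# e-mails and phone calls do not (assumed policy, based on the finding above).
FORMAL_SUPPORT = {"signed_holder_authorization"}

def days_inactive(acct: DepositAccount, as_of: date) -> int:
    return (as_of - acct.last_activity).days

def inactive_accounts(accounts, as_of, min_days, min_balance=8000.0):
    """Accounts above the balance threshold with no activity in more than min_days."""
    return [a for a in accounts
            if a.balance > min_balance and days_inactive(a, as_of) > min_days]

def inactivity_summary(accounts, as_of, min_balance=8000.0):
    over_60 = inactive_accounts(accounts, as_of, 60, min_balance)
    over_365 = inactive_accounts(accounts, as_of, 365, min_balance)
    return {
        "reviewed": sum(1 for a in accounts if a.balance > min_balance),
        "over_60_count": len(over_60),
        "over_60_total": round(sum(a.balance for a in over_60), 2),
        "over_365_count": len(over_365),
        "over_365_total": round(sum(a.balance for a in over_365), 2),
    }

def undelivered_notice_accounts(accounts):
    """Accounts whose notice was returned and that therefore need follow-up."""
    return sorted(a.account_id for a in accounts if a.notice_returned)

def unsupported_transfers(transfers):
    """Balance movements not backed by formal account holder authorization."""
    return sorted(t.transfer_id for t in transfers if t.support not in FORMAL_SUPPORT)

# Constructed sample data, as of the end of FY 2002.
AS_OF = date(2002, 9, 30)
SAMPLE_ACCOUNTS = [
    DepositAccount("A001", "Filer One", 12000.00, date(2002, 9, 15), False),
    DepositAccount("A002", "Filer Two", 25000.00, date(2002, 6, 30), False),
    DepositAccount("A003", "Filer Three", 9000.00, date(2001, 5, 1), True),
    DepositAccount("A004", "Filer Four", 5000.00, date(2000, 1, 1), True),   # below threshold
    DepositAccount("A005", "Filer Five", 40000.00, date(2002, 8, 10), False),
    DepositAccount("A006", "Filer Six", 15000.00, date(2001, 9, 1), False),
]
SAMPLE_TRANSFERS = [
    BalanceTransfer("T1", "A001", "A002", 1000.00, "signed_holder_authorization"),
    BalanceTransfer("T2", "A003", "A005", 2500.00, "email"),
    BalanceTransfer("T3", "A006", "A001", 700.00, "phone_call"),
]

def run_review():
    return (inactivity_summary(SAMPLE_ACCOUNTS, AS_OF),
            undelivered_notice_accounts(SAMPLE_ACCOUNTS),
            unsupported_transfers(SAMPLE_TRANSFERS))

if __name__ == "__main__":
    summary, undelivered, unsupported = run_review()
    print(summary)
    print("returned notices:", undelivered)
    print("transfers lacking formal authorization:", unsupported)
```

Run against real account data, the summary gives the counts and dollar totals the report cites, the returned-notice list is the follow-up queue the report says OFM has not acted on, and the unsupported-transfer list is the population an approver would have to reject or document before the movement is posted.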

Recommendations

We recommend that the Directors of OFIS and OFM:

  • Define and clarify SEC's regulatory authority and responsibility for unclaimed filing fees on deposit and if necessary seek assistance from the Office of General Counsel.

  • Develop and implement formal policies and procedures to address responsibility for filing fees on deposit to include:

    • Documentation and authorization necessary to change account holder information.

    • Identification and resolution of inactive accounts.

    • Disposition of account balances when SEC cannot identify or contact the rightful fund owner.

7. Transaction Fees

SEC does not have policies and procedures to obtain independent verification of the reasonableness and completeness of transaction fees paid by the stock exchanges. This is the largest single source of SEC revenue, yet fees are entirely self-reported by the exchanges. SEC does not require stock exchanges to support reported transaction volumes with an independent audit report to verify the accuracy and completeness of the reported transactions and subsequent fee payment.

Stock exchanges report their transaction volume to SEC on a monthly basis (Form R-31, Mandatory Monthly Report of Market Value and Volume of Securities Sales on Exchange) and pay semi-annual fees based on this volume. OFM recalculates the fees to verify accuracy, but uses the monthly reports to perform this recalculation. SEC obtains no third-party verification of the stock exchange transaction volume and thus relies entirely on stock exchanges to report accurately their transaction volume.

OMB Circular A-127 requires that each agency establish internal controls "to ensure resource use is consistent with laws, regulations and policies; resources are safeguarded against waste, loss, and misuse; and reliable data are obtained, maintained, and disclosed in reports."

Recommendations

We recommend that the Office of the Executive Director implement one of the following recommendations to gain assurance that semi-annual transaction fee payments are reasonable and accurate:

  • Develop policies and procedures requiring SEC's program offices to perform periodic reviews of stock exchange records and internal controls used to collect, process, and maintain transaction information supporting their semi-annual transaction fee payments.

  • Develop policies and procedures to require stock exchanges to provide SEC with independent audit reports of their processes and procedures used to collect, process, and maintain transaction information supporting semi-annual transaction fee payments and obtain an assessment of the reliability of internal controls over the information.

8. Receivables to Treasury

OFM prepares the Report on Receivables Due from the Public and submits it to the U.S. Treasury Financial Management Service (FMS). FMS accumulates this information for all federal agencies and reports annually to Congress on government receivables and debt collection activities.

SEC's reported receivables consist almost entirely of disgorgements. OFM accumulates disgorgement receivable amounts on an Excel spreadsheet based on memorandums from the Office of the Secretary. These memorandums are not, however, detailed enough for OFM to accurately report on the age and status of receivables.

Additionally, OFM and the Office of the Secretary have not established reconciliation and other controls to ensure the accuracy and completeness of the information being reported. OFM's March 31, 2002, report to FMS classified the entire receivable amount ($335,715,289) as delinquent. FMS defines a debt as delinquent if "it has not been paid by the payment date or by the end of any grace period contractually provided." OFM aging schedules used to prepare the report for FMS do not identify delinquent amounts.

OMB Circular A-123 requires that agencies incorporate management controls to ensure that transactions are "properly classified and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for examination."

Failure to ensure the accuracy and reliability of receivable amounts reported to FMS could result in inaccurate reporting to Congress on government receivables and debt collection activities.
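An aging schedule that applies the FMS delinquency definition quoted above (unpaid after the payment date or after the end of any contractual grace period) would have distinguished delinquent amounts from amounts merely outstanding. The following is an added example, not the report's or OFM's spreadsheet; it uses a constructed set of disgorgement receivables (identifiers, amounts, due dates and grace periods are invented) aged as of March 31, 2002, the report date cited above, and the bucket boundaries (1-30, 31-90, 91-180, over 180 days) are an assumed layout.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed record layout; field names are assumptions.
@dataclass(frozen=True)
class Receivable:
    receivable_id: str
    amount: float
    due_date: date             # payment date set by the order or agreement
    grace_days: int = 0        # contractually provided grace period, if any
    paid_date: Optional[date] = None

def age_receivable(r: Receivable, as_of: date):
    """Return (days past the end of the grace period, delinquent flag) per the FMS definition."""
    deadline = r.due_date + timedelta(days=r.grace_days)
    days_past = (as_of - deadline).days
    return days_past, days_past > 0

def bucket(days_past: int) -> str:
    if days_past <= 0:
        return "current"
    if days_past <= 30:
        return "1-30"
    if days_past <= 90:
        return "31-90"
    if days_past <= 180:
        return "91-180"
    return "over_180"

def aging_schedule(receivables, as_of: date):
    """Outstanding balance by age bucket, plus the delinquent subtotal."""
    buckets = {"current": 0.0, "1-30": 0.0, "31-90": 0.0, "91-180": 0.0, "over_180": 0.0}
    total = delinquent = 0.0
    for r in receivables:
        if r.paid_date is not None and r.paid_date <= as_of:
            continue                      # collected; not a receivable on this date
        days_past, is_delinquent = age_receivable(r, as_of)
        buckets[bucket(days_past)] += r.amount
        total += r.amount
        if is_delinquent:
            delinquent += r.amount
    schedule = {k: round(v, 2) for k, v in buckets.items()}
    schedule["total_outstanding"] = round(total, 2)
    schedule["total_delinquent"] = round(delinquent, 2)
    return schedule

# Constructed sample data, aged as of the March 31, 2002 report date.
AS_OF = date(2002, 3, 31)
SAMPLE_RECEIVABLES = [
    Receivable("R1", 100000.00, date(2002, 5, 15)),                 # not yet due
    Receivable("R2", 50000.00, date(2002, 3, 20), grace_days=30),   # inside grace period
    Receivable("R3", 75000.00, date(2002, 3, 1)),                   # 30 days past due
    Receivable("R4", 200000.00, date(2001, 6, 30)),                 # long delinquent
    Receivable("R5", 20000.00, date(2002, 1, 15), paid_date=date(2002, 2, 1)),  # collected
]

if __name__ == "__main__":
    for k, v in aging_schedule(SAMPLE_RECEIVABLES, AS_OF).items():
        print(f"{k:>18}: {v:>12,.2f}")
```

With this schedule only R3 and R4 are reported as delinquent; R1 and R2 remain in the current bucket, which is the distinction the March 31, 2002 report failed to make when it classified the entire balance as delinquent.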

Recommendations

We recommend that the Office of the Secretary establish procedures to properly age and provide support for disgorgement receivables.

We recommend that OFM establish procedures to ensure that all receivable activity is adequately documented with sufficient detail to support amounts reported to FMS.

9. System Development Life Cycle

SEC has not formally adopted a system development life cycle (SDLC) methodology that must be used for acquiring new software and for developing and enhancing existing software. Although OIT uses a spiral model for its system development methodology, SEC has not formally adopted this method. Without formal adoption, SEC program offices are not required to use this method for developing new systems, acquiring commercial off-the-shelf software, or enhancing existing systems.

OMB Circular A-130 requires agencies to plan in an integrated manner for managing information throughout the life cycle of their systems. At each stage of the information life cycle, agencies must consider the effects of decisions and actions on other stages of the life cycle, particularly those concerning information dissemination. Agencies must further consider the effects of their actions on members of the public and ensure consultation with the public as appropriate. SEC management claims that higher priorities have prevented developing and issuing a new policy requiring the use of this SDLC methodology.

Without an SDLC, SEC increases the risks that systems may be designed or acquired with poor logical security controls or with functional capabilities not meeting program office needs. Additionally, unintentional programming errors may go undetected.

Recommendation

We recommend that OIT develop procedures to ensure that all new in-house developed or commercial off-the-shelf applications are compliant with SEC's information security policies before placing them into production.

10. Security Awareness Training

SEC has not developed policies and procedures to ensure that all contractor and agency personnel attend security awareness training as required by FISMA and OMB Circular A-130. Although OIT provided a security awareness training session in FY 2002, the training was attended by 75 percent of SEC's employees, and contractor personnel were not required to and did not attend. OIT does not offer training on a periodic basis throughout the year. SEC policies do not require contractor personnel to attend training. The policies also do not require new SEC employees or contractor personnel to attend a security awareness training session before or immediately after being granted access to the network or applications.

OMB Circular A-130 requires agencies to provide appropriate training for users of federal information resources. Further, agencies should ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training must assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST [National Institute of Standards and Technology] and OPM [Office of Personnel Management], and apprise them of available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training must be required for continued access to the system.

OIT has not developed and implemented suitable information security policies, procedures, and practices for the following:

  • Ensuring that mandatory security awareness training is provided to all employees and contractor personnel annually.

  • Ensuring that security awareness training is provided to all new employees and new contractors before granting them access to information systems.

  • Developing and implementing rules of behavior for each major application and general support system.

Without effective security awareness training, SEC increases the risks that employees and contractor personnel will not be aware of their computer security responsibilities and may inadvertently increase security risks to SEC's applications and databases.

Recommendations

We recommend that OIT:

  • Revise the Information Technology Security Program to incorporate requirements of OMB Circular A-130 and any other relevant law.

  • Develop and implement a training policy that provides for both security awareness training and specialized training of SEC's employees and contractor personnel.

  • Develop and implement rules of behavior for each major application and general support system.

11. Business Contingency and Disaster Recovery Program and Plans

SEC business contingency and disaster recovery program and plans have the following weaknesses:

  • A complete network recovery test has not been performed to demonstrate that the backup facility has the capacity to accommodate service requirements for key headquarters personnel, as identified in the plan.

  • SEC contingency and disaster recovery plans do not provide for a hot-site capability to relocate essential IT services in a geographical location separate from SEC's headquarters.

  • OIT has not established recovery priorities for critical SEC systems in the event the recovery site cannot support all of them.

  • OIT has not provided training to service center personnel to ensure that assigned duties and responsibilities can be carried out with a minimum of disruption.

Although OIT has shown the ability to restore individual applications and servers through its partial tests, these tests do not give assurance that OIT can restore and support critical operations at an alternate site in the event of an emergency.

OMB Circular A-130 requires agencies to assure the ability to recover and provide service sufficient to meet minimal system user needs. Managers must plan how they will perform their missions and recover from the loss of existing application support, whether the loss is the result of an application's inability to function or a general support system failure. Experience has demonstrated that testing a contingency plan significantly improves its viability.

OIT has not performed a complete recovery test as the result of its limited resources. This led to OIT agreeing with its contractor to perform partial network tests, also known as tabletop tests, of the network and systems residing on the network rather than the full recovery test. OIT is also awaiting the outcome of a current business impact analysis (BIA) and risk assessment (RA). OIT will use the results to determine a new business requirement for purposes of updating the contingency plan and developing a new program restoration schedule based on the mission critical nature of the applications. Without a current disaster recovery plan, OIT increases the potential for SEC to incur a significant disruption to its mission and to be unable to meet its regulatory requirements to exchanges, corporations, and individual investors. Infrequent testing or no testing of the recovery plan and a lack of personnel disaster recovery training increase the potential for recovery failures or unnecessary network and system downtime.

Recommendations

We recommend that OIT:

  • Coordinate an annual test of the disaster recovery plan to restore the network operating system on the servers.

  • Document disaster recovery plan test results and revise the plan as needed to reflect test results.

  • Provide disaster recovery training to ensure that computer operators and data center personnel are proficient in their responsibilities during an unusual emergency or crisis situation.

  • Develop policies and procedures to reevaluate risk assessment documentation periodically and whenever new systems are placed into production, to ensure that systems are restored based on agreed business-need priorities in the event of an emergency.

  • Seek funding for developing a hot-site outside the immediate geographical area of SEC's headquarters.

12. HOST Travel System

SEC's HOST travel system maintains travel expense records of SEC personnel whose travel expenses will be reimbursed by a third party. OFM is responsible for invoicing the third party based on information contained in HOST. OFM records invoices as accounts receivable in Momentum. OFM is responsible for updating HOST and Momentum for invoice payments received.

Our review of the March 31, 2002, HOST travel report identified 15 travel records for travel taken in FY 2000 reflecting non-payment in HOST. Further review disclosed that the HOST travel system has not been updated to reflect payments made by third parties.

We reviewed supporting documents and OFM controls and noted discrepancies between invoices and payments. Also, documentation did not provide a clear audit trail of action taken to resolve discrepancies. OFM recognizes that internal controls need to be improved. Additionally, OFM agrees that improvements can be made to document actions taken to resolve discrepancies between invoices and payments received.

OMB Circular A-127 requires that agencies incorporate management controls to ensure that transactions are "properly classified and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for examination."

Without adequate controls, SEC increases the risks of improper and inaccurate billing to third parties.
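The control the report finds missing here is a periodic reconciliation of HOST travel records against the corresponding Momentum receivables and payments, producing an exception list that itself serves as the audit trail of what was found and resolved. The following is an added example, not code from the report, HOST or Momentum; it assumes a constructed extract from each system (record and invoice identifiers, travelers, amounts and paid flags are invented) and the exception categories are an assumed classification.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed record layouts; field names are assumptions, not either system's schema.
@dataclass(frozen=True)
class HostRecord:
    record_id: str
    traveler: str
    fiscal_year: int
    expense: float
    invoice_id: Optional[str]   # Momentum invoice raised for this trip, if any
    paid_in_host: bool          # HOST's own paid/unpaid flag

@dataclass(frozen=True)
class MomentumInvoice:
    invoice_id: str
    billed: float
    payments: Tuple[float, ...] = ()   # amounts received against this invoice

CENT = 0.005  # tolerance for comparing dollar amounts

def reconcile(host_records, momentum_invoices):
    """Return (exception_kind, record_or_invoice_id, detail) for every mismatch found."""
    invoices = {inv.invoice_id: inv for inv in momentum_invoices}
    referenced = set()
    exceptions = []
    for rec in host_records:
        if rec.invoice_id is None:
            exceptions.append(("NOT_INVOICED", rec.record_id, rec.expense))
            continue
        inv = invoices.get(rec.invoice_id)
        if inv is None:
            exceptions.append(("INVOICE_MISSING_IN_MOMENTUM", rec.record_id, rec.invoice_id))
            continue
        referenced.add(inv.invoice_id)
        received = round(sum(inv.payments), 2)
        if abs(inv.billed - rec.expense) > CENT:
            exceptions.append(("BILLED_AMOUNT_MISMATCH", rec.record_id,
                               round(inv.billed - rec.expense, 2)))
        momentum_paid = received >= inv.billed - CENT
        if momentum_paid and not rec.paid_in_host:
            # Third party paid, receivable cleared, but HOST still shows unpaid
            exceptions.append(("HOST_NOT_UPDATED", rec.record_id, received))
        elif rec.paid_in_host and not momentum_paid:
            # HOST says paid while the Momentum receivable is still open
            exceptions.append(("HOST_PAID_MOMENTUM_OPEN", rec.record_id,
                               round(inv.billed - received, 2)))
        elif 0 < received < inv.billed - CENT:
            exceptions.append(("PARTIAL_PAYMENT", rec.record_id,
                               round(inv.billed - received, 2)))
    for inv_id in sorted(set(invoices) - referenced):
        # Receivable in Momentum with no HOST travel record behind it
        exceptions.append(("ORPHAN_INVOICE", inv_id, invoices[inv_id].billed))
    return exceptions

def exceptions_by_kind(exceptions):
    counts = {}
    for kind, _, _ in exceptions:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample extracts.
SAMPLE_HOST = [
    HostRecord("H1", "Traveler A", 2000, 1200.00, "INV-1", False),
    HostRecord("H2", "Traveler B", 2002, 800.00, "INV-2", False),
    HostRecord("H3", "Traveler C", 2002, 500.00, "INV-3", True),
    HostRecord("H4", "Traveler D", 2001, 300.00, None, False),
    HostRecord("H5", "Traveler E", 2002, 400.00, "INV-5", True),
]
SAMPLE_MOMENTUM = [
    MomentumInvoice("INV-1", 1200.00, (1200.00,)),
    MomentumInvoice("INV-2", 800.00, (750.00,)),
    MomentumInvoice("INV-3", 500.00, (500.00,)),
    MomentumInvoice("INV-5", 400.00),
    MomentumInvoice("INV-6", 900.00),
]

if __name__ == "__main__":
    for exc in reconcile(SAMPLE_HOST, SAMPLE_MOMENTUM):
        print(exc)
```

H1 is the case the report describes: the third party paid and Momentum shows the receivable cleared, but HOST was never updated. Each exception line, with the action taken against it, is the documented trail of resolution that the report found lacking.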

Recommendation

We recommend that OFM enhance procedures to ensure that HOST and Momentum records are current and agree.

ATTACHMENT 3

MANAGEMENT COMMENTS ON DRAFT AUDIT REPORT