
No joke, the SEC falls flat in financial audit

Oops.

From a report by the US Government Accountability Office – the Congressional watchdog charged with investigating how taxpayers' money is spent:
In GAO’s opinion, SEC’s fiscal years 2009 and 2008 financial statements are fairly presented in all material respects. However, in GAO’s opinion, SEC did not have effective internal control over financial reporting as of September 30, 2009. Recommendations for corrective action will be included in a separate report.

Needless to say, the SEC is responsible for ensuring that public companies make appropriate financial disclosures, among other things. It also runs things like the EDGAR system, which collates statements and disclosures from companies and other entities required to disclose them — an important resource for independent investors, journalists and just about everyone in the financial industry.

And yet the report continues:

During this year’s audit, we identified six significant deficiencies that collectively represent a material weakness in SEC’s internal control over financial reporting. The significant deficiencies involve SEC’s internal control over (1) information security, (2) financial reporting process, (3) fund balance with Treasury, (4) registrant deposits, (5) budgetary resources, and (6) risk assessment and monitoring processes. These internal control weaknesses give rise to significant management challenges that have reduced assurance that data processed by SEC’s information systems are reliable and appropriately protected; impaired management’s ability to prepare its financial statements without extensive compensating manual procedures; and resulted in unsupported entries and errors in the general ledger.

. . .
Since our 2004 audit of SEC’s financial statements, we have consistently reported significant deficiencies in SEC’s information security controls. SEC has made progress in mitigating certain control weaknesses that we have previously reported, such as (1) designating a senior agency information security officer who will be responsible for managing SEC’s information security program, (2) assigning a configuration manager to manage configuration for the general ledger system, (3) completing and approving physical security standards and procedures, and (4) completing the annual testing of security controls for the general ledger application and general support system. However, during fiscal year 2009, key information security control weaknesses remain that continued to jeopardize the confidentiality, availability, and integrity of information processed by SEC’s key systems, increasing the risk of material misstatement for financial reporting. For example, in some instances SEC did not adequately (1) segregate computer-related duties and functions; (2) restrict user privileges; (3) implement patches and current software versions; (4) use approved, secure means to transmit data; (5) implement configuration management; and (6) complete a certification and accreditation of its general ledger supporting processes during fiscal year 2009.

We continued to identify ineffective information system controls for the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) and Fee Momentum systems. EDGAR performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with SEC, and is the source of revenue data for material filing fee transactions. Fee Momentum is EDGAR’s subsystem that maintains the accounting information related to filing fees and is integrated through an interface with SEC’s general ledger system. For both EDGAR and Fee Momentum, SEC did not adequately (1) restrict user access privileges; (2) restrict remote access; (3) implement appropriate password settings; (4) implement policies and procedures for granting access; (5) verify that access requests were reviewed and approved; (6) consistently apply patches and current versions; (7) implement an audit trail showing system user activities; and (8) ensure the approved, secure transmission of data. We believe the risk of misstatements in SEC’s financial reporting is heightened as a result of these weaknesses.

Eep!

For its part the SEC, according to the Blog of the Legal Times, says these are issues which have been building for years, and that while some of them can and will be addressed quickly, others will take more time to solve.

In the meantime then — there are many more SEC schadenfreude giggles in the full report.

Related links:
SEC wishlist: Derivatives data with which to pursue derivatives fraud – FT Alphaville
Footnoted.org – A website dedicated to examining company SEC filings
SECWatch.com – Proprietary tools for navigating SEC filings
