The U.S. Government Accountability Office (“GAO”), a government watchdog group, recently reported the results of its 2014 audit of the Securities and Exchange Commission (“SEC”) financial statements. The findings included (i) troubling reports of internal control failures at the very agency tasked with policing the reporting activities of others and (ii) warnings of vulnerability to cyber attacks on the highly confidential information stored at the SEC.
The most serious area of deficiency involves financial reporting controls over accounting for disgorgement and penalty transactions. Such deficiencies were so significant that the GAO reported that they may adversely affect the accuracy and completeness of information used and reported by the SEC. Other less serious deficiencies affected a broad scope of areas, such as
- reinvestment of disgorgement funds,
- maintaining ongoing accuracy of property and equipment inventory records,
- documenting disposal of property and equipment,
- ensuring existence of capitalized bulk purchases,
- identifying and summarizing uncorrected misstatements, and
- information security.
The GAO made 13 new recommendations to address SEC control deficiencies with regard to financial reporting, and reiterated 11 recommendations that remained unresolved from prior years. Financial reporting recommendations included:
- Address areas of repetitive errors and develop policies and procedures to allow for timely and accurate adjustments in the general ledger
- Implement additional controls to ensure consistency of asset disposition activities and document any deviations
- Analyze physical inventory count results to validate continued existence and completeness
- Revise current collection procedures to include reviewing the work of shared service providers and comparing the general ledger to supporting documentation
- Develop policies and implement controls for safeguarding of property and equipment, such as confirming physical custody through periodic sampling
In addition, the GAO found that 15 of its prior internal control recommendations with regard to information system controls (information security) were still open, albeit in process. The GAO recommendations regarding information security included:
- Implement requirements for remote authentication of passwords
- Ensure administrative passwords have an expiration date
- Disable or encrypt user sessions to prevent viewing of sensitive information in plain text
While the deficiencies and recommendations described above are specific to the SEC, many of the same issues exist at public or private companies which the SEC regulates. Such entities would similarly benefit from improvement of internal controls over their financial management and accountability for resources, as well as examining their vulnerability to cyber attacks.
Implementation and regular review of the adequacy of a system of internal controls is critical to preventing and detecting fraud. Such processes deter fraudulent activity by decreasing the perceived opportunity to commit fraud and provide information to quickly identify it, if it should occur. As the problems at the federal level demonstrate, these weaknesses can occur even within those who should know better, and internal control processes are worthy of examination on a regular basis.
Fulcrum Inquiry performs internal control assessments and forensic accounting services.