SEC fails own security and accounting tests

The Securities and Exchange Commission (SEC) has weaknesses in its information security and accountancy practices that should prevent fraud and ensure financial accuracy in other companies, according to auditors.

In the first external audit of the organisation, the US Government Accountability Office (GAO) found that the SEC, which supervises public companies' accounting, had failed to implement a "comprehensive monitoring program to identify unusual or suspicious access activities".

In a report published yesterday, the GAO said: "SEC had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to limit and detect access to its critical financial and sensitive systems.

"As a result, sensitive data were at increased risk of unauthorised disclosure, modification, or loss, possibly without being detected."

The GAO, a national watchdog on government spending, also found problems with the SEC's internal financial practices, such as "material weaknesses" in the penalties it hands out to companies.

"[B]ecause of material internal control weaknesses in the areas of recording and reporting disgorgements and penalties, preparing financial statements and related disclosures, and information security, in GAO's opinion, SEC did not maintain effective internal control over financial reporting as of 30 September, 2004."

SEC officials are reported to have expressed regret at the results of the audit, which was carried out last year, but said the organisation would set an example by fixing the problems.

Despite the negative findings, the report also found that the SEC had not broken any compliance regulations.

"SEC did maintain in all material respects effective internal control over compliance with laws and regulations material in relation to the financial statements as of 30 September, 2004."