Want CNET to notify you of price drops and the latest stories?

SEC fails own security and accounting tests

National watchdog finds sensitive data at risk and problems with internal financial practices at the SEC.

2 min read
The Securities and Exchange Commission has weaknesses in its information security and accountancy practices that should prevent fraud and ensure financial accuracy in other companies, according to auditors.

In the first external audit of the organization, the U.S. Government Accountability Office found that the SEC, which supervises public companies' accounting, had failed to implement a "comprehensive monitoring program to identify unusual or suspicious access activities."

In a report published Thursday, the GAO said: "The SEC had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to limit and detect access to its critical financial and sensitive systems.

"As a result, sensitive data was at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected."

The GAO, a national watchdog on government spending, also found problems with the SEC's internal financial practices, such as "material weaknesses" in the penalties it hands out to companies.

"Because of material internal control weaknesses in the areas of recording and reporting disgorgements and penalties, preparing financial statements and related disclosures, and information security, in GAO's opinion, (the) SEC did not maintain effective internal control over financial reporting as of 30 September, 2004."

SEC officials are reported to have expressed regret at the results of the audit, which was carried out last year, but said the organization would set an example by fixing the problems.

Despite the negative findings, the report also found that the SEC had not broken any compliance regulations.

"SEC did maintain in all material respects effective internal control over compliance with laws and regulations material in relation to the financial statements as of 30 September, 2004."

Dan Ilett of Silicon.com reported from London.