oversight

Financial Management Service: Significant Weaknesses in Computer Controls

Published by the Government Accountability Office on 1999-10-04.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                United States General Accounting Office

GAO             Report to the Secretary of the Treasury




October 1999
                FINANCIAL
                MANAGEMENT
                SERVICE

                Significant
                Weaknesses in
                Computer Controls




GAO/AIMD-00-4
United States General Accounting Office                                                Accounting and Information
Washington, D.C. 20548                                                                      Management Division



                                    B-283555                                                                           Leter




                                    October 4, 1999

                                    The Honorable Lawrence H. Summers
                                    The Secretary of the Treasury

                                    Dear Mr. Secretary:

                                    In connection with fulfilling our requirement to audit the U.S. government’s
                                    fiscal year 1998 financial statements, we reviewed the general and
                                    application computer controls over key financial systems maintained and
                                    operated by the Department of the Treasury’s Financial Management
                                    Service (FMS). On August 31, 1999, we issued a “Limited Official Use”
                                    report to you detailing the results of our review. This excerpted version of
                                    the report for public release summarizes the weaknesses we identified and
                                    the recommendations we made.

                                    This report discusses the results of our fiscal year 1998 tests of the
                                    effectiveness of general and application controls that support key FMS
                                    automated financial systems and our follow-up on the status of FMS’
                                    corrective actions to address weaknesses identified in our fiscal year 1997
                                    audit.1 These systems, some of which are operated and maintained by
                                    contractors and the Federal Reserve Banks (FRB), are critical to FMS’
                                    mission of serving as the government’s financial manager, central disburser,
                                    collections agent, and reporter of financial information. We have issued a
                                    separate report to the Board of Governors of the Federal Reserve System
                                    on the results of our testing of the general and application controls over
                                    key FMS systems that the FRBs maintain and operate.

                                    As discussed in this report, we identified computer control weaknesses at
                                    FMS and its contractor data centers that place its financial systems at
                                    significant risk of unauthorized disclosure and modification of sensitive
                                    data and programs, misuse or damage to computer resources, or disruption
                                    of critical operations. Also, the pervasiveness of these weaknesses places
                                    billions of dollars of payments and collections at risk of fraud.




                                    1
                                     Financial Management Service: Areas for Improvement in Computer Controls (GAO/AIMD-
                                    99-10, October 20, 1998).




                                    Page 1                                        GAO/AIMD-00-4 FMS Computer Controls
                   B-283555




                   While performing our work, we communicated detailed information
                   regarding our findings to FMS management. This report provides an overall
                   assessment and summary of FMS’ computer control weaknesses and
                   recommendations to you as the agency head.



Results in Brief   The pervasive weaknesses we identified in FMS’ computer controls at each
                   of its data centers during our fiscal year 1998 audit renders FMS’ overall
                   security control environment ineffective in identifying, deterring, and
                   responding to computer control weaknesses in a timely manner. Our
                   follow-up on the status of FMS’ corrective actions to address weaknesses
                   identified in our fiscal year 1997 audit found that FMS had only corrected
                   or mitigated the risks associated with 24 of 72 computer control
                   weaknesses discussed in our “Limited Official Use” report issued on
                   July 31, 1998.

                   During the fiscal year 1998 audit, we found new general computer control
                   weaknesses in entitywide security planning and management, access
                   controls, system software, and application software development and
                   change controls. We also identified weaknesses in the authorization
                   controls over all six of the key FMS financial applications we reviewed. In
                   addition, we identified an accuracy control weakness over one of the six
                   key FMS financial applications and a completeness control weakness over
                   another one of the six key FMS financial applications.

                   Because of the weaknesses in computer controls that we identified,
                   including the lack of an effective entitywide security planning and
                   management program, billions of dollars of payments and collections are at
                   significant risk of loss or fraud, vast amounts of sensitive data are at risk of
                   inappropriate disclosure, and critical computer-based operations are
                   vulnerable to serious disruptions. Accordingly, as reported for fiscal year
                   1997, we continue to consider FMS’ computer control problems a material
                   weakness.2 FMS has also recognized the serious nature of these problems
                   and has reported these matters in its Federal Managers’ Financial Integrity
                   Act (FMFIA) report for fiscal year 1998.



                   2
                    A material weakness is a condition in which the design or operation of one or more of the
                   internal control components does not reduce to a relatively low level the risk that errors or
                   irregularities in amounts that would be material to the financial statements may occur and
                   not be detected promptly by employees in the normal course of performing their duties.




                   Page 2                                             GAO/AIMD-00-4 FMS Computer Controls
             B-283555




Background   FMS is the government’s financial manager, central disburser, and
             collections agency as well as its accountant and reporter of financial
             information. For fiscal year 1998, the U.S. government disbursed over
             $1.6 trillion primarily for Social Security and veterans benefit payments,
             IRS tax refunds, federal employee salaries, and vendor billings. With
             several exceptions (the largest being the Department of Defense), FMS
             makes disbursements for most federal agencies.

             FMS is also responsible for administering the federal government’s
             collections system. In fiscal year 1998, the government collected over
             $1.7 trillion from sources such as individual and corporate income tax
             deposits, customs duties, loan repayments, fines, and proceeds from
             leases. FMS maintains a network of about 11,000 financial institutions to
             help collect these revenues.

             In addition, FMS oversees the federal government’s central accounting and
             reporting systems used to reconcile and keep track of the federal
             government’s assets and liabilities. Financial and budget execution
             information from these central systems is used by FMS to publish financial
             reports that are available for use by the Congress, the Office of
             Management and Budget, other federal agencies, and others who make
             financial decisions on behalf of the U.S. government.

             FMS maintains a wide array of financial and information systems to help it
             process and reconcile monies disbursed and collected by the various
             government agencies. Multiple banking, collection, and disbursement
             systems are also used to process agency transactions, record relevant data,
             transfer funds to/from the Treasury, and facilitate the reconciliation of
             these transactions.

             FMS has seven data centers and utilizes data processing services at several
             contractors and the FRBs, which help FMS carry out its financial
             management responsibilities.




             Page 3                                    GAO/AIMD-00-4 FMS Computer Controls
                         B-283555




Objectives, Scope, and   Our objectives were to evaluate and test the effectiveness of the computer
                         controls over FMS’ key financial management systems and to determine
Methodology              the status of the computer control weaknesses identified in our fiscal year
                         1997 audit. We used a risk-based and rotation approach for testing general
                         and application controls. Under that methodology, every 3 years, each data
                         center and key application is subjected to a full-scope review that includes
                         testing in all of the computer control areas defined in our Federal
                         Information System Controls Audit Manual (FISCAM).3 During the interim
                         years, we focus our testing on the FISCAM areas that we have determined
                         to be at greater risk for computer control weaknesses. See appendix I for
                         the scope and methodology of our fiscal year 1998 review at each of the
                         selected data centers4 and for the key applications.

                         During the course of our work, we communicated our findings to FMS
                         management who informed us of the corrective actions they planned or
                         had taken to address the weaknesses we identified. We plan to follow up on
                         these matters during our audit of the U.S. government’s fiscal year 1999
                         financial statements.

                         We performed our work from August 1998 through February 1999. Our
                         work was performed in accordance with generally accepted government
                         auditing standards. We requested comments on a draft of this report from
                         the Department of the Treasury. The FMS Commissioner’s comments are
                         discussed in the “Agency Comments” section of this report.




                         3
                             Federal Information System Controls Audit Manual (GAO/AIMD-12.19.6, January 1999).
                         4
                             The data centers we reviewed consisted of data centers at both FMS and its contractors.




                         Page 4                                               GAO/AIMD-00-4 FMS Computer Controls
                        B-283555




FMS’ Entitywide         As we discussed in our prior year report, the overriding reason that
                        computer control problems exist at FMS is because it does not have an
Security Planning and   effective entitywide computer security planning and management program.
Management Program      An entitywide program for security planning and management is the
                        foundation of an entity’s security control structure and should establish a
Is Not Effective        framework for continual (1) risk assessments, (2) development and
                        implementation of effective security procedures, and (3) monitoring and
                        evaluation of the effectiveness of security procedures. A well-designed
                        entitywide security planning and management program helps to ensure that
                        security controls are adequate, properly implemented, applied consistently
                        across the entity, and responsibilities for security are clearly understood.
                        Our May 1998 best practices guide 5 on information security management
                        practices at leading nonfederal organizations found that organizations
                        successfully managed their information security risks through an ongoing
                        cycle of risk management activities. An effective program would include
                        guidance and procedures for assessing risks, establishing appropriate
                        policies and related controls, and monitoring and evaluating the
                        effectiveness of established controls.

                        One of the most fundamental elements of an effective entitywide security
                        planning and management program is a current and comprehensive
                        entitywide security policy to communicate security management plans,
                        standards, regulations, or guidelines. An entitywide security policy
                        provides the foundation for a computer security program and helps
                        management ensure that computer controls are working and are reliable,
                        established policies and procedures are followed, identified deficiencies
                        are timely corrected, and errors or fraudulent transactions are timely
                        detected. FMS’ security policies and related procedures have not been
                        formally updated since 1991. FMS has drafted a “Project Manager’s Security
                        Handbook” to provide guidance for the implementation and documentation
                        of its information technology security controls. However, the handbook has
                        not been approved and implemented. Based on the results of our audits
                        over the past 2 years, FMS’ entitywide security control structure has failed
                        to address many of the significant risks associated with its current
                        computing environment.




                        5
                         Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-
                        68, May 1998).




                        Page 5                                        GAO/AIMD-00-4 FMS Computer Controls
                       B-283555




                       Specifically, FMS’ approach to security planning and management lacked

                       • adequate site-specific written policies and procedures to ensure security
                         administration roles and responsibilities are clearly defined and
                         communicated and that procedures are comprehensive and appropriate
                         for the particular computing environment;
                       • management enforcement of established security policies and
                         procedures, such as completing background investigations and security
                         violation monitoring and follow-up; and
                       • adequate training of the data center security administrators to ensure
                         security techniques and parameters are properly administered and
                         applied.

                       These weaknesses in security planning and management expose FMS to
                       the risk that other general control weaknesses could occur and not be
                       detected in a timely manner to prevent unnecessary losses or disruptions.



Serious General        General controls are the structure, policies, and procedures that apply to
                       an entity’s overall computer operations. General controls establish the
Computer Control       environment in which application systems and controls operate. They
Weaknesses Place FMS   include an entitywide security planning and management program, access
                       controls, system software controls, application software development and
Systems and Data at    change controls, segregation of duties, and service continuity controls. An
Significant Risk       effective general control environment would (1) ensure that an adequate
                       computer security planning and management program is in place,
                       (2) protect data, files, and programs from unauthorized access,
                       modification, and destruction, (3) limit and monitor access to programs
                       and files that control computer hardware and secure applications,
                       (4) prevent the introduction of unauthorized changes to systems and
                       applications software, (5) prevent any one individual from controlling key
                       aspects of computer-related operations, and (6) ensure the recovery of
                       computer processing operations in case of a disaster or other unexpected
                       interruption.

                       Our follow-up on the status of FMS’ corrective actions to address
                       weaknesses identified in our fiscal year 1997 audit found that three of the
                       seven data centers had made little or no progress in correcting or
                       mitigating the risks associated with the general computer control
                       weaknesses identified at those data centers. FMS officials stated that older
                       operating systems were being replaced with newer operating systems at
                       two of its data centers. Thus, FMS has elected not to take corrective



                       Page 6                                    GAO/AIMD-00-4 FMS Computer Controls
                  B-283555




                  actions on selected weaknesses at these data centers until the planned
                  migrations are completed. In addition, FMS stated that it is moving one of
                  its key applications to a distributed environment and anticipates this
                  migration to be completed in 2001. Further, FMS expects that these
                  migrations will facilitate the implementation of more effective controls in
                  the future.

                  However, many of the weaknesses we identified in our fiscal year 1997
                  audit at these data centers will not be corrected by moving to new
                  operating environments. For example, service continuity plans still need to
                  be fully developed and tested for its new systems covering all aspects of
                  their mission-critical business functions. More importantly, during system
                  migrations, FMS’ exposure to serious disruption of operations, disclosure
                  of sensitive programs and data, or intrusions by hackers or malicious
                  internal users is increased by the following factors:

                  • the seriousness and pervasiveness of the problems as they exist today,
                  • the absence of essential compensating controls to mitigate the serious
                    risks, and
                  • experienced delays and the possibility of future delays in the
                    implementation of the new systems.

                  As a result, we are repeating those prior year findings related to these data
                  centers that have not been corrected as well as reaffirming the related
                  recommendations discussed in our “Limited Official Use” version of this
                  report.

                  Our fiscal year 1998 review of FMS’ general computer controls identified
                  serious new general control weaknesses in access controls, system
                  software, and application software development and change controls.



Access Controls   Access controls are designed to limit or detect access to computer
                  programs, data, equipment, and facilities to protect these resources from
                  unauthorized modification, disclosure, loss, or impairment. Such controls
                  include logical and physical security controls.

                  Logical security control measures involve the use of computer hardware
                  and security software programs to prevent or detect unauthorized access
                  by requiring users to input unique user identifications (ID), passwords, or
                  other identifiers that are linked to predetermined access privileges. Logical
                  security controls restrict the access of legitimate users to the specific



                  Page 7                                    GAO/AIMD-00-4 FMS Computer Controls
B-283555




systems, programs, and files they need to conduct their work and to
prevent unauthorized users from gaining access to computing resources.

Physical security controls include locks, guards, badges, alarms, and
similar measures (used alone or in combination) that help to safeguard
computer facilities and resources from intentional or unintentional loss or
impairment by limiting access to the buildings and rooms where they are
housed.

Our review of FMS’ access controls identified a number of weaknesses at
all of the sites we visited. These weaknesses, many of which were included
in our prior year report, included data centers that (1) had weak network
security configurations, (2) granted excessive and powerful systems
privileges to users who did not need such access, (3) did not manage the
administration of passwords and user IDs effectively, (4) were not applying
security system parameters so as to provide optimum security or
appropriate segregation of duties, and (5) were not adequately monitoring
and controlling access to multiple processing environments. For example:

• Messages and data sent and received by the mainframe applications
  through the network were not sufficiently controlled, increasing the risk
  that malicious users could gain unauthorized access to computer
  resources or disrupt operations.
• All users, including programmers and computer operators at one data
  center, had the capability to read sensitive production data, such as
  security-setting tables and tax payment information, increasing the risk
  that sensitive information may be disclosed to unauthorized individuals.
• Certain users had the unrestricted ability to transfer system files across
  the network, increasing the risk that unauthorized individuals could gain
  access to the sensitive data or programs.
• Security software system parameters were not set consistently at the
  data centers or at industry-recommended settings to provide a more
  secure environment, thereby significantly increasing the risk that
  unauthorized system functions could be executed without detection.
• The remote access to the multiple processing environments at two data
  centers was not sufficiently controlled, thereby providing inadequate
  protection from unauthorized access by intruders.

Due to the sensitive nature of the internal network control weaknesses we
identified, these issues are described in the separate “Limited Official Use”
report issued to you on August 31, 1999.




Page 8                                    GAO/AIMD-00-4 FMS Computer Controls
                         B-283555




                         In addition, physical security controls at four of the seven sites we visited
                         were not sufficient to control physical access to these centers. In
                         particular, as we also found in our prior year audit, production staff,
                         terminated employees, vendors, and other individuals without justified
                         business or job-related purposes had unrestricted access to computer
                         facilities, equipment, and tape libraries. In addition, we found at one of
                         these sites that controls and accountability over backup tape inventories
                         were not adequate.

                         The risks created by these access control weaknesses were heightened
                         because FMS was not adequately managing and monitoring user access
                         activities. Program managers and security personnel did not consistently
                         monitor and evaluate user access rights, security violations, and software
                         security settings at all seven sites visited. These access control weaknesses
                         also place FMS at risk that unauthorized activities, such as corruption of
                         financial data, disclosure of sensitive data, or introduction of malicious
                         programs or unauthorized modifications of software, will go undetected.


System Software          System software coordinates and helps control the input, processing,
                         output, and data storage associated with all of the applications that run on
                         a system. System software includes operating system software, system
                         utilities, program library systems, file maintenance software, security
                         software, data communications systems, and database management
                         systems. Controls over access to and modification of system software are
                         essential to protect the overall integrity and reliability of information
                         systems.

                         At several of the seven data centers visited, the software library listings did
                         not agree with the corresponding volume locations or indexes on the
                         systems or contained obsolete or unneeded library members. Such system
                         software control weaknesses increase the risk that standard security
                         software could be bypassed to obtain access to restricted system functions.
                         In addition, the use of such library members could cause unexpected
                         operating results.


Application Software     Controls over the design, development, and modification of application
Development and Change   software help to ensure that all programs and program modifications are
                         properly authorized, tested, and approved. Such controls also help prevent
Controls                 security features from being inadvertently or deliberately turned off and
                         processing irregularities or malicious code from being introduced.



                         Page 9                                     GAO/AIMD-00-4 FMS Computer Controls
                        B-283555




                        We found application software development and change control procedure
                        weaknesses at six of the seven FMS sites we visited. As we reported in the
                        prior year, a significant weakness at most of the sites we visited was that
                        policies and procedures over system design, development, and
                        modification were not established, were inadequate, or were simply not
                        being followed. Specifically,

                        • procedures for making changes to application and system software
                          were not always followed, such as (1) obtaining written authorizations
                          prior to making the changes, (2) developing written test plans,
                          (3) independent testing of changes, or (4) authorizing the migration of
                          application software changes from the test environment to production;
                        • programmers at one data center compile their own source code, which
                          was not independently recompiled to ensure that only authorized
                          changes made to programs were moved into production; and
                        • adequate documentation was not consistently maintained to provide
                          evidence of compliance with established application software
                          development and change control policies and procedures.

                        Without adequate control over application software development and
                        change control procedures, FMS runs a greater risk that software
                        supporting its operations will not (1) produce reliable data, (2) execute
                        transactions in accordance with applicable laws, regulations, and
                        management policies, or (3) effectively meet operational needs.



Segregation of Duties   Another key control for safeguarding programs and data is to ensure that
                        duties and responsibilities for authorizing, processing, recording, and
                        reviewing data, as well as initiating, modifying, migrating, and testing of
                        programs, are separated to reduce the risk that errors or fraud will occur
                        and go undetected. Duties that should be appropriately segregated include
                        applications and system programming and responsibilities for computer
                        operations, security, and quality assurance. Policies outlining the
                        supervision and assignment of responsibilities to groups and related
                        individuals should be documented, communicated, and enforced.

                        We found that the FMS data centers had taken actions to partially resolve
                        segregation of duty weaknesses we reported in the prior year. However, at
                        two of the seven sites visited, programmers continued to have access rights
                        to production data. Duties that are not appropriately segregated
                        significantly increase the risk that improper program changes could be




                        Page 10                                   GAO/AIMD-00-4 FMS Computer Controls
                     B-283555




                     made or computer data and systems resources could be altered, damaged,
                     or destroyed.


Service Continuity   An organization’s ability to accomplish its mission can be significantly
                     affected if it loses the ability to process, retrieve, and protect information
                     that is maintained electronically. For this reason, organizations should have
                     (1) established procedures for protecting information resources and
                     minimizing the risk of unplanned interruptions and (2) plans for recovering
                     critical operations should interruptions occur. A contingency or disaster
                     recovery plan specifies emergency response, backup operations, and
                     postdisaster recovery procedures to ensure the availability of critical
                     resources and facilitate the continuity of operations in an emergency
                     situation. It addresses how an organization will deal with a full range of
                     contingencies, from electrical power failures to catastrophic events, such
                     as earthquakes, floods, and fires. The plan also identifies essential business
                     functions and ranks resources in order of criticality. To be most effective, a
                     contingency plan should be periodically tested in disaster simulation
                     exercises and employees should be trained in and familiar with its use.

                     Because it is not cost-effective to provide the same level of continuity for
                     all operations, it is important that organizations analyze relevant data and
                     operations to determine which are the most critical and what resources are
                     needed to recover and support them. As discussed in our May 1998 best
                     practices guide, the criticality and sensitivity of various data and
                     operations should be determined and prioritized based on an overall risk
                     assessment of the entity’s operations. Factors to be considered include the
                     importance and sensitivity of the data and other organizational assets
                     handled or protected by the individual operations and the cost of not
                     restoring data or operations promptly.

                     In reviewing FMS’ service continuity controls, we found that our prior year
                     recommendations had been partially addressed. However, FMS’ newly
                     developed central service continuity plan did not prioritize the manner in
                     which key business processes should be brought up in the event of an
                     emergency. In addition, as we reported in the prior year, four of the seven
                     data centers visited had not developed and tested service continuity plans
                     covering all aspects of their mission-critical business functions.
                     Consequently, these FMS data centers are still at risk that in the event of an
                     emergency or disaster, data center personnel may not be prepared to
                     effectively prioritize recovery activities, integrate recovery steps in an
                     effective manner, or fully recover systems.



                     Page 11                                    GAO/AIMD-00-4 FMS Computer Controls
                         B-283555




FMFIA Reporting          FMFIA requires ongoing evaluations of the internal control and accounting
                         systems that protect federal programs against fraud, waste, abuse, and
                         mismanagement. It further requires that the heads of federal agencies
                         report annually to the President and the Congress on the condition of these
                         controls and systems and on their actions to correct the weaknesses
                         identified.

                         During the course of our work, we communicated our general computer
                         control findings to FMS management. As a result, FMS reported its general
                         computer control problems as a material weakness to the Department of
                         the Treasury. The Department of the Treasury reported in its fiscal year
                         1998 Accountability Report that FMS, along with other Treasury
                         components, had a material weakness in general computer controls
                         designed to safeguard data, protect computer application programs,
                         prevent system software from unauthorized access, and ensure continued
                         computer operations.



FMS’ Application         Application controls relate directly to the individual computer programs,
                         which are used to perform a certain type of work, such as generating
Controls Can Be          interest payments or recording transactions in a general ledger. In an
Strengthened             effective general control environment, application controls help to further
                         ensure that transactions are valid, properly authorized, and completely and
                         accurately processed and reported.


Authorization Controls   Like general access controls, authorization controls for specific
                         applications should be established to (1) ensure individual accountability
                         and proper segregation of duties, (2) ensure only authorized transactions
                         are entered into the application and processed by the computer, (3) limit
                         the processing privileges of individuals, and (4) prevent and detect
                         inappropriate or unauthorized activities.

                         Our review of FMS’ authorization controls found a number of weaknesses
                         over each of the six key financial applications we tested. These weaknesses
                         included

                         • incomplete, missing, or unapproved user application request forms;
                         • inappropriate access to application functions and privileges that were
                           not required by the users’ job responsibilities and that in some instances
                           also created an inadequate segregation of duties;



                         Page 12                                   GAO/AIMD-00-4 FMS Computer Controls
                        B-283555




                        • terminated or dormant user IDs were not adequately controlled;
                        • users sharing IDs or being assigned multiple IDs without a functional
                          requirement;
                        • security reports not being consistently monitored or followed up on; and
                        • application passwords not being properly managed.

                        The authorization control weaknesses described above increase the risk of
                        unauthorized activities such as inappropriate processing of transactions,
                        unauthorized access or disclosure of sensitive data, corruption of financial
                        data, or a disruption of operations not being prevented.


Accuracy Controls       The recording of valid and accurate data into application systems is
                        essential to an effective system that produces reliable results. Accuracy
                        controls include (1) well-designed data entry processes, (2) data validation
                        and editing to identify erroneous data, (3) reporting, investigating, and
                        correcting erroneous data, and (4) review and reconciliation of output.

                        We found one accuracy control weakness over one key FMS financial
                        application involving transmittal reports that did not reconcile to each
                        other and certain of those reports contained outdated and inaccurate data.
                        Reports that do not reflect valid and accurate data increase the risk that
                        unreliable financial results will be produced by the application.


Completeness Controls   Completeness controls are designed to ensure that all transactions are
                        processed and missing transactions are identified. Common completeness
                        controls include the use of record counts and control totals, computer
                        sequence checking, computer matching of transaction data with data in a
                        master or suspense file, and checking of reports for transaction data.

                        Our review of completeness controls over one key FMS financial
                        application found that there were no automated record counts and control
                        totals to ensure that data transferred from one application to another
                        application were complete.



FRB Computer            Our follow-up work found that the FRBs had corrected or mitigated the
                        risks associated with 14 of the 20 vulnerabilities that were identified in our
Controls Can Be         prior year report and that work is in progress to address the remaining
Improved                vulnerabilities. While we found that the FRBs had implemented effective




                        Page 13                                    GAO/AIMD-00-4 FMS Computer Controls
                  B-283555




                  general and application controls over key FMS systems that the FRBs
                  maintain and operate, our fiscal year 1998 audit procedures identified
                  certain new vulnerabilities in general controls that do not pose significant
                  risks to the FMS financial systems, but nonetheless warrant FRB
                  management’s attention and action. These include vulnerabilities in general
                  controls over (1) access to data, programs, and computing resources,
                  (2) system software, and (3) service continuity. We also found
                  vulnerabilities in authorization controls over two key FMS financial
                  applications and completeness controls over one key FMS financial
                  application. We are providing details of these matters in a separate report
                  to the Board of Governors of the Federal Reserve System along with our
                  recommendations for improvement. FRB management has informed us
                  that the FRBs have taken or plan to take corrective actions to address the
                  vulnerabilities we identified. We plan to follow up on these matters during
                  our audit of the U.S. government’s fiscal year 1999 financial statements.



Conclusion        FMS has not instituted the appropriate preventive measures through its
                  entitywide security planning and management program to further reduce
                  its exposure to the risks of inappropriate disclosure and modification of
                  sensitive information, misuse or damage of computer resources, and
                  disruption of critical operations. Also, the pervasiveness of the computer
                  control weaknesses—both old and new weaknesses—at FMS and its
                  contractor data centers place billions of dollars of payments and
                  collections at risk of fraud. The severity of these risks magnifies as FMS
                  expands its networked environment through the migration of its financial
                  applications from mainframes to distributed environments. Thus, as FMS
                  provides users greater and easier access to larger amounts of data and
                  system resources, well-designed and effective general and application
                  controls are essential if FMS’ operations and computer resources are to be
                  properly protected. It will take a significant and sustained commitment by
                  FMS’ management to fully address its serious computer control
                  weaknesses, including establishing an effective entitywide computer
                  security planning and management program.



Recommendations   In our August 31, 1999, “Limited Official Use” version of this report, we
                  reaffirmed our prior year recommendation that you direct the
                  Commissioner of the Financial Management Service, along with the
                  Assistant Commissioner for Information Resources, to establish an
                  effective entitywide security planning and management program.



                  Page 14                                   GAO/AIMD-00-4 FMS Computer Controls
                  B-283555




                  In addition, we recommended that you direct the Commissioner of the
                  Financial Management Service, along with the Assistant Commissioner for
                  Information Resources, to correct each individual weakness that we
                  identified and address each of the specific recommendations that were
                  summarized in that report.

                  Further, we recommended that you direct the Commissioner of the
                  Financial Management Service, along with the Assistant Commissioner for
                  Information Resources, to work with the FRBs to implement corrective
                  actions to resolve the computer control vulnerabilities related to FMS
                  systems supported by the FRBs that we identified and communicated to
                  the FRBs.



Agency Comments   In commenting on a draft of this report, FMS stated that it recognizes that
                  there continue to be serious weaknesses in computer controls. FMS stated
                  that actions are currently in progress for all of the outstanding weaknesses
                  and indicated that additional actions had been taken since the end of our
                  fieldwork to correct or mitigate many of the weaknesses identified in our
                  fiscal year 1997 audit. FMS has also stated that converting its payment
                  processing systems to newer systems would facilitate the implementation
                  of more effective controls in the future. As we discussed in our report, it is
                  important that FMS ensure that the computer controls over the new
                  operating systems are effectively implemented. We will follow up on these
                  matters during our audit of the federal government’s fiscal year 1999
                  financial statements. In addition to its written comments, the staff of FMS
                  provided technical comments, which have been incorporated as
                  appropriate.

                  We are sending copies of this report to Senator Robert C. Byrd, Senator Ben
                  Nighthorse Campbell, Senator Pete V. Domenici, Senator Byron L. Dorgan,
                  Senator Frank R. Lautenberg, Senator Joseph Lieberman, Senator Daniel
                  Patrick Moynihan, Senator William V. Roth, Jr., Senator Ted Stevens, and
                  Senator Fred Thompson, and to Representative Bill Archer, Representative
                  Dan Burton, Representative Stephen Horn, Representative Steny H. Hoyer,
                  Representative John R. Kasich, Representative Jim Kolbe, Representative
                  David R. Obey, Representative Charles B. Rangel, Representative John M.
                  Spratt, Jr., Representative Jim Turner, Representative C.W. Bill Young, and
                  Representative Henry A. Waxman in their capacities as Chairmen or
                  Ranking Minority Members of Senate or House Committees and
                  Subcommittees. We are also sending copies of this report to Mr. Richard L.
                  Gregg, Commissioner, Financial Management Service; the Honorable



                  Page 15                                    GAO/AIMD-00-4 FMS Computer Controls
B-283555




Jeffrey Rush, Jr., Inspector General, Department of the Treasury; the
Honorable Jacob Lew, Director, Office of Management and Budget; and
other agency officials. Copies will be made available to others upon
request.

If you have any questions regarding this report, please contact me at (202)
512-3406. Key contributors to this assignment were Paula M. Rascona,
Christine A. Robertson, and Gregory C. Wilshusen.

Sincerely yours,




Gary T. Engel
Associate Director
Governmentwide Accounting and
 Financial Management Issues




Page 16                                  GAO/AIMD-00-4 FMS Computer Controls
Page 17   GAO/AIMD-00-4 FMS Computer Controls
Appendix I

Scope and Methodology                                                                                      Appendx
                                                                                                                 Ii




             We used a risk-based and rotation approach for testing general and
             application controls. Under that methodology, every 3 years each data
             center and key application is subjected to a full-scope review that includes
             testing in all of the computer control areas defined in FISCAM. During the
             interim years, we focus our testing on the FISCAM areas that we have
             determined to be at greater risk for computer control weaknesses.

             The scope of our work for fiscal year 1998 included follow-up on
             weaknesses identified in our fiscal year 1997 audit and reviews at FMS data
             centers1 consisting of

             • a focused review at one of the FMS data centers of the three general
               controls areas intended to
               • ensure that an adequate computer security planning and
                  management program is in place;
               • protect data, files, and programs from unauthorized access,
                  modification, and destruction; and
               • limit and monitor access to programs and files that control computer
                  hardware and secure applications;
             • a focused review at another two of the FMS data centers of the two
               general controls areas intended to
               • protect data, files, and programs from unauthorized access,
                  modification, and destruction and
               • limit and monitor access to programs and files that control computer
                  hardware and secure applications; and
             • a focused review at a fourth FMS data center of the general controls
               intended to limit and monitor access to programs and files that control
               computer hardware and secure applications.

             We limited our work at another three FMS data centers to a follow-up
             review of the status of weaknesses identified in our fiscal year 1997 audit.

             To evaluate these general controls, we identified and reviewed FMS’
             information system general control policies and procedures, conducted
             tests and observed controls in operation, and held discussions with
             officials at selected FMS data centers to determine whether controls were
             in place, adequately designed, and operating effectively. We performed
             penetration testing at four FMS data centers. Our penetration testing was
             expanded this year to also include internal penetration testing procedures.


             1
                 The data centers we reviewed consisted of data centers at both FMS and its contractors.




             Page 18                                              GAO/AIMD-00-4 FMS Computer Controls
Appendix I
Scope and Methodology




Through our internal and external penetration testing, we attempted to
access sensitive data and programs. These attempts were performed with
the knowledge and cooperation of certain FMS officials.

We performed full-scope application controls reviews of five key FMS
applications to determine whether the applications are designed to ensure
that

• access privileges (1) establish individual accountability and proper
  segregation of duties, (2) limit the processing privileges of individuals,
  and (3) prevent and detect inappropriate or unauthorized activities;
• data are authorized, converted to an automated form, and entered into
  the application accurately, completely, and timely;
• data are properly processed by the computer and files are updated
  correctly;
• erroneous data are captured, reported, investigated, and corrected; and
• files and reports generated by the application represent transactions
  that actually occur and accurately reflect the results of processing, and
  reports are controlled and distributed to the authorized users.

The scope of our work over certain key modules of a sixth key FMS
application focused on the following two application control areas to
determine whether the applications are designed to ensure that

• access privileges (1) establish individual accountability and proper
  segregation of duties, (2) limit the processing privileges of individuals,
  and (3) prevent and detect inappropriate or unauthorized activities and
• data are authorized, converted to an automated form, and entered into
  the application accurately, completely, and timely.

Because the FRBs are integral to the operations of FMS, we followed up on
the status of the FRB’s corrective actions to address vulnerabilities
identified in our fiscal year 1997 audit. We assessed general controls over
FMS systems that the FRBs maintain and operate. We also evaluated
application controls over three key FMS financial applications maintained
and operated by the FRBs.

To assist in our evaluation and testing of computer controls, we contracted
with the independent public accounting firm PricewaterhouseCoopers LLP.
We determined the scope of our contractor’s audit work, monitored its
progress, and reviewed the related working papers to ensure that the
resulting findings were adequately supported.



Page 19                                   GAO/AIMD-00-4 FMS Computer Controls
                   Appendix I
                   Scope and Methodology




                   During the course of our work, we communicated our findings to FMS
                   management who informed us that the FMS has taken or plans to take
                   corrective actions to address the weaknesses we identified. We plan to
                   follow up on these matters during our audit of the U.S. government’s fiscal
                   year 1999 financial statements.

                   We performed our work from August 1998 through February 1999. Our
                   work was performed in accordance with generally accepted government
                   auditing standards.




(919391)   Leter   Page 20                                  GAO/AIMD-00-4 FMS Computer Controls
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested