Bureau of the Public Debt: Areas for Improvement in Computer Controls

Published by the Government Accountability Office on 2003-05-01.

United States General Accounting Office
Washington, DC 20548

          May 1, 2003

          The Honorable Van Zeck
          Commissioner
          Bureau of the Public Debt

          Subject: Bureau of the Public Debt: Areas for Improvement in Computer Controls

          Dear Mr. Zeck:

          In connection with fulfilling our requirement to audit the financial statements of the
          U.S. government,[1] we audited and reported on the Schedules of Federal Debt
          Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended
          September 30, 2002 and 2001.[2] As part of these audits, we performed a review of the
          general and application computer controls over key BPD financial systems.

          The Department of the Treasury is authorized by Congress to borrow money on the
          credit of the United States to fund federal operations. Treasury is responsible for
          prescribing the debt instruments and otherwise limiting and restricting the amount
          and composition of the debt. BPD is responsible for issuing and redeeming debt
          instruments, paying interest to investors, and accounting for the resulting debt. In
          addition, BPD has been given the responsibility for issuing Treasury securities to
          trust funds for trust fund receipts not needed for current benefits and expenses.

          We use a risk-based, rotation approach for testing general and application computer
          controls. The data center and each key application is subjected every 3 years to a
          full-scope review that includes testing in all of the computer control areas defined in
          the Federal Information System Controls Audit Manual.[3] Areas considered to be of
          higher risk are subject to more frequent review. We performed our work at the BPD
          data center from April 2002 through October 2002. Our work was performed in
          accordance with U.S. generally accepted government auditing standards. We
          requested comments on a draft of this report from the Commissioner of the Bureau of
          the Public Debt. The comments are summarized later in this report.

          [1] 31 U.S.C. 331(e) (2000).
          [2] U.S. General Accounting Office, Financial Audit: Bureau of the Public Debt’s Fiscal Years 2002 and
          2001 Schedules of Federal Debt, GAO-03-199 (Washington, D.C.: Nov. 1, 2002).
          [3] U.S. General Accounting Office, Federal Information System Controls Audit Manual,
          GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

          Page 1                                                     GAO-03-524R Computer Controls at BPD

As noted above, our review addressed both general and application computer
controls. General computer controls are the structure, policies, and procedures that
apply to an entity’s overall computer operations. General computer controls
establish the environment in which application systems and controls operate. An
effective general control environment helps (1) ensure that an adequate entitywide
security management program is in place, (2) protect data, files, and programs from
unauthorized access, modification, disclosure, and destruction, (3) limit and monitor
access to programs and files that control computer hardware and secure
applications, (4) prevent the introduction of unauthorized changes to systems and
applications software, (5) prevent any one individual from controlling key aspects of
computer-related operations, and (6) ensure the recovery of computer processing
operations in case of a disaster or other unexpected interruption. An effective
application control environment helps ensure that transactions performed by
individual computer programs are valid, properly authorized, and completely and
accurately processed and reported.

As we reported in connection with our audit of the Schedules of Federal Debt for the
fiscal years ended September 30, 2002 and 2001,[4] BPD maintained, in all material
respects, effective internal control, including general and application computer
controls, relevant to the Schedule of Federal Debt related to financial reporting and
compliance with applicable laws and regulations as of September 30, 2002. BPD’s
internal control provided reasonable assurance that misstatements, losses, or
noncompliance material in relation to the Schedule of Federal Debt for the fiscal year
ended September 30, 2002, would be prevented or detected on a timely basis. We
found matters involving computer controls that we do not consider to be reportable
conditions.[5]

Our follow-up on the status of BPD’s corrective actions to address 14 of the 17 open
general and application control recommendations identified in prior years’ audits for
which actions were not complete as of September 30, 2001, found the following:

•   As of September 30, 2002, corrective action on 12 recommendations had been
    completed.
•   For 2 of the recommendations, corrective action for 1 was in progress as of
    September 30, 2002, and for the other, corrective action was taken subsequent to
    that date.

The 3 remaining open recommendations relating to access controls are now
encompassed in our fiscal year 2002 recommendations.

[4] GAO-03-199.
[5] Reportable conditions are matters coming to our attention that, in our judgment, should be
communicated because they represent significant deficiencies in the design or operation of internal
control, which could adversely affect the organization’s ability to meet the objectives of reliable
financial reporting and compliance with applicable laws and regulations.

Our fiscal year 2002 audit procedures identified opportunities to strengthen the
security of BPD’s computer systems that support key automated financial systems
relevant to BPD’s Schedule of Federal Debt. In a separately issued Limited Official
Use Only report, we communicated detailed information regarding our fiscal year
2002 findings to BPD managers and made 10 recommendations to strengthen certain
general computer controls in the areas of access and system software, many of which
BPD has begun to address. In addition, we reaffirmed our prior years’
recommendation related to service continuity.

None of our findings pose significant risks to BPD financial systems. In forming our
conclusions, we considered the mitigating effects of physical security measures, a
program of monitoring user and system activity, and management and reconciliation
controls that are designed to detect potential irregularities or improprieties in
financial data or transactions. Nevertheless, these findings warrant BPD managers’
action to further limit the risk of inappropriate disclosure and modification of
sensitive data and programs, misuse of or damage to computer resources, or
disruption of critical operations.

BPD’s comments on a draft of this report are consistent with its prior comments on
the separately issued Limited Official Use Only version. In those comments, the
Commissioner of the Bureau of the Public Debt stated that 7 of the 10
recommendations have been completely resolved and 1 of the remaining
improvements will be completed by the end of March 2003.[6] BPD also stated it
intends to resolve the remaining issues by the end of this year. We plan to follow up
on these matters during our audit of the fiscal year 2003 Schedule of Federal Debt.

We are sending copies of this report to the Chairmen and Ranking Minority Members
of the Senate Committee on Governmental Affairs; the Subcommittee on
Transportation, Treasury and General Government, Senate Committee on
Appropriations; the House Committee on Government Reform; the Subcommittee on
Government Efficiency and Financial Management, House Committee on
Government Reform; and the Subcommittee on Transportation, Treasury and
Independent Agencies, House Committee on Appropriations. We are also sending
copies of this report to the Secretary of the Department of the Treasury, the Inspector
General of the Department of the Treasury, and the Director of the Office of
Management and Budget. Copies will also be made available to others upon request.
In addition, the report will be available at no charge on GAO’s Web site at
http://www.gao.gov.

If you have any questions regarding this report, please contact Louise DiBenedetto,
Assistant Director, at (202) 512-6921. Other key contributors to this assignment were
Mickie Gray, David Hayes, and Ronald Parker.

Sincerely yours,



Gary T. Engel
Director
Financial Management and Assurance

(198176)




[6] According to a BPD official, this improvement was completed as of March 31, 2003.