United States General Accounting Office
Washington, DC 20548

May 1, 2003

The Honorable Van Zeck
Commissioner
Bureau of the Public Debt

Subject: Bureau of the Public Debt: Areas for Improvement in Computer Controls

Dear Mr. Zeck:

In connection with fulfilling our requirement to audit the financial statements of the U.S. government,[1] we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2002 and 2001.[2] As part of these audits, we performed a review of the general and application computer controls over key BPD financial systems.

The Department of the Treasury is authorized by Congress to borrow money on the credit of the United States to fund federal operations. Treasury is responsible for prescribing the debt instruments and otherwise limiting and restricting the amount and composition of the debt. BPD is responsible for issuing and redeeming debt instruments, paying interest to investors, and accounting for the resulting debt. In addition, BPD has been given the responsibility for issuing Treasury securities to trust funds for trust fund receipts not needed for current benefits and expenses.

We use a risk-based, rotation approach for testing general and application computer controls. The data center and each key application is subjected every 3 years to a full-scope review that includes testing in all of the computer control areas defined in the Federal Information System Controls Audit Manual.[3] Areas considered to be of higher risk are subject to more frequent review. We performed our work at the BPD data center from April 2002 through October 2002. Our work was performed in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Commissioner of the Bureau of the Public Debt. The comments are summarized later in this report.

As noted above, our review addressed both general and application computer controls. General computer controls are the structure, policies, and procedures that apply to an entity’s overall computer operations. General computer controls establish the environment in which application systems and controls operate. An effective general control environment helps (1) ensure that an adequate entitywide security management program is in place, (2) protect data, files, and programs from unauthorized access, modification, disclosure, and destruction, (3) limit and monitor access to programs and files that control computer hardware and secure applications, (4) prevent the introduction of unauthorized changes to systems and applications software, (5) prevent any one individual from controlling key aspects of computer-related operations, and (6) ensure the recovery of computer processing operations in case of a disaster or other unexpected interruption. An effective application control environment helps ensure that transactions performed by individual computer programs are valid, properly authorized, and completely and accurately processed and reported.

As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2002 and 2001,[4] BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2002. BPD’s internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2002, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions.[5]

Our follow-up on the status of BPD’s corrective actions to address 14 of the 17 open general and application control recommendations identified in prior years’ audits for which actions were not complete as of September 30, 2001, found the following:

• As of September 30, 2002, corrective action on 12 recommendations had been completed.
• For 2 of the recommendations, corrective action for 1 was in progress as of September 30, 2002, and for the other, corrective action was taken subsequent to that date.

The 3 remaining open recommendations relating to access controls are now encompassed in our fiscal year 2002 recommendations.

Our fiscal year 2002 audit procedures identified opportunities to strengthen the security of BPD’s computer systems that support key automated financial systems relevant to BPD’s Schedule of Federal Debt. In a separately issued Limited Official Use Only report, we communicated detailed information regarding our fiscal year 2002 findings to BPD managers and made 10 recommendations to strengthen certain general computer controls in the areas of access and system software, many of which BPD has begun to address. In addition, we reaffirmed our prior years’ recommendation related to service continuity.

None of our findings pose significant risks to BPD financial systems. In forming our conclusions, we considered the mitigating effects of physical security measures, a program of monitoring user and system activity, and management and reconciliation controls that are designed to detect potential irregularities or improprieties in financial data or transactions. Nevertheless, these findings warrant BPD managers’ action to further limit the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, or disruption of critical operations.

BPD’s comments on a draft of this report are consistent with its prior comments on the separately issued Limited Official Use Only version. In those comments, the Commissioner of the Bureau of the Public Debt stated that 7 of the 10 recommendations have been completely resolved and 1 of the remaining improvements[6] will be completed by the end of March 2003. BPD also stated it intends to resolve the remaining issues by the end of this year. We plan to follow up on these matters during our audit of the fiscal year 2003 Schedule of Federal Debt.

We are sending copies of this report to the Chairmen and Ranking Minority Members of the Senate Committee on Governmental Affairs; the Subcommittee on Transportation, Treasury and General Government, Senate Committee on Appropriations; the House Committee on Government Reform; the Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform; and the Subcommittee on Transportation, Treasury and Independent Agencies, House Committee on Appropriations. We are also sending copies of this report to the Secretary of the Department of the Treasury, the Inspector General of the Department of the Treasury, and the Director of the Office of Management and Budget. Copies will also be made available to others upon request. In addition, the report will be available at no charge on GAO’s Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise DiBenedetto, Assistant Director, at (202) 512-6921. Other key contributors to this assignment were Mickie Gray, David Hayes, and Ronald Parker.

Sincerely yours,

Gary T. Engel
Director
Financial Management and Assurance

(198176)

Footnotes

[1] 31 U.S.C. 331(e) (2000).
[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public Debt’s Fiscal Years 2002 and 2001 Schedules of Federal Debt, GAO-03-199 (Washington, D.C.: Nov. 1, 2002).
[3] U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).
[4] GAO-03-199.
[5] Reportable conditions are matters coming to our attention that, in our judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization’s ability to meet the objectives of reliable financial reporting and compliance with applicable laws and regulations.
[6] According to a BPD official, this improvement was completed as of March 31, 2003.

Page 1 GAO-03-524R Computer Controls at BPD
Published by the Government Accountability Office on 2003-05-01.