Federal Reserve Banks: Areas for Improvement in Computer Controls

Published by the Government Accountability Office on 2003-03-14.

United States General Accounting Office
Washington, DC 20548



March 14, 2003

Louise L. Roseman, Director
Division of Reserve Bank Operations
  and Payment Systems
Board of Governors of the Federal
  Reserve System

Subject: Federal Reserve Banks: Areas for Improvement in Computer Controls

Dear Ms. Roseman:

In connection with fulfilling our requirement to audit the financial statements of the
U.S. government,[1] we audited and reported on the Schedules of Federal Debt
Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended
September 30, 2002 and 2001.[2] As part of these audits, we performed a review of the
general and application computer controls over key financial systems maintained and
operated by the Federal Reserve Banks (FRBs) on behalf of the Department of the
Treasury’s BPD.

Many of the FRBs perform fiscal agent services on behalf of the U.S. government,
including BPD. The debt-related services primarily consist of issuing, servicing, and
redeeming Treasury securities and processing secondary market securities transfers.
In fiscal year 2002, the FRBs issued about $3.7 trillion in federal debt securities to the
public, redeemed about $3.5 trillion of debt held by the public, and processed about
$139 billion in interest payments on debt held by the public. FRB data centers
maintain and operate key BPD financial applications and an array of financial and
information systems to process and reconcile monies disbursed and collected on
behalf of BPD.

We use a risk-based, rotation approach for testing general and application computer
controls. Each significant data center and key application is subjected every three
years to a full-scope review that includes testing in all the computer control areas
defined in our Federal Information System Controls Audit Manual.[3] Areas
considered to be of higher risk are subject to more frequent review. We performed
our work at certain FRBs from May 2002 through October 2002. Our work was
performed in accordance with U.S. generally accepted government auditing
standards. We requested comments on a draft of this report from the Board of
Governors of the Federal Reserve System. The comments are summarized later in
this report and are reprinted in the enclosure.

[1] 31 U.S.C. 331(e) (2000).
[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public Debt’s Fiscal Years 2002 and
2001 Schedules of Federal Debt, GAO-03-199 (Washington, D.C.: Nov. 1, 2002).
[3] U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999).

Page 1                                                 GAO-03-525R Computer Controls at FRBs

As noted above, our review addressed both general and application computer
controls. General computer controls are the structure, policies, and procedures that
apply to an entity’s overall computer operations. General computer controls establish
the environment in which application systems and controls operate. An effective
general control environment helps (1) ensure that an adequate entitywide program
for security management is in place, (2) protect data, files, and programs from
unauthorized access, modification, disclosure, and destruction, (3) limit and monitor
access to programs and files that control computer hardware and secure
applications, (4) prevent the introduction of unauthorized changes to systems and
applications software, (5) prevent any one individual from controlling key aspects of
computer-related operations, and (6) ensure the recovery of computer processing
operations in case of a disaster or other unexpected interruption. An effective
application control environment helps ensure that transactions performed by
individual computer programs are valid, properly authorized, and completely and
accurately processed and reported.

As we reported in connection with our audit of the Schedules of Federal Debt for the
fiscal years ended September 30, 2002 and 2001,[4] BPD maintained, in all material
respects, effective internal control, including general and application computer
controls, relevant to the Schedule of Federal Debt related to financial reporting and
compliance with applicable laws and regulations as of September 30, 2002. BPD’s
internal control provided reasonable assurance that misstatements, losses, or
noncompliance material in relation to the Schedule of Federal Debt for the fiscal year
ended September 30, 2002, would be prevented or detected on a timely basis. We
found matters involving computer controls that we do not consider to be reportable
conditions.[5]

Our follow-up on the status of the FRBs’ corrective actions to address unresolved
vulnerabilities identified in prior years’ audits found that the FRBs had taken
corrective action for five of the nine open recommendations discussed in our prior
report[6] and were in the process of addressing the remaining four. The remaining four
specific technical vulnerabilities relate to the areas of access controls at one data
center and access controls, system software, and service continuity at another data
center.

In a separately issued Limited Official Use Only report, we communicated detailed
information to FRB managers regarding our findings and recommendations that
address the four remaining vulnerabilities. None of our findings pose significant risks
to the BPD financial systems. Nevertheless, they warrant FRB managers’ action to
further limit the risk of inappropriate disclosure and modification of sensitive data
and programs, misuse of or damage to computer resources, and disruption of critical
operations.

[4] GAO-03-199.
[5] Reportable conditions are matters coming to our attention that, in our judgment, should be
communicated because they represent significant deficiencies in the design or operation of internal
control, which could adversely affect the organization’s ability to meet the objectives of reliable
financial reporting and compliance with applicable laws and regulations.
[6] U.S. General Accounting Office, Federal Reserve Banks: Areas for Improvement in Computer
Controls, GAO-02-1018R (Washington, D.C.: Aug. 29, 2002).

In commenting on a draft of this report, the Board of Governors of the Federal
Reserve System stated that overall it found the review helpful and that the
information in this report and the Limited Official Use Only report will assist the
FRBs in their ongoing efforts to enhance the integrity of their automated systems and
information security practices. The Board of Governors also stated that the four
vulnerabilities remaining as of September 30, 2002, have been or will be corrected
and pledged to monitor the status of uncorrected items.

We are sending copies of this report to the Chairmen and Ranking Minority Members
of the Senate Committee on Governmental Affairs; the Subcommittee on
Transportation, Treasury, and General Government, Senate Committee on
Appropriations; the House Committee on Government Reform; and the
Subcommittee on Transportation, Treasury, Postal Service, and General Government,
House Committee on Appropriations. We are also sending copies of this report to the
Chairman of the Board of Governors of the Federal Reserve System and the Director
of the Office of Management and Budget. Copies will also be made available to
others upon request. In addition, the report will be available at no charge on GAO’s
website at http://www.gao.gov.



If you have any questions regarding this report, please contact Louise DiBenedetto,
Assistant Director, at (202) 512-6921. Other key contributors to this assignment were
Gerald Barnes, Denise Fitzpatrick, Mickie Gray, David B. Hayes, and Ronald Parker.

Sincerely yours,




Gary T. Engel
Director
Financial Management and Assurance

Enclosure

Enclosure

Comments from the Board of Governors of the Federal Reserve System




(198177)
