Financial Management Service

Areas for Improvement in Computer Controls

GAO ID: AIMD-99-10, October 20, 1998

General computer control weaknesses at the Financial Management Service (FMS)--the government's financial manager, central disburser, and collections agent--and its contractor data centers put its financial systems data at significant risk of unauthorized changes, disclosure, and loss. These weaknesses include (1) inappropriate access to computer programs, data, and equipment; (2) inadequate segregation of duties; (3) improper application software development and change control procedures; and (4) incomplete or untested service continuity and contingency plans. As a result, billions of dollars of payments and collections are vulnerable to fraud. FMS has corrected some of these weaknesses. However, it cannot guarantee that weaknesses will be detected and promptly corrected until it has an effective entitywide security management program.

GAO noted that: (1) general computer control weaknesses at FMS and its contractor data centers place the data maintained in its financial systems at significant risk of unauthorized modification, disclosure, loss, or impairment; (2) because of the large volume of transactions, the significance of the related amounts involved, and the number of weaknesses identified at the FMS data centers visited, GAO considers FMS' general computer control problems a material weakness; (3) the general control weaknesses GAO found included: (a) inappropriate access to computer programs, data, and equipment; (b) inadequate segregation of duties; (c) improper application software development and change control procedures; and (d) incomplete or untested service continuity and contingency plans; (4) general computer control weaknesses place billions of dollars of payments and collections at risk of fraud; (5) these weaknesses existed primarily because FMS does not have an effective entitywide computer security planning and management program to ensure that: (a) computer controls are working and are reliable; (b) established policies and procedures are followed; (c) identified deficiencies are timely corrected; and (d) errors or fraudulent transactions are timely detected; (6) FMS has already corrected some of the weaknesses that GAO identified; (7) although FMS management is continuing to correct weaknesses GAO identified, FMS cannot ensure on an ongoing basis that weaknesses will be timely detected and corrected until it has an effective entitywide security management program; and (8) such a program, if implemented effectively across the organization, would go a long way in helping FMS to identify and promptly address its computer control weaknesses.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.