Bureau of the Public Debt

Areas for Improvement in Computer Controls Gao ID: AIMD-99-242 August 6, 1999

A 1997 GAO audit cited several vulnerabilities in the Bureau of the Public Debt's computer systems. (See GAO/AIMD-99-2, Oct. 1998.) These systems, some of which are run by the Federal Reserve Banks, process investments in and redemptions of Treasury securities, generate interest payments, account for the resulting federal debt, and generate financial reports to the public and the federal government. This follow-up report found that the Bureau has addressed most of the vulnerabilities identified in the 1997 audit. However, the Bureau needs to take steps to reduce its risk from threats posed by unintentional errors or omissions or intentional modification, disclosure, or destruction of data and programs by disgruntled employees, intruders, or hackers. For fiscal year 1998, the Bureau has already taken steps to resolve the new vulnerabilities GAO identified, but additional actions are required to fully address the vulnerabilities discussed in this report.

GAO noted that: (1) GAO's followup on the status of BPD's corrective actions to address vulnerabilities identified in GAO's fiscal year (FY) 1997 audit found that BPD had corrected or mitigated the risks associated with 13 of the 21 general and application control vulnerabilities discussed in GAO's prior report; (2) GAO's FY 1998 audit procedures identified certain new general control vulnerabilities in access controls, system software controls, and application software development and change controls; (3) GAO also identified vulnerabilities in the controls for two key BPD financial applications maintained and operated at the BPD data center in Parkersburg, West Virginia, involving authorization, completeness, and accuracy controls; (4) overall, GAO found that BPD general and application controls combined with other management and manual reconciliation controls were effective in ensuring BPD's ability to report reliable financial information and data; (5) although various management and reconciliation controls help BPD detect potential irregularities or improprieties in its financial data or transactions, these types of compensating controls do not prevent certain threats to its computer resources and operating environment from unintentional errors or omissions or intentional modification, disclosure, or destruction of data and programs by disgruntled employees, intruders, or hackers; (6) thus, the vulnerabilities GAO noted increase the risks of inappropriate disclosure and modification of sensitive data and programs, misuse or damage of computer resources, or disruption of critical operations; and (7) BPD informed GAO that it agreed with GAO's findings and that in most cases, it had corrected or is in the process of correcting the vulnerabilities that GAO identified.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.