Federal Reserve Banks

Areas for Improvement in Computer Controls

GAO ID: AIMD-99-280, September 15, 1999

This report follows up on efforts by the Federal Reserve Banks to address vulnerabilities that GAO cited in a fiscal year 1997 audit. (See GAO/AIMD-99-6, Oct. 1998.) GAO also discusses the effectiveness of general and application controls that support key automated financial systems at the Treasury's Financial Management Service and the Bureau of the Public Debt--systems that are run by the Federal Reserve Banks. Overall, GAO found that the Federal Reserve Banks had implemented effective general and application controls. However, GAO identified vulnerabilities involving general and application computer controls--shortcomings that, although not having a significant adverse impact on key systems at the Financial Management Service and the Bureau of the Public Debt, did warrant attention and action from the Federal Reserve Banks.

GAO noted that:

(1) GAO's follow-up on the status of the FRBs' corrective actions to address vulnerabilities in GAO's FY 1997 audit found that the FRBs had corrected or mitigated the risks associated with 14 of the 20 general and application control vulnerabilities discussed in GAO's prior report that related to the FRBs visited during its FY 1998 testing;

(2) while GAO found that the FRBs had implemented effective general and application controls, the FY 1998 audit procedures identified certain new general control vulnerabilities;

(3) these vulnerabilities related to access controls at one of the FRB data centers and access controls, system software, and service continuity at another FRB data center;

(4) at a third FRB data center, GAO found vulnerabilities in access controls, application software development and change controls, segregation of duties, service continuity, and the entitywide security planning and management program;

(5) GAO identified vulnerabilities in the authorization controls over one key application and vulnerabilities in the authorization and completeness controls over another key application maintained for FMS and BPD;

(6) GAO identified vulnerabilities in authorization controls over a third key application maintained for FMS; and

(7) while these vulnerabilities do not pose significant risks to the FMS and BPD financial systems, they warrant FRB management's attention and action to decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse or damage to computer resources, or disruption of critical operations.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.