Federal Reserve Banks

Areas for Improvement in Computer Controls

GAO ID: AIMD-00-218, July 7, 2000

As part of its audit of the U.S. government's fiscal year 1999 financial statements, GAO reviewed the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks on behalf of the Department of the Treasury's Financial Management Service (FMS) and the Bureau of the Public Debt (BPD). Overall, GAO found that the Federal Reserve Banks had implemented effective general and application controls. Vulnerabilities identified involved general and application computer controls that were not considered as having a significant adverse impact on key FMS and BPD systems, but nonetheless warrant action. These vulnerabilities relate to the entitywide security management program; access controls; system software; application software development and change controls; and, in one data center, segregation of duties. Although these vulnerabilities do not pose significant risks, corrective action would decrease the risk of inappropriate disclosure and modification of sensitive data, misuse of computer resources, or disruption of critical operations. The Federal Reserve Banks agreed with 17 of GAO's 22 findings, have corrected or are in the process of correcting those findings, and are studying the remaining five findings before undertaking corrective measures.

GAO noted that: (1) while GAO found that the FRBs had implemented effective general and application controls, GAO's fiscal year 1999 audit procedures identified certain general and application control vulnerabilities; (2) these vulnerabilities relate to: (a) the entitywide security management program at a data center; (b) the entitywide security management program, access controls, and system software at a second data center; (c) access controls at one FRB; (d) the entitywide security management program and access controls at a third data center; and (e) access controls, system software, application software development and change controls, and segregation of duties at a fourth data center; (3) GAO also identified vulnerabilities relating to authorization controls over two key applications; (4) GAO's follow-up on the status of the FRBs' corrective actions to address vulnerabilities identified in GAO's audits for fiscal years 1998 and 1997 found that the FRBs had corrected or mitigated the risks associated with 19 of the 30 general and application control vulnerabilities discussed in GAO's prior reports; (5) while these vulnerabilities do not pose significant risks to the Financial Management Service and Bureau of the Public Debt financial systems, they warrant FRB management's action to decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, or disruption of critical operations; (6) in commenting on a draft of this report and GAO's more detailed Limited Official Use report, the Board of Governors of the FRB informed GAO that it agreed with 17 of GAO's 22 findings and had corrected or was in the process of correcting those findings; and (7) further, the board stated that it is studying the remaining five findings before developing and implementing corrective actions.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.