Bureau of the Public Debt

Areas for Improvement in Computer Controls

GAO ID: AIMD-00-269, August 9, 2000

Although various management and reconciliation controls help the Bureau of the Public Debt detect potential irregularities or improprieties in its financial data or transactions, such controls do not prevent threats to its computer resources or operating environment from unintentional errors or omissions, or intentional modification, disclosure, or destruction of data and programs by disgruntled employees, intruders, or hackers. These vulnerabilities increase the risk of inappropriate disclosure and modification of sensitive data and programs, misuse or damage of computer resources, or disruption of critical operations. In its fiscal year 1999 audit, GAO identified general control vulnerabilities in the Bureau's entity-wide security management program, access controls, application software development and change controls, and service continuity. The Bureau told GAO that it had corrected or was correcting these vulnerabilities.

GAO noted that: (1) BPD's general and application controls combined with other management and manual reconciliation controls were effective in ensuring BPD's ability to report reliable financial information and data; (2) although various management and reconciliation controls help BPD detect potential irregularities or improprieties in its financial data or transactions, these types of compensating controls do not prevent certain threats to its computer resources or operating environment from unintentional errors or omissions, or intentional modification, disclosure, or destruction of data and programs by disgruntled employees, intruders, or hackers; (3) thus, the vulnerabilities increase the risks of inappropriate disclosure and modification of sensitive data and programs, misuse or damage of computer resources, or disruption of critical operations; (4) BPD informed GAO that it agreed with GAO's findings and that in most cases, it had subsequently corrected or was in the process of correcting vulnerabilities that GAO identified; (5) GAO's fiscal year 1999 audit procedures identified certain general control vulnerabilities in BPD's entitywide security management program, access controls, application software development and change controls, and service continuity; (6) GAO also identified vulnerabilities in the application controls over four key BPD financial applications maintained and operated at the BPD data center; (7) specifically, GAO identified vulnerabilities in the authorization controls over two of the four key BPD financial applications; (8) in addition, GAO identified completeness and accuracy control vulnerabilities over a third key BPD financial application and authorization and accuracy control vulnerabilities over a fourth key BPD financial application; (9) GAO's follow-up on the status of BPD's corrective actions to address vulnerabilities identified in GAO's fiscal years 1998 and 1997 audits found that BPD had corrected or mitigated the risks associated with 5 of the 17 general and application control vulnerabilities discussed in GAO's prior reports; and (10) additionally, BPD is in the process of addressing the remaining 12 general and application control vulnerabilities discussed in GAO's prior years' reports.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.