Federal Reserve Banks
Areas for Improvement in Computer Controls
Gao ID: GAO-02-1018R August 29, 2002
As part of its requirement to audit the U.S. government's fiscal year 2001 financial statements, GAO reviewed the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's Bureau of the Public Debt (BPD). GAO found that the 12 FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. Five FRB data centers maintain and operate key BPD financial applications relevant to the Schedule of Federal Debt. BPD maintained, in all material respects, effective internal control relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2001. BPD's internal control, which includes the general and application controls implemented by the FRBs over key BPD systems relevant to the Schedule of Federal Debt, provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for fiscal year 2001 would be prevented or detected on a timely basis. A follow-up on the status of the FRB's corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 2000 found that the FRBs had corrected or mitigated the risks associated with 25 of the 29 general and application control vulnerabilities discussed in a prior report and are in the process of addressing the remaining four. None of GAO's findings pose significant risks to BPD financial systems. Nevertheless, they warrant FRB managers' action to further decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, and disruption of critical operations.
GAO-02-1018R, Federal Reserve Banks: Areas for Improvement in Computer Controls
This is the accessible text file for GAO report number GAO-02-1018R
entitled 'Federal Reserve Banks: Areas for Improvement in Computer
Controls' which was released on August 29, 2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States General Accounting Office:
Washington, DC 20548:
August 29, 2002:
Louise L. Roseman, Director:
Division of Reserve Bank Operations and Payment Systems:
Board of Governors of the Federal Reserve System:
Subject: Federal Reserve Banks: Areas for Improvement in Computer
Controls:
Dear Ms. Roseman:
In connection with fulfilling our requirement to audit the U.S.
government‘s fiscal year 2001 financial statements, we reviewed the
general and application computer controls over key financial systems
maintained and operated by the Federal Reserve Banks (FRB) on behalf of
the Department of the Treasury‘s Bureau of the Public Debt (BPD).
[Footnote 1] This report for public release summarizes the results of
our fiscal year 2001 work, including our follow-up on previous years‘
recommendations.
The 12 FRBs perform fiscal agent services on behalf of the U.S.
government, including BPD. The debt-related services primarily consist
of issuing, servicing, and redeeming Treasury securities and processing
secondary market securities transfers. Five FRB data centers maintain
and operate key BPD financial applications relevant to the Schedule of
Federal Debt.
We used a risk-based and rotation approach for testing general and
application controls. Under that methodology, every 3 years each
significant data center and each key application is subjected to a full-
scope review, which includes testing in all the computer control areas
defined in the Federal Information System Controls Audit Manual
(FISCAM). [Footnote 2] In the interim years, we focus our testing on
selected control areas defined in FISCAM. We performed our work at the
FRBs from September 2001 through January 2002. Our work was performed
in accordance with U.S. generally accepted government auditing
standards. We requested comments on a draft of this report from the
Board of Governors of the Federal Reserve System. The comments are
discussed later in this report and are reprinted in the enclosure.
As noted above, our review addressed both general and application
controls. An effective general control environment (1) protects data,
files, and programs from unauthorized access, modification, and
destruction, (2) limits and monitors access to programs and files that
control computer hardware and secure applications; (3) prevents the
introduction of unauthorized changes to systems and applications
software, (4) prevents any one individual from controlling key aspects
of computer-related operations, and (5) ensures the recovery of
computer processing operations in case of disaster or other unexpected
interruption. An effective application control environment helps ensure
that transactions performed by individual computer programs are valid,
properly authorized, and completely and accurately processed and
reported.
As we reported in connection with our audit of the Schedules of Federal
Debt for the fiscal years ended September 30, 2001 and 2000, [Footnote
3] BPD maintained, in all material respects, effective internal control
relevant to the Schedule of Federal Debt related to financial reporting
and compliance with applicable laws and regulations as of September 30,
2001. BPD‘s internal control, which includes the general and
application controls implemented by the FRBs over key BPD systems
relevant to the Schedule of Federal Debt, provided reasonable assurance
that misstatements, losses, or noncompliance material in relation to
the Schedule of Federal Debt for the fiscal year ended September 30,
2001, would be prevented or detected on a timely basis.
Our follow-up on the status of the FRBs‘ corrective actions to address
vulnerabilities identified in our audit for fiscal year 2000 found that
the FRBs had corrected or mitigated the risks associated with 25 of the
29 general and application control vulnerabilities discussed in our
prior report [Footnote 4] and are in the process of addressing the
remaining 4.
In a separately issued Limited Official Use Only report, we
communicated detailed information regarding our findings to FRB
managers and made 9 recommendations to improve certain computer
controls in the areas of access, system software, and service
continuity. None of our findings pose significant risks to BPD financial
systems. Nevertheless, they warrant FRB managers‘ action to further
decrease the risk of inappropriate disclosure and modification of
sensitive data and programs, misuse of or damage to computer resources,
and disruption of critical operations.
In commenting on a draft of this report, the Board of Governors of the
Federal Reserve System stated that overall it found the review helpful
and that the information in the report will assist the Federal Reserve
System in its ongoing efforts to enhance the integrity of its automated
systems and information security practices. The board agreed with our
assessment that FRBs have implemented effective computer controls and
that while the vulnerabilities identified do not pose significant risks
to Treasury‘s financial systems, they warrant FRB management‘s
attention. The board stated that it has corrected or will correct all
the vulnerabilities we identified.
We will follow up on these matters during our audit of the federal
government‘s 2002 financial statements.
We are sending copies of this report to the Chairman and Ranking
Minority Member of the Senate Committee on Governmental Affairs;
Subcommittee on Treasury and General Government, Senate Committee on
Appropriations; House Committee on Government Reform; and Subcommittee
on Treasury, Postal Service, and General Government, House Committee on
Appropriations. We are also sending copies of this report to the
Chairman of the Board of Governors of the Federal Reserve System and
the Director of the Office of Management and Budget. Copies will also
be made available to others upon request. In addition, the report will
be available at no charge on GAO‘s Web site at [hyperlink,
http://www.gao.gov].
If you have any questions regarding this report, please contact Paula
M. Rascona, Assistant Director, at (202) 512-9816. Other key
contributors to this assignment were Louise DiBenedetto, David B.
Hayes, Greg Wilshusen, and Mickie Gray.
Sincerely yours,
Signed by:
Gary T. Engel:
Director:
Financial Management and Assurance:
[End of correspondence]
Enclosure:
Comments from the Board of Governors of the Federal Reserve System:
Board Of Governors Of The Federal Reserve System:
Louise L. Roseman:
Director, Division Of Reserve Bank Operations And Payment Systems:
Washington, D.C. 20551:
July 18, 2002:
Mr. Gary T. Engel:
Director:
Financial Management and Assurance:
United States General Accounting Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Engel:
We appreciate the opportunity to comment on the General Accounting
Office's draft report assessing the Federal Reserve Banks' information
security associated with the applications that support their role as
fiscal agents of the United States. The GAO's review was performed as
part of the audit of the U.S. government's fiscal year 2001 financial
statements.
Overall, we found the review and report helpful. The report provides
information that will assist the Federal Reserve System in its ongoing
efforts to enhance the integrity of its automated systems and
information security practices. The Federal Reserve shares lessons
learned from this review and its internal reviews with appropriate
Federal Reserve staff to improve controls, processes and internal audit
procedures more broadly within the System.
We agree with GAO's assessment that the Federal Reserve has implemented
effective controls over these applications. We also agree with the
GAO's assessment that while the vulnerabilities identified in the
report do not pose significant risks to the Treasury's financial
systems, they still warrant management's attention. Of the nine
vulnerabilities in the report that require attention, we have corrected
or will correct all of them. Federal Reserve Board staff will monitor
the status of uncorrected items. Internal auditors at the Reserve Banks
will confirm all corrective measures taken.
Sincerely,
Signed by:
Louise L. Roseman:
[End of enclosure]
Footnotes:
[1] 31 U.S.C. 331(e) (2000).
[2] U.S. General Accounting Office, Federal Information System Controls
Audit Manual, Volume I: Financial Statement Audits, GAO/AIMD-12.19.6
(Washington, D.C.: Jan. 1999).
[3] U.S. General Accounting Office, Financial Audit: Bureau of the
Public Debt‘s Fiscal Years 2001 and 2000 Schedules of Federal Debt, GAO-
02-354 (Washington, D.C.: Feb. 15, 2002).
[4] U.S. General Accounting Office, Federal Reserve Banks: Areas for
Improvement in Computer Controls, GAO-02-266R (Washington, D.C.: Dec.
2001).
[End of section]
GAO‘s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO‘s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO‘s Web site [hyperlink,
http://www.gao.gov] contains abstracts and fulltext files of current
reports and testimony and an expanding archive of older products. The
Web site features a search engine to help you locate documents using
key words and phrases. You can print these documents in their entirety,
including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as ’Today‘s Reports,“ on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
[hyperlink, http://www.gao.gov] and select ’Subscribe to daily E-mail
alert for newly released products“ under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov:
(202) 512-4800:
U.S. General Accounting Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: