Bureau of Public Debt
Areas for Improvement in Computer Controls
GAO ID: GAO-02-1082R September 18, 2002
The Department of the Treasury is authorized by Congress to borrow money on the credit of the United States to fund operations of the federal government. Within Treasury, the Bureau of the Public Debt (BPD) is responsible for prescribing the debt instruments, limiting and restricting the amount and composition of the debt, paying interest to investors, and accounting for the resulting debt. BPD is also responsible for issuing Treasury securities to trust funds for trust fund receipts not needed for current benefits and expenses. In connection with fulfilling its requirement to audit the U.S. government's fiscal year 2001 financial statements, GAO reviewed the general and application computer controls over key financial systems maintained and operated by BPD. BPD maintained, in all material respects, effective internal control relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2001. BPD's internal control, which includes the general and application controls over key BPD systems relevant to the Schedule of Federal Debt, provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for fiscal year 2001 would be prevented or detected on a timely basis. A follow-up on the status of the BPD's corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 2000 found that the BPD had corrected or mitigated the risks associated with 8 of the 13 general and application control vulnerabilities discussed in a prior report and is in the process of addressing the remaining four. None of GAO's findings pose significant risks to BPD financial systems. Nevertheless, they warrant BPD managers' action to further decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, and disruption of critical operations.
This is the accessible text file for GAO report number GAO-02-1082R
entitled 'Bureau of the Public Debt: Areas for Improvement in Computer
Controls' which was released on September 18, 2002.
United States General Accounting Office:
Washington, DC 20548:
September 18, 2002:
The Honorable Van Zeck:
Commissioner:
Bureau of the Public Debt:
Subject: Bureau of the Public Debt: Areas for Improvement in Computer
Controls:
Dear Mr. Zeck:
In connection with fulfilling our requirement to audit the U.S.
government's fiscal year 2001 financial statements, [Footnote 1] we
reviewed the general and application computer controls over key
financial systems maintained and operated by the Department of the
Treasury's Bureau of the Public Debt (BPD). This report for public
release summarizes the results of our fiscal year 2001 work, including
our follow-up on previous years' recommendations.
The Department of the Treasury is authorized by Congress to borrow
money on the credit of the United States to fund operations of the
federal government. Within Treasury, BPD is responsible for prescribing
the debt instruments, limiting and restricting the amount and
composition of the debt, paying interest to investors, and accounting
for the resulting debt. BPD is also responsible for issuing Treasury
securities to trust funds for trust fund receipts not needed for
current benefits and expenses.
We used a risk-based and rotation approach for testing general and
application controls. Under that methodology, every 3 years the data
center and all key applications are subjected to a full-scope review,
which includes testing in all the computer control areas defined in the
Federal Information System Controls Audit Manual. [Footnote 2] The
scope of our work for fiscal year 2001 was to follow up on
vulnerabilities identified in our prior years' reports and to perform a
full-scope review of BPD's entitywide computer control security
program, access controls, application software development and change
controls, systems software, segregation of duties, and service
continuity. We also performed full-scope application controls reviews
over two key applications and limited-scope reviews of another four key
applications. We performed our work at the BPD data center from
September 2001 through January 2002. Our work was performed in
accordance with U.S. generally accepted government auditing standards.
We requested comments on a draft of this report from the Commissioner
of BPD. The comments are summarized later in this report.
As noted above, our review addressed both general and application
controls. An effective general control environment (1) protects data,
files, and programs from unauthorized access, modification, and
destruction; (2) limits and monitors access to programs and files that
control computer hardware and secure applications; (3) prevents the
introduction of unauthorized changes to systems and applications
software; (4) prevents any one individual from controlling key aspects
of computer-related operations; and (5) ensures the recovery of
computer processing operations in case of disaster or other unexpected
interruption. An effective application control environment helps ensure
that transactions performed by individual computer programs are valid,
properly authorized, and completely and accurately processed and
reported.
As we reported in connection with our audit of the Schedules of Federal
Debt for the fiscal years ended September 30, 2001, and 2000, [Footnote
3] BPD maintained, in all material respects, effective internal control
relevant to the Schedule of Federal Debt related to financial reporting
and compliance with applicable laws and regulations as of September 30,
2001. BPD's internal control, which includes the general and
application controls over key BPD systems relevant to the Schedule of
Federal Debt, provided reasonable assurance that misstatement, losses,
or noncompliance material in relation to the Schedule of Federal Debt
for the fiscal year ended September 30, 2001, would be prevented or
detected on a timely basis.
Our follow-up on the status of BPD's corrective actions to address
vulnerabilities identified in our fiscal years 1997 through 2000 audits
found that BPD had corrected or mitigated the risks associated with 8
of the 13 general and application control vulnerabilities discussed in
our prior reports and is in the process of addressing the remaining 5.
We identified opportunities to strengthen general and application
controls. In a separately issued Limited Official Use Only report, we
communicated detailed information regarding our findings to BPD
managers and made 18 recommendations to strengthen certain general
computer controls in the areas of access, system software, application
software development and change controls, and service continuity and to
improve application-specific accuracy and authorization controls. None
of the vulnerabilities we found pose significant risks to BPD financial
systems. Nevertheless, they warrant BPD managers' action to further
decrease the risk of inappropriate disclosure and modification of
sensitive data and programs, misuse of or damage to computer
resources, and disruption of critical operations.
In commenting on a draft of this report, the BPD Commissioner generally
agreed with our findings. He stated that in many cases, BPD had already
corrected or has plans to correct the identified problems.
We are sending copies of this report to the Chairman and Ranking
Minority Member of the Senate Committee on Governmental Affairs;
Subcommittee on Treasury and General Government, Senate Committee on
Appropriations; House Committee on Government Reform; and Subcommittee
on Treasury, Postal Service, and General Government, House Committee on
Appropriations. We are also sending copies of this report to the
Department of the Treasury, the Inspector General of the Department of
the Treasury, and the Director of the Office of Management and Budget.
Copies will also be made available to others upon request and are
available at no charge on GAO's Web site at http://www.gao.gov.
If you have any questions regarding this report, please contact Paula
M. Rascona, Assistant Director, at (202) 512-9816. Other key
contributors to this assignment were Louise DiBenedetto, David B.
Hayes, Greg Wilshusen, and Mickie Gray.
Sincerely yours,
Signed by:
Gary T. Engel:
Director:
Financial Management and Assurance:
[End of correspondence]
Footnotes:
[1] 31 U.S.C. 331(e) (2000).
[2] U.S. General Accounting Office, Federal Information System Controls
Audit Manual, Volume I: Financial Statement Audits, GAO/AIMD-12.19.6
(Washington, D.C.: June 2001).
[3] U.S. General Accounting Office, Financial Audit: Bureau of the
Public Debt's Fiscal Years 2001 and 2000 Schedules of Federal Debt,
GAO-02-354 (Washington, D.C.: February 15, 2002).