Bureau of the Public Debt
Areas for Improvement in Computer Controls
GAO ID: GAO-03-524R, May 1, 2003
In connection with fulfilling the requirement to audit the financial statements of the U.S. government, GAO audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2002 and 2001. As part of these audits, GAO performed a review of the general and application computer controls over key BPD financial systems.
As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2002 and 2001, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2002. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2002, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions.
Our follow-up on the status of BPD's corrective actions to address 14 of the 17 open general and application control recommendations identified in prior years' audits for which actions were not complete as of September 30, 2001, found the following:
As of September 30, 2002, corrective action on 12 recommendations had been completed.
For 2 of the recommendations, corrective action for 1 was in progress as of September 30, 2002, and for the other, corrective action was taken subsequent to that date.
The 3 remaining open recommendations relating to access controls are now encompassed in our fiscal year 2002 recommendations.
This is the accessible text file for GAO report number GAO-03-524R
entitled 'Bureau of the Public Debt: Areas for Improvement in Computer
Controls' which was released on May 01, 2003.
May 1, 2003
The Honorable Van Zeck
Commissioner
Bureau of the Public Debt
Subject: Bureau of the Public Debt: Areas for Improvement in Computer
Controls
Dear Mr. Zeck:
In connection with fulfilling our requirement to audit the financial
statements of the U.S. government,[Footnote 1] we audited and reported
on the Schedules of Federal Debt Managed by the Bureau of the Public
Debt (BPD) for the fiscal years ended September 30, 2002 and
2001.[Footnote 2] As part of these audits, we performed a review of the
general and application computer controls over key BPD financial
systems.
The Department of the Treasury is authorized by Congress to borrow
money on the credit of the United States to fund federal operations.
Treasury is responsible for prescribing the debt instruments and
otherwise limiting and restricting the amount and composition of the
debt. BPD is responsible for issuing and redeeming debt instruments,
paying interest to investors, and accounting for the resulting debt. In
addition, BPD has been given the responsibility for issuing Treasury
securities to trust funds for trust fund receipts not needed for
current benefits and expenses.
We use a risk-based, rotation approach for testing general and
application computer controls. The data center and each key application
are subjected every 3 years to a full-scope review that includes testing
in all of the computer control areas defined in the Federal Information
System Controls Audit Manual.[Footnote 3] Areas considered to be of
higher risk are subject to more frequent review. We performed our work
at the BPD data center from April 2002 through October 2002. Our work
was performed in accordance with U.S. generally accepted government
auditing standards. We requested comments on a draft of this report
from the Commissioner of the Bureau of the Public Debt. The comments
are summarized later in this report.
As noted above, our review addressed both general and application
computer controls. General computer controls are the structure,
policies, and procedures that apply to an entity's overall computer
operations. General computer controls establish the environment in
which application systems and controls operate. An effective general
control environment helps (1) ensure that an adequate entitywide
security management program is in place, (2) protect data, files, and
programs from unauthorized access, modification, disclosure, and
destruction, (3) limit and monitor access to programs and files that
control computer hardware and secure applications, (4) prevent the
introduction of unauthorized changes to systems and applications
software, (5) prevent any one individual from controlling key aspects
of computer-related operations, and (6) ensure the recovery of computer
processing operations in case of a disaster or other unexpected
interruption. An effective application control environment helps ensure
that transactions performed by individual computer programs are valid,
properly authorized, and completely and accurately processed and
reported.
As we reported in connection with our audit of the Schedules of Federal
Debt for the fiscal years ended September 30, 2002 and 2001,[Footnote
4] BPD maintained, in all material respects, effective internal
control, including general and application computer controls, relevant
to the Schedule of Federal Debt related to financial reporting and
compliance with applicable laws and regulations as of September 30,
2002. BPD's internal control provided reasonable assurance that
misstatements, losses, or noncompliance material in relation to the
Schedule of Federal Debt for the fiscal year ended September 30, 2002,
would be prevented or detected on a timely basis. We found matters
involving computer controls that we do not consider to be reportable
conditions.[Footnote 5]
Our follow-up on the status of BPD's corrective actions to address 14
of the 17 open general and application control recommendations
identified in prior years' audits for which actions were not complete
as of September 30, 2001, found the following:
As of September 30, 2002, corrective action on 12 recommendations had
been completed.
For 2 of the recommendations, corrective action for 1 was in progress
as of September 30, 2002, and for the other, corrective action was
taken subsequent to that date.
The 3 remaining open recommendations relating to access controls are
now encompassed in our fiscal year 2002 recommendations.
Our fiscal year 2002 audit procedures identified opportunities to
strengthen the security of BPD's computer systems that support key
automated financial systems relevant to BPD's Schedule of Federal Debt.
In a separately issued Limited Official Use Only report, we
communicated detailed information regarding our fiscal year 2002
findings to BPD managers and made 10 recommendations to strengthen
certain general computer controls in the areas of access and system
software, many of which BPD has begun to address. In addition, we
reaffirmed our prior years' recommendation related to service
continuity.
None of our findings pose significant risks to BPD financial systems.
In forming our conclusions, we considered the mitigating effects of
physical security measures, a program of monitoring user and system
activity, and management and reconciliation controls that are designed
to detect potential irregularities or improprieties in financial data
or transactions. Nevertheless, these findings warrant BPD managers'
action to further limit the risk of inappropriate disclosure and
modification of sensitive data and programs, misuse of or damage to
computer resources, or disruption of critical operations.
BPD's comments on a draft of this report are consistent with its prior
comments on the separately issued Limited Official Use Only version. In
those comments, the Commissioner of the Bureau of the Public Debt
stated that 7 of the 10 recommendations have been completely resolved
and 1 of the remaining improvements will be completed by the end of
March 2003.[Footnote 6] BPD also stated it intends to resolve the
remaining issues by the end of this year. We plan to follow up on these
matters during our audit of the fiscal year 2003 Schedule of Federal
Debt.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Senate Committee on Governmental Affairs; the
Subcommittee on Transportation, Treasury and General Government, Senate
Committee on Appropriations; the House Committee on Government Reform;
the Subcommittee on Government Efficiency and Financial Management,
House Committee on Government Reform; and the Subcommittee on
Transportation, Treasury and Independent Agencies, House Committee on
Appropriations. We are also sending copies of this report to the
Secretary of the Department of the Treasury, the Inspector General of
the Department of the Treasury, and the Director of the Office of
Management and Budget. Copies will also be made available to others
upon request. In addition, the report will be available at no charge on
GAO's Web site at http://www.gao.gov.
If you have any questions regarding this report, please contact Louise
DiBenedetto, Assistant Director, at (202) 512-6921. Other key
contributors to this assignment were Mickie Gray, David Hayes, and
Ronald Parker.
Sincerely yours,
Gary T. Engel
Director
Financial Management and Assurance
(198176)
FOOTNOTES
[1] 31 U.S.C. 331(e) (2000).
[2] U.S. General Accounting Office, Financial Audit: Bureau of the
Public Debt's Fiscal Years 2002 and 2001 Schedules of Federal Debt,
GAO-03-199 (Washington, D.C.: Nov. 1, 2002).
[3] U.S. General Accounting Office, Federal Information System Controls
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).
[4] GAO-03-199.
[5] Reportable conditions are matters coming to our attention that, in
our judgment, should be communicated because they represent significant
deficiencies in the design or operation of internal control, which
could adversely affect the organization's ability to meet the
objectives of reliable financial reporting and compliance with
applicable laws and regulations.
[6] According to a BPD official, this improvement was completed as of
March 31, 2003.