Bureau of the Public Debt
Areas for Improvement in Computer Controls
GAO ID: GAO-04-681R May 28, 2004
In connection with fulfilling our requirement to audit the financial statements of the U.S. government, we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2003 and 2002. As part of these audits, we performed a review of the general and application computer controls over key BPD financial systems.
As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2003 and 2002, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2003. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2003, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions but that nevertheless warrant BPD management's attention and action. Our follow-up on the status of BPD's corrective actions to address 12 open general and application control recommendations identified in prior years' audits for which actions were not complete as of September 30, 2002, found the following. As of September 30, 2003, corrective action on 11 of the 12 recommendations had been completed. Corrective action was in progress as of September 30, 2003, on the 1 remaining open recommendation.
This is the accessible text file for GAO report number GAO-04-681R
entitled 'Bureau of the Public Debt: Areas for Improvement in Computer
Controls' which was released on May 28, 2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
May 28, 2004
The Honorable Van Zeck
Commissioner, Bureau of the Public Debt
Subject: Bureau of the Public Debt: Areas for Improvement in Computer
Controls
Dear Mr. Zeck:
In connection with fulfilling our requirement to audit the financial
statements of the U.S. government,[Footnote 1] we audited and reported
on the Schedules of Federal Debt Managed by the Bureau of the Public
Debt (BPD) for the fiscal years ended September 30, 2003 and
2002.[Footnote 2] As part of these audits, we performed a review of the
general and application computer controls over key BPD financial
systems.
The Department of the Treasury (Treasury) is authorized by the Congress
to borrow money on the credit of the United States to fund federal
operations. Treasury is responsible for prescribing the debt
instruments and otherwise limiting and restricting the amount and
composition of the debt. BPD, an organizational entity within the
Fiscal Service of Treasury, is responsible for issuing and redeeming
debt instruments, paying interest to investors, and accounting for the
resulting debt. In addition, BPD has been given the responsibility for
issuing Treasury securities to trust funds for trust fund receipts not
needed for current benefits and expenses.
The scope of our work for fiscal year 2003 included a review of the
general and application computer controls over key financial management
systems maintained and operated by BPD relevant to the Schedule of
Federal Debt and follow-up on open recommendations from our prior
years' reports for which actions were not complete as of September 30,
2002. We use a risk-based, rotation approach for testing general
computer controls. Each general control area is subjected to a
full-scope review, including testing, at least every 3 years. The computer
control areas we review are defined in the Federal Information System
Controls Audit Manual.[Footnote 3] Areas considered to be of higher
risk are subject to more frequent review. Each key application is
subjected every year to a full-scope review.
General computer controls are the structure, policies, and procedures
that apply to an entity's overall computer operations. General computer
controls establish the environment in which application systems and
controls operate. They include an entitywide security management
program, access controls, system software controls, application
software development and change controls, segregation of duties, and
service continuity controls. An effective general control environment
helps:
(1) ensure that an adequate entitywide security management program is
in place;
(2) protect data, files, and programs from unauthorized access,
modification, disclosure, and destruction;
(3) limit and monitor access to programs and files that control
computer hardware and secure applications;
(4) prevent the introduction of unauthorized changes to systems and
applications software;
(5) prevent any one individual from controlling key aspects of
computer-related operations; and
(6) ensure the recovery of computer processing operations in case of a
disaster or other unexpected interruption.
Application controls relate directly to the individual computer
programs that are used to perform certain types of work, such as
generating interest payments or recording transactions in a general
ledger. In an effective general control environment, application
controls help to ensure that transactions are valid, properly
authorized, and completely and accurately processed and reported.
We performed our work at the BPD data center from April 2003 through
October 2003. Our work was performed in accordance with U.S. generally
accepted government auditing standards. BPD's comments are summarized
later in this report.
As we reported in connection with our audit of the Schedules of Federal
Debt for the fiscal years ended September 30, 2003 and 2002, BPD
maintained, in all material respects, effective internal control,
including general and application computer controls, relevant to the
Schedule of Federal Debt related to financial reporting and compliance
with applicable laws and regulations as of September 30, 2003. BPD's
internal control provided reasonable assurance that misstatements,
losses, or noncompliance material in relation to the Schedule of
Federal Debt for the fiscal year ended September 30, 2003, would be
prevented or detected on a timely basis. We found matters involving
computer controls that we do not consider to be reportable
conditions[Footnote 4] but that nevertheless warrant BPD management's
attention and action.
Our fiscal year 2003 audit procedures identified opportunities to
strengthen the security of certain BPD computer systems that support
key automated financial systems relevant to BPD's Schedule of Federal
Debt. In a separately issued Limited Official Use Only report, we
communicated detailed information regarding our findings to BPD
management. Our audit procedures identified five new control issues for
which we made six recommendations. Four were general control issues
that relate to access controls, and one was an application control
issue that relates to the documentation of controls for certain
systems.
Our follow-up on the status of BPD's corrective actions to address 12
open general and application control recommendations identified in
prior years' audits for which actions were not complete as of September
30, 2002, found the following:
As of September 30, 2003, corrective action on 11 of the 12
recommendations had been completed.
Corrective action was in progress as of September 30, 2003, on the 1
remaining open recommendation. We therefore reaffirm our prior year's
recommendation related to this issue.
None of our findings pose significant risks to BPD financial systems.
In forming our conclusions, we considered the mitigating effects of
physical security measures, a program of monitoring user and system
activity, and reconciliation controls that are designed to detect
potential irregularities or improprieties in financial data or
transactions. Nevertheless, these findings warrant BPD management's
attention and action to limit the risk of unauthorized access,
unauthorized disclosure and modification of sensitive data and
programs, data misuse, or disruption of critical operations.
We recommend that the Commissioner of the Bureau of the Public Debt
direct the implementation of the six detailed recommendations to
appropriate BPD officials.
BPD provided comments on the detailed findings and recommendations in
the separately issued Limited Official Use Only version. In those
comments, the Commissioner of the Bureau of the Public Debt stated that
three of the six open issues have been completely resolved, and the
others are in progress. BPD also stated that it intends to resolve the
three remaining issues before the end of this year. We plan to follow
up on these matters during our audit of the fiscal year 2004 Schedule
of Federal Debt.
In the separately issued Limited Official Use Only report, we noted
that the head of a federal agency is required by 31 U.S.C. 720 to
submit a written statement on actions taken on our recommendations to
the Senate Committee on Governmental Affairs and to the House Committee
on Government Reform not later than 60 calendar days after the date of
the report. A written statement must also be sent to the House and
Senate Committees on Appropriations with the agency's first request for
appropriations made more than 60 calendar days after the date of the
report. In that report, we also requested a copy of your responses.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Senate Committee on Governmental Affairs; the
Subcommittee on Transportation, Treasury and General Government, Senate
Committee on Appropriations; the House Committee on Government Reform;
the Subcommittee on Government Efficiency and Financial Management,
House Committee on Government Reform; and the Subcommittee on
Transportation and Treasury, and Independent Agencies, House Committee
on Appropriations. We are also sending copies of this report to the
Secretary of the Treasury, the Inspector General of the Department of
the Treasury, and the Director of the Office of Management and Budget.
Copies will also be made available to others upon request. In addition,
the report will be available at no charge on GAO's Web site at
http://www.gao.gov.
If you have any questions regarding this report, please contact Louise
DiBenedetto, Assistant Director, at (202) 512-6921. Other key
contributors to this assignment were Gerald L. Barnes, Mickie E. Gray,
David B. Hayes, and Dawn B. Simpson.
Sincerely yours,
Signed by:
Gary T. Engel
Director
Financial Management and Assurance
(198256)
FOOTNOTES
[1] 31 U.S.C. § 331(e) (2000).
[2] U.S. General Accounting Office, Financial Audit: Bureau of the
Public Debt's Fiscal Years 2003 and 2002 Schedules of Federal Debt,
GAO-04-177 (Washington, D.C.: Nov. 7, 2003).
[3] U.S. General Accounting Office, Federal Information System Controls
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).
[4] Reportable conditions are matters coming to our attention that, in
our judgment, should be communicated because they represent significant
deficiencies in the design or operation of internal control, which
could adversely affect the organization's ability to meet the
objectives of reliable financial reporting and compliance with
applicable laws and regulations.