Federal Reserve Banks: Areas for Improvement in Computer Controls

GAO ID: GAO-04-672R, May 12, 2004

In connection with fulfilling our requirement to audit the financial statements of the U.S. government, we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2003 and 2002. As part of these audits, we performed a review of the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's BPD. Many of the FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. The debt-related services primarily consist of issuing, servicing, and redeeming Treasury securities and processing secondary market securities transfers. In fiscal year 2003, the FRBs issued about $4.1 trillion in federal debt securities to the public, redeemed about $3.8 trillion of debt held by the public, and processed about $125 billion in interest payments on debt held by the public. FRBs maintain and operate key financial applications on behalf of BPD and an array of financial and information systems to process and reconcile monies disbursed and collected on behalf of BPD.

As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2003 and 2002, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2003. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2003, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions. In a separately issued Limited Official Use Only report, we communicated detailed information regarding our findings to FRB managers and made five recommendations that address application computer control vulnerabilities related to access controls. In addition, our follow-up on the status of the FRBs' corrective actions to address unresolved vulnerabilities identified in prior years' audits found that the FRBs had taken corrective action for three of the four open recommendations discussed in our prior report. The one remaining open recommendation related to access controls is now encompassed in one of the five new detailed recommendations contained in the Limited Official Use Only report. While the application computer control vulnerabilities reported do not pose significant risks to the financial systems maintained and operated by the FRBs on behalf of BPD, they warrant FRB managers' action to decrease the risk of unauthorized access or data misuse.



GAO-04-672R, Federal Reserve Banks: Areas for Improvement in Computer Controls

This is the accessible text file for GAO report number GAO-04-672R entitled 'Federal Reserve Banks: Areas for Improvement in Computer Controls' which was released on May 12, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

May 12, 2004

Louise L. Roseman, Director, Division of Reserve Bank Operations and Payment Systems, Board of Governors of the Federal Reserve System

Subject: Federal Reserve Banks: Areas for Improvement in Computer Controls

Dear Ms. Roseman:

In connection with fulfilling our requirement to audit the financial statements of the U.S. government,[Footnote 1] we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2003 and 2002.[Footnote 2] As part of these audits, we performed a review of the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's BPD. Many of the FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. The debt-related services primarily consist of issuing, servicing, and redeeming Treasury securities and processing secondary market securities transfers. In fiscal year 2003, the FRBs issued about $4.1 trillion in federal debt securities to the public, redeemed about $3.8 trillion of debt held by the public, and processed about $125 billion in interest payments on debt held by the public. FRBs maintain and operate key financial applications on behalf of BPD and an array of financial and information systems to process and reconcile monies disbursed and collected on behalf of BPD.

The scope of our work for fiscal year 2003 included a review of the general and application computer controls over key financial systems maintained and operated by the FRBs on behalf of BPD and follow-up on unresolved vulnerabilities identified in prior years' audits of these systems. We use a risk-based and rotation approach for testing general computer controls. Each general control area is subjected to a full-scope review, including testing, at least once every 3 years. The computer control areas we review are defined in the Federal Information System Controls Audit Manual.[Footnote 3] Areas considered to be of higher risk are subject to more frequent review. The applications are subjected to a full-scope review every year.

General computer controls are intended to (1) protect data, files, and programs from unauthorized access, modification, disclosure, and destruction; (2) limit and monitor access to programs and files that control computer hardware and secure applications; (3) prevent the introduction of unauthorized changes to systems and applications software; and (4) ensure the recovery of computer processing operations in case of a disaster or other unexpected interruption. Application computer controls relate directly to the individual computer programs that are used to perform certain types of work, such as generating interest payments or recording transactions in a general ledger. In an effective general control environment, application controls help to ensure that transactions are valid, properly authorized, and completely and accurately processed and reported. Access controls for specific applications should establish individual accountability and proper segregation of duties, prevent unauthorized transactions from being entered into the application and processed by the computer, limit the processing privileges of individuals, and prevent and detect inappropriate or unauthorized activities.

We performed our work at certain FRBs from April 2003 through October 2003 in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Board of Governors of the Federal Reserve System. The comments are summarized later in this report and the written response from the Board of Governors is reprinted in the enclosure.

As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2003 and 2002, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2003. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2003, would be prevented or detected on a timely basis.

We found matters involving computer controls that we do not consider to be reportable conditions.[Footnote 4] In a separately issued Limited Official Use Only report, we communicated detailed information regarding our findings to FRB managers and made five recommendations that address application computer control vulnerabilities related to access controls. In addition, our follow-up on the status of the FRBs' corrective actions to address unresolved vulnerabilities identified in prior years' audits found that the FRBs had taken corrective action for three of the four open recommendations discussed in our prior report.[Footnote 5] The one remaining open recommendation related to access controls is now encompassed in one of the five new detailed recommendations contained in the Limited Official Use Only report. While the application computer control vulnerabilities reported do not pose significant risks to the financial systems maintained and operated by the FRBs on behalf of BPD, they warrant FRB managers' action to decrease the risk of unauthorized access or data misuse.

We recommend that the Director of the Division of Reserve Bank Operations and Payment Systems assign responsibility and accountability for addressing the five recommendations to cognizant FRB officials.

In commenting on a draft of this report, the Board of Governors of the Federal Reserve System stated that the information in this report and the Limited Official Use Only report will assist the FRBs in their ongoing efforts to enhance the integrity of their automated systems and information security practices. The Board of Governors also stated that the five vulnerabilities remaining as of September 30, 2003, have been or will be corrected and pledged to monitor the status of uncorrected items.

We plan to follow up on these matters during our audit of the fiscal year 2004 Schedule of Federal Debt. In the separately issued Limited Official Use Only report, we requested a written statement on actions taken to address these recommendations.

We are sending copies of this report to the Chairmen and Ranking Minority Members of the Senate Committee on Governmental Affairs; the Subcommittee on Transportation, Treasury and General Government, Senate Committee on Appropriations; the House Committee on Government Reform; the Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform; and the Subcommittee on Transportation, Treasury, and Independent Agencies, House Committee on Appropriations. We are also sending copies of this report to the Chairman of the Board of Governors of the Federal Reserve System and the Director of the Office of Management and Budget. Copies will also be made available to others upon request. In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise DiBenedetto, Assistant Director, at (202) 512-6921. Other key contributors to this assignment were Gerald L. Barnes, Dean D. Carpenter, Mickie E. Gray, David B. Hayes, and Dawn B. Simpson.

Sincerely yours,

Gary T. Engel, Director, Financial Management and Assurance

Enclosure: Comments from the Board of Governors of the Federal Reserve System

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, DC 20551

LOUISE L. ROSEMAN
DIRECTOR, DIVISION OF RESERVE BANK OPERATIONS AND PAYMENT SYSTEMS

March 18, 2004

Mr. Gary T. Engel, Director, Financial Management and Assurance, United States General Accounting Office, 441 G Street, N.W., Washington, D.C. 20548

Dear Mr. Engel:

We appreciate the opportunity to comment on the General Accounting Office's draft report assessing the Federal Reserve Banks' information security associated with the applications that support their role as fiscal agents of the United States. The GAO's review was performed as part of the audit of the U.S. government's fiscal year 2003 financial statements. Overall, we found the review and report helpful. The report provides information that will assist the Reserve Banks in their ongoing efforts to enhance the integrity of their automated systems and information security practices. The Federal Reserve shares lessons learned from this review and its internal reviews more broadly within the System to improve controls, processes, and internal audit procedures.

We agree with GAO's assessment that the Reserve Banks have implemented effective controls over these applications. We also agree with the GAO's assessment that while the vulnerabilities identified in the report do not pose significant risks to the Treasury's financial systems, they still warrant management's attention. Of the five vulnerabilities in the report that require attention, we have corrected or will correct all of them. Federal Reserve Board staff will monitor the status of uncorrected items and internal auditors at the Reserve Banks will confirm all corrective measures taken.

Signed by Louise L. Roseman

[End of section]

(198257)

FOOTNOTES

[1] 31 U.S.C. § 331(e) (2000).

[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public Debt's Fiscal Years 2003 and 2002 Schedules of Federal Debt, GAO-04-177 (Washington, D.C.: Nov. 7, 2003).

[3] U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[4] Reportable conditions are matters coming to our attention that in our judgment should be communicated because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization's ability to meet the objectives of reliable financial reporting and compliance with applicable laws and regulations.

[5] U.S. General Accounting Office, Federal Reserve Banks: Areas for Improvement in Computer Controls, GAO-03-333R (Washington, D.C.: Feb. 10, 2003).
