Financial Management Service
Significant Weaknesses in Computer Controls Gao ID: AIMD-00-4 October 4, 1999The pervasive weaknesses GAO identified in computer controls at the Treasury Department's Financial Management Service (FMS) during its fiscal year 1998 audit undermine FMS' ability to identify, deter, and respond to computer control weaknesses in a timely manner. GAO found that FMS has corrected the risks associated with only 24 of 72 computer control shortcomings cited in a GAO report issued in July 1998. During the fiscal year 1998 audit, GAO found new general computer control weaknesses in entitywide security planning and management, access controls, systems software, and application software development and change controls. Because of the weaknesses GAO identified, including the lack of an effective entitywide security planning and management program, billions of dollars of payments and collections are at significant risk of loss or fraud, vast amounts of sensitive data are vulnerable to inappropriate disclosure, and critical computer operations could suffer disruptions.
GAO noted that: (1) the pervasive weaknesses GAO identified in FMS' computer controls at each of its data centers during GAO's FY 1998 audit renders FMS' overall security control environment ineffective in identifying, deterring, and responding to computer control weaknesses in a timely manner; (2) GAO's follow up on the status of FMS' corrective actions to address weaknesses identified in GAO's FY 1997 audit found that FMS had only corrected or mitigated the risks associated with 24 of 72 computer control weaknesses discussed in GAO's "Limited Official Use" report issued on July 31, 1998; (3) during the FY 1998 audit, GAO found new general computer control weaknesses in entitywide security planning and management, access controls, system software, and application software development and change controls; (4) GAO also identified weaknesses in the authorization controls over all six of the key FMS financial applications GAO reviewed; (5) in addition, GAO identified an accuracy control weakness over one of the six key FMS financial applications and a completeness control weakness over another one of the six key FMS financial applications; (6) because of the weaknesses in computer controls that GAO identified, including the lack of an effective entitywide security planning and management program, billions of dollars of payments and collections are at significant risk of loss or fraud, vast amounts of sensitive data are at risk of inappropriate disclosure, and critical computer-based operations are vulnerable to serious disruptions; and (7) accordingly, as reported for FY 1997, GAO continues to consider FMS' computer control problems a material weakness.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone: