This is the accessible text file for GAO report number GAO-04-681R 
entitled 'Bureau of the Public Debt: Areas for Improvement in Computer 
Controls' which was released on May 28, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

May 28, 2004:

The Honorable Van Zeck:

Commissioner, Bureau of the Public Debt:

Subject: Bureau of the Public Debt: Areas for Improvement in Computer 
Controls:

Dear Mr. Zeck:

In connection with fulfilling our requirement to audit the financial 
statements of the U.S. government,[Footnote 1] we audited and reported 
on the Schedules of Federal Debt Managed by the Bureau of the Public 
Debt (BPD) for the fiscal years ended September 30, 2003 and 
2002.[Footnote 2] As part of these audits, we performed a review of the 
general and application computer controls over key BPD financial 
systems.

The Department of the Treasury (Treasury) is authorized by the Congress 
to borrow money on the credit of the United States to fund federal 
operations. Treasury is responsible for prescribing the debt 
instruments and otherwise limiting and restricting the amount and 
composition of the debt. BPD, an organizational entity within the 
Fiscal Service of Treasury, is responsible for issuing and redeeming 
debt instruments, paying interest to investors, and accounting for the 
resulting debt. In addition, BPD has been given the responsibility for 
issuing Treasury securities to trust funds for trust fund receipts not 
needed for current benefits and expenses.

The scope of our work for fiscal year 2003 included a review of the 
general and application computer controls over key financial management 
systems maintained and operated by BPD relevant to the Schedule of 
Federal Debt and follow-up on open recommendations from our prior 
years' reports for which actions were not complete as of September 30, 
2002. We use a risk-based, rotation approach for testing general 
computer controls. Each general control area is subjected to a 
full-scope review, including testing, at least every 3 years. The computer 
control areas we review are defined in the Federal Information System 
Controls Audit Manual.[Footnote 3] Areas considered to be of higher 
risk are subject to more frequent review. Each key application is 
subjected every year to a full-scope review.

General computer controls are the structure, policies, and procedures 
that apply to an entity's overall computer operations. General computer 
controls establish the environment in which application systems and 
controls operate. They include an entitywide security management 
program, access controls, system software controls, application 
software development and change controls, segregation of duties, and 
service continuity controls. An effective general control environment 
helps:

(1) ensure that an adequate entitywide security management program is 
in place;

(2) protect data, files, and programs from unauthorized access, 
modification, disclosure, and destruction;

(3) limit and monitor access to programs and files that control 
computer hardware and secure applications;

(4) prevent the introduction of unauthorized changes to systems and 
applications software;

(5) prevent any one individual from controlling key aspects of 
computer-related operations; and

(6) ensure the recovery of computer processing operations in case of a 
disaster or other unexpected interruption.

Application controls relate directly to the individual computer 
programs that are used to perform certain types of work, such as 
generating interest payments or recording transactions in a general 
ledger. In an effective general control environment, application 
controls help to ensure that transactions are valid, properly 
authorized, and completely and accurately processed and reported.

We performed our work at the BPD data center from April 2003 through 
October 2003. Our work was performed in accordance with U.S. generally 
accepted government auditing standards. BPD's comments are summarized 
later in this report.

As we reported in connection with our audit of the Schedules of Federal 
Debt for the fiscal years ended September 30, 2003 and 2002, BPD 
maintained, in all material respects, effective internal control, 
including general and application computer controls, relevant to the 
Schedule of Federal Debt related to financial reporting and compliance 
with applicable laws and regulations as of September 30, 2003. BPD's 
internal control provided reasonable assurance that misstatements, 
losses, or noncompliance material in relation to the Schedule of 
Federal Debt for the fiscal year ended September 30, 2003, would be 
prevented or detected on a timely basis. We found matters involving 
computer controls that we do not consider to be reportable 
conditions[Footnote 4] but that nevertheless warrant BPD management's 
attention and action.

Our fiscal year 2003 audit procedures identified opportunities to 
strengthen the security of certain BPD computer systems that support 
key automated financial systems relevant to BPD's Schedule of Federal 
Debt. In a separately issued Limited Official Use Only report, we 
communicated detailed information regarding our findings to BPD 
management. Our audit procedures identified five new control issues for 
which we made six recommendations. Four were general control issues 
that relate to access controls, and one was an application control 
issue that relates to the documentation of controls for certain 
systems.

Our follow-up on the status of BPD's corrective actions to address 12 
open general and application control recommendations identified in 
prior years' audits for which actions were not complete as of September 
30, 2002, found the following:

As of September 30, 2003, corrective action on 11 of the 12 
recommendations had been completed.

Corrective action was in progress as of September 30, 2003, on the 1 
remaining open recommendation. We therefore reaffirm our prior year's 
recommendation related to this issue.

None of our findings pose significant risks to BPD financial systems. 
In forming our conclusions, we considered the mitigating effects of 
physical security measures, a program of monitoring user and system 
activity, and reconciliation controls that are designed to detect 
potential irregularities or improprieties in financial data or 
transactions. Nevertheless, these findings warrant BPD management's 
attention and action to limit the risk of unauthorized access, 
unauthorized disclosure and modification of sensitive data and 
programs, data misuse, or disruption of critical operations.

We recommend that the Commissioner of the Bureau of the Public Debt 
direct the implementation of the six detailed recommendations to 
appropriate BPD officials.

BPD provided comments on the detailed findings and recommendations in 
the separately issued Limited Official Use Only version. In those 
comments, the Commissioner of the Bureau of the Public Debt stated that 
three of the six open issues have been completely resolved, and the 
others are in progress. BPD also stated that it intends to resolve the 
three remaining issues before the end of this year. We plan to follow 
up on these matters during our audit of the fiscal year 2004 Schedule 
of Federal Debt.

In the separately issued Limited Official Use Only report, we noted 
that the head of a federal agency is required by 31 U.S.C. 720 to 
submit a written statement on actions taken on our recommendations to 
the Senate Committee on Governmental Affairs and to the House Committee 
on Government Reform not later than 60 calendar days after the date of 
the report. A written statement must also be sent to the House and 
Senate Committees on Appropriations with the agency's first request for 
appropriations made more than 60 calendar days after the date of the 
report. In that report, we also requested a copy of your responses.

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate Committee on Governmental Affairs; the 
Subcommittee on Transportation, Treasury and General Government, Senate 
Committee on Appropriations; the House Committee on Government Reform; 
the Subcommittee on Government Efficiency and Financial Management, 
House Committee on Government Reform; and the Subcommittee on 
Transportation and Treasury, and Independent Agencies, House Committee 
on Appropriations. We are also sending copies of this report to the 
Secretary of the Treasury, the Inspector General of the Department of 
the Treasury, and the Director of the Office of Management and Budget. 
Copies will also be made available to others upon request. In addition, 
the report will be available at no charge on GAO's Web site at 
http://www.gao.gov.

If you have any questions regarding this report, please contact Louise 
DiBenedetto, Assistant Director, at (202) 512-6921. Other key 
contributors to this assignment were Gerald L. Barnes, Mickie E. Gray, 
David B. Hayes, and Dawn B. Simpson.

Sincerely yours,

Signed by: 

Gary T. Engel:

Director:

Financial Management and Assurance:

(198256):

FOOTNOTES

[1] 31 U.S.C. 331(e) (2000).

[2] U.S. General Accounting Office, Financial Audit: Bureau of the 
Public Debt's Fiscal Years 2003 and 2002 Schedules of Federal Debt, 
GAO-04-177 (Washington, D.C.: Nov. 7, 2003).

[3] U.S. General Accounting Office, Federal Information System Controls 
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[4] Reportable conditions are matters coming to our attention that, in 
our judgment, should be communicated because they represent significant 
deficiencies in the design or operation of internal control, which 
could adversely affect the organization's ability to meet the 
objectives of reliable financial reporting and compliance with 
applicable laws and regulations.