This is the accessible text file for GAO report number GAO-04-681R entitled 'Bureau of the Public Debt: Areas for Improvement in Computer Controls' which was released on May 28, 2004.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

May 28, 2004

The Honorable Van Zeck
Commissioner, Bureau of the Public Debt

Subject: Bureau of the Public Debt: Areas for Improvement in Computer Controls

Dear Mr. Zeck:

In connection with fulfilling our requirement to audit the financial statements of the U.S. government,[Footnote 1] we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2003 and 2002.[Footnote 2] As part of these audits, we performed a review of the general and application computer controls over key BPD financial systems.

The Department of the Treasury (Treasury) is authorized by the Congress to borrow money on the credit of the United States to fund federal operations. Treasury is responsible for prescribing the debt instruments and otherwise limiting and restricting the amount and composition of the debt. BPD, an organizational entity within the Fiscal Service of Treasury, is responsible for issuing and redeeming debt instruments, paying interest to investors, and accounting for the resulting debt. In addition, BPD has been given the responsibility for issuing Treasury securities to trust funds for trust fund receipts not needed for current benefits and expenses.

The scope of our work for fiscal year 2003 included a review of the general and application computer controls over key financial management systems maintained and operated by BPD relevant to the Schedule of Federal Debt and follow-up on open recommendations from our prior years' reports for which actions were not complete as of September 30, 2002.

We use a risk-based, rotation approach for testing general computer controls. Each general control area is subjected to a full-scope review, including testing, at least every 3 years. The computer control areas we review are defined in the Federal Information System Controls Audit Manual.[Footnote 3] Areas considered to be of higher risk are subject to more frequent review. Each key application is subjected every year to a full-scope review.

General computer controls are the structure, policies, and procedures that apply to an entity's overall computer operations. General computer controls establish the environment in which application systems and controls operate. They include an entitywide security management program, access controls, system software controls, application software development and change controls, segregation of duties, and service continuity controls.

An effective general control environment helps (1) ensure that an adequate entitywide security management program is in place; (2) protect data, files, and programs from unauthorized access, modification, disclosure, and destruction; (3) limit and monitor access to programs and files that control computer hardware and secure applications; (4) prevent the introduction of unauthorized changes to systems and applications software; (5) prevent any one individual from controlling key aspects of computer-related operations; and (6) ensure the recovery of computer processing operations in case of a disaster or other unexpected interruption.

Application controls relate directly to the individual computer programs that are used to perform certain types of work, such as generating interest payments or recording transactions in a general ledger. In an effective general control environment, application controls help to ensure that transactions are valid, properly authorized, and completely and accurately processed and reported.

We performed our work at the BPD data center from April 2003 through October 2003. Our work was performed in accordance with U.S. generally accepted government auditing standards. BPD's comments are summarized later in this report.

As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2003 and 2002, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2003. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2003, would be prevented or detected on a timely basis.

We found matters involving computer controls that we do not consider to be reportable conditions[Footnote 4] but that nevertheless warrant BPD management's attention and action.

Our fiscal year 2003 audit procedures identified opportunities to strengthen the security of certain BPD computer systems that support key automated financial systems relevant to BPD's Schedule of Federal Debt. In a separately issued Limited Official Use Only report, we communicated detailed information regarding our findings to BPD management.

Our audit procedures identified five new control issues for which we made six recommendations. Four were general control issues that relate to access controls, and one was an application control issue that relates to the documentation of controls for certain systems.

Our follow-up on the status of BPD's corrective actions to address 12 open general and application control recommendations identified in prior years' audits for which actions were not complete as of September 30, 2002, found the following:

As of September 30, 2003, corrective action on 11 of the 12 recommendations had been completed.

Corrective action was in progress as of September 30, 2003, on the 1 remaining open recommendation. We therefore reaffirm our prior year's recommendation related to this issue.

None of our findings pose significant risks to BPD financial systems. In forming our conclusions, we considered the mitigating effects of physical security measures, a program of monitoring user and system activity, and reconciliation controls that are designed to detect potential irregularities or improprieties in financial data or transactions. Nevertheless, these findings warrant BPD management's attention and action to limit the risk of unauthorized access, unauthorized disclosure and modification of sensitive data and programs, data misuse, or disruption of critical operations.

We recommend that the Commissioner of the Bureau of the Public Debt direct the implementation of the six detailed recommendations to appropriate BPD officials.

BPD provided comments on the detailed findings and recommendations in the separately issued Limited Official Use Only version. In those comments, the Commissioner of the Bureau of the Public Debt stated that three of the six open issues have been completely resolved, and the others are in progress. BPD also stated that it intends to resolve the three remaining issues before the end of this year. We plan to follow up on these matters during our audit of the fiscal year 2004 Schedule of Federal Debt.

In the separately issued Limited Official Use Only report, we noted that the head of a federal agency is required by 31 U.S.C. 720 to submit a written statement on actions taken on our recommendations to the Senate Committee on Governmental Affairs and to the House Committee on Government Reform not later than 60 calendar days after the date of the report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 calendar days after the date of the report. In that report, we also requested a copy of your responses.

We are sending copies of this report to the Chairmen and Ranking Minority Members of the Senate Committee on Governmental Affairs; the Subcommittee on Transportation, Treasury and General Government, Senate Committee on Appropriations; the House Committee on Government Reform; the Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform; and the Subcommittee on Transportation and Treasury, and Independent Agencies, House Committee on Appropriations. We are also sending copies of this report to the Secretary of the Treasury, the Inspector General of the Department of the Treasury, and the Director of the Office of Management and Budget.
Copies will also be made available to others upon request. In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise DiBenedetto, Assistant Director, at (202) 512-6921. Other key contributors to this assignment were Gerald L. Barnes, Mickie E. Gray, David B. Hayes, and Dawn B. Simpson.

Sincerely yours,

Signed by:

Gary T. Engel
Director
Financial Management and Assurance

(198256)

FOOTNOTES

[1] 31 U.S.C. § 331(e) (2000).

[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public Debt's Fiscal Years 2003 and 2002 Schedules of Federal Debt, GAO-04-177 (Washington, D.C.: Nov. 7, 2003).

[3] U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[4] Reportable conditions are matters coming to our attention that, in our judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization's ability to meet the objectives of reliable financial reporting and compliance with applicable laws and regulations.