
Financial Management Service: Areas for Improvement in Computer Controls

AIMD-99-10 Published: Oct 20, 1998. Publicly Released: Oct 20, 1998.

Highlights

Pursuant to a legislative requirement, GAO reviewed the effectiveness of general computer controls over key financial systems used by the Financial Management Service (FMS).

Recommendations

Recommendations for Executive Action

Agency Affected: Department of the Treasury
Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to: (1) correct the individual weaknesses that GAO identified and communicated to FMS management during GAO's testing, which were summarized in the limited official use report; and (2) assign responsibility and accountability for correcting each weakness to designated individuals. These individuals should report to the Commissioner on the status of all weaknesses, including actions taken to correct them.
Status: Closed – Implemented
During GAO's fiscal year 1998 testing of the effectiveness of FMS general and application controls, GAO followed up on the status of the FMS' corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 1997. GAO found that FMS had corrected or mitigated the risks associated with 24 of the 72 vulnerabilities that were identified in this report. GAO is closing this recommendation because the remaining outstanding corrective actions to correct vulnerabilities identified in this report have been included in the report on fiscal year 1998 testing results issued in October 1999 (GAO/AIMD-00-4).

Agency Affected: Department of the Treasury
Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to work with other appropriate assistant commissioners to ensure that an effective entitywide security planning and management program is in place. This program should include the following elements: (1) a strong central security management focal point to ensure that major elements of a risk management program are carried out and to provide a communications link among organizational units; (2) periodic risk assessments and needs determinations; (3) policy and controls implementation; (4) promotion of computer control awareness through training and other attention-getting techniques; and (5) evaluation and monitoring of policy and control effectiveness.
Status: Closed – Implemented
During the fiscal year 1998 testing of the effectiveness of FMS general and computer controls, GAO followed up on the status of implementing an effective entitywide security management program. In response to GAO's prior year recommendation, FMS officials have developed and implemented the "Project Manager's Security Handbook" which FMS has designed to provide overall guidance for the implementation and documentation of its information technology security controls. In addition, a security program manual, guidelines, detailed application handbook and user handbook are under development. However, FMS has not fully implemented its policies and procedures developed to date. GAO is closing this recommendation because the remaining outstanding corrective actions needed to correct this weakness have been included in GAO's report on fiscal 1998 testing results issued in October 1999 (GAO/AIMD-00-4).

Agency Affected: Department of the Treasury
Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to work with the Federal Reserve Banks to implement the corrective actions that GAO identified and communicated to them during GAO's testing related to FMS systems that Federal Reserve Banks support.
Status: Closed – Implemented
Subsequent follow-up work has shown that many of the vulnerabilities that were identified at the FRB related to FMS systems have been corrected. Specifically, corrective actions have been taken on the application control vulnerability and 4 of the 5 general controls vulnerabilities identified at the FRBs GAO visited. FRB officials informed GAO that the FRBs had corrected or mitigated the risks associated with the remaining 3 general controls vulnerabilities at the sites GAO did not visit this year. Because these sites were not subject to testing during fiscal year 1998 based on GAO's rotational audit approach, it plans to verify the corrective actions reportedly taken on these three general controls vulnerabilities by the FRBs during its audit of the U.S. government's fiscal year 1999 financial statements. The remaining open general controls vulnerability is not considered as having a significant adverse impact on the FMS systems maintained and operated by the FRBs.

Agency Affected: Department of the Treasury
Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to identify the computer control weaknesses discussed in the limited official use report as a material weakness in FMS' fiscal year 1998 Federal Managers' Financial Integrity Act report and subsequent reports until they are corrected.
Status: Closed – Implemented
FMS acted on this recommendation and reported that computer control weaknesses exist in its systems. Specifically, FMS reported its computer control problems as a material weakness under the Federal Managers' Financial Integrity Act (FMFIA). In addition, FMS' computer control weaknesses contributed to Treasury's reporting of a material instance of non-conformance under the Federal Financial Management Improvement Act. Both of these issues were included in the fiscal year 1998 Treasury Accountability Report.

Topics

Computer fraud, Computer security policies, Computer security, Confidential communications, Contingency plans, Data integrity, Federal agency accounting systems, Financial management systems, Internal controls, Financial management