Financial Management Service:

Areas for Improvement in Computer Controls

AIMD-99-10: Published: Oct 20, 1998. Publicly Released: Oct 20, 1998.

Contact:

Gary T. Engel
(202) 512-8815
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a legislative requirement, GAO reviewed the effectiveness of general computer controls over key financial systems used by the Financial Management Service (FMS).

GAO noted that:

(1) general computer control weaknesses at FMS and its contractor data centers place the data maintained in its financial systems at significant risk of unauthorized modification, disclosure, loss, or impairment;

(2) because of the large volume of transactions, the significance of the related amounts involved, and the number of weaknesses identified at the FMS data centers visited, GAO considers FMS' general computer control problems a material weakness;

(3) the general control weaknesses GAO found included: (a) inappropriate access to computer programs, data, and equipment; (b) inadequate segregation of duties; (c) improper application software development and change control procedures; and (d) incomplete or untested service continuity and contingency plans;

(4) ineffective general computer controls place billions of dollars of payments and collections at risk of fraud;

(5) these weaknesses existed primarily because FMS does not have an effective entitywide computer security planning and management program to ensure that: (a) computer controls are working and are reliable; (b) established policies and procedures are followed; (c) identified deficiencies are timely corrected; and (d) errors or fraudulent transactions are timely detected;

(6) FMS has already corrected some of the weaknesses that GAO identified;

(7) although FMS management is continuing to correct weaknesses GAO identified, FMS cannot ensure on an ongoing basis that weaknesses will be timely detected and corrected until it has an effective entitywide security management program; and

(8) such a program, if implemented effectively across the organization, would go a long way in helping FMS to identify and promptly address its computer control weaknesses.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: During GAO's fiscal year 1998 testing of the effectiveness of FMS general and application controls, GAO followed up on the status of the FMS' corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 1997. GAO found that FMS had corrected or mitigated the risks associated with 24 of the 72 vulnerabilities that were identified in this report. GAO is closing this recommendation because the remaining outstanding corrective actions to correct vulnerabilities identified in this report have been included in the report on fiscal year 1998 testing results issued in October 1999 (GAO/AIMD-00-4).

    Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to: (1) correct the individual weaknesses that GAO identified and communicated to FMS management during GAO's testing, which were summarized in the limited official use report; and (2) assign responsibility and accountability for correcting each weakness to designated individuals. These individuals should report to the Commissioner on the status of all weaknesses, including actions taken to correct them.

    Agency Affected: Department of the Treasury

  2. Status: Closed - Implemented

    Comments: During the fiscal year 1998 testing of the effectiveness of FMS general and computer controls, GAO followed up on the status of implementing an effective entitywide security management program. In response to GAO's prior year recommendation, FMS officials have developed and implemented the "Project Manager's Security Handbook" which FMS has designed to provide overall guidance for the implementation and documentation of its information technology security controls. In addition, a security program manual, guidelines, detailed application handbook and user handbook are under development. However, FMS has not fully implemented its policies and procedures developed to date. GAO is closing this recommendation because the remaining outstanding corrective actions needed to correct this weakness have been included in GAO's report on fiscal 1998 testing results issued in October 1999 (GAO/AIMD-00-4).

    Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to work with other appropriate assistant commissioners to ensure that an effective entitywide security planning and management program is in place. This program should include the following elements: (1) a strong central security management focal point to ensure that major elements of a risk management program are carried out and to provide a communications link among organizational units; (2) periodic risk assessments and needs determinations; (3) policy and controls implementation; (4) promotion of computer control awareness through training and other attention-getting techniques; and (5) evaluation and monitoring of policy and control effectiveness.

    Agency Affected: Department of the Treasury

  3. Status: Closed - Implemented

    Comments: Subsequent follow-up work has shown that many of the vulnerabilities that were identified at the Federal Reserve Banks (FRB) related to FMS systems have been corrected. Specifically, corrective actions have been taken on the application control vulnerability and 4 of the 5 general controls vulnerabilities identified at the FRBs GAO visited. FRB officials informed GAO that the FRBs had corrected or mitigated the risks associated with the remaining 3 general controls vulnerabilities at the sites GAO did not visit this year. Because these sites were not subject to testing during fiscal year 1998 based on GAO's rotational audit approach, GAO plans to verify the corrective actions reportedly taken on these three general controls vulnerabilities by the FRBs during its audit of the U.S. government's fiscal year 1999 financial statements. The remaining open general controls vulnerability is not considered as having a significant adverse impact on the FMS systems maintained and operated by the FRBs.

    Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to work with the Federal Reserve Banks to implement the corrective actions that GAO identified and communicated to them during GAO's testing related to FMS systems that Federal Reserve Banks support.

    Agency Affected: Department of the Treasury

  4. Status: Closed - Implemented

    Comments: FMS acted on this recommendation and reported that computer control weaknesses exist in its systems. Specifically, FMS reported its computer control problems as a material weakness under the Federal Managers' Financial Integrity Act (FMFIA). In addition, FMS' computer control weaknesses contributed to Treasury's reporting of a material instance of non-conformance under the Federal Financial Management Improvement Act. Both of these issues were included in the fiscal year 1998 Treasury Accountability Report.

    Recommendation: To improve weaknesses in general controls cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of FMS, along with the FMS Information Resources Assistant Commissioner, to identify the computer control weaknesses discussed in the limited official use report as a material weakness in FMS' fiscal year 1998 Federal Managers' Financial Integrity Act report and subsequent reports until they are corrected.

    Agency Affected: Department of the Treasury

 
