Bureau of the Public Debt:

Areas for Improvement in Computer Controls

AIMD-99-2: Published: Oct 14, 1998. Publicly Released: Oct 14, 1998.

Additional Materials:

Contact:

Gary T. Engel
(202) 512-8815
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a legislative requirement, GAO reviewed the general and application controls that support key automated financial systems maintained and operated by the Bureau of the Public Debt (BPD).

GAO noted that: (1) overall, GAO found that BPD implemented effective computer controls; however, GAO identified certain vulnerabilities in general controls involving: (a) access to data and programs; (b) physical access; (c) contingency planning; and (d) security management; (2) GAO also identified vulnerabilities in the controls for two key BPD financial applications maintained and operated at the BPD data center in Parkersburg, West Virginia; (3) addressing these vulnerabilities requires: (a) strengthening access controls by further restricting system access rights and improving security monitoring; and (b) managing accuracy controls more effectively by ensuring that established procedures are followed to prevent unauthorized deletion of exception reports; (4) in most cases, BPD has corrected or is correcting the vulnerabilities that GAO identified; (5) GAO provided a general summary of the vulnerabilities that existed on September 30, 1997; (6) those that GAO verified had been fully resolved subsequent to September 30, 1997, GAO has so noted; and (7) GAO will review the status of BPD's other corrective actions as part of its fiscal year 1998 financial audits.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: During GAO's fiscal year 1998 testing of the effectiveness of BPD's general and application controls, GAO followed up on the status of the BPD's corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 1997. GAO found that BPD had corrected or mitigated the risks associated with 15 of the 21 vulnerabilities that were identified in this report. GAO is closing this recommendation because the remaining outstanding corrective actions to correct vulnerabilities identified in this report have been included in the report on fiscal year 1998 testing results issued in August 1999 (GAO/AIMD-99-242).

    Recommendation: To improve areas of vulnerability in general controls and application controls over BPD's financial systems cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of the Bureau of the Public Debt to correct each individual vulnerability GAO identified and communicated to BPD during GAO's testing and summarized in the limited official use report, and assign responsibility and accountability for correcting each vulnerability to designated individuals. These individuals should report regularly to the Commissioner on the status of all vulnerabilities, including actions taken to correct them.

    Agency Affected: Department of the Treasury

  2. Status: Closed - Implemented

    Comments: Many of the vulnerabilities that were identified at the FRB related to BPD systems have been corrected. Specifically, corrective action has been taken on all 6 of the application control vulnerabilities and 7 of the 13 general controls vulnerabilities identified at the FRBs GAO visited. FRB officials informed GAO that the FRBs had corrected or mitigated the risks associated with the remaining 11 general controls vulnerabilities at the sites GAO did not visit this year. Because these sites were not subject to testing during FY 1998 based on GAO's rotational audit approach, GAO plan to verify the corrective actions reportedly taken on these 11 general controls vulnerabilities by the FRBs during GAO's audit of the U.S. government's FY 1999 financial statements. None of the remaining 6 open general controls vulnerabilities are considered as having a significant adverse impact, either individually or collectively, on the BPD systems maintained and operated by the FRBs.

    Recommendation: To improve areas of vulnerability in general controls and application controls over BPD's financial systems cited in GAO's July 31, 1998, limited official use version of this report, the Secretary of the Treasury should direct the Commissioner of the Bureau of the Public Debt to work with the Federal Reserve Banks (FRB) to implement corrective actions to improve the computer control vulnerabilities related to BPD systems supported by FRBs that GAO identified and communicated to FRBs during its testing.

    Agency Affected: Department of the Treasury

 

Explore the full database of GAO's Open Recommendations »

Sep 20, 2016

Sep 6, 2016

Aug 19, 2016

Aug 12, 2016

Jul 29, 2016

Jul 28, 2016

Jul 13, 2016

Jul 11, 2016

Jun 13, 2016

Looking for more? Browse all our products here