Federal Reserve Banks:
Areas for Improvement in Computer Controls
AIMD-99-280, Sep 15, 1999
Pursuant to a legislative requirement, GAO: (1) followed up on the status of the Federal Reserve Banks' (FRB) corrective actions to address vulnerabilities identified in GAO's fiscal year (FY) 1997 financial statement audit; and (2) reviewed the general and application controls that support key Financial Management Service (FMS) and Bureau of the Public Debt (BPD) automated financial systems maintained and operated by the FRBs.
GAO noted that: (1) GAO's follow-up on the status of the FRBs' corrective actions to address vulnerabilities identified in GAO's FY 1997 audit found that the FRBs had corrected or mitigated the risks associated with 14 of the 20 general and application control vulnerabilities discussed in GAO's prior report that related to the FRBs visited during its FY 1998 testing; (2) while GAO found that the FRBs had implemented effective general and application controls, the FY 1998 audit procedures identified certain new general control vulnerabilities; (3) these vulnerabilities related to access controls at one of the FRB data centers and to access controls, system software, and service continuity at another FRB data center; (4) at a third FRB data center, GAO found vulnerabilities in access controls, application software development and change controls, segregation of duties, service continuity, and the entitywide security planning and management program; (5) GAO identified vulnerabilities in the authorization controls over one key application and vulnerabilities in the authorization and completeness controls over another key application maintained for FMS and BPD; (6) GAO identified vulnerabilities in authorization controls over a third key application maintained for FMS; and (7) while these vulnerabilities do not pose significant risks to the FMS and BPD financial systems, they warrant FRB management's attention and action to decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, or disruption of critical operations.
Recommendation for Executive Action
Recommendation: The Chairman of the Board of Governors of the Federal Reserve System should: (1) assign cognizant FRB officials responsibility and accountability for taking specific actions to correct each of the individual vulnerabilities that were identified during GAO's testing and summarized in the "Limited Official Use" version of this report; and (2) direct the Director of the Division of Reserve Bank Operations and Payment Systems to monitor the status of all vulnerabilities, including actions taken to correct them.
Agency Affected: Federal Reserve System: Board of Governors
Status: Closed - Implemented
Comments: During GAO's fiscal year 1999 tests of the effectiveness of general and application controls that support key FMS and BPD automated financial systems, it followed up on the status of the FRBs' corrective actions to address vulnerabilities identified in GAO's audits for fiscal years 1997 and 1998. GAO found that the FRBs had corrected or mitigated the risks associated with 19 of the 30 general and application control vulnerabilities discussed in prior reports. In commenting on a draft of GAO's fiscal year 1999 report, the Board of Governors of the Federal Reserve System stated that it has corrected or will correct most of the vulnerabilities identified in the report and will study the others before developing and implementing corrective actions. GAO is closing this recommendation because the remaining outstanding actions to correct vulnerabilities identified in this report have been included in the report on fiscal year 1999 testing results issued in May 2000. GAO will follow up on these matters during its ongoing audit of the federal government's fiscal year 2000 financial statements.