Federal Reserve Banks:
Areas for Improvement in Computer Controls
GAO-04-672R: Published: May 12, 2004. Publicly Released: May 12, 2004.
In connection with fulfilling our requirement to audit the financial statements of the U.S. government, we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2003 and 2002. As part of these audits, we performed a review of the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's BPD. Many of the FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. The debt-related services primarily consist of issuing, servicing, and redeeming Treasury securities and processing secondary market securities transfers. In fiscal year 2003, the FRBs issued about $4.1 trillion in federal debt securities to the public, redeemed about $3.8 trillion of debt held by the public, and processed about $125 billion in interest payments on debt held by the public. FRBs maintain and operate key financial applications on behalf of BPD and an array of financial and information systems to process and reconcile monies disbursed and collected on behalf of BPD.
As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2003 and 2002, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2003. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2003, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions. In a separately issued Limited Official Use Only report, we communicated detailed information regarding our findings to FRB managers and made five recommendations that address application computer control vulnerabilities related to access controls. In addition, our follow-up on the status of the FRBs' corrective actions to address unresolved vulnerabilities identified in prior years' audits found that the FRBs had taken corrective action for three of the four open recommendations discussed in our prior report. The one remaining open recommendation related to access controls is now encompassed in one of the five new detailed recommendations contained in the Limited Official Use Only report. While the application computer control vulnerabilities reported do not pose significant risks to the financial systems maintained and operated by the FRBs on behalf of BPD, they warrant FRB managers' action to decrease the risk of unauthorized access or data misuse.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In connection with its ongoing requirement to audit the U.S. government's financial statements, GAO reviewed the status of actions taken to address the information technology control recommendations it made in a related "Limited Official Use" report. As detailed in separate accomplishment reports, GAO found that Federal Reserve Bank management had taken steps to implement the recommendations related to the Bureau of the Public Debt systems.
Recommendation: The Director of the Division of Reserve Bank Operations and Payment Systems should assign responsibility and accountability for addressing the five recommendations to cognizant FRB officials.
Agency Affected: Federal Reserve System