ADP Internal Controls:

Actions To Correct System Weaknesses for Federal Employees' Compensation

IMTEC-88-9: Published: Dec 22, 1987. Publicly Released: Jan 25, 1988.

Additional Materials:

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO evaluated the Employment Standards Administration's (ESA) Federal Employees' Compensation Act (FECA) Program, focusing on its: (1) progress in correcting material automatic data processing (ADP) weaknesses identified by the Department of Labor; (2) identification of all material ADP weaknesses; and (3) process for identifying and correcting ADP internal control weaknesses.

GAO found that, although ESA has made progress in correcting its administrative control weaknesses, it has not: (1) expanded the automated medical fee schedule; (2) completed replacement of its computerized system; and (3) corrected security weaknesses that allow inappropriate access to payment systems. GAO found no additional material ADP weaknesses. In addition, GAO found that, although ESA generally complied with applicable guidelines for identifying and correcting ADP weaknesses, it: (1) frequently closed or planned to close material ADP weakness cases before it verified correction of the weaknesses; and (2) made only limited use of the results of FECA district offices' accountability reviews.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Since February 1988, ADP security has been a part of FECA district office accountability reviews.

    Recommendation: The Secretary of Labor should require the Assistant Secretary, ESA, to make efficient use of limited personnel resources by incorporating accountability reviews as an integral part of identifying and correcting material weaknesses, and evaluate systemic weaknesses identified during these reviews as part of the annual Financial Integrity Act review process for possible inclusion in the ESA annual report to the Secretary of Labor.

    Agency Affected: Department of Labor

  2. Status: Closed - Implemented

    Comments: Labor agreed to verify that corrective actions are in place and are appropriate before closing weakness cases.

    Recommendation: The Secretary of Labor should require the Assistant Secretary, ESA, to ensure that proposed actions to correct material ADP weaknesses are adequate by verifying their implementation and effectiveness before closing the weakness cases.

    Agency Affected: Department of Labor

  3. Status: Closed - Implemented

    Comments: ESA has determined whether specific ADP security weaknesses exist at other FECA district offices through its 1988 accountability review process.

    Recommendation: The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and requires that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which determine whether the specific ADP security weaknesses identified at the FECA national office and the Kansas City district office also exist at other FECA district offices, and if so, correct them.

    Agency Affected: Department of Labor

  4. Status: Closed - Implemented

    Comments: Contracts with two major ADP contractors specify security requirements and ESA is developing comprehensive guidance in this area. A request for proposals for ADP field support also contains appropriate requirements, as will future ADP service contracts.

    Recommendation: The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and requires that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which determine and implement the level of security clearances needed for contractor personnel working on FECA systems, in accordance with ESA Notice 83-194.

    Agency Affected: Department of Labor

  5. Status: Closed - Implemented

    Comments: Software is now in place, which records unsuccessful attempts to access the national office system and shuts off communication after three such attempts. Monthly reports of unsuccessful attempts are being monitored, and transmission lines are believed to be secure.

    Recommendation: The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and require that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which ensure that the FECA national office and Kansas City district office security managers comply with FIPS Publication 83 to monitor unsuccessful attempts to access the FECA system and take corrective actions as necessary.

    Agency Affected: Department of Labor

  6. Status: Closed - Implemented

    Comments: A FECA Data System Enhancement Project has been implemented. The new system uses an operating system designed to support multiple users in a secure environment. The features include user identifiers and passwords, as recommended by GAO.

    Recommendation: The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and requires that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which protect system access by providing each authorized FECA user with a unique user identifier and password so that user accountability can be effectively tracked, in accordance with Federal Information Processing Standard (FIPS) Publication 83 and FECA procedures.

    Agency Affected: Department of Labor

  7. Status: Closed - Implemented

    Comments: The Medical Director of the Office of Workers' Compensation Program made several visits concerning state compensation systems, and made inquiries concerning the Health Care Financing System. Labor requested between $8 and $10 million in its 1992 budget to study the feasibility of medical fees for the compensation program. OMB removed the request, and Labor does not plan any further action.

    Recommendation: The Secretary of Labor should reopen the closed corrective action with respect to expanding the automated medical fee schedule to include noncovered provider types, such as hospitals and pharmacies, and direct the Assistant Secretary, ESA, to determine the feasibility of expanding its automated medical fee schedule to include the currently uncovered provider types, as part of completing this corrective action. The Secretary should continue to report this issue as an open corrective action until appropriate internal controls are implemented.

    Agency Affected: Department of Labor

  8. Status: Closed - Implemented

    Comments: ESA reviewed ADP controls as part of its accountability review process during fiscal year 1988. Also, the ESA security plan will incorporate ADP security as part of revised accountability review standards.

    Recommendation: The Secretary of Labor should require the Assistant Secretary, ESA, to ensure that ADP controls are evaluated as part of each FECA accountability review.

    Agency Affected: Department of Labor

 

Explore the full database of GAO's Open Recommendations »

Dec 12, 2014

Dec 9, 2014

Nov 17, 2014

Nov 12, 2014

Nov 10, 2014

Nov 7, 2014

Nov 6, 2014

Looking for more? Browse all our products here