This is the accessible text file for GAO report number GAO-02-1082R 
entitled 'Bureau of the Public Debt: Areas for Improvement in Computer 
Controls' which was released on September 18, 2002. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States General Accounting Office: 
Washington, DC 20548: 

September 18, 2002: 

The Honorable Van Zeck: 
Commissioner: 
Bureau of the Public Debt: 

Subject: Bureau of the Public Debt: Areas for Improvement in Computer 
Controls: 

Dear Mr. Zeck: 

In connection with fulfilling our requirement to audit the U.S. 
government’s fiscal year 2001 financial statements, [Footnote 1] we 
reviewed the general and application computer controls over key 
financial systems maintained and operated by the Department of the 
Treasury’s Bureau of the Public Debt (BPD). This report for public 
release summarizes the results of our fiscal year 2001 work, including 
our follow-up on previous years’ recommendations. 

The Department of the Treasury is authorized by Congress to borrow 
money on the credit of the United States to fund operations of the 
federal government. Within Treasury, BPD is responsible for prescribing 
the debt instruments, limiting and restricting the amount and 
composition of the debt, paying interest to investors, and accounting 
for the resulting debt. BPD is also responsible for issuing Treasury
securities to trust funds for trust fund receipts not needed for 
current benefits and expenses. 

We used a risk-based and rotation approach for testing general and 
application controls. Under that methodology, every 3 years the data 
center and all key applications are subjected to a full-scope review, 
which includes testing in all the computer control areas defined in the 
Federal Information System Controls Audit Manual. [Footnote 2] The 
scope of our work for fiscal year 2001 was to follow up on 
vulnerabilities identified in our prior years’ reports and to perform a 
full-scope review of BPD’s entitywide computer control security 
program, access controls, application software development and change 
controls, systems software, segregation of duties, and service 
continuity. We also performed full-scope application controls reviews
over two key applications and limited-scope reviews of another four key 
applications. We performed our work at the BPD data center from 
September 2001 through January 2002. Our work was performed in 
accordance with U.S. generally accepted government auditing standards. 
We requested comments on a draft of this report from the Commissioner 
of BPD. The comments are summarized later in this report. 

As noted above, our review addressed both general and application 
controls. An effective general control environment (1) protects data, 
files, and programs from unauthorized access, modification, and 
destruction; (2) limits and monitors access to programs and files that 
control computer hardware and secure applications; (3) prevents the 
introduction of unauthorized changes to systems and applications 
software; (4) prevents any one individual from controlling key aspects 
of computer-related operations; and (5) ensures the recovery of 
computer processing operations in case of disaster or other unexpected 
interruption. An effective application control environment helps ensure 
that transactions performed by individual computer programs are valid, 
properly authorized, and completely and accurately processed and 
reported. 

As we reported in connection with our audit of the Schedules of Federal 
Debt for the fiscal years ended September 30, 2001, and 2000, [Footnote 
3] BPD maintained, in all material respects, effective internal control 
relevant to the Schedule of Federal Debt related to financial reporting 
and compliance with applicable laws and regulations as of September 30, 
2001. BPD’s internal control, which includes the general and 
application controls over key BPD systems relevant to the Schedule of 
Federal Debt, provided reasonable assurance that misstatement, losses, 
or noncompliance material in relation to the Schedule of Federal Debt 
for the fiscal year ended September 30, 2001, would be prevented or 
detected on a timely basis. 

Our follow-up on the status of BPD’s corrective actions to address 
vulnerabilities identified in our fiscal years 1997 through 2000 audits 
found that BPD had corrected or mitigated the risks associated with 8 
of the 13 general and application control vulnerabilities discussed in 
our prior reports and is in the process of addressing the remaining 5. 

We identified opportunities to strengthen general and application 
controls. In a separately issued Limited Official Use Only report, we 
communicated detailed information regarding our findings to BPD 
managers and made 18 recommendations to strengthen certain general 
computer controls in the areas of access, system software, application 
software development and change controls, and service continuity and to 
improve application-specific accuracy and authorization controls. None 
of the vulnerabilities we found pose significant risks to BPD financial 
systems. Nevertheless, they warrant BPD managers’ action to further 
decrease the risk of inappropriate disclosure and modification of 
sensitive data and programs, misuse of or damage to computer 
resources, and disruption of critical operations. 

In commenting on a draft of this report, the BPD Commissioner generally 
agreed with our findings. He stated that in many cases, BPD had already 
corrected or has plans to correct the identified problems. 

We are sending copies of this report to the Chairman and Ranking 
Minority Member of the Senate Committee on Governmental Affairs; 
Subcommittee on Treasury and General Government, Senate Committee on 
Appropriations; House Committee on Government Reform; and Subcommittee 
on Treasury, Postal Service, and General Government, House Committee on 
Appropriations. We are also sending copies of this report to the 
Department of the Treasury, the Inspector General of the Department of 
the Treasury, and the Director of the Office of Management and Budget. 
Copies will also be made available to others upon request and are 
available at no charge on GAO’s Web site at [hyperlink, 
http://www.gao.gov]. 

If you have any questions regarding this report, please contact Paula 
M. Rascona, Assistant Director, at (202) 512-9816. Other key 
contributors to this assignment were Louise DiBenedetto, David B. 
Hayes, Greg Wilshusen, and Mickie Gray. 

Sincerely yours, 

Signed by: 

Gary T. Engel: 
Director: 
Financial Management and Assurance: 

[End of correspondence] 

Footnotes: 

[1] 31 U.S.C. 331(e) (2000). 

[2] U.S. General Accounting Office, Federal Information System Controls 
Audit Manual, Volume I: Financial Statement Audits, GAO/AIMD-12.19.6 
(Washington, D.C.: June 2001). 

[3] U.S. General Accounting Office, Financial Audit: Bureau of the 
Public Debt’s Fiscal Years 2001 and 2000 Schedules of Federal Debt, 
GAO-02-354 (Washington, D.C.: February 15, 2002). 

[End of section] 
