GAO-04-672R, Federal Reserve Banks: Areas for Improvement in Computer Controls


This is the accessible text file for GAO report number GAO-04-672R 
entitled 'Federal Reserve Banks: Areas for Improvement in Computer 
Controls' which was released on May 12, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

May 12, 2004:

Louise L. Roseman, Director, 
Division of Reserve Bank Operations and Payment Systems 
Board of Governors of the Federal Reserve System:

Subject: Federal Reserve Banks: Areas for Improvement in Computer 
Controls:

Dear Ms. Roseman:

In connection with fulfilling our requirement to audit the financial 
statements of the U.S. government,[Footnote 1] we audited and reported 
on the Schedules of Federal Debt Managed by the Bureau of the Public 
Debt (BPD) for the fiscal years ended September 30, 2003 and 
2002.[Footnote 2] As part of these audits, we performed a review of the 
general and application computer controls over key financial systems 
maintained and operated by the Federal Reserve Banks (FRB) on behalf of 
the Department of the Treasury's BPD.

Many of the FRBs perform fiscal agent services on behalf of the U.S. 
government, including BPD. The debt-related services primarily consist 
of issuing, servicing, and redeeming Treasury securities and processing 
secondary market securities transfers. In fiscal year 2003, the FRBs 
issued about $4.1 trillion in federal debt securities to the public, 
redeemed about $3.8 trillion of debt held by the public, and processed 
about $125 billion in interest payments on debt held by the public. 
FRBs maintain and operate key financial applications on behalf of BPD 
and an array of financial and information systems to process and 
reconcile monies disbursed and collected on behalf of BPD.

The scope of our work for fiscal year 2003 included a review of the 
general and application computer controls over key financial systems 
maintained and operated by the FRBs on behalf of BPD and follow-up on 
unresolved vulnerabilities identified in prior years' audits of these 
systems. We use a risk-based and rotation approach for testing general 
computer controls. Each general control area is subjected to a full-
scope review, including testing, at least once every 3 years. The 
computer control areas we review are defined in the Federal Information 
System Controls Audit Manual.[Footnote 3] Areas considered to be of 
higher risk are subject to more frequent review. The applications are 
subjected to a full-scope review every year.

General computer controls are intended to (1) protect data, files, and 
programs from unauthorized access, modification, disclosure, and 
destruction; (2) limit and monitor access to programs and files that 
control computer hardware and secure applications; (3) prevent the 
introduction of unauthorized changes to systems and applications 
software; and (4) ensure the recovery of computer processing operations 
in case of a disaster or other unexpected interruption. Application 
computer controls relate directly to the individual computer programs 
that are used to perform certain types of work, such as generating 
interest payments or recording transactions in a general ledger. In an 
effective general control environment, application controls help to 
ensure that transactions are valid, properly authorized, and completely 
and accurately processed and reported. Access controls for specific 
applications should establish individual accountability and proper 
segregation of duties, prevent unauthorized transactions from being 
entered into the application and processed by the computer, limit the 
processing privileges of individuals, and prevent and detect 
inappropriate or unauthorized activities.

We performed our work at certain FRBs from April 2003 through October 
2003 in accordance with U.S. generally accepted government auditing 
standards. We requested comments on a draft of this report from the 
Board of Governors of the Federal Reserve System. The comments are 
summarized later in this report and the written response from the Board 
of Governors is reprinted in the enclosure.

As we reported in connection with our audit of the Schedules of Federal 
Debt for the fiscal years ended September 30, 2003 and 2002, BPD 
maintained, in all material respects, effective internal control, 
including general and application computer controls, relevant to the 
Schedule of Federal Debt related to financial reporting and compliance 
with applicable laws and regulations as of September 30, 2003. BPD's 
internal control provided reasonable assurance that misstatements, 
losses, or noncompliance material in relation to the Schedule of 
Federal Debt for the fiscal year ended September 30, 2003, would be 
prevented or detected on a timely basis. We found matters involving 
computer controls that we do not consider to be reportable 
conditions.[Footnote 4]

In a separately issued Limited Official Use Only report, we 
communicated detailed information regarding our findings to FRB 
managers and made five recommendations that address application 
computer control vulnerabilities related to access controls. In 
addition, our follow-up on the status of the FRBs' corrective actions 
to address unresolved vulnerabilities identified in prior years' audits 
found that the FRBs had taken corrective action for three of the four 
open recommendations discussed in our prior report.[Footnote 5] The one 
remaining open recommendation related to access controls is now 
encompassed in one of the five new detailed recommendations contained 
in the Limited Official Use Only report.

While the application computer control vulnerabilities reported do not 
pose significant risks to the financial systems maintained and operated 
by the FRBs on behalf of BPD, they warrant FRB managers' action to 
decrease the risk of unauthorized access or data misuse.

We recommend that the Director of the Division of Reserve Bank 
Operations and Payment Systems assign responsibility and accountability 
for addressing the five recommendations to cognizant FRB officials.

In commenting on a draft of this report, the Board of Governors of the 
Federal Reserve System stated that the information in this report and 
the Limited Official Use Only report will assist the FRBs in their 
ongoing efforts to enhance the integrity of their automated systems and 
information security practices. The Board of Governors also stated that 
the five vulnerabilities remaining as of September 30, 2003, have been 
or will be corrected and pledged to monitor the status of uncorrected 
items. We plan to follow up on these matters during our audit of the 
fiscal year 2004 Schedule of Federal Debt.

In the separately issued Limited Official Use Only report, we requested 
a written statement on actions taken to address these recommendations.

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate Committee on Governmental Affairs; the 
Subcommittee on Transportation, Treasury and General Government, Senate 
Committee on Appropriations; the House Committee on Government Reform; 
the Subcommittee on Government Efficiency and Financial Management, 
House Committee on Government Reform; and the Subcommittee on 
Transportation and Treasury, and Independent Agencies, House Committee 
on Appropriations. We are also sending copies of this report to the 
Chairman of the Board of Governors of the Federal Reserve System and 
the Director of the Office of Management and Budget. Copies will also 
be made available to others upon request. In addition, the report will 
be available at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise 
DiBenedetto, Assistant Director, at (202) 512-6921. Other key 
contributors to this assignment were Gerald L. Barnes, Dean D. 
Carpenter, Mickie E. Gray, David B. Hayes, and Dawn B. Simpson.

Sincerely yours,

Gary T. Engel, 
Director, 
Financial Management and Assurance:

Enclosure:

Comments from the Board of Governors of the Federal Reserve System:

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM:

WASHINGTON, DC 20551:

LOUISE L. ROSEMAN:

DIRECTOR 
DIVISION OF RESERVE BANK OPERATIONS AND PAYMENT SYSTEMS:

March 18, 2004:

Mr. Gary T. Engel Director:

Financial Management and Assurance 
United States General Accounting Office 
441 G Street, N.W.

Washington, D.C. 20548:

Dear Mr. Engel:

We appreciate the opportunity to comment on the General Accounting 
Office's draft report assessing the Federal Reserve Banks' information 
security associated with the applications that support their role as 
fiscal agents of the United States. The GAO's review was performed as 
part of the audit of the U.S. government's fiscal year 2003 financial 
statements.

Overall, we found the review and report helpful. The report provides 
information that will assist the Reserve Banks in their ongoing efforts 
to enhance the integrity of their automated systems and information 
security practices. The Federal Reserve shares lessons 
learned from this review and its internal reviews more broadly within 
the System to improve controls, processes, and internal audit 
procedures.

We agree with GAO's assessment that the Reserve Banks have implemented 
effective controls over these applications. We also agree with the 
GAO's assessment that while the vulnerabilities identified in the 
report do not pose significant risks to the Treasury's financial 
systems, they still warrant management's attention. Of the five 
vulnerabilities in the report that require attention, we have corrected 
or will correct all of them. Federal Reserve Board staff will monitor 
the status of uncorrected items and internal auditors at the Reserve 
Banks will confirm all corrective measures taken.

Signed by Louise L. Roseman: 

[End of section]

(198257):

FOOTNOTES

[1] 31 U.S.C. § 331(e) (2000).

[2] U.S. General Accounting Office, Financial Audit: Bureau of the 
Public Debt's Fiscal Years 2003 and 2002 Schedules of Federal Debt, 
GAO-04-177 (Washington, D.C.: Nov. 7, 2003).

[3] U.S. General Accounting Office, Federal Information System Controls 
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[4] Reportable conditions are matters coming to our attention that in 
our judgment should be communicated because they represent significant 
deficiencies in the design or operation of internal control, which 
could adversely affect the organization's ability to meet the 
objectives of reliable financial reporting and compliance with 
applicable laws and regulations.

[5] U.S. General Accounting Office, Federal Reserve Banks: Areas for 
Improvement in Computer Controls, GAO-03-333R (Washington, D.C.: Feb. 
10, 2003).