Skip to main content

Management Report: Improvements Needed in the Bureau of the Fiscal Service's Information System Controls

GAO-18-332R Published: Apr 17, 2018. Publicly Released: Apr 17, 2018.
Jump To:
Skip to Highlights

Highlights

What GAO Found

During GAO's audit of the Schedules of Federal Debt managed by the Department of the Treasury's Bureau of the Fiscal Service (Fiscal Service) for the fiscal years ended September 30, 2017, and 2016, GAO identified new deficiencies in information system controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in Fiscal Service's internal control over financial reporting. Specifically, GAO identified eight new deficiencies in information system general controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt. One of these deficiencies related to security management, four related to access controls, and three related to configuration management. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to Fiscal Service management detailed information regarding the eight new information system general control deficiencies and made 10 recommendations to address them.

In addition, during GAO's follow-up on the status of Fiscal Service's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2016, GAO determined that corrective actions were still in progress for all 15 open recommendations related to security management, access controls, configuration management, and segregation of duties. In the LIMITED OFFICIAL USE ONLY report, GAO communicated detailed information regarding actions taken by Fiscal Service to address the control deficiencies related to the recommendations that were open as of September 30, 2016.

The potential effect of these new and continuing deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2017 was mitigated primarily by Fiscal Service's compensating management and reconciliation controls designed to detect potential misstatements of the Schedule of Federal Debt. Nevertheless, these general control deficiencies, which collectively represent a significant deficiency, increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations. 

Why GAO Did This Study

GAO is required to audit the consolidated financial statements of the U.S. government. Because of the significance of the federal debt held by the public to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually. As part of these audits, GAO performs a review of information system controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt.

This report presents the deficiencies identified during GAO's fiscal year 2017 testing of information system controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt. This report also includes the results of GAO's fiscal year 2017 follow-up on the status of Fiscal Service's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2016.

Recommendations

In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 10 recommendations to address the eight new information system general control deficiencies related to security management, access controls, and configuration management. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, Fiscal Service stated that it continues to work to address the 15 prior-year recommendations that remained open as of September 30, 2017, and has established plans to address the 10 new recommendations made in this year's report. GAO plans to follow up to determine the status of corrective actions taken on these recommendations during its audit of the fiscal year 2018 Schedule of Federal Debt.

Full Report

Office of Public Affairs

Topics

AuditsConfiguration controlConsolidated Financial Statements of the U.S. GovernmentFederal debtFinancial reportingFinancial statement auditsFinancial statementsFinancial systemsInformation systemsInternal controlsSensitive data