Bureau of the Public Debt: Areas for Improvement in Computer Controls

Many of the vulnerabilities that were identified at the FRB related to BPD systems have been corrected. Specifically, corrective action has been taken on all 6 of the application control vulnerabilities and 7 of the 13 general controls vulnerabilities identified at the FRBs GAO visited. FRB officials informed GAO that the FRBs had corrected or mitigated the risks associated with the remaining 11 general controls vulnerabilities at the sites GAO did not visit this year. Because these sites were not subject to testing during FY 1998 based on GAO's rotational audit approach, GAO plan to verify the corrective actions reportedly taken on these 11 general controls vulnerabilities by the FRBs during GAO's audit of the U.S. government's FY 1999 financial statements. None of the remaining 6 open general controls vulnerabilities are considered as having a significant adverse impact, either individually or collectively, on the BPD systems maintained and operated by the FRBs.

During GAO's fiscal year 1998 testing of the effectiveness of BPD's general and application controls, GAO followed up on the status of the BPD's corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 1997. GAO found that BPD had corrected or mitigated the risks associated with 15 of the 21 vulnerabilities that were identified in this report. GAO is closing this recommendation because the remaining outstanding corrective actions to correct vulnerabilities identified in this report have been included in the report on fiscal year 1998 testing results issued in August 1999 (GAO/AIMD-99-242).