Management Report: Areas for Improvement in the Bureau of the Fiscal Service's Information Systems Controls

GAO-17-611R Published: Jun 29, 2017. Publicly Released: Jun 29, 2017.

Highlights

What GAO Found

During GAO's audit of the Schedules of Federal Debt managed by the Department of the Treasury's Bureau of the Fiscal Service (Fiscal Service) for the fiscal years ended September 30, 2016, and 2015, GAO identified nine new deficiencies in information systems general controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt. These control deficiencies related to access controls, configuration management, and segregation of duties. In a separately issued Limited Official Use Only report, GAO communicated to Fiscal Service management detailed information regarding the nine new information systems general control deficiencies and made 11 recommendations to address them.

In addition, during GAO's follow-up on the status of Fiscal Service's corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2015, GAO determined that corrective actions were complete for 6 of the 10 open recommendations and that corrective actions were in progress for the 4 remaining open recommendations related to security management, configuration management, and segregation of duties.

While GAO identified new and continuing control deficiencies relating to information systems that are relevant to the Schedule of Federal Debt, GAO does not consider them individually or collectively to be material weaknesses or significant deficiencies. The potential effect of these control deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2016 was mitigated primarily by Fiscal Service's compensating management and reconciliation controls designed to detect potential misstatements on the Schedule of Federal Debt. Nevertheless, these control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations, and therefore warrant the attention and action of management. In a separately issued Limited Official Use Only report, GAO made 11 recommendations to address the nine new information systems general control deficiencies related to access controls, configuration management, and segregation of duties.

Why GAO Did This Study

GAO is required to audit the consolidated financial statements of the U.S. government. Because of the significance of the federal debt held by the public to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually. As part of these audits, GAO performs a review of information systems controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt.

This report presents the deficiencies identified during GAO's fiscal year 2016 testing of information systems controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt. This report also includes the results of GAO's fiscal year 2016 follow-up on the status of Fiscal Service's corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2015.

Recommendations

In commenting on a draft of the separately issued Limited Official Use Only report, the Commissioner of the Bureau of the Fiscal Service stated that Fiscal Service has taken, and will continue to take, steps to fully address the 4 prior-year recommendations that remained open as of September 30, 2016, and has actions planned to address the 11 new recommendations made in this year's report. GAO plans to follow up to determine the status of corrective actions taken on these recommendations during its audit of the fiscal year 2017 Schedule of Federal Debt.

Topics

Computer security, Configuration control, Federal debt, Financial management, Financial reporting, Financial systems, Information systems, Internal controls, Logical access controls, Material weaknesses