Management Report: Areas for Improvement in the Federal Reserve Banks' Information System Controls

What GAO Found

During GAO's audit of the Schedules of Federal Debt managed by the Department of the Treasury's (Treasury) Bureau of the Fiscal Service (Fiscal Service) for the fiscal years ended September 30, 2017, and 2016, GAO identified two new information system general control deficiencies related to systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of Treasury that are relevant to the Schedule of Federal Debt. One of these deficiencies related to access controls and the other related to configuration management. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to FRB management detailed information regarding the new information system general control deficiencies and made two recommendations to address them.

In addition, during GAO's follow-up on the status of FRBs' corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2016, GAO determined that corrective actions were complete for the recommendation related to access controls and that corrective actions were in progress for the remaining open recommendation related to configuration management. In the LIMITED OFFICIAL USE ONLY report, GAO communicated detailed information regarding actions taken by FRBs to address the control deficiencies related to the recommendations that were open as of September 30, 2016.

GAO identified new deficiencies in information system controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in Fiscal Service's internal control over financial reporting relevant to the Schedule of Federal Debt. We also identified deficiencies in information system controls over key financial systems maintained and operated by FRBs on behalf of Treasury that are relevant to the Schedule of Federal Debt. However, such deficiencies in FRB information system controls did not contribute individually or collectively to the significant deficiency we identified. The potential effect of these new and continuing control deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2017 was mitigated primarily by FRBs' program of monitoring user and system activity and Fiscal Service's compensating management and reconciliation controls designed to detect potential misstatements of the Schedule of Federal Debt. Nevertheless, these control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs, and therefore warrant the attention and action of management. 

Why GAO Did This Study

GAO is required to audit the consolidated financial statements of the U.S. government. Because of the significance of the federal debt held by the public to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually. As part of these audits, GAO performs a review of information system controls over key financial systems maintained and operated by FRBs on behalf of Treasury that are relevant to the Schedule of Federal Debt. This report presents the two new deficiencies identified during GAO's fiscal year 2017 testing of information system controls over key financial systems maintained and operated by FRBs on behalf of Treasury that are relevant to the Schedule of Federal Debt. This report also includes the results of GAO's fiscal year 2017 follow-up on the status of FRBs' corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2016.