ADP Internal Controls: Actions To Correct System Weaknesses for Federal Employees' Compensation
IMTEC-88-9
Published: Dec 22, 1987. Publicly Released: Jan 25, 1988.
Skip to Highlights
Highlights
Pursuant to a congressional request, GAO evaluated the Employment Standards Administration's (ESA) Federal Employees' Compensation Act (FECA) Program, focusing on its: (1) progress in correcting material automatic data processing (ADP) weaknesses identified by the Department of Labor; (2) identification of all material ADP weaknesses; and (3) process for identifying and correcting ADP internal control weaknesses.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Labor | The Secretary of Labor should reopen the closed corrective action with respect to expanding the automated medical fee schedule to include noncovered provider types, such as hospitals and pharmacies, and direct the Assistant Secretary, ESA, to determine the feasibility of expanding its automated medical fee schedule to include the currently uncovered provider types, as part of completing this corrective action. The Secretary should continue to report this issue as an open corrective action until appropriate internal controls are implemented. |
Closed – Implemented
The Medical Director of the Office of Workers' Compensation Program made several visits concerning state compensation systems, and made inquiries concerning the Health Care Financing System. Labor requested between $8 and $10 million in its 1992 budget to study the feasibility of medical fees for the compensation program. OMB removed the request, and Labor does not plan any further action.
|
| Department of Labor | The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and requires that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which protect system access by providing each authorized FECA user with a unique user identifier and password so that user accountability can be effectively tracked, in accordance with Federal Information Processing Standard (FIPS) Publication 83 and FECA procedures. |
Closed – Implemented
A FECA Data System Enhancement Project has been implemented. The new system uses an operating system designed to support multiple users in a secure environment. The features include user identifiers and passwords, as recommended by GAO.
|
| Department of Labor | The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and require that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which ensure that the FECA national office and Kansas City district office security managers comply with FIPS Publication 83 to monitor unsuccessful attempts to access the FECA system and take corrective actions as necessary. |
Closed – Implemented
Software is now in place, which records unsuccessful attempts to access the national office system and shuts off communication after three such attempts. Monthly reports of unsuccessful attempts are being monitored, and transmission lines are believed to be secure.
|
| Department of Labor | The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and requires that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which determine and implement the level of security clearances needed for contractor personnel working on FECA systems, in accordance with ESA Notice 83-194. |
Closed – Implemented
Contracts with two major ADP contractors specify security requirements and ESA is developing comprehensive guidance in this area. A request for proposals for ADP field support also contains appropriate requirements, as will future ADP service contracts.
|
| Department of Labor | The Secretary of Labor should ensure that the Assistant Secretary, ESA, provides for adequate internal controls to protect FECA ADP systems and requires that ADP security procedures are followed. As part of this requirement, the Assistant Secretary should ensure that actions are implemented to improve ADP internal controls which determine whether the specific ADP security weaknesses identified at the FECA national office and the Kansas City district office also exist at other FECA district offices, and if so, correct them. |
Closed – Implemented
ESA has determined whether specific ADP security weaknesses exist at other FECA district offices through its 1988 accountability review process.
|
| Department of Labor | The Secretary of Labor should require the Assistant Secretary, ESA, to ensure that proposed actions to correct material ADP weaknesses are adequate by verifying their implementation and effectiveness before closing the weakness cases. |
Closed – Implemented
Labor agreed to verify that corrective actions are in place and are appropriate before closing weakness cases.
|
| Department of Labor | The Secretary of Labor should require the Assistant Secretary, ESA, to make efficient use of limited personnel resources by incorporating accountability reviews as an integral part of identifying and correcting material weaknesses, and evaluate systemic weaknesses identified during these reviews as part of the annual Financial Integrity Act review process for possible inclusion in the ESA annual report to the Secretary of Labor. |
Closed – Implemented
Since February 1988, ADP security has been a part of FECA district office accountability reviews.
|
| Department of Labor | The Secretary of Labor should require the Assistant Secretary, ESA, to ensure that ADP controls are evaluated as part of each FECA accountability review. |
Closed – Implemented
ESA reviewed ADP controls as part of its accountability review process during fiscal year 1988. Also, the ESA security plan will incorporate ADP security as part of revised accountability review standards.
|
Full Report
Office of Public Affairs
Topics
Accounting systemsFederal employee disability programsFinancial management systemsFunds managementInternal controlsMaterialityProgram evaluationReporting requirementsSystems evaluationElectronic data processing