This is the accessible text file for GAO report number GAO-03-524R 
entitled 'Bureau of the Public Debt: Areas for Improvement in Computer 
Controls' which was released on May 01, 2003.

May 1, 2003

The Honorable Van Zeck
Commissioner
Bureau of the Public Debt

Subject: Bureau of the Public Debt: Areas for Improvement in Computer 
Controls

Dear Mr. Zeck:

In connection with fulfilling our requirement to audit the financial 
statements of the U.S. government,[Footnote 1] we audited and reported 
on the Schedules of Federal Debt Managed by the Bureau of the Public 
Debt (BPD) for the fiscal years ended September 30, 2002 and 
2001.[Footnote 2] As part of these audits, we performed a review of the 
general and application computer controls over key BPD financial 
systems.

The Department of the Treasury is authorized by Congress to borrow 
money on the credit of the United States to fund federal operations. 
Treasury is responsible for prescribing the debt instruments and 
otherwise limiting and restricting the amount and composition of the 
debt. BPD is responsible for issuing and redeeming debt instruments, 
paying interest to investors, and accounting for the resulting debt. In 
addition, BPD has been given the responsibility for issuing Treasury 
securities to trust funds for trust fund receipts not needed for 
current benefits and expenses.

We use a risk-based, rotation approach for testing general and 
application computer controls. The data center and each key application 
is subjected every 3 years to a full-scope review that includes testing 
in all of the computer control areas defined in the Federal Information 
System Controls Audit Manual.[Footnote 3] Areas considered to be of 
higher risk are subject to more frequent review. We performed our work 
at the BPD data center from April 2002 through October 2002. Our work 
was performed in accordance with U.S. generally accepted government 
auditing standards. We requested comments on a draft of this report 
from the Commissioner of the Bureau of the Public Debt. The comments 
are summarized later in this report.

As noted above, our review addressed both general and application 
computer controls. General computer controls are the structure, 
policies, and procedures that apply to an entity's overall computer 
operations. General computer controls establish the environment in 
which application systems and controls operate. An effective general 
control environment helps (1) ensure that an adequate entitywide 
security management program is in place, (2) protect data, files, and 
programs from unauthorized access, modification, disclosure, and 
destruction, (3) limit and monitor access to programs and files that 
control computer hardware and secure applications, (4) prevent the 
introduction of unauthorized changes to systems and applications 
software, (5) prevent any one individual from controlling key aspects 
of computer-related operations, and (6) ensure the recovery of computer 
processing operations in case of a disaster or other unexpected 
interruption. An effective application control environment helps ensure 
that transactions performed by individual computer programs are valid, 
properly authorized, and completely and accurately processed and 
reported.

As we reported in connection with our audit of the Schedules of Federal 
Debt for the fiscal years ended September 30, 2002 and 2001,[Footnote 
4] BPD maintained, in all material respects, effective internal 
control, including general and application computer controls, relevant 
to the Schedule of Federal Debt related to financial reporting and 
compliance with applicable laws and regulations as of September 30, 
2002. BPD's internal control provided reasonable assurance that 
misstatements, losses, or noncompliance material in relation to the 
Schedule of Federal Debt for the fiscal year ended September 30, 2002, 
would be prevented or detected on a timely basis. We found matters 
involving computer controls that we do not consider to be reportable 
conditions.[Footnote 5]

Our follow-up on the status of BPD's corrective actions to address 14 
of the 17 open general and application control recommendations 
identified in prior years' audits for which actions were not complete 
as of September 30, 2001, found the following:

* As of September 30, 2002, corrective action on 12 recommendations had 
  been completed.

* For 2 of the recommendations, corrective action for 1 was in progress 
  as of September 30, 2002, and for the other, corrective action was 
  taken subsequent to that date.

The 3 remaining open recommendations relating to access controls are 
now encompassed in our fiscal year 2002 recommendations.

Our fiscal year 2002 audit procedures identified opportunities to 
strengthen the security of BPD's computer systems that support key 
automated financial systems relevant to BPD's Schedule of Federal Debt. 
In a separately issued Limited Official Use Only report, we 
communicated detailed information regarding our fiscal year 2002 
findings to BPD managers and made 10 recommendations to strengthen 
certain general computer controls in the areas of access and system 
software, many of which BPD has begun to address. In addition, we 
reaffirmed our prior years' recommendation related to service 
continuity.

None of our findings pose significant risks to BPD financial systems. 
In forming our conclusions, we considered the mitigating effects of 
physical security measures, a program of monitoring user and system 
activity, and management and reconciliation controls that are designed 
to detect potential irregularities or improprieties in financial data 
or transactions. Nevertheless, these findings warrant BPD managers' 
action to further limit the risk of inappropriate disclosure and 
modification of sensitive data and programs, misuse of or damage to 
computer resources, or disruption of critical operations.

BPD's comments on a draft of this report are consistent with its prior 
comments on the separately issued Limited Official Use Only version. In 
those comments, the Commissioner of the Bureau of the Public Debt 
stated that 7 of the 10 recommendations have been completely resolved 
and 1 of the remaining improvements will be completed by the end of 
March 2003.[Footnote 6] BPD also stated it intends to resolve the 
remaining issues by the end of this year. We plan to follow up on these 
matters during our audit of the fiscal year 2003 Schedule of Federal 
Debt.

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate Committee on Governmental Affairs; the 
Subcommittee on Transportation, Treasury and General Government, Senate 
Committee on Appropriations; the House Committee on Government Reform; 
the Subcommittee on Government Efficiency and Financial Management, 
House Committee on Government Reform; and the Subcommittee on 
Transportation, Treasury and Independent Agencies, House Committee on 
Appropriations. We are also sending copies of this report to the 
Secretary of the Department of the Treasury, the Inspector General of 
the Department of the Treasury, and the Director of the Office of 
Management and Budget. Copies will also be made available to others 
upon request. In addition, the report will be available at no charge on 
GAO's Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise 
DiBenedetto, Assistant Director, at (202) 512-6921. Other key 
contributors to this assignment were Mickie Gray, David Hayes, and 
Ronald Parker.

Sincerely yours,

Gary T. Engel
Director
Financial Management and Assurance

(198176)

FOOTNOTES

[1] 31 U.S.C. 331(e) (2000). 

[2] U.S. General Accounting Office, Financial Audit: Bureau of the 
Public Debt's Fiscal Years 2002 and 2001 Schedules of Federal Debt, 
GAO-03-199 (Washington, D.C.: Nov. 1, 2002).

[3] U.S. General Accounting Office, Federal Information System Controls 
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[4] GAO-03-199.

[5] Reportable conditions are matters coming to our attention that, in 
our judgment, should be communicated because they represent significant 
deficiencies in the design or operation of internal control, which 
could adversely affect the organization's ability to meet the 
objectives of reliable financial reporting and compliance with 
applicable laws and regulations.

[6] According to a BPD official, this improvement was completed as of 
March 31, 2003.