Exhibit I – Significant Deficiencies

Financial Management Systems Need Improvement (New Condition)

Effective Information Technology (IT) general controls add assurance that data used to prepare and report financial information and statements is complete, reliable, and has integrity. Our fiscal year 2008 IT assessment, performed in support of the fiscal year 2008 consolidated financial statement audit, was focused on the IT general controls over the USPTO’s major financial management systems and supporting network infrastructure, using GAO’s Federal Information System Controls Audit Manual (FISCAM) as a guide.

In close concert with an organization’s entity-wide information security program, access controls for general support systems and financial systems should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization’s entity-wide security program. Such controls include physical controls and logical controls.

The objectives of limiting access are to ensure that users have only the access needed to perform their duties; that access to very sensitive resources, such as security software programs, is limited to very few individuals; and that employees are restricted from performing incompatible functions or functions beyond their responsibility. This is reiterated by Federal guidelines. For example, OMB Circular A-130 and supporting National Institute of Standards and Technology (NIST) security publications provide guidance related to the maintenance of technical access controls. In addition, the Department of Commerce IT Security Program Policy and Minimum Implementation Standards contain many requirements for operating USPTO IT devices in a secure manner.

During fiscal year 2008, we noted that access controls should be improved, primarily in the areas of: (1) applying consistently patch management practices to protect system devices against external and internal vulnerabilities, (2) managing user accounts to appropriately disable inactive accounts at the network and financial application levels, (3) strengthening access authorizations and recertification efforts, (4) strengthening network, financial application, and database password controls, (5) monitoring data center access, (6) evidencing follow-up investigations performed for suspected security violations, and (7) maintaining an up-to-date IT Security Handbook, Incident Response Procedures, and Audit and Accountability Policy. We recognize that the USPTO has certain compensating controls in place to help reduce the risk of the identified vulnerabilities, and we have considered such compensating controls as part of our financial statement audit.

Recommendations

Specific recommendations are included in a separate, limited-distribution IT general controls report, issued as part of the fiscal year 2008 consolidated financial statement audit.

Management’s Response

Management agreed with our findings, conclusions, and recommendations related to improving the USPTO’s financial management systems controls. The USPTO is in the process of developing corrective action plans to address the recommendations presented in the separate limited distribution IT general controls report.

Receipts Accounting Segregation of Duties (New Condition)

The Government Accountability Office’s Standards of Internal Control in the Federal Government provides that internal control should provide reasonable assurance that the agency’s objectives are achieved, including efficiency and effectiveness of operations, reliability of financial reporting, compliance with laws and regulations, and safeguarding of assets. Segregation of duties is a significant control activity, that when properly implemented, reduces the risk of inaccurate accounting transactions and of the misappropriation of assets.

The USPTO did not maintain adequate segregation of duties over responsibilities in receipts accounting and customer deposit accounts, which has a balance of $101.5 million at September 30, 2008. Specifically, we identified the following responsibilities which should be, but were not, segregated between different individuals in order to maintain an effective control environment:

• Customer deposit account maintenance, including establishment of new accounts, changing existing account information, and closing accounts.
• Transferring funds between the suspense account and customer deposit accounts and fee accounts.
• Initiation of customer deposit account refunds.
• Opening, logging and recording customer deposit account checks received through the mail.
• Receiving and responding to customer account questions and complaints.

Recommendation

We recommend that USPTO and Office of Finance management perform an internal review over responsibilities throughout the receipts accounting function, to ensure that appropriate segregation of duties is maintained. This should include, but not be limited to, the specific responsibilities noted within this finding.

Management’s Response

Management agreed with our findings, conclusions, and recommendations related to improving the USPTO’s controls over the customer deposit accounting function. The USPTO is in the process of developing a corrective action plan to address the recommendations identified.

Is there a question about what the USPTO can or cannot do that you cannot find an answer for? Send questions about USPTO programs and services to the USPTO Contact Center (UCC). You can suggest USPTO webpages or material you would like featured on this section by E-mail to the webmaster@uspto.gov. While we cannot promise to accommodate all requests, your suggestions will be considered and may lead to other improvements on the website.