This is the accessible text file for GAO report number GAO-03-525R entitled "Federal Reserve Banks: Areas for Improvement in Computer Controls" which was released on March 14, 2003.



This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please e-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.



March 14, 2003:

Louise L. Roseman, Director
Division of Reserve Bank Operations and Payment Systems
Board of Governors of the Federal Reserve System:

Subject: Federal Reserve Banks: Areas for Improvement in Computer Controls:

Dear Ms. Roseman:



In connection with fulfilling our requirement to audit the financial statements of the U.S. government,[Footnote 1] we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2002 and 2001.[Footnote 2] As part of these audits, we performed a review of the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRBs) on behalf of the Department of the Treasury's BPD.

Many of the FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. The debt-related services primarily consist of issuing, servicing, and redeeming Treasury securities and processing secondary market securities transfers. In fiscal year 2002, the FRBs issued about $3.7 trillion in federal debt securities to the public, redeemed about $3.5 trillion of debt held by the public, and processed about $139 billion in interest payments on debt held by the public. FRB data centers maintain and operate key BPD financial applications and an array of financial and information systems to process and reconcile monies disbursed and collected on behalf of BPD.

We use a risk-based, rotation approach for testing general and application computer controls. Each significant data center and key application is subjected every three years to a full-scope review that includes testing in all the computer control areas defined in our Federal Information System Controls Audit Manual.[Footnote 3] Areas considered to be of higher risk are subject to more frequent review. We performed our work at certain FRBs from May 2002 through October 2002. Our work was performed in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Board of Governors of the Federal Reserve System. The comments are summarized later in this report and are reprinted in the enclosure.



As noted above, our review addressed both general and application computer controls. General computer controls are the structure, policies, and procedures that apply to an entity's overall computer operations. General computer controls establish the environment in which application systems and controls operate. An effective general control environment helps (1) ensure that an adequate entitywide program for security management is in place, (2) protect data, files, and programs from unauthorized access, modification, disclosure, and destruction, (3) limit and monitor access to programs and files that control computer hardware and secure applications, (4) prevent the introduction of unauthorized changes to systems and applications software, (5) prevent any one individual from controlling key aspects of computer-related operations, and (6) ensure the recovery of computer processing operations in case of a disaster or other unexpected interruption. An effective application control environment helps ensure that transactions performed by individual computer programs are valid, properly authorized, and completely and accurately processed and reported.

As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2002 and 2001,[Footnote 4] BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2002. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2002, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions.[Footnote 5]

Our follow-up on the status of the FRBs' corrective actions to address unresolved vulnerabilities identified in prior years' audits found that the FRBs had taken corrective action for five of the nine open recommendations discussed in our prior report[Footnote 6] and were in the process of addressing the remaining four. The remaining four specific technical vulnerabilities relate to the areas of access controls at one data center and access controls, system software, and service continuity at another data center.

In a separately issued Limited Official Use Only report, we communicated detailed information to FRB managers regarding our findings and recommendations that address the four remaining vulnerabilities. None of our findings pose significant risks to the BPD financial systems. Nevertheless, they warrant FRB managers' action to further limit the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, and disruption of critical operations.



In commenting on a draft of this report, the Board of Governors of the Federal Reserve System stated that overall it found the review helpful and that the information in this report and the Limited Official Use Only report will assist the FRBs in their ongoing efforts to enhance the integrity of their automated systems and information security practices. The Board of Governors also stated that the four vulnerabilities remaining as of September 30, 2002, have been or will be corrected and pledged to monitor the status of uncorrected items.

We are sending copies of this report to the Chairmen and Ranking Minority Members of the Senate Committee on Governmental Affairs; the Subcommittee on Transportation, Treasury, and General Government, Senate Committee on Appropriations; the House Committee on Government Reform; and the Subcommittee on Transportation, Treasury, Postal Service, and General Government, House Committee on Appropriations. We are also sending copies of this report to the Chairman of the Board of Governors of the Federal Reserve System and the Director of the Office of Management and Budget. Copies will also be made available to others upon request. In addition, the report will be available at no charge on GAO's website at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise DiBenedetto, Assistant Director, at (202) 512-6921. Other key contributors to this assignment were Gerald Barnes, Denise Fitzpatrick, Mickie Gray, David B. Hayes, and Ronald Parker.



Sincerely yours,

Gary T. Engel
Director
Financial Management and Assurance:

Signed by Gary T. Engel:

Enclosure:

Comments from the Board of Governors of the Federal Reserve System:

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM:
WASHINGTON, D. C. 20551:

LOUISE L. ROSEMAN:
DIRECTOR, DIVISION OF RESERVE BANK OPERATIONS AND PAYMENT SYSTEMS:

January 24, 2003:

Mr. Gary T. Engel, Director:
Financial Management and Assurance
United States General Accounting Office
441 G Street, N.W.
Washington, D.C. 20548:

Dear Mr. Engel:



We appreciate the opportunity to comment on the General Accounting Office's draft report assessing the Federal Reserve Banks' information security associated with the applications that support their role as fiscal agents of the United States. The GAO's review was performed as part of the audit of the U.S. government's fiscal year 2002 financial statements.



Overall, we found the review and report helpful. The report provides information that will assist the Reserve Banks in their ongoing efforts to enhance the integrity of their automated systems and information security practices. The Federal Reserve shares lessons learned from this review and its internal reviews more broadly within the System to improve controls, processes, and internal audit procedures.

We agree with GAO's assessment that the Reserve Banks have implemented effective controls over these applications. We also agree with the GAO's assessment that while the vulnerabilities identified in the report do not pose significant risks to the Treasury's financial systems, they still warrant management's attention. Of the four vulnerabilities in the report that require attention, we have corrected or will correct all of them. Federal Reserve Board staff will monitor the status of uncorrected items. Internal auditors at the Reserve Banks will confirm all corrective measures taken.



Sincerely,

Signed by Louise L. Roseman

[End of section]

(198177):

FOOTNOTES

[1] 31 U.S.C. 331(e) (2000).

[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public Debt's Fiscal Years 2002 and 2001 Schedules of Federal Debt, GAO-03-199 (Washington, D.C.: Nov. 1, 2002).

[3] U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[4] GAO-03-199.

[5] Reportable conditions are matters coming to our attention that, in our judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization's ability to meet the objectives of reliable financial reporting and compliance with applicable laws and regulations.

[6] U.S. General Accounting Office, Federal Reserve Banks: Areas for Improvement in Computer Controls, GAO-02-1018R (Washington, D.C.: Aug. 29, 2002).