Federal Reserve Banks: Areas for Improvement in Computer Controls

As part of its requirement to audit the U.S. government's fiscal year 2001 financial statements, GAO reviewed the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's Bureau of the Public Debt (BPD). GAO found that the 12 FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. Five FRB data centers maintain and operate key BPD financial applications relevant to the Schedule of Federal Debt. BPD maintained, in all material respects, effective internal control relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2001. BPD's internal control, which includes the general and application controls implemented by the FRBs over key BPD systems relevant to the Schedule of Federal Debt, provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for fiscal year 2001 would be prevented or detected on a timely basis. A follow-up on the status of the FRB's corrective actions to address vulnerabilities identified in GAO's audit for fiscal year 2000 found that the FRBs had corrected or mitigated the risks associated with 25 of the 29 general and application control vulnerabilities discussed in a prior report and are in the process of addressing the remaining four. None of GAO's findings pose significant risks to BPD financial systems. Nevertheless, they warrant FRB managers' action to further decrease the risk of inappropriate disclosure and modification of sensitive data and programs, misuse of or damage to computer resources, and disruption of critical operations.