Skip to main content

Management Report: Areas for Improvement in the Federal Reserve Banks' Information Systems Controls

GAO-16-601R Published: Jun 06, 2016. Publicly Released: Jun 06, 2016.
Jump To:
Skip to Highlights

Highlights

What GAO Found

During GAO's audit of the Schedules of Federal Debt Managed by the Department of the Treasury's (Treasury) Bureau of the Fiscal Service (Fiscal Service) for the fiscal years ended September 30, 2015, and 2014, GAO identified three new deficiencies in information systems controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of Treasury relevant to the Schedule of Federal Debt. These control deficiencies related to security management and configuration management. In a separately issued Limited Official Use Only report, GAO communicated to FRB management detailed information regarding the three new information systems general control deficiencies and made four recommendations to address these control deficiencies.

In addition, during GAO's follow-up on the status of FRBs' corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2014, GAO determined that corrective actions were complete for one of the two open recommendations and corrective actions were in progress for the remaining open recommendation related to security management. In the Limited Official Use Only report, GAO communicated detailed information regarding actions taken by FRBs to address the control deficiency related to the open recommendation.

While GAO identified new and continuing control deficiencies relating to information systems relevant to the Schedule of Federal Debt, GAO does not consider them individually or collectively to be material weaknesses or significant deficiencies. Nevertheless, these control deficiencies limit management's ability to determine whether controls are adequate to address security risks and meet the security requirements of information systems, and reasonably assure that information technology products are properly configured to minimize security risks, and therefore warrant the attention and action of management. The potential effect of these new and continuing control deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2015 was mitigated primarily by FRBs' program of monitoring user and system activity and Fiscal Service's compensating management and reconciliation controls designed to detect potential misstatements of the Schedule of Federal Debt.

Why GAO Did This Study

GAO is required to audit the consolidated financial statements of the U.S. government. Because of the significance of the federal debt held by the public to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually. As part of these audits, GAO performs a review of information systems controls over key financial systems maintained and operated by FRBs on behalf of Treasury relevant to the Schedule of Federal Debt.

This report presents the deficiencies identified during GAO's fiscal year 2015 testing of information systems controls over key financial systems maintained and operated by FRBs on behalf of Treasury that are relevant to the Schedule of Federal Debt. This report also includes the results of GAO's fiscal year 2015 follow-up on the status of FRBs' corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2014.

Recommendations

In a separately issued Limited Official Use Only report, GAO made four recommendations to address the three new information systems general control deficiencies related to security management and configuration management. In commenting on a draft of the separately issued Limited Official Use Only report, the Director of Reserve Bank Operations and Payment Systems, on behalf of the Board of Governors of the Federal Reserve System, stated that the agency takes control deficiencies seriously and that FRB management is taking corrective action to address the three new information systems general control deficiencies. The Director further commented that FRB management has since addressed the remaining open recommendation from GAO's prior year's report. GAO plans to follow up to determine the status of corrective actions taken for these matters during its audit of the fiscal year 2016 Schedule of Federal Debt.

Full Report

Office of Public Affairs

Topics

Configuration controlDocumentationFinancial recordsFinancial statement auditsInformation systemsInformation technologyInternal controlsMonitoringSecurity assessmentsComplianceCorrective actionFinancial reportingFinancial systems