Management Report: Improvements Are Needed in the Bureau of the Fiscal Service's Information Systems Controls

GAO-14-693R Published: Jul 18, 2014. Publicly Released: Jul 18, 2014.

Highlights

What GAO Found

During GAO's audit of the Schedules of Federal Debt Managed by the Department of the Treasury's (Treasury) Bureau of the Fiscal Service (Fiscal Service) for the fiscal years ended September 30, 2013, and 2012, GAO identified 14 new information systems general control deficiencies related to security management, access controls, and configuration management. In a separately issued Limited Official Use Only report, GAO communicated to the Fiscal Service management detailed information regarding the 14 new information systems general control deficiencies and made 16 recommendations to address these control deficiencies.

These new deficiencies in Fiscal Service's information systems controls, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in Fiscal Service's internal control over financial reporting. The potential effect of these control deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2013 was mitigated primarily by Fiscal Service's physical security measures and compensating management and reconciliation controls designed to detect potential misstatements on the Schedule of Federal Debt.

In addition, during GAO's follow-up on the status of Fiscal Service's corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO's prior years' reports that were open as of September 30, 2012, GAO determined that corrective actions were complete for 7 of the 13 open recommendations and corrective action was in progress for each of the 6 remaining open recommendations related to access controls and configuration management. In the Limited Official Use Only report, GAO communicated detailed information regarding actions taken by the Fiscal Service to address the control deficiencies related to these open recommendations.

Why GAO Did This Study

GAO is required to audit the consolidated financial statements of the U.S. government. Because of the significance of the federal debt held by the public to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually. As part of these audits, GAO performs a review of information systems controls over key Fiscal Service financial systems relevant to the Schedule of Federal Debt.

This report presents the deficiencies identified during GAO’s fiscal year 2013 testing of information systems controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt. This report also includes the results of GAO’s follow-up on the status of Fiscal Service’s corrective actions to address information systems control-related deficiencies and associated recommendations contained in GAO’s prior years’ reports that were open as of September 30, 2012.

Recommendations

In a separately issued Limited Official Use Only report, GAO made 16 recommendations to address the 14 new information systems general control deficiencies related to security management, access controls, and configuration management. In commenting on a draft of the separately issued Limited Official Use Only report, the Commissioner of the Bureau of the Fiscal Service acknowledged the significant deficiency in internal control over financial reporting and continues to move forward to address this deficiency. The Commissioner further commented that Fiscal Service is committed to having effective internal controls for its information technology systems. Accordingly, Fiscal Service will continue to look for efficient and effective ways to improve and ensure the consistent application of agency-wide security controls over all systems.

Topics

Access control, Computer security, Configuration control, Federal debt, Financial management systems, Financial records, Information systems, Internal controls, Reporting requirements, Risk management, Security policies, Software, Financial reporting