Management Report: Areas for Improvement in the Federal Reserve Banks' Information System Controls
Fast Facts
Every year we audit the federal debt. (As of Sept. 30, 2018, it was a little more than $21.5 trillion).
This year our audit found new weaknesses in the security of the information systems that the Treasury Department uses to keep track of and otherwise manage the debt—including one in a Federal Reserve Bank system that Treasury relies on. This new weakness, along with some unresolved earlier ones, could lead to an increased risk of unauthorized access to Federal Reserve Bank systems.
Image of computer code.
Highlights
What GAO Found
During GAO's audit of the Schedules of Federal Debt managed by the Department of the Treasury's (Treasury) Bureau of the Fiscal Service (Fiscal Service) for the fiscal years ended September 30, 2018, and 2017, GAO identified one new information system general control deficiency related to a system maintained and operated by the Federal Reserve Banks (FRB) that is relevant to the Schedule of Federal Debt. The deficiency is related to configuration management. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to FRB management detailed information regarding the new information system general control deficiency and made one recommendation to address this control deficiency.
In addition, during GAO's follow-up on the status of FRBs' corrective actions to address information system control deficiencies contained in GAO's prior years' reports that were not remediated as of September 30, 2017, GAO determined that corrective actions were complete for the recommendation related to access controls and that corrective actions were in progress for the remaining two open recommendations related to configuration management. In the LIMITED OFFICIAL USE ONLY report, GAO communicated detailed information regarding actions taken by FRBs to address the control deficiencies contained in GAO's prior years' reports that were not remediated as of September 30, 2017.
GAO continued to identify deficiencies in Fiscal Service's information system controls that, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in internal control over financial reporting relevant to the Schedule of Federal Debt. GAO also identified one new and two continuing deficiencies in information system controls over key financial systems maintained and operated by FRBs that are relevant to the Schedule of Federal Debt. However, these deficiencies in FRB controls did not contribute individually or collectively to the significant deficiency we identified. The potential effect of these new and continuing deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2018 was mitigated primarily by Fiscal Service's compensating management and reconciliation controls designed to detect potential misstatements of the Schedule of Federal Debt. Until these new and continuing control deficiencies are fully addressed, there will be an increased risk of unauthorized access to, modification of, or disclosure of sensitive data and programs.
Why GAO Did This Study
GAO is required to audit the consolidated financial statements of the U.S. government. Because of the significance of the federal debt held by the public to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually. As part of these audits, GAO performs a review of information system controls over key financial systems maintained and operated by FRBs that are relevant to the Schedule of Federal Debt.
This report presents the new deficiency identified during GAO's fiscal year 2018 testing of information system controls over key financial systems maintained and operated by FRBs that are relevant to the Schedule of Federal Debt. This report also includes the results of GAO's fiscal year 2018 follow-up on the status of FRBs' corrective actions to address information system control deficiencies contained in GAO's prior years' reports that were not remediated as of September 30, 2017.
Recommendations
In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made one recommendation to address the new information system general control deficiency related to configuration management. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, the Board of Governors of the Federal Reserve System stated that the agency takes control deficiencies seriously and that FRB management is currently in the process of addressing the new and continuing information system general control deficiencies GAO identified during its fiscal year 2018 audit. GAO plans to follow up to determine the status of corrective actions taken to address these deficiencies and associated recommendations during its audit of the fiscal year 2019 Schedule of Federal Debt.