Federal Reserve Banks: Areas for Improvement in Computer Controls (Letter
Report, 09/15/1999, GAO/AIMD-99-280).

Pursuant to a legislative requirement, GAO: (1) followed up on the
status of the Federal Reserve Banks' (FRB) corrective actions to address
vulnerabilities identified in GAO's fiscal year (FY) 1997 financial
statement audit; and (2) reviewed the general and application controls
that support key Financial Management Service (FMS) and Bureau of the
Public Debt (BPD) automated financial systems maintained and operated by
the FRBs.

GAO noted that: (1) GAO's follow-up on the status of the FRBs'
corrective actions to address vulnerabilities in GAO's FY 1997 audit
found that the FRBs had corrected or mitigated the risks associated
with 14 of the general and application control vulnerabilities discussed
in GAO's prior report that related to the FRBs GAO visited during its
FY 1998 testing; (2) while GAO found that the FRBs had implemented effective
general and application controls, the FY 1998 audit procedures
identified certain new general control vulnerabilities; (3) these
vulnerabilities related to access controls at one of the FRB data
centers and access controls, system software, and service continuity at
another FRB data center; (4) at the third FRB data center, GAO found
vulnerabilities in access controls, application software development and
change controls, segregation of duties, service continuity, and the
entitywide security planning and management program; (5) GAO identified
vulnerabilities in the authorization controls over one key application
and vulnerabilities in the authorization and completeness controls over
another key application maintained for FMS and BPD; (6) GAO identified
vulnerabilities in authorization controls over a third key application
maintained for FMS; and (7) while these vulnerabilities do not pose
significant risks to the FMS and BPD financial systems, they warrant FRB
management's attention and action to decrease the risk of inappropriate
disclosure and modification of sensitive data and programs, misuse or
damage to computer resources, or disruption of critical operations.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-99-280
     TITLE:  Federal Reserve Banks: Areas for Improvement in Computer
	     Controls
      DATE:  09/15/1999
   SUBJECT:  Federal reserve banks
	     Financial management systems
	     Internal controls
	     Financial statement audits
	     Federal agency accounting systems