Bureau of the Public Debt: Areas for Improvement in Computer	 
Controls (01-MAY-03, GAO-03-524R).				 
                                                                 
In connection with fulfilling the requirement to audit the	 
financial statements of the U.S. government, GAO audited and	 
reported on the Schedules of Federal Debt Managed by the Bureau  
of the Public Debt (BPD) for the fiscal years ended September 30,
2002 and 2001. As part of these audits, GAO performed a review of
the general and application computer controls over key BPD	 
financial systems.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-03-524R					        
    ACCNO:   A06786						        
  TITLE:     Bureau of the Public Debt: Areas for Improvement in      
Computer Controls						 
     DATE:   05/01/2003 
  SUBJECT:   Federal debt					 
	     Application software				 
	     Audit reports					 
	     Computer networks					 
	     Computer security					 
	     Financial management systems			 
	     Financial statement audits 			 
	     General management reviews 			 
	     Internal controls					 
	     Risk management					 
	     Systems evaluation 				 
	     Bureau of the Public Debt Schedule of		 
	     Federal Debt					 
                                                                 


Page 1 GAO-03-524R Computer Controls at BPD

United States General Accounting Office
Washington, DC 20548

May 1, 2003

The Honorable Van Zeck
Commissioner
Bureau of the Public Debt

Subject: Bureau of the Public Debt: Areas for Improvement in Computer
Controls

Dear Mr. Zeck:

In connection with fulfilling our requirement to audit the financial
statements of the U.S. government,[1] we audited and reported on the
Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD)
for the fiscal years ended September 30, 2002 and 2001.[2] As part of
these audits, we performed a review of the general and application
computer controls over key BPD financial systems.

The Department of the Treasury is authorized by Congress to borrow money
on the credit of the United States to fund federal operations. Treasury is
responsible for prescribing the debt instruments and otherwise limiting
and restricting the amount and composition of the debt. BPD is responsible
for issuing and redeeming debt instruments, paying interest to investors,
and accounting for the resulting debt. In addition, BPD has been given the
responsibility for issuing Treasury securities to trust funds for trust
fund receipts not needed for current benefits and expenses.

We use a risk-based, rotation approach for testing general and
application computer controls. The data center and each key application
are subjected every 3 years to a full-scope review that includes testing
in all of the computer control areas defined in the Federal Information
System Controls Audit Manual.[3] Areas considered to be of higher risk are
subject to more frequent review. We performed our work at the BPD data
center from April 2002 through October 2002. Our work was performed in
accordance with U.S. generally accepted government auditing standards. We
requested comments on a draft of this report from the Commissioner of the
Bureau of the Public Debt. The comments are summarized later in this
report.

As noted above, our review addressed both general and application computer
controls. General computer controls are the structure, policies, and
procedures that apply to an entity's overall computer operations. General
computer controls establish the environment in which application systems
and controls operate. An effective general control environment helps
(1) ensure that an adequate entitywide security management program is in
place, (2) protect data, files, and programs from unauthorized access,
modification, disclosure, and destruction, (3) limit and monitor access to
programs and files that control computer hardware and secure applications,
(4) prevent the introduction of unauthorized changes to systems and
applications software, (5) prevent any one individual from controlling key
aspects of computer-related operations, and (6) ensure the recovery of
computer processing operations in case of a disaster or other unexpected
interruption. An effective application control environment helps ensure
that transactions performed by individual computer programs are valid,
properly authorized, and completely and accurately processed and reported.

[1] 31 U.S.C. 331(e) (2000).

[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public
Debt's Fiscal Years 2002 and 2001 Schedules of Federal Debt, GAO-03-199
(Washington, D.C.: Nov. 1, 2002).

[3] U.S. General Accounting Office, Federal Information System Controls
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

As we reported in connection with our audit of the Schedules of Federal
Debt for the fiscal years ended September 30, 2002 and 2001,[4] BPD
maintained, in all material respects, effective internal control,
including general and application computer controls, relevant to the
Schedule of Federal Debt related to financial reporting and compliance
with applicable laws and regulations as of September 30, 2002. BPD's
internal control provided reasonable assurance that misstatements, losses,
or noncompliance material in relation to the Schedule of Federal Debt for
the fiscal year ended September 30, 2002, would be prevented or detected
on a timely basis. We found matters involving computer controls that we do
not consider to be reportable conditions.[5] Our follow-up on the status
of BPD's corrective actions to address 14 of the 17 open general and
application control recommendations identified in prior years' audits for
which actions were not complete as of September 30, 2001, found the
following:

As of September 30, 2002, corrective action on 12 recommendations had been
completed.

For 2 of the recommendations, corrective action for 1 was in progress as
of September 30, 2002, and for the other, corrective action was taken
subsequent to that date.

The 3 remaining open recommendations relating to access controls are now
encompassed in our fiscal year 2002 recommendations.

Our fiscal year 2002 audit procedures identified opportunities to
strengthen the security of BPD's computer systems that support key
automated financial systems relevant to BPD's Schedule of Federal Debt. In
a separately issued Limited Official Use Only report, we communicated
detailed information regarding our fiscal year 2002 findings to BPD
managers and made 10 recommendations to strengthen certain general
computer controls in the areas of access and system software, many of
which BPD has begun to address. In addition, we reaffirmed our prior
years' recommendation related to service continuity.

[4] GAO-03-199.

[5] Reportable conditions are matters coming to our attention that, in our
judgment, should be communicated because they represent significant
deficiencies in the design or operation of internal control, which could
adversely affect the organization's ability to meet the objectives of
reliable financial reporting and compliance with applicable laws and
regulations.

None of our findings pose significant risks to BPD financial systems. In
forming our conclusions, we considered the mitigating effects of physical
security measures, a program of monitoring user and system activity, and
management and reconciliation controls that are designed to detect
potential irregularities or improprieties in financial data or
transactions. Nevertheless, these findings warrant BPD managers' action to
further limit the risk of inappropriate disclosure and modification of
sensitive data and programs, misuse of or damage to computer resources, or
disruption of critical operations.

BPD's comments on a draft of this report are consistent with its prior
comments on the separately issued Limited Official Use Only version. In
those comments, the Commissioner of the Bureau of the Public Debt stated
that 7 of the 10 recommendations have been completely resolved and 1 of
the remaining improvements will be completed by the end of March 2003.[6]
BPD also stated it intends to resolve the remaining issues by the end of
this year. We plan to follow up on these matters during our audit of the
fiscal year 2003 Schedule of Federal Debt.

We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Governmental Affairs; the Subcommittee
on Transportation, Treasury and General Government, Senate Committee on
Appropriations; the House Committee on Government Reform; the Subcommittee
on Government Efficiency and Financial Management, House Committee on
Government Reform; and the Subcommittee on Transportation, Treasury and
Independent Agencies, House Committee on Appropriations. We are also
sending copies of this report to the Secretary of the Department of the
Treasury, the Inspector General of the Department of the Treasury, and the
Director of the Office of Management and Budget. Copies will also be made
available to others upon request. In addition, the report will be
available at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise
DiBenedetto, Assistant Director, at (202) 512-6921. Other key
contributors to this assignment were Mickie Gray, David Hayes, and Ronald
Parker.

Sincerely yours,

Gary T. Engel
Director
Financial Management and Assurance

(198176)

[6] According to a BPD official, this improvement was completed as of
March 31, 2003.