Bureau of the Public Debt: Areas for Improvement in Computer	 
Controls (28-MAY-04, GAO-04-681R).				 
                                                                 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-681R					        
    ACCNO:   A10278						        
  TITLE:     Bureau of the Public Debt: Areas for Improvement in      
Computer Controls						 
     DATE:   05/28/2004 
  SUBJECT:   Auditing procedures				 
	     Computer software					 
	     Federal debt					 
	     Financial management				 
	     Financial management systems			 
	     Financial statements				 
	     Internal controls					 
	     Public debt					 
	     Trust funds					 

GAO-04-681R

United States General Accounting Office Washington, DC 20548

May 28, 2004

The Honorable Van Zeck
Commissioner, Bureau of the Public Debt

Subject: Bureau of the Public Debt: Areas for Improvement in Computer
Controls

Dear Mr. Zeck:

In connection with fulfilling our requirement to audit the financial
statements of the U.S. government,[1] we audited and reported on the
Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD)
for the fiscal years ended September 30, 2003 and 2002.[2] As part of these
audits, we performed a review of the general and application computer
controls over key BPD financial systems.

The Department of the Treasury (Treasury) is authorized by the Congress to
borrow money on the credit of the United States to fund federal
operations. Treasury is responsible for prescribing the debt instruments
and otherwise limiting and restricting the amount and composition of the
debt. BPD, an organizational entity within the Fiscal Service of Treasury,
is responsible for issuing and redeeming debt instruments, paying interest
to investors, and accounting for the resulting debt. In addition, BPD has
been given the responsibility for issuing Treasury securities to trust
funds for trust fund receipts not needed for current benefits and
expenses.

The scope of our work for fiscal year 2003 included a review of the
general and application computer controls over key financial management
systems maintained and operated by BPD relevant to the Schedule of Federal
Debt and follow-up on open recommendations from our prior years' reports
for which actions were not complete as of September 30, 2002. We use a
risk-based, rotation approach for testing general computer controls. Each
general control area is subjected to a full-scope review, including
testing, at least every 3 years. The computer control areas we review are
defined in the Federal Information System Controls Audit Manual.[3] Areas
considered to be of higher risk are subject to more frequent review. Each
key application is subjected every year to a full-scope review.

[1] 31 U.S.C. § 331(e) (2000).
[2] U.S. General Accounting Office, Financial Audit: Bureau of the Public
Debt's Fiscal Years 2003 and 2002 Schedules of Federal Debt, GAO-04-177
(Washington, D.C.: Nov. 7, 2003).
[3] U.S. General Accounting Office, Federal Information System Controls
Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

Page 1 GAO-04-681R Computer Controls at BPD

General computer controls are the structure, policies, and procedures that
apply to an entity's overall computer operations. General computer
controls establish the environment in which application systems and
controls operate. They include an entitywide security management program,
access controls, system software controls, application software
development and change controls, segregation of duties, and service
continuity controls. An effective general control environment helps (1)
ensure that an adequate entitywide security management program is in
place; (2) protect data, files, and programs from unauthorized access,
modification, disclosure, and destruction; (3) limit and monitor access to
programs and files that control computer hardware and secure applications;
(4) prevent the introduction of unauthorized changes to systems and
applications software; (5) prevent any one individual from controlling key
aspects of computer-related operations; and (6) ensure the recovery of
computer processing operations in case of a disaster or other unexpected
interruption. Application controls relate directly to the individual
computer programs that are used to perform certain types of work, such as
generating interest payments or recording transactions in a general
ledger. In an effective general control environment, application controls
help to ensure that transactions are valid, properly authorized, and
completely and accurately processed and reported.

We performed our work at the BPD data center from April 2003 through
October 2003. Our work was performed in accordance with U.S. generally
accepted government auditing standards. BPD's comments are summarized
later in this report.

As we reported in connection with our audit of the Schedules of Federal
Debt for the fiscal years ended September 30, 2003 and 2002, BPD
maintained, in all material respects, effective internal control,
including general and application computer controls, relevant to the
Schedule of Federal Debt related to financial reporting and compliance
with applicable laws and regulations as of September 30, 2003. BPD's
internal control provided reasonable assurance that misstatements, losses,
or noncompliance material in relation to the Schedule of Federal Debt for
the fiscal year ended September 30, 2003, would be prevented or detected
on a timely basis. We found matters involving computer controls that we do
not consider to be reportable conditions[4] but that nevertheless warrant
BPD management's attention and action.

Our fiscal year 2003 audit procedures identified opportunities to
strengthen the security of certain BPD computer systems that support key
automated financial systems relevant to BPD's Schedule of Federal Debt. In
a separately issued Limited Official Use Only report, we communicated
detailed information regarding our findings to BPD management. Our audit
procedures identified five new control issues for which we made six
recommendations. Four were general control issues that relate to access
controls, and one was an application control issue that relates to the
documentation of controls for certain systems.

[4] Reportable conditions are matters coming to our attention that, in our
judgment, should be communicated because they represent significant
deficiencies in the design or operation of internal control, which could
adversely affect the organization's ability to meet the objectives of
reliable financial reporting and compliance with applicable laws and
regulations.

Our follow-up on the status of BPD's corrective actions to address 12 open
general and application control recommendations identified in prior years'
audits for which actions were not complete as of September 30, 2002, found
the following:

o  As of September 30, 2003, corrective action on 11 of the 12
recommendations had been completed.

o  Corrective action was in progress as of September 30, 2003, on the 1
remaining open recommendation. We therefore reaffirm our prior year's
recommendation related to this issue.

None of our findings pose significant risks to BPD financial systems. In
forming our conclusions, we considered the mitigating effects of physical
security measures, a program of monitoring user and system activity, and
reconciliation controls that are designed to detect potential
irregularities or improprieties in financial data or transactions.
Nevertheless, these findings warrant BPD management's attention and action
to limit the risk of unauthorized access, unauthorized disclosure and
modification of sensitive data and programs, data misuse, or disruption of
critical operations.

We recommend that the Commissioner of the Bureau of the Public Debt direct
the implementation of the six detailed recommendations to appropriate BPD
officials.

BPD provided comments on the detailed findings and recommendations in the
separately issued Limited Official Use Only version. In those comments,
the Commissioner of the Bureau of the Public Debt stated that three of the
six open issues have been completely resolved, and the others are in
progress. BPD also stated that it intends to resolve the three remaining
issues before the end of this year. We plan to follow up on these matters
during our audit of the fiscal year 2004 Schedule of Federal Debt.

In the separately issued Limited Official Use Only report, we noted that
the head of a federal agency is required by 31 U.S.C. 720 to submit a
written statement on actions taken on our recommendations to the Senate
Committee on Governmental Affairs and to the House Committee on Government
Reform not later than 60 calendar days after the date of the report. A
written statement must also be sent to the House and Senate Committees on
Appropriations with the agency's first request for appropriations made
more than 60 calendar days after the date of the report. In that report,
we also requested a copy of your responses.


We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Governmental Affairs; the Subcommittee
on Transportation, Treasury and General Government, Senate Committee on
Appropriations; the House Committee on Government Reform; the Subcommittee
on Government Efficiency and Financial Management, House Committee on
Government Reform; and the Subcommittee on Transportation and Treasury,
and Independent Agencies, House Committee on Appropriations. We are also
sending copies of this report to the Secretary of the Treasury, the
Inspector General of the Department of the Treasury, and the Director of
the Office of Management and Budget. Copies will also be made available to
others upon request. In addition, the report will be available at no
charge on GAO's Web site at http://www.gao.gov.

If you have any questions regarding this report, please contact Louise
DiBenedetto, Assistant Director, at (202) 512-6921. Other key contributors
to this assignment were Gerald L. Barnes, Mickie E. Gray, David B. Hayes,
and Dawn B. Simpson.

Sincerely yours,

Gary T. Engel
Director
Financial Management and Assurance

(198256)


This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.