[Audit Report on the General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 97-I-98

Title: Audit Report on the General Control Environment of the Federal
       Financial System at the Reston General Purpose Computer
       Center, U.S. Geological Survey

Date: October 31, 1996

                  **********DISCLAIMER**********

This file contains an ASCII representation of an OIG report.  No attempt has been made to display
graphic images or illustrations.  Some tables may be included, but may not resemble those in the
printed version.

A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of
Inspector General, Logistical Services Branch at (202) 219-3840.
                  ******************************

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

MEMORANDUM

TO:                 The Secretary

FROM:               Wilma A. Lewis
     Inspector General

SUBJECT SUMMARY:    Final Audit Report for Your Information - "General Control
     Environment of the Federal Financial System at the Reston
     General Purpose Computer Center, U.S. Geological Survey"
     (No. 97-I-98)

Attached for your information is a copy of the subject final audit report. This report presents
a summary of the draft audit report "Stronger Controls Needed Over The Data Processing
Environment At The U.S. Geological Survey, Reston General Purpose Computer Center,"
issued by the Office of Inspector General, U.S. House of Representatives, on September 3,
1996. We were informed by the House's Office of Inspector General that the information
presented in this draft report is the same information that will be presented in their final audit
report. The objective of the audit was to evaluate the effectiveness of the general control
environment surrounding the Federal Financial System and the processing of financial data
for the House.

The House Office of Inspector General's audit report identified 42 weaknesses and made 70
recommendations for corrective actions to the U.S. Geological Survey and one
recommendation for corrective action to both the Geological Survey and the House's Chief
Administrative Officer. The report identified weaknesses in data center management and
operations; mainframe computer system physical and logical security; telecommunications
security; protection of the local area network from unauthorized access and use; and
contingency planning, including backup procedures for preventing data loss and for the
recovery of data in case of a disaster.

The Geological Survey and House management worked collaboratively with our office, the
House's Office of Inspector General, and the contracted auditing team that performed the
review to resolve key issues. As a result of this collaborative effort, the Geological Survey
was able to take immediate corrective actions to resolve the deficiencies that could have
adversely impacted the integrity and security of the processing of the House's financial data
on the Federal Financial System. The Geological Survey concurred with or proposed
alternative recommendations for each of the report's recommendations. Based on the
response, we considered 13 recommendations implemented and 58 recommendations
resolved but not implemented.

If you have any questions concerning this matter, please contact me at (202) 208-5745 or
Mr. Robert J. Williams, Acting Assistant Inspector General for Audits, at (202) 208-4252.

Attachment


H-IN-GSV-001-96

United States Department of the Interior
OFFICE OF THE INSPECTOR GENERAL
Washington, D.C. 20240

AUDIT REPORT

Memorandum

To:  Assistant Secretary - Water and Science

From:     Acting Assistant Inspector General for Audits

Subject:  Audit Report on the General Control Environment of the Federal Financial
System at the Reston General Purpose Computer Center, U.S. Geological
Survey (No. 97-I-98)

INTRODUCTION

This report presents a synopsis of the draft audit report "Stronger Controls Needed Over The
Data Processing Environment At The U.S. Geological Survey, Reston General Purpose
Computer Center," issued by the Office of Inspector General,  U.S. House of
Representatives, on September 3, 1996. The audit, which was coordinated through our
office, was conducted by Price Waterhouse, LLP, under contract to the House's Office of
Inspector General. We are issuing this report because we are the cognizant audit agency for
the U.S. Geological Survey and because we want to ensure that the recommendations
contained in this report are included in our audit recommendation tracking system. The
objective of the audit was to evaluate the effectiveness of the general control environment
surrounding the Federal Financial System and the processing of financial data for the House.

BACKGROUND

The Washington Administrative Service Center was established in 1987, within the
Geological Survey, to direct the Department of the Interior's efforts to standardize
administrative systems. As part of this effort, the Geological Survey purchased the Federal
Financial System from American Management Systems, Inc., in 1987. The Service Center
leases computer space from the Geological Survey's General Purpose Computer Center to
operate the Federal Financial System on the Computer Center's mainframe computer. The
system license purchased by the Geological Survey allows it to provide services to Federal
agencies outside of the Department of the Interior. As such, the Geological Survey is able
to provide the Federal Financial System as an interim financial management system to the
U.S. House of Representatives.

On August 3, 1995, the Committee on House Oversight, U.S. House of Representatives,
passed a resolution mandating the implementation of a new financial management system
for House financial operations. The resolution required that the Chief Administrative
Officer, in consultation with the House's Office of Inspector General, implement the system.
In September 1995, the Chief Administrative Officer entered into an agreement with the
Geological Survey to provide, on an interim basis, the Geological Survey's Federal Financial
System for the processing of the House's financial data. The House's Office of Inspector
General determined that a review of the general control environment of the Federal Financial
System was necessary to "ensure the integrity and security of the financial information to be
processed on the system." As a result, a contract was awarded to Price Waterhouse, LLP,
in March 1996 to perform a review of the policies and general controls of operations of the
Geological Survey's Federal Financial System at the General Purpose Computer Center in
Reston, Virginia.

SCOPE OF AUDIT

Direction for and oversight of the contracted audit were provided by the House's Office of
Inspector General, which coordinated with our office throughout the review. The contracted
audit was made in accordance with the "Government Auditing Standards," issued by the
Comptroller General of the United States. Accordingly, the audit included such tests of
records and other auditing procedures that were considered necessary under the
circumstances. The audit was performed from March through May 1996 at the General
Purpose Computer Center.

The contracted audit included a review of the integrity, confidentiality, and availability of
information resources for processing the House's financial data. The evaluation focused on
general controls, including the following: user authentication; prevention of the system and
data from unauthorized access, modification, and destruction; contingency plans in case of
system destruction; and the backup and recoverability of data, systems, and
telecommunications in case operations are disrupted. To perform this review, the contractor
performed the following tasks:

- Documentation was obtained from and interviews were conducted with officials
responsible for system operations.

- Control techniques consistent with data security standards based on current industry
standards and Government guidelines were identified.

- An understanding of the computing and internal controls related to system data,
including data integrity, security, and availability, was obtained.

- Key management controls and internal controls were assessed and tested.

- Third-party audit and security software tools were used to perform automated testing
techniques.

In addition, computer and information systems audit guidelines were used in evaluating the
effectiveness of the Computer Center's management and operations.

As part of the review, the internal controls related to the integrity, confidentiality, and
availability of the mainframe computer were evaluated. The contracted audit disclosed
internal control weaknesses related to the operating system, system access, security program
and functions, network controls, and business continuity planning. These weaknesses are
discussed in the Results of Audit section of this report. The recommendations, if
implemented, should improve controls in these areas.

PRIOR AUDIT COVERAGE

The General Accounting Office had not issued any reports relating to operations of the
Computer Center or its Federal Financial System. Our office, however, has issued one report
during the past 5 years relating to the Geological Survey's Federal Financial System.

The September 1992 report "Implementation of the Federal Financial System, U.S.
Geological Survey" (No. 92-I-1418) stated that the Federal Financial System had not been
implemented effectively and did not meet the requirements contained in the Joint Financial
Management Improvements Program's "Core Financial System Requirements." These
conditions occurred, according to the report, because the Geological Survey did not comply
with Office of Management and Budget and Departmental guidelines for establishing and
maintaining an integrated financial management system.  The report also identified
inadequate physical security at the Reston Automated Data Processing Facility. The
Geological Survey generally agreed with our 19 recommendations and initiated actions to
correct the deficiencies identified.

RESULTS OF AUDIT

The House Office of Inspector General's audit report identified 42 weaknesses and made 70
recommendations for corrective actions to the Geological Survey and one recommendation
for corrective action to both the Geological Survey and the House's Chief Administrative
Officer. The report stated that the Geological Survey's General Purpose Computer Center
had operational internal controls that were inadequate. Specifically, weaknesses existed in
data center management and operations; mainframe computer system physical and logical
security; telecommunications security; protection of the local area network from
unauthorized access and use; and contingency planning, including backup procedures for
preventing data loss and for the recovery of data in case of a disaster. The Office of
Management and Budget and the National Institutes of Standards and Technology have
issued numerous directives, policies, and guidelines requesting that Federal agencies
establish and implement computer security and controls to improve the safeguarding of
sensitive information in Federal agencies' computer systems. However, the Computer
Center did not fully comply with these criteria because it did not: establish certain formal
data center policies, standards, and procedures; segregate duties adequately; comply with
vendor guidelines for system operations; and develop a formal and comprehensive data
security program. Consequently, the Computer Center was susceptible to: unauthorized
system access and data modification; errors and omissions during system start up and
processing; and unauthorized facility or system access, which could lead to theft or
destruction of hardware, software, and information.

The control deficiencies noted in each of the functional aspects are summarized in the
following paragraphs.

Computer Center Management and Operations

The House's September 3 report identified 8 weaknesses and made 17 recommendations
regarding the Computer Center's management and operations. The report stated that the
Computer Center had weaknesses in its management and operations that "posed significant
risks" to computer system availability, confidentiality, and reliability. These problems
included the following:

- Inconsistent and inadequate security background checks and clearances for Computer
Center government and contractor employees.

- Poor controls over access to key support systems, such as the Internet, DOINET, and
local area networks.

- Inadequate and inconsistently used software program change control procedures.

- Inadequate problem-resolution procedures.

- Lack of control over the labeling and distribution of sensitive computer-generated
printouts.

Mainframe Computer System Physical and Logical Security

The House's September 3 report identified 20 weaknesses and made 32 recommendations
regarding the Computer Center's physical and logical security of its mainframe systems.
The report stated that the Computer Center did not comply with vendor guidelines and
generally accepted industry practices in administering and implementing operating system
and access security software controls on its mainframe computer. Some of these deficiencies
included:

- Improper controls over critical operating system components, such as system start-up
parameters and options and the authorized program facility.

- Unrestricted access to and use of powerful system programs, such as the Customer
Information Control System transaction utility programs.

- Inadequate controls over system programmer access to terminals capable of acting as
the master console terminal.

- Inadequate software change control procedures over modifications made to the
Customer Information Control System environment.

- Improper installation of and controls over security access control software.

- Improper controls over programmers and separated/terminated employees.

Telecommunications Security

The House's September 3 report identified one weakness and made two recommendations
regarding the Computer Center's telecommunications security. The report stated that
unrestricted user access through the Internet posed integrity and security risks to internal
systems such as the mainframe computer and certain local area networks.

Local Area Network Protection

The House's September 3 report identified 10 weaknesses and made 17 recommendations
regarding the Computer Center's local area network protection. The report stated that the
Geological Survey did not provide proper controls in administering and managing its local
area networks, which are connected to the mainframe computer that processes Federal
Financial System data. Problems related to the local area networks included the following:

- Inconsistent management and administration practices between three local area network
servers.

- Improper controls over passwords on and general access to a particular local area
network.

- Inadequate controls over powerful access privileges (supervisor privileges) to the local
area network.

- Lack of procedures for monitoring local area network access and usage.

- Incomplete and untested contingency, data backup, and disaster data recovery plans
to ensure the timely recovery and resumption of operations.

- Inadequate physical security controls to safeguard key network computer hardware.

- Inconsistent requirements for installing and using virus detection software on fileservers
and workstations.

Contingency Planning, Backup, and Disaster Recovery

The House's September 3 report identified three weaknesses and made three
recommendations regarding the Computer Center's contingency planning, backup, and
disaster recovery procedures. The report stated that the Computer Center's contingency
planning, data backup, and disaster-recovery procedures for the Federal Financial System
mainframe computer were inadequate and did not allow for complete business resumption.

Corrective Actions

The Geological Survey and House management worked collaboratively with our office, the
House's Office of Inspector General, and the contracted auditing firm to resolve key issues.
As a result of this collaborative effort, the Geological Survey was able to take immediate
corrective actions to resolve the deficiencies that could have adversely impacted the integrity
and security of the processing of the House's financial data on the Federal Financial System.
Geological Survey management also initiated efforts to correct the other deficiencies
identified, which were important to the overall integrity and security of data center
operations. In its report, the House's Office of Inspector General stated that it believed that
the "actions taken and the continuing commitment demonstrated" by Geological Survey
management "to resolve the deficiencies identified has greatly reduced the risk" to the
Computer Center's "processing environment."

U.S. Geological Survey Response and Office of Inspector General Reply

The Director, U.S. Geological Survey, responded to the House's draft report on August 20,
1996. Based on this response, we considered 13 recommendations implemented and 58
recommendations resolved but not implemented. The unimplemented recommendations will
be referred to the Assistant Secretary for Policy, Management and Budget for tracking of
implementation (see the Appendix).

The legislation, as amended, creating the Office of Inspector General requires semiannual
reporting to the Congress on all audit reports issued, actions taken to implement audit
recommendations, and identification of each significant recommendation on which corrective
action has not been taken.

We appreciate the assistance of U.S. Geological Survey personnel in the conduct of this
audit.

 
APPENDIX

STATUS OF AUDIT REPORT RECOMMENDATIONS [1]

Finding/Recommendation
Reference                    Status           Action Required

3E, 7B, 10A, 10B, 13A,       Implemented.     No further action is required.
15A, 15B, 18, 22, 23, 25,
41, and 42

1A, 1B, 2, 3A, 3B, 3C,       Resolved; not    No further response to the
3D, 4, 5A, 5B, 5C, 6A,       implemented.     Department of the Interior
6B, 8A, 8B, 9A, 9B, 9C,                       Office of Inspector General
11A, 11B, 11C, 12,                            is required. The
13B, 14A, 14B, 14C, 16,                       recommendations will be
17, 19, 20A, 20B, 20C, 21,                    referred to the Assistant
24A, 24B, 26, 27, 28,                         Secretary for Policy,
29A, 29B, 30A, 30B,                           Management and Budget
31A, 31B, 32A, 32B,                           for tracking of
33A, 33B, 33C, 33D,                           implementation.
34, 35, 36A, 36B, 37, 38,
39, and 40

[1] From audit report "Stronger Controls Needed Over The Data Processing Environment At The U.S.
Geological Survey, Reston General Purpose Computer Center," dated September 3, 1996.
