Two ‘info system control deficiencies’ related to federal securities actions identified in GAO audit of Federal Reserve banks

Two information system general control deficiencies related to management by Federal Reserve banks (FRBs) of fiscal agent services on behalf of the U.S. Treasury were identified in an audit last year by the Government Accountability Office (GAO), the congressional watchdog said Thursday.

The Fed was given 60 days to tell GAO what actions it is taking or plans to take to address the recommendations made in the audit.

The details of the audit, including the recommendations, are contained in a “limited official use only report,” which is not publicly available. However, the GAO did release a nine-page “management report” outlining the scope of its findings of the FRB services.

The report notes that many FRBs provide fiscal agent services on behalf of Treasury, which consist of issuing, servicing, and redeeming Treasury securities held by the public and handling the related transfers of funds.

In fiscal year 2017, the report states, FRBs issued about $8.6 trillion in federal debt securities to the public, redeemed about $8.1 trillion of debt held by the public, and processed about $248 billion in interest payments on debt held by the public. The reserve banks perform the service on behalf of the Treasury’s Bureau of the Fiscal Service.

According to GAO, during an audit of the fiscal service, it found the deficiencies of the systems related to access controls and configuration management used by the FRBs for the Treasury office. GAO also reported that what it found was not the first time such deficiencies had been identified with the FRB systems – including in 2016. GAO noted those deficiencies had been corrected.

However, GAO said, the “new deficiencies in information system controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in Fiscal Service’s internal control over financial reporting relevant to the Schedule of Federal Debt.”

The watchdog agency said that the 2017 “new and continuing information system control deficiencies” increase the risk of “unauthorized access to, modification of, or disclosure of sensitive data and programs.”

“The potential effect of these new and continuing deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2017 was mitigated primarily by FRBs’ program of monitoring user and system activity and Fiscal Service’s compensating management and reconciliation controls designed to detect potential misstatements of the Schedule of Federal Debt.”

Nevertheless, the report states, the general control deficiencies “warrant the attention and action of management.”

The Federal Reserve, in response, told GAO it takes the control deficiencies seriously and that FRB management “is currently in the process of addressing the new and continuing information system general control deficiencies “ that GAO identified during its fiscal year 2017 audit.

GAO said it plans to follow up to determine the status of corrective actions taken to address these deficiencies and associated recommendations during its audit of the 2018 Schedule of Federal Debt.

Management Report: Areas for Improvement in the Federal Reserve Banks’ Information System Controls