During previous audits, the GAO identified information security gaps affecting internal control over financial reporting at the Federal Reserve Banks, which maintain and operate financial systems on behalf of the Bureau of the Public Debt.
While the GAO’s audit for fiscal year 2011 did not identify any new security vulnerabilities, it found that a number of existing gaps had not been fixed by the banks, although corrective actions are planned or in progress.
“Additional actions are needed to fully address the open information systems control recommendations from our prior years’ audits”, the government watchdog noted. “Until these information systems control deficiencies are fully addressed, there will be an increased risk that internal control deficiencies may exist and remain unidentified and an increased risk of unauthorized access, loss, or disclosure; modification of sensitive data and programs; and disruption of critical operations”, the audit concluded.
In response, the Director of the Reserve Bank Operations and Payment Systems commented that the banks continue to make progress in addressing the information security control issues identified by the GAO.
The director said that the banks “intend to implement corrective actions for one of the two remaining [gaps] by September 2012 as part of a transition to a new information security program, and complete actions to address the other [gap] in 2013.”