Financial Systems and Internal Controls

October 27 - GAO recognizes the importance of strong financial systems and internal controls to ensure our accountability, integrity, and reliability. To achieve a high level of quality, management maintains a quality control program and seeks advice and evaluation from both internal and external sources.


GAO is committed to fulfilling the internal control objectives of 31 U.S.C. 3512, formerly the Federal Managers' Financial Integrity Act (FMFIA). Although GAO is not subject to FMFIA, we comply voluntarily with the act's requirements. Our internal controls are designed to provide reasonable assurance that obligations and costs are in compliance with applicable laws and regulations; funds, property, and other assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and revenues and expenditures applicable to GAO's operations are properly recorded and accounted for to enable our agency to prepare reliable financial reports and maintain accountability over our assets.

GAO's management assesses compliance with these controls through a series of comprehensive internal reviews, applying the evaluation criteria in OMB's guidance for implementing FMFIA. The results of these reviews are discussed with GAO's Audit Advisory Committee, and action is taken to correct deficiencies as they are identified.

GAO has assessed our internal controls as of September 30, 2001, based on the criteria mentioned above for effective internal controls in the federal government. On the basis of this assessment, we believe that we have effective internal controls in place, as of September 30, 2001. Additionally, GAO's independent auditor found that GAO maintained effective internal controls over financial reporting and compliance with all applicable laws and regulations. Consistent with GAO's evaluation, the auditor found no material internal control weaknesses.

In addition, GAO is committed to fulfilling the objectives of the Federal Financial Management Improvement Act of 1996. Although not subject to FFMIA, GAO voluntarily complies with its requirements. We believe that we have implemented and maintained financial systems that comply substantially with federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level as of September 30, 2001, and for the fiscal year then ended. GAO made this assessment based on criteria established under FFMIA and guidance issued by OMB. Also, GAO's auditor reported that GAO had substantially complied with the applicable requirements of FFMIA for the fiscal year ended September 30, 2001.

GAO's inspector general conducts audits and investigations and functions as an independent fact-gathering and technical adviser to the comptroller general. This year, as a result of the inspector general's efforts, we have improved our policies and internal controls on the use of purchase and travel cards, oversight of unexpended prior-fiscal-year obligations, administering security clearances, and tracking continuing professional education credits earned by GAO employees.

GAO's Audit Advisory Committee assists the comptroller general in overseeing the effectiveness of our financial reporting and audit processes, internal controls over financial operations, and processes to ensure compliance with laws and regulations relevant to GAO's financial operations. The committee consists of Sheldon S. Cohen (chairman), Alan B. Levenson, and Katherine D. Ortega, whose relevant experience was described earlier in this report. The committee's report follows our financial statements and accompanying notes.

 

Government Information Security Reform

 

GAO's information security program is consistent with the security requirements in the Government Information Security Reform provisions (commonly referred to as "GISRA") enacted in the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. Although GAO is not obligated by law to comply with GISRA, we have made a concerted effort to follow its guidelines and implement its requirements because one of our strategic goals is to be a model federal agency.

To assess whether GAO is consistent with GISRA requirements, we considered the results of (1) internal reviews by program offices and security staff, (2) independent evaluations of our major financial applications by a public accounting firm, and (3) IT control testing of the general support system by GAO's IT auditors, who are independent of GAO's IT support function. These reviews and evaluations identified no material weaknesses in GAO's financial applications and indicated that GAO has made significant efforts to implement GISRA's requirements. These efforts include establishing a risk-based, agencywide security program; establishing performance measures to ensure that GAO program managers, the chief information officer, and the comptroller general implement and maintain security requirements; providing security training and awareness; establishing the capability to respond to computer security incidents; integrating security into GAO's capital investment control process; identifying GAO's critical assets within our enterprise architecture; and ensuring the security of services provided by a contractor or another agency. In addition, GAO continues to provide separate funding for IT security initiatives, training funds for upgrading IT security staff skills, and additional security staff through contractor support.

The various reviews and evaluations, however, identified opportunities for improvement. In response, GAO has undertaken information security projects that include the following:

  • Host-based intrusion detection--We have applied host-based intrusion detection software to GAO's external servers and will apply this software to internal servers during fiscal 2002.
  • Two-factor user authentication--We have purchased two-factor user authentication technology that uses a combination of the user's password and a periodically changing numeric token code. This technology will be implemented during fiscal 2002. It is expected to dramatically strengthen GAO's user authentication by reducing our reliance on user-supplied passwords.
  • IT disaster recovery plan--We have developed an IT disaster recovery plan and contracted for a disaster recovery facility for GAO's client-server-based systems. We are continuing to work to fully implement and test this plan. In addition, we are testing and implementing new technology that will support our future disaster recovery strategy.

Visit the GAO for the full report

