Government Information Security Reform

Contents for GAO Performance and Accountability Report 2001

From the Comptroller General

The Comptroller General’s FMFIA Assurance Statement for Fiscal 2001

GAO at a Glance

Strategic Plan Framework

Performance at a Glance

How to Use This Report

Management’s Discussion and Analysis

Performance and Financial Information

Limitation on Financial Statements

Strategic Goal 1

Strategic Goal 2

Strategic Goal 3

Strategic Goal 4

Strategies and Challenges -- Achieving Our Goals

Data Quality and Program Evaluation

Resources Needed to Achieve Our Fiscal 2003 Performance Goals

Financial Statements

Overview of Financial Statements

Financial Systems and Internal Controls

Government Information Security Reform

Financial Statements

Notes to Financial Statements

Report of the Audit Advisory Committee

Independent Auditor’s Report

Appendix I

Measures and Targets for Fiscal 1998 through 2003

Appendix II

Accomplishments and Other Contributions for Fiscal 2001

Appendix III

Performance on Qualitative Performance Goals for Fiscal 2000 and 2001

Appendix IV

Qualitative Performance Goals for Fiscal 2002 and 2003

Appendix V

Report on the Implementation of the GAO Personnel Flexibility Act of 2000

Appendix VI

List of Acronyms

Financial Systems and Internal Controls

GAO recognizes the importance of strong financial systems and internal controls to ensure our accountability, integrity, and reliability. To achieve a high level of quality, management maintains a quality control program and seeks advice and evaluation from both internal and external sources.

GAO is committed to fulfilling the internal control objectives of 31 U.S.C. 3512, formerly the Federal Managers’ Financial Integrity Act (FMFIA). Although GAO is not subject to FMFIA, we comply voluntarily with the act’s requirements. Our internal controls are designed to provide reasonable assurance that obligations and costs are in compliance with applicable laws and regulations; funds, property, and other assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and revenues and expenditures applicable to GAO’s operations are properly recorded and accounted for to enable our agency to prepare reliable financial reports and maintain accountability over our assets.

GAO’s management assesses compliance with these controls through a series of comprehensive internal reviews, applying the evaluation criteria in OMB’s guidance for implementing FMFIA. The results of these reviews are discussed with GAO’s Audit Advisory Committee, and action is taken to correct deficiencies as they are identified.

GAO has assessed our internal controls as of September 30, 2001, based on the criteria mentioned above for effective internal controls in the federal government. On the basis of this assessment, we believe that we have effective internal controls in place, as of September 30, 2001. Additionally, GAO’s independent auditor found that GAO maintained effective internal controls over financial reporting and compliance with all applicable laws and regulations. Consistent with GAO’s evaluation, the auditor found no material internal control weaknesses.

In addition, GAO is committed to fulfilling the objectives of the Federal Financial Management Improvement Act of 1996 (FFMIA). Although not subject to FFMIA, GAO voluntarily complies with its requirements. We believe that we have implemented and maintained financial systems that comply substantially with federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level as of September 30, 2001, and for the fiscal year then ended. GAO made this assessment based on criteria established under FFMIA and guidance issued by OMB. Also, GAO’s auditor reported that GAO had substantially complied with the applicable requirements of FFMIA for the fiscal year ended September 30, 2001.

GAO’s inspector general conducts audits and investigations and functions as an independent fact-gathering and technical adviser to the comptroller general. This year, as a result of the inspector general’s efforts, we have improved our policies and internal controls on the use of purchase and travel cards, oversight of unexpended prior-fiscal-year obligations, administering security clearances, and tracking continuing professional education credits earned by GAO employees.

GAO’s Audit Advisory Committee assists the comptroller general in overseeing the effectiveness of our financial reporting and audit processes, internal controls over financial operations, and processes to ensure compliance with laws and regulations relevant to GAO’s financial operations. The committee consists of Sheldon S. Cohen (chairman), Alan B. Levenson, and Katherine D. Ortega, whose relevant experience was described earlier in this report. The committee’s report follows our financial statements and accompanying notes.

Government Information Security Reform

GAO’s information security program is consistent with the security requirements in the Government Information Security Reform provisions (commonly referred to as “GISRA”) enacted in the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. Although GAO is not obligated by law to comply with GISRA, we have made a concerted effort to follow its guidelines and implement its requirements because one of our strategic goals is to be a model federal agency.

To assess whether GAO is consistent with GISRA requirements, we considered the results of (1) internal reviews by program offices and security staff, (2) independent evaluations of our major financial applications by a public accounting firm, and (3) IT control testing of the general support system by GAO’s IT auditors, who are independent of GAO’s IT support function. These reviews and evaluations identified no material weaknesses in GAO’s financial applications and indicated that GAO has made significant efforts to implement GISRA’s requirements. These efforts include establishing a risk-based, agencywide security program; establishing performance measures to ensure that GAO program managers, the chief information officer, and the comptroller general implement and maintain security requirements; providing security training and awareness; establishing the capability to respond to computer security incidents; integrating security into GAO’s capital investment control process; identifying GAO’s critical assets within our enterprise architecture; and ensuring the security of services provided by a contractor or another agency. In addition, GAO continues to provide separate funding for IT security initiatives, training funds for upgrading IT security staff skills, and additional security staff through contractor support.

The various reviews and evaluations, however, identified opportunities for improvement. In response, GAO has undertaken information security projects that include the following:

  • Host-based intrusion detection--We have applied host-based intrusion detection software to GAO’s external servers and will apply this software to internal servers during fiscal 2002.
  • Two-factor user authentication--We have purchased two-factor user authentication technology that uses a combination of the user’s password and a periodically changing numeric token code. This technology will be implemented during fiscal 2002. It is expected to dramatically strengthen GAO’s user authentication by reducing our reliance on user-supplied passwords.
  • IT disaster recovery plan--We have developed an IT disaster recovery plan and contracted for a disaster recovery facility for GAO’s client-server-based systems. We are continuing to work to fully implement and test this plan. In addition, we are testing and implementing new technology that will support our future disaster recovery strategy.
