Government Information Security Reform
Contents for GAO Performance and Accountability Report 2001
- The Comptroller General’s FMFIA Assurance Statement for Fiscal 2001
- Management’s Discussion and Analysis
- Performance and Financial Information
- Limitation on Financial Statements
- Strategies and Challenges -- Achieving Our Goals
- Data Quality and Program Evaluation
- Resources Needed to Achieve Our Fiscal 2003 Performance Goals
- Overview of Financial Statements
- Financial Systems and Internal Controls
- Government Information Security Reform
- Report of the Audit Advisory Committee
- Independent Auditor’s Report
- Measures and Targets for Fiscal 1998 through 2003
- Accomplishments and Other Contributions for Fiscal 2001
- Performance on Qualitative Performance Goals for Fiscal 2000 and 2001
- Qualitative Performance Goals for Fiscal 2002 and 2003
- Report on the Implementation of the GAO Personnel Flexibility Act of 2000
Financial Systems and Internal Controls
GAO recognizes the importance of strong financial systems and internal controls to ensure our accountability, integrity, and reliability. To achieve a high level of quality, management maintains a quality control program and seeks advice and evaluation from both internal and external sources.
GAO is committed to fulfilling the internal control objectives of 31 U.S.C. 3512, formerly the Federal Managers’ Financial Integrity Act (FMFIA). Although GAO is not subject to FMFIA, we comply voluntarily with the act’s requirements. Our internal controls are designed to provide reasonable assurance that obligations and costs are in compliance with applicable laws and regulations; funds, property, and other assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and revenues and expenditures applicable to GAO’s operations are properly recorded and accounted for to enable our agency to prepare reliable financial reports and maintain accountability over our assets.
GAO’s management assesses compliance with these controls through a series of comprehensive internal reviews, applying the evaluation criteria in OMB’s guidance for implementing FMFIA. The results of these reviews are discussed with GAO’s Audit Advisory Committee, and action is taken to correct deficiencies as they are identified.
GAO has assessed our internal controls as of September 30, 2001, based on the criteria mentioned above for effective internal controls in the federal government. On the basis of this assessment, we believe that we have effective internal controls in place, as of September 30, 2001. Additionally, GAO’s independent auditor found that GAO maintained effective internal controls over financial reporting and compliance with all applicable laws and regulations. Consistent with GAO’s evaluation, the auditor found no material internal control weaknesses.
In addition, GAO is committed to fulfilling the objectives of the Federal Financial Management Improvement Act of 1996. Although not subject to FFMIA, GAO voluntarily complies with its requirements. We believe that we have implemented and maintained financial systems that comply substantially with federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level as of September 30, 2001, and for the fiscal year then ended. GAO made this assessment based on criteria established under FFMIA and guidance issued by OMB. Also, GAO’s auditor reported that GAO had substantially complied with the applicable requirements of FFMIA for the fiscal year ended September 30, 2001.
GAO’s inspector general conducts audits and investigations and functions as an independent fact-gathering and technical adviser to the comptroller general. This year, as a result of the inspector general’s efforts, we have improved our policies and internal controls on the use of purchase and travel cards, oversight of unexpended prior-fiscal-year obligations, administering security clearances, and tracking continuing professional education credits earned by GAO employees.
GAO’s Audit Advisory Committee assists the comptroller general in overseeing the effectiveness of our financial reporting and audit processes, internal controls over financial operations, and processes to ensure compliance with laws and regulations relevant to GAO’s financial operations. The committee consists of Sheldon S. Cohen (chairman), Alan B. Levenson, and Katherine D. Ortega, whose relevant experience was described earlier in this report. The committee’s report follows our financial statements and accompanying notes.
Government Information Security Reform
GAO’s information security program is consistent with the security requirements in the Government Information Security Reform provisions (commonly referred to as “GISRA”) enacted in the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. Although GAO is not obligated by law to comply with GISRA, we have made a concerted effort to follow its guidelines and implement its requirements because one of our strategic goals is to be a model federal agency.
To assess whether GAO is consistent with GISRA requirements, we considered the results of (1) internal reviews by program offices and security staff, (2) independent evaluations of our major financial applications by a public accounting firm, and (3) IT control testing of the general support system by GAO’s IT auditors, who are independent of GAO’s IT support function. These reviews and evaluations identified no material weaknesses in GAO’s financial applications and indicated that GAO has made significant efforts to implement GISRA’s requirements. These efforts include establishing a risk-based, agencywide security program; establishing performance measures to ensure that GAO program managers, the chief information officer, and the comptroller general implement and maintain security requirements; providing security training and awareness; establishing the capability to respond to computer security incidents; integrating security into GAO’s capital investment control process; identifying GAO’s critical assets within our enterprise architecture; and ensuring the security of services provided by a contractor or another agency. In addition, GAO continues to provide separate funding for IT security initiatives, training funds for upgrading IT security staff skills, and additional security staff through contractor support.
The various reviews and evaluations, however, identified opportunities for improvement. In response, GAO has undertaken information security projects that include the following:
- Host-based intrusion detection--We have applied host-based intrusion detection software to GAO’s external servers and will apply this software to internal servers during fiscal 2002.
- Two-factor user authentication--We have purchased two-factor user authentication technology that uses a combination of the user’s password and a periodically changing numeric token code. This technology will be implemented during fiscal 2002. It is expected to dramatically strengthen GAO’s user authentication by reducing our reliance on user-supplied passwords.
- IT disaster recovery plan--We have developed an IT disaster recovery plan and contracted for a disaster recovery facility for GAO’s client-server-based systems. We are continuing to work to fully implement and test this plan. In addition, we are testing and implementing new technology that will support our future disaster recovery strategy.