GAO Performance and Accountability Report 2001
GAO recognizes the importance of strong financial systems and internal controls to ensure our accountability, integrity, and reliability. To achieve a high level of quality, management maintains a quality control program and seeks advice and evaluation from both internal and external sources.
GAO is committed to fulfilling the internal control objectives of 31 U.S.C. 3512, formerly the Federal Managers’ Financial Integrity Act (FMFIA). Although GAO is not subject to FMFIA, we comply voluntarily with the act’s requirements. Our internal controls are designed to provide reasonable assurance that obligations and costs are in compliance with applicable laws and regulations; funds, property, and other assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and revenues and expenditures applicable to GAO’s operations are properly recorded and accounted for to enable our agency to prepare reliable financial reports and maintain accountability over our assets.
GAO’s management assesses compliance with these controls through a series of comprehensive internal reviews, applying the evaluation criteria in OMB’s guidance for implementing FMFIA. The results of these reviews are discussed with GAO’s Audit Advisory Committee, and action is taken to correct deficiencies as they are identified.
GAO has assessed our internal controls as of September 30, 2001, based on the criteria mentioned above for effective internal controls in the federal government. On the basis of this assessment, we believe that we have effective internal controls in place as of September 30, 2001. Additionally, GAO’s independent auditor found that GAO maintained effective internal controls over financial reporting and compliance with all applicable laws and regulations. Consistent with GAO’s evaluation, the auditor found no material internal control weaknesses.
In addition, GAO is committed to fulfilling the objectives of the Federal Financial Management Improvement Act of 1996 (FFMIA). Although not subject to FFMIA, GAO voluntarily complies with its requirements. We believe that we have implemented and maintained financial systems that comply substantially with federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level as of September 30, 2001, and for the fiscal year then ended. GAO made this assessment based on criteria established under FFMIA and guidance issued by OMB. Also, GAO’s auditor reported that GAO had substantially complied with the applicable requirements of FFMIA for the fiscal year ended September 30, 2001.
GAO’s inspector general conducts audits and investigations and functions as an independent fact-gathering and technical adviser to the comptroller general. This year, as a result of the inspector general’s efforts, we have improved our policies and internal controls on the use of purchase and travel cards, oversight of unexpended prior-fiscal-year obligations, administering security clearances, and tracking continuing professional education credits earned by GAO employees.
GAO’s Audit Advisory Committee assists the comptroller general in overseeing the effectiveness of our financial reporting and audit processes, internal controls over financial operations, and processes to ensure compliance with laws and regulations relevant to GAO’s financial operations. The committee consists of Sheldon S. Cohen (chairman), Alan B. Levenson, and Katherine D. Ortega, whose relevant experience was described earlier in this report. The committee’s report follows our financial statements and accompanying notes.
Government Information Security Reform
GAO’s information security program is consistent with the security requirements in the Government Information Security Reform provisions (commonly referred to as “GISRA”) enacted in the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. Although GAO is not obligated by law to comply with GISRA, we have made a concerted effort to follow its guidelines and implement its requirements because one of our strategic goals is to be a model federal agency.
To assess whether GAO is consistent with GISRA requirements, we considered the results of (1) internal reviews by program offices and security staff, (2) independent evaluations of our major financial applications by a public accounting firm, and (3) IT control testing of the general support system by GAO’s IT auditors, who are independent of GAO’s IT support function. These reviews and evaluations identified no material weaknesses in GAO’s financial applications and indicated that GAO has made significant efforts to implement GISRA’s requirements. These efforts include establishing a risk-based, agencywide security program; establishing performance measures to ensure that GAO program managers, the chief information officer, and the comptroller general implement and maintain security requirements; providing security training and awareness; establishing the capability to respond to computer security incidents; integrating security into GAO’s capital investment control process; identifying GAO’s critical assets within our enterprise architecture; and ensuring the security of services provided by a contractor or another agency. In addition, GAO continues to provide separate funding for IT security initiatives, training funds for upgrading IT security staff skills, and additional security staff through contractor support.
- Host-based intrusion detection--We have applied host-based intrusion detection software to GAO’s external servers and will apply this software to internal servers during fiscal 2002.
- Two-factor user authentication--We have purchased two-factor user authentication technology that uses a combination of the user’s password and a periodically changing numeric token code. This technology will be implemented during fiscal 2002. It is expected to dramatically strengthen GAO’s user authentication by reducing our reliance on user-supplied passwords.
- IT disaster recovery plan--We have developed an IT disaster recovery plan and contracted for a disaster recovery facility for GAO’s client-server-based systems. We are continuing to work to fully implement and test this plan. In addition, we are testing and implementing new technology that will support our future disaster recovery strategy.