Summary: In connection with fulfilling our requirement to audit the financial statements of the U.S. government, we audited and reported on the Schedules of Federal Debt Managed by the Bureau of the Public Debt (BPD) for the fiscal years ended September 30, 2003 and 2002. As part of these audits, we performed a review of the general and application computer controls over key financial systems maintained and operated by the Federal Reserve Banks (FRB) on behalf of the Department of the Treasury's BPD. Many of the FRBs perform fiscal agent services on behalf of the U.S. government, including BPD. The debt-related services primarily consist of issuing, servicing, and redeeming Treasury securities and processing secondary market securities transfers. In fiscal year 2003, the FRBs issued about $4.1 trillion in federal debt securities to the public, redeemed about $3.8 trillion of debt held by the public, and processed about $125 billion in interest payments on debt held by the public. FRBs maintain and operate key financial applications on behalf of BPD and an array of financial and information systems to process and reconcile monies disbursed and collected on behalf of BPD.
As we reported in connection with our audit of the Schedules of Federal Debt for the fiscal years ended September 30, 2003 and 2002, BPD maintained, in all material respects, effective internal control, including general and application computer controls, relevant to the Schedule of Federal Debt related to financial reporting and compliance with applicable laws and regulations as of September 30, 2003. BPD's internal control provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the Schedule of Federal Debt for the fiscal year ended September 30, 2003, would be prevented or detected on a timely basis. We found matters involving computer controls that we do not consider to be reportable conditions. In a separately issued Limited Official Use Only report, we communicated detailed information regarding our findings to FRB managers and made five recommendations that address application computer control vulnerabilities related to access controls. In addition, our follow-up on the status of the FRBs' corrective actions to address unresolved vulnerabilities identified in prior years' audits found that the FRBs had taken corrective action for three of the four open recommendations discussed in our prior report. The one remaining open recommendation related to access controls is now encompassed in one of the five new detailed recommendations contained in the Limited Official Use Only report. While the application computer control vulnerabilities reported do not pose significant risks to the financial systems maintained and operated by the FRBs on behalf of BPD, they warrant FRB managers' action to decrease the risk of unauthorized access or data misuse.
