The Fiscal Year 2019 audit of the Treasury Department found enough control issues with the department’s government-wide cash management and Federal debt IT systems to warrant a management report on the deficiencies from Treasury’s inspector general and auditor KPMG.
The report, released December 16, found some internal control issues that had been identified in previous years and new issues that prompted concerns with the Bureau of the Fiscal Service, the unit responsible for the management of government-wide cash reserves and the Federal debt.
“Although Fiscal Service made progress in addressing prior year deficiencies, Fiscal Service did not consistently implement adequate controls over the government-wide cash and the Federal debt information systems or controls did not operate effectively,” the report states.
In particular, the audit highlighted identity, credential, and access management (ICAM) as an area of concern. For the Fiscal Service’s mainframe environment, controls were not fully validated, least-privilege principles were not followed, and logging and monitoring controls were not fully implemented. On the bureau’s UNIX environment, user access review was not consistently performed, audit log policies were only completed late in the fiscal year, and improvements were needed in reviewing and recertifying developer access. Similar recommendations emerged for the Treasury Web Application Infrastructure, the Treasury Oracle Financials environment, and the Secure Payment System environment.
In addition to ICAM-related recommendations, the report highlights the need for consistent implementation of security software configurations, better documentation of security controls, password controls, and baseline compliance with established policies.
In total, the report makes 67 recommendations across 17 categories for the Fiscal Service and Treasury. The report does not include any information on the department’s response to the recommendations.