DHS IG: Weak internal controls put financial data at risk
The integrity of the Homeland Security Department's financial data is at increased risk because of weak information technology internal controls related to financial management systems, the DHS Office of Inspector General has said in a report.
The report covers the IT management controls that support the department's financial statement for fiscal 2006. Internal controls reduce the risk of error or fraud in financial reporting.
This is not the first time the IG has pointed out these weaknesses, which were the result of DHS not prioritizing the necessary corrective actions.
The department has excessive access to and inadequate logical security controls for its key financial applications and support systems, in addition to incorrect or ineffective application change control processes, the IG said in the report.
"The effect of these numerous IT weaknesses identified during our testing reduces the reliability of DHS' financial data," DHS IG Richard Skinner said in the report. The weaknesses limit DHS' ability to ensure the confidentiality, integrity and availability of critical financial and operational data.
Many of these weaknesses may result in material errors in DHS' financial data that are not detected in a timely manner in the normal course of business. That means DHS must operate manual controls to reduce that risk, the report states.
"Since manual controls are operated by people, there cannot be a reasonable expectation that they would be able to be in place at all times and in all areas," Skinner stated.
Last year, DHS improved its results toward complying with the Federal Information Security Management Act. Meanwhile, a few DHS component agencies took actions to improve their IT environments and address IT control issues.
The IG identified more than 200 separate findings covering all DHS agencies. DHS closed about 44 percent of the prior year's IT findings, but the IG uncovered 150 new ones through testing this year.
The IG audited the financial systems of the U.S. Citizen and Immigration Services agency, which is owned and serviced by the Immigration and Customs Enforcement agency.
DHS inherited many of its component agencies' weaknesses, including system development activities that did not incorporate strong security controls from the outset, which will take several years to fully address. Many of the larger agencies have decentralized IT and financial system support.
The fact that DHS does not have an integrated financial system with the embedded functionality required by the Office of Management and Budget is the major factor for the department's financial management weaknesses, the IG said.
DHS outlined a plan to fix the internal control weaknesses in a response letter from Robert West, its chief information security officer. For example, the department will develop procedures by November for testing internal controls for its designated financial systems. Component agencies will perform monitoring of key controls by March 2008.
In June, DHS said it will move its agencies to one of two certified financial systems under the Transformation and Systems Consolidation program. DHS will migrate its small agencies to either a version of Oracle Federal Financials that the Transportation Security Administration uses or a version of SAP that the Customs and Border Protection uses. The Government Accountability Office has said DHS does not have a detailed enough strategy for the migration.