IG Deems DHS Financial, Operational Data at RiskAuditors Cite Excessive Unauthorized Access to Key Apps
Auditors from KPMG released its findings to the DHS IG in April, but the inspector general didn't provide a public version, which was redacted, until this past week.
According to the report, the most significant weaknesses included:
- Excessive unauthorized access to key DHS financial applications.
- Configuration management controls that are not fully defined, followed or effective.
- Security management deficiencies in the area of the certification and accreditation process and the lack of adhering to or developing policies and procedures.
- Contingency planning that lacked current, tested contingency plans developed to protect DHS resources and financial applications.
- Lack of proper segregation of duties for roles and responsibilities within financial systems.
Nearly two-thirds of the 161 weaknesses discovered in the fiscal year 2010 audit were identified but not remediated from an FY 2009 audit. "Disagreements with management's self assessment occurred almost entirely at the Federal Emergency Management Agency," the IG audit said.
"Collectively," the IG report said, "the IT control deficiencies limited DHS's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS's financial reporting and its operation and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants and GAO [Government Accountability Office]."
In 2010 as in 2009, the IG said, FEMA's and Immigration and Customs Enforcement's control deficiencies were found to have a more significant impact on the department. FEMA continues to have a high number of significant IT general controls findings that repeat each fiscal year. "These weaknesses affect our ability to fully audit its financial application controls," the IG said. "In addition, ICE has significant weaknesses in its key financial system which has resulted in duplicate payments, and poor configuration and patch management."