IG Deems DHS Financial, Operational Data at Risk

Auditors Cite Excessive Unauthorized Access to Key Apps
IG Deems DHS Financial, Operational Data at Risk
The inability of the Department of Homeland Security to implement appropriate IT and application controls has placed at risk the confidentiality, integrity and availability of DHS's financial and operational data, according to an audit conducted for the department's inspector general.

Auditors from KPMG released its findings to the DHS IG in April, but the inspector general didn't provide a public version, which was redacted, until this past week.

According to the report, the most significant weaknesses included:

  • Excessive unauthorized access to key DHS financial applications.
  • Configuration management controls that are not fully defined, followed or effective.
  • Security management deficiencies in the area of the certification and accreditation process and the lack of adhering to or developing policies and procedures.
  • Contingency planning that lacked current, tested contingency plans developed to protect DHS resources and financial applications.
  • Lack of proper segregation of duties for roles and responsibilities within financial systems.

Nearly two-thirds of the 161 weaknesses discovered in the fiscal year 2010 audit were identified but not remediated from an FY 2009 audit. "Disagreements with management's self assessment occurred almost entirely at the Federal Emergency Management Agency," the IG audit said.

"Collectively," the IG report said, "the IT control deficiencies limited DHS's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS's financial reporting and its operation and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants and GAO [Government Accountability Office]."

In 2010 as in 2009, the IG said, FEMA's and Immigration and Customs Enforcement's control deficiencies were found to have a more significant impact on the department. FEMA continues to have a high number of significant IT general controls findings that repeat each fiscal year. "These weaknesses affect our ability to fully audit its financial application controls," the IG said. "In addition, ICE has significant weaknesses in its key financial system which has resulted in duplicate payments, and poor configuration and patch management."

About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network