USAID. OFC. OF THE INSPECTOR GENERAL. OFC. OF AUDIT. INFORMATION, TECHNOLOGY & SPECIAL AUDITS DIV.
Audits USAID"s general controls over its mainframe computer systems that support key financial systems.
1999

Abstract
Audit report covers the period ending 3/99. USAID mainframe general controls are not effective. Specifically, (1) entity-wide security program and management, (2) access controls, (3) application software development and change processes, and (4) segregation of computer system duties provide inadequate controls over mainframe operations. However, system software change controls and continuity of service controls are effective. The general control weaknesses pose risks to USAID"s mainframe applications, which include the financial accounting and control, payroll, loan accounting, and letter of credit applications. Because of these weaknesses, USAID lacks assurance that financial data are accurately processed or that financial and system resources are secured. A primary problem is the lack of an agency-wide security program that includes clear security responsibilities and agency-wide security processes. USAID managers have begun taking actions to establish an agency-wide security program and have made initial progress in strengthening USAID"s security posture. However, USAID must successfully complete actions identified in this and other reports to reduce the risks to its sensitive and critical information systems. Even though USAID plans to out-source the letter of credit and loan accounting and to stop using the financial accounting and control systems, the payroll system will remain on the mainframe and will still require effective controls to protect data and resources from unauthorized loss, destruction, or change. To achieve the agency"s security program objectives, senior management needs to be directly involved and committed to correcting the control deficiencies. USAID management agreed that weak general controls over USAID"s mainframe environment are attributable to the lack of an agency-wide security program. Management stated further that it is addressing a broad range of information technology (IT) vulnerabilities and is implementing disciplined practices to correct the problems. Specifically, USAID has awarded a contract to a firm rated high in software engineering and systems integration, and has consolidated as many tasks as possible under the supervision of that PRIME contractor team. Management therefore suggested that some of the draft audit recommendations be expressed as performance-based contract requirements for the PRIME contractor. However, the auditors did not revise the recommendations because they believe that management should decide how to implement them. (Author abstract, modified)
Connected topics
Classification
USAID DEC