Auditors criticize DHS' financial management IT
Information technology systems used to manage the Homeland Security Department’s finances have security weaknesses that could threaten the integrity of the department’s financial data, according to a report recently released by DHS’ inspector general.
According to the results of an investigation by the accounting firm KPMG, despite “significant steps” taken by DHS component agencies to improve the security of financial management systems during fiscal 2007, weaknesses remain.
Hundreds of access control, change control, integration and continuity-of-operations issues that could affect DHS’ financial data were identified by the IT management letter released by the department's IG July 25. The annual report was done by KPMG and is dated Dec. 14, 2007.
KPMG identified 200 outstanding issues for fiscal 2007 that were also mentioned in a similar report for fiscal 2006, as well as more than 60 new IT findings. The firm said more than 30 percent of the previous year’s findings had been resolved.
“The effect of these Information Technology General Controls (ITGC) weaknesses limits DHS’ ability to ensure that critical financial data is reliable and is maintained in a manner to ensure confidentiality, integrity, and availability,” the latest report said.
“Many of these weaknesses, especially those in the area of change control, may result in material errors in DHS’ financial data that are not detected, in a timely manner, in the normal course of business,” KPMG auditors also said.
To improve the financial management systems’ controls, continuity of operations, and departmentwide integration, the firm had a long list of recommendations that included:
- Enforcing controls that meet DHS’ password requirements on all financial systems.
- Requiring a review of operating system logs for suspicious activity and conducting audit log reviews.
- Finalizing procedures regarding Voice over Internet Protocol, wireless technologies and sharing data with external parties.
- Removing excessive access on all DHS financial system software and support files.
- Implementing an operational alternate processing site.
- Finalizing an IT security awareness training program for all contractors and employees.
- Implementing policies and procedures for the review of suspicious system software activity.
KPMG said many of the weaknesses listed came about from legacy systems inherited from DHS component agencies. Those systems did not always incorporate strong security controls, the report said.
The audit blamed DHS for not having a departmentwide method for tracking corrective actions at component agencies and for insufficient testing of corrective activities overall.
“The most prevalent reason as to why these weaknesses are present is the lack of prioritization in taking the necessary actions to improve the IT control environment around the department’s financial management systems,” the report said.
In a response letter, DHS’ chief information security and chief financial officers said they concurred with the recommendations, and had already completed several initiatives in fiscal 2008, including providing field support to components for remediation activities and updating DHS information assurance tools.
Ben Bain is a reporter for Federal Computer Week.