GAO finds flaw in electronic national debt tracking system

The best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews at Apple podcasts Where Podcast One.

Somehow the national debt has managed to reach $28 trillion. But where is he ? It’s in a set of electronic calendars maintained by the Treasury Department’s Office of the Tax Service. When auditing the government’s financial statements for 2021, the Government Accountability Office found a flaw: a deficiency in information system controls. With what it is and the implications, the Federal Drive with Tom Temin turned to GAO Director of Financial Management and Assurance, Cheryl Clark.

Tom Temin: Mrs Clark. It’s good to have you.

Cheryl Clark: Hi, thanks for inviting me.

Tom Temin: Let’s start with what you were actually looking at, because again, the GAO audits the financial statements of the entire federal government every year. And for that, you have my eternal gratitude and sympathy. But what are you watching at the Office of the Fiscal Service regarding the national debt?

Cheryl Clark: The Treasury borrows money to fund federal debt issuance operations, and the Treasury relies on a number of interconnected financial management systems to process and track the money it borrows, to account for the securities it issues and to manage the federal debt. These systems are maintained and operated by the Treasury Tax Service. And by the Federal Reserve Banks, which serve as fiscal agents in the United States. The Federal Debt Securities themselves live primarily in subsidiary systems that report Federal Debt related transactions that feed into the Tax Services General Ledger. And the general ledger, which records the federal debt and related interest expense, is the primary source of information used by the tax service to prepare the federal debt schedules, which is the type of financial statement that the GAO checks. So it comes through the treasury via a bunch of interconnected systems and spits out in a nice one-page calendar.

Tom Temin: So somewhere at the bottom of that, though, there’s an electronic list of the actual securities that Treasury has sold and to whom and when, etc., etc., isn’t it?

Cheryl Clark: Yes.

Tom Temin: And do we know, just out of curiosity, is it like a blockchain, where all these things live? Because I imagine they would really like these to be non-fungible,

Cheryl Clark: Yes, they live in several subsidiary systems which ultimately, again, like the actual dollar amounts of the debt feed into the general ledger.

Tom Temin: And your report found something, I assume you reported that you found repeatedly over several years, deficiencies in the controls of information systems, and what systems have those deficiencies?

Cheryl Clark: So again, it ends up in the ledger. And we’ve been reporting deficiencies for several years. And collectively, we think these gaps matter. They fall under three main general control areas: Security management, which are controls that provide a framework for security risk. And then there are access control issues, and those controls, of course, limit access or inappropriate access to information. And the third area of ​​general controls that is problematic is configuration management. And these are controls that manage hardware and software in systems. And the reason these gaps are so important is that they pose a risk to data integrity. Someone could enter and access the data, modify it, disclose it, and a lot of it is sensitive. And, you know, it could also cause disruptions to critical operations. These gaps are therefore important for the disclosure of financial information on the debt.

Tom Temin: We speak with Cheryl Clark, she is the Director of Financial Management and Assurance at GAO. So, for example, and I’m making this up and I’m making it known, this is my example, not yours, but could a Russian hacker, for example, walk into this and say, well, let’s give a few hundred billion dollars worth of T links.

Cheryl Clark: Well, I’d rather not speculate what a hacker might do. But obviously, as I said, these weaknesses increase the risk that someone could modify the data and disrupt operations. But I will point out that there are a number of controls in place, for example, the role of the Federal Reserve Banks, that the role that the banks play in issuing and buying back securities, that helps to mitigate the risk because there are reconciliations going on between the activities that the Federal Reserve banks do and then the tax service. So there are mitigating risks. We haven’t elevated that to hardware weakness yet.

Tom Temin: Understood. So the fact that it’s distributed within the system itself to issue those securities and register them is distributed between the government and the Federal Reserve system helps mitigate the risk a bit.

Cheryl Clark: Yes.

Tom Temin: Agreed. Well, you mentioned that this is a recurring gap that you find every year. What does the office say?

Cheryl Clark: Well, actually we had positive discussions more recently with the office, they responded positively to our report. You know, year after year we have seen progress. And these advances have led to incremental improvements. However, addressing this gap will require sustained focus and commitment. But the tax department seems to understand the significance of the issues and has come up with some corrective action plans, which we’ll be looking at in our FY22 audit, which we’ve just started, and I hope those action plans fix will be specific and get to the root of the problems.

Tom Temin: Regarding the issue of configuration management, I assume that at some point there was commercial software, as part of the components here. It looks like the Cybersecurity and Infrastructure Security Agency of the DHS (Department of Homeland Security) might be able to help them here. Did this happen?

Cheryl Clark: No, no, it didn’t come.

Tom Temin: Well, now that’s okay, because everyone’s gonna hear that. And the access control issues that relate to what, who in the Tax Services Office, or I guess, the Treasury Department, authorized access to the system? I imagine something they really need to guard carefully.

Cheryl Clark: Yes, I mean, who has access to the system varies, of course, depending on the system and the business processes that the system supports, for example, access to the tax services general ledger system is limited, usually at tax department and the Federal Reserve Bank employees who are required to enter data, publish data, and perform reconciliations. But yes, access controls are really important to limit or even detect inappropriate access.

Tom Temin: In some respects, these systems in terms of sensitivity and access requirements appear similar to IRS systems for taxpayers. Is this a good analogy?

Cheryl Clark: Oh, yeah, I think I think it’s similar.

Tom Temin: Yes, another function. But nevertheless, there should only be authorized access, and then disclosure, then would be a bad outcome if the wrong person accesses it for the wrong reason. But what to be exact to say also?

Cheryl Clark:
Yes, it’s true. Because these are programs sensitive to sensitive data and general controls, access being one of the general controls, it is important to ensure that financial systems are functioning properly and are secure.

Tom Temin: Alright, so who’s the navel to stick here, then? Is it technical staff from the Tax Service Office? Does he rise to the level of the CIO of the Treasury? Or who do you think really needs to own this and fix it once and for all?

Cheryl Clark: It’s a good question. In the past year, in FY21, a positive initiative is that the tax department created a committee of senior executives to oversee the correction of these weaknesses. I mean, ultimately, the tax department is responsible for solving the problem. But doing this will require successful coordination between a number of organizational units and tax department officials. You know, it’s not a one-time fix, it’s going to take a sustained effort to completely address those weaknesses. And again, in response to our reports, the Tax Service has recognized the need for continued commitment from management to address these weaknesses. I mean, these are long-standing weaknesses that are very complex, they affect multiple financial systems. And it will take time, resources and expertise to fully address these weaknesses.

I mean, one of the things we’re emphasizing on the tax department is the role of the committee that they just established, the role of the committee is very important, but they have to make sure that the committee has the right technical expertise to oversee, question and evaluate these corrective actions. And that’s going to be key to addressing the weaknesses.

Tom Temin: Cheryl Clark is Director of Financial Management and Assurance at the Government Accountability Office. Thanks very much.

Cheryl Clark: Oh you are welcome.

Comments are closed.