Title Full
FIN MGT: Mgmt Letter for the Deficiencies in Internal Control over Cash Mgmt Systems at the Bureau of the Fiscal Service Identified during the Audit of the Department of the Treasury's Consolidated Financial Statements for Fiscal Years 2024 and 2023
Date Issued
Submitting OIG
Department of the Treasury OIG
Agencies Reviewed/Investigated
Department of the Treasury
Components
Bureau of the Fiscal Service
Report Number
OIG-25-013
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
15
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 15 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details (text follows each row)
1-1 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service management reinforce policy requirements (through training or other means) for removing logical access of terminated and transferred Fiscal Service employees and contractors within 2 business days of their separation date.

1-2 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service management perform ongoing monitoring to hold responsible control performers accountable for timely completion of such control activities.
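Recommendations 1-1 and 1-2 together describe one control: access of separated employees and contractors must be gone within 2 business days, and management must monitor the control performers who carry that out. The check below is an added example for this page, not code from the OIG report or from Fiscal Service; it assumes two constructed feeds (an HR separation list and an access-management export recording when each account's logical access was removed) and counts only Monday to Friday as business days, leaving federal holidays to an agency calendar.

```python
"""Deprovisioning-timeliness check for the 2-business-day requirement.

Added example for this page; it is not part of the OIG report or of any
Fiscal Service tool. It assumes two constructed feeds: HR separations and
an access-management export recording when each account's logical access
was removed (None = still active). The deadline is the second business day
(Monday-Friday) after the separation date; federal holidays are not
modelled and would have to be supplied from an agency calendar.
"""
from datetime import date, timedelta


def add_business_days(start: date, days: int) -> date:
    """Advance start by the given number of Monday-Friday days."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0=Mon ... 4=Fri
            days -= 1
    return current


def removal_deadline(separated_on: str) -> str:
    """ISO date by which access must be gone (2 business days)."""
    return add_business_days(date.fromisoformat(separated_on), 2).isoformat()


def find_untimely_removals(separations, access, as_of: str):
    """Return (user, performer, deadline, status) for each separation whose
    access outlived its deadline. status is 'late' if access was removed
    after the deadline, 'open' if it is still active past the deadline.

    separations: list of (user, separated_on_iso, control_performer)
    access:      dict user -> removed_on_iso or None
    """
    today = date.fromisoformat(as_of)
    findings = []
    for user, separated_on, performer in separations:
        deadline = date.fromisoformat(removal_deadline(separated_on))
        removed_on = access.get(user)
        if removed_on is None:
            if today > deadline:
                findings.append((user, performer, deadline.isoformat(), "open"))
        elif date.fromisoformat(removed_on) > deadline:
            findings.append((user, performer, deadline.isoformat(), "late"))
    return findings


def findings_by_performer(findings):
    """Tally of untimely removals per control performer (recommendation 1-2
    asks management to hold performers accountable for timely completion)."""
    tally = {}
    for _user, performer, _deadline, _status in findings:
        tally[performer] = tally.get(performer, 0) + 1
    return tally


# Constructed sample data; users, teams and dates are hypothetical.
SEPARATIONS = [
    ("jdoe",   "2024-03-01", "team-a"),  # Friday  -> deadline Tue 2024-03-05
    ("asmith", "2024-03-04", "team-a"),  # Monday  -> deadline Wed 2024-03-06
    ("bwong",  "2024-03-05", "team-b"),  # Tuesday -> deadline Thu 2024-03-07
    ("ctran",  "2024-03-06", "team-b"),  # Wed     -> deadline Fri 2024-03-08
]
ACCESS = {
    "jdoe":   "2024-03-05",  # removed on the deadline: on time
    "asmith": "2024-03-08",  # removed two days late
    "bwong":  None,          # still active past the deadline
    "ctran":  None,          # deadline not yet passed as of 2024-03-08
}

if __name__ == "__main__":
    found = find_untimely_removals(SEPARATIONS, ACCESS, as_of="2024-03-08")
    for finding in found:
        print(*finding)
    print(findings_by_performer(found))
```

Run against the constructed data as of 2024-03-08, the check reports asmith as late and bwong as still open, and the per-performer tally is what the monitoring step in 1-2 would feed back to management; ctran is not flagged because the deadline has not yet passed.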

2-1 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service implement policies and controls for performing a user access review and recertification of AS Splunk Administrators supporting CAIA on a quarterly basis.

3-1 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service management implement proper segregation of duties to ensure that an independent review of all users' access is performed as part of the semi-annual PAM Mainframe privileged user access review.

3-2 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service management enforce accountability for individuals performing user access review control responsibilities in accordance with policies and procedures.

4-1 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service finalize policies and procedures for reviewing audit logs of production IBM Database 2 (DB2) servers.

4-2 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service implement an oversight process to ensure that designated Fiscal Service management: (1) reviews the security logs for the UNIX and DB2 servers hosting the PIR, JFICS, and SPS applications at the pre-defined frequency indicated in the BLSR; (2) formally documents completion of its reviews and any escalations to the Information System Security Officer (ISSO); and (3) retains the audit logs and the documentation of its reviews for 18 months, as the BLSR requires.

4-3 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service periodically review Fiscal Service management's implementation and operation of the security audit log review for the UNIX and DB2 servers hosting the PIR, JFICS, and SPS applications, to determine that management completes the reviews on the pre-defined schedule, documents completion of the reviews and any escalations, and retains that documentation.

4-4 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service establish an effective enforcement process or mechanism to ensure that (1) the UNIX and DB2 event logging and monitoring controls are followed, and (2) Fiscal Service management has confidence that it consistently reviews for potential unauthorized or inappropriate activity.

5-1 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service develop and implement documentation assigning responsibility for ensuring the adequacy of UNIX and database security and baseline settings.

5-2 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service update its existing UNIX and database configuration security baseline documents so that they fully incorporate and enforce the components of the DISA STIGs. Management should document any deviations from the STIGs and note the compensating controls that mitigate the security risk to an acceptable level.

5-3 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service develop, document, and implement policies, procedures, and controls to conduct periodic reviews of actual UNIX and database settings against the security configuration baselines.

5-4 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service provide logging and monitoring of security-related events, including retention of evidence of the reviews performed.

5-5 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service develop a baseline of essential security settings and specify that baseline as the standard to be observed.

5-6 | Significant: Yes | Questioned Costs: $0 | Funds for Better Use: $0

The IPA recommended that Fiscal Service implement corrective actions to address all vulnerabilities associated with baseline enforcement, including removing the three default user accounts on the UNIX servers.
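Recommendations 5-2 through 5-6 describe one control: a documented baseline of essential UNIX and database settings, periodic comparison of actual settings against it, documented deviations with compensating controls, and removal of default accounts the baseline prohibits. The script below is an added example for this page, not code from the OIG report or from Fiscal Service. Its baseline, deviation list, prohibited-account list and the sshd_config and passwd excerpts are all constructed for the demonstration; the settings are the kind of items a DISA STIG covers, but none of the keys, values or account names are quotations of any STIG or of Fiscal Service's environment.

```python
"""Baseline-versus-actual check for UNIX server settings and default accounts.

Added example for this page; not code from the report or from Fiscal Service.
The baseline, the documented deviations, the prohibited-account list and the
sshd_config/passwd excerpts are all constructed for the demonstration. The
settings are the kind of items a DISA STIG covers, but the keys, values and
account names here are illustrative and are not quotations of any STIG.
"""

# Constructed baseline of essential settings (the standard 5-5 calls for).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "ClientAliveInterval": "600",
}

# Constructed documented deviations: setting -> compensating control (5-2).
DEVIATIONS = {
    "PasswordAuthentication": "password auth reachable only via MFA bastion",
}

# Constructed list of default accounts the baseline says must be removed (5-6).
PROHIBITED_ACCOUNTS = {"games", "ftp", "lp"}

SSHD_CONFIG = """\
# constructed sshd_config excerpt
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
ClientAliveInterval 600
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
svc_db2:x:1001:1001:constructed DB2 service account:/home/svc_db2:/bin/bash
"""


def parse_keyword_config(text: str) -> dict:
    """Parse 'Keyword value' lines in sshd_config style, ignoring blank
    and comment lines. sshd uses the first value it sees for a keyword,
    so the first occurrence wins here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def compare_to_baseline(actual: dict, baseline: dict, deviations: dict) -> list:
    """Return (setting, expected, actual, status) for every baseline item
    not met. status: 'noncompliant', 'missing' (setting absent, so the
    daemon default applies), or 'deviation-documented' (mismatch covered
    by a recorded compensating control, still reported for the reviewer)."""
    findings = []
    for key, expected in baseline.items():
        got = actual.get(key)
        if got == expected:
            continue
        if key in deviations:
            findings.append((key, expected, got, "deviation-documented"))
        elif got is None:
            findings.append((key, expected, got, "missing"))
        else:
            findings.append((key, expected, got, "noncompliant"))
    return findings


def prohibited_accounts_present(passwd_text: str, prohibited: set) -> list:
    """Account names from passwd-format lines that appear in the prohibited set."""
    present = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name = line.split(":", 1)[0]
        if name in prohibited:
            present.append(name)
    return present


def run_check() -> dict:
    """Run both checks on the constructed inputs."""
    settings = compare_to_baseline(parse_keyword_config(SSHD_CONFIG), BASELINE, DEVIATIONS)
    accounts = prohibited_accounts_present(PASSWD, PROHIBITED_ACCOUNTS)
    return {"settings": settings, "accounts": accounts}


if __name__ == "__main__":
    result = run_check()
    for key, expected, got, status in result["settings"]:
        note = f" ({DEVIATIONS[key]})" if status == "deviation-documented" else ""
        print(f"{status}: {key} expected {expected!r}, found {got!r}{note}")
    for name in result["accounts"]:
        print(f"prohibited account present: {name}")
```

On the constructed inputs the check reports PermitRootLogin as noncompliant, PasswordAuthentication as a documented deviation with its compensating control, and the games and ftp accounts as present although the baseline prohibits them. A documented deviation is still listed rather than silently accepted, which is what lets a periodic review (5-3) confirm the compensating control is still in place; the output itself is the retained evidence 5-4 asks for.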
