GAO finds flaw in national debt electronic tracking system

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Somehow the national debt has managed to reach $28 trillion. But, where is it? It’s in a set of electronic schedules maintained by the Treasury Department’s Bureau of the Fiscal Service. In auditing the government’s financial statements for 2021, the Government Accountability Office found a flaw: a deficiency in the information system controls. With what it is...

READ MORE

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Somehow the national debt has managed to reach $28 trillion. But, where is it? It’s in a set of electronic schedules maintained by the Treasury Department’s Bureau of the Fiscal Service. In auditing the government’s financial statements for 2021, the Government Accountability Office found a flaw: a deficiency in the information system controls. With what it is and the implications, the Federal Drive with Tom Temin turned to the GAO’s director of financial management and assurance, Cheryl Clark.

Interview transcript:

Tom Temin: Ms. Clark. Good to have you on.

Cheryl Clark: Hi, thanks for having me.

Tom Temin: Let’s begin with what it is you actually were looking at because again, the GAO annually audits the financial statements of the entire federal government. And for that you have my undying gratitude and sympathy. But what do you look at at the Bureau of the Fiscal Service with respect to the national debt?

Cheryl Clark: Treasury borrows money to fund federal operations to the issuance of debt instruments, and Treasury relies on a number of interconnected financial management systems to process and track the money it borrows, to account for the securities it issues and to manage the federal debt. These systems are maintained and operated by Treasury’s Fiscal Service. And by the Federal Reserve Banks, which serve as the United States’ fiscal agents. The federal debt securities themselves primarily live in subsidiary systems that report federal debt-related transactions that feed into Fiscal Services’ general ledger. And the general ledger, which accounts for the federal debt and related interest expense is the primary source of information that is used by Fiscal Service to prepare the schedules of federal debt, which is the type of financial statements that GAO audits. So it comes in through Treasury through a bunch of interconnected systems and spits out into a nice one page schedule.

Tom Temin: So somewhere at the bottom of this, though, there is a electronic listing of the actual securities that Treasury has sold and to whom and when, etc, etc, correct?

Cheryl Clark: Yes.

Tom Temin: And do we know, just out of curiosity, is that like a blockchain, where all of these things live? Because I would imagine, they would really want those to be non-fungible,

Cheryl Clark: Yes, they live in several subsidiary systems that ultimately, again, like the actual dollar amounts from the debt feed into the general ledger.

Tom Temin: And your report found something, I guess you have reported that you’ve found repeatedly for several years, deficiencies in the information systems controls, and which systems have these deficiencies?

Cheryl Clark: So this, again, gets at the general ledger. And we have been reporting deficiencies for several years. And collectively, we think these deficiencies are significant. They fall into three main general control areas: security management, which are controls that provide a framework for security risk. And then there’s access control issues, and those controls, of course, limit access, or inappropriate access to the information. And the third area of general controls that’s a concern is configuration management. And those are controls that manage the hardware and the software in the systems. And the reason that these deficiencies are so significant is because they pose a risk to the integrity of the data. Someone could get in and access the data, modify it, disclose it, and a lot of it’s sensitive. And, you know, it also could lead to disruptions of critical operations. So these deficiencies are significant to financial reporting of the debt information.

Tom Temin: We’re speaking with Cheryl Clark, she is the director of financial management and assurance at the GAO. So for example, and I’m making this up and let it be known on the record, it’s my example not yours, but could for example, a Russian hacker get in there and say, well, let’s give ourselves a few hundred billion dollars of T bonds.

Cheryl Clark: Well, I would rather not speculate on what a hacker could do. But obviously, as I said, these weaknesses do increase the risk that someone could modify the data and disrupt operations. But I will point out that there are a number of controls in place, for example, the role of the Federal Reserve Banks, that the role that the banks play in issuing and redeeming securities, it helps mitigate the risk because there are reconciliations going on between the activities that the Federal Reserve banks are doing and then Fiscal Service. So there are some mitigating risks. We have not elevated this to the level of material weakness yet.

Tom Temin: Understood. So the fact that it’s distributed in the system itself for issuing these securities and recording them is a distributed one between the government and the Federal Reserve system helps mitigate the risk a little bit.

Cheryl Clark: Yes.

Tom Temin: All right. Well, you mentioned that this is a recurring deficiency that you find every year. What does the bureau say about it?

Cheryl Clark: Well, actually, we’ve had some positive discussions more recently with the bureau, they responded positively to our report. You know, year after year, we’ve seen progress. And that progress has resulted in incremental improvements. However, resolving this deficiency is going to require a sustained focus and a commitment. But Fiscal Service seems to understand the significance of the issues and has come up with some corrective action plans, which we will be looking at during our fiscal year 22 audit, which we’ve just started, and hopefully those corrective action plans will be specific and get at the root cause of the issues.

Tom Temin: When it gets to the issue of configuration management, I guess at some point, there is commercial software, as part of the components here. It seems like the Cybersecurity and Infrastructure Security Agency over at DHS (Department of Homeland Security) could maybe help them out here. Did that come up?

Cheryl Clark: No, no, that hasn’t come up.

Tom Temin: Well, now it will, because everyone’s gonna hear this. And the access control issues that relates to what who, in the Bureau of the Fiscal Service, or I guess, in the Treasury Department has authorized access to the system? I imagine that something they need to really guard carefully.

Cheryl Clark: Yes, I mean, who has access to the system varies, of course, depending on the system and the business processes that the system is supporting, for example, access to Fiscal Services’ general ledger system is limited, generally to Fiscal Service and the Federal Reserve bank employees who have to enter data, post data and do reconciliations. But yes, access controls are really important to limit or even to detect inappropriate access.

Tom Temin: In some ways, these systems in terms of the sensitivity and access requirements seem similar to the IRS systems about taxpayers. Is that a fair analogy?

Cheryl Clark: Oh, yes, I think I would think that is similar.

Tom Temin: Yeah, a different function. But nevertheless, there has to be only authorized access, and then the disclosure, then would be a bad result of the wrong person accessing it for the wrong reason. But that be accurate to say also?

Cheryl Clark:
Yes, that’s right. Because this is sensitive data sensitive programs, and general controls, access being one of the general controls are important and making sure that the financial systems operate properly and are secure.

Tom Temin: All right, so who is the belly button to push here, then? Is it the technical staff at the Bureau of the Fiscal Service? Does it rise to the Treasury CIO level? Or who do you think needs to really own this and get it fixed once and for all?

Cheryl Clark: That’s a good question. In the past year, in fiscal year 21, a positive move is Fiscal Service established a committee of senior executives who are responsible for overseeing the remediation of these weaknesses. I mean, ultimately, Fiscal Service is responsible for resolving the deficiency. But to do that, it’s going to require successful coordination among a number of Fiscal Service organizational units and officials. You know, this is not a one time fix, it’s going to require a sustained effort to fully remediate these weaknesses. And again, in response to our reports, Fiscal Service acknowledged the need for consistent management commitment to address these weaknesses. I mean, they’re long standing weaknesses that are very complex, they affect multiple financial systems. And it’s going to take some time, resources and expertise to fully remediate these weaknesses.

I mean, one of the things that we emphasize the Fiscal Service is the committee’s role that they just established the committee’s role is very important, but they need to make sure that the committee has the right technical expertise to oversee and to question and to evaluate these corrective actions. And that’s going to be essential to addressing the weaknesses.

Tom Temin: Cheryl Clark is director of financial management and assurance at the Government Accountability Office. Thanks so much.

Cheryl Clark: Oh, you’re welcome.

Related Stories