Coast Guard has IT internal control problems, audit says

The Coast Guard performed slightly better in its fiscal 2009 audit of IT controls, but an audit still found problems.

The deficiencies included gaps in security management, access controls and configuration management.

Weaknesses in the Coast Guard’s information technology system configurations and security contributed to a Homeland Security Department-level material weakness in IT controls, according to a new audit.

DHS Assistant Inspector General Frank Deffer released the IT Management Letter for the Coast Guard on April 30. The letter was authored by the accounting firm KPMG LLP as part of an audit of the guard's parent department, DHS, in fiscal 2009.

Despite the improvements to the Coast Guard’s finances and account management controls, and completion of certification and accreditation for its core financial systems, the audit identified 20 IT deficiencies, of which 11 were new findings and nine were repeat weaknesses.


Related story:

Auditors: Coast Guard, FEMA weak on controls


“These IT control deficiencies limited Coast Guard’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability,” KPMG wrote. “In addition, these deficiencies negatively impacted the internal controls over Coast Guard financial reporting and its operation and we consider them to contribute to a material weakness at the department level.”

The audit also noted that the Coast Guard does not fully comply with the requirements of Federal Financial Management Improvement Act.

The problems included inadequately designed procedures for changes to IT applications, unverified access controls, weaknesses in civilian and contractor background investigations, a lack of physical security and security awareness, and gaps in role-based training for managers.

“These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and Coast Guard financial data could be exploited thereby compromising the integrity of financial data used by management and reported in the DHS consolidated financial statements,” the audit states.

Coast Guard officials agreed with the findings and recommendations.

The fiscal 2009 audit showed an improvement over the Coast Guard’s fiscal 2008 audit that revealed 22 IT-related deficiencies, of which 21 were new findings.