Configuration management still challenges Coast Guard financial systems management


The Coast Guard continued to have poorly designed and operated script change control policies over its core general ledger software during the last fiscal year, although those practices are improving, say auditors in an annual assessment of Coast Guard financial systems.

The audit (.pdf), conducted by KPMG for the Homeland Security Department office of inspector general, says the Coast Guard has taken corrective action to address prior year IT control weaknesses. Auditors say they found 21 weaknesses during fiscal 2012 that limited the service's ability to assure the confidentiality, integrity and availability of its financial systems. Fourteen were repeats, five were new, and two were resolved during fiscal 2012.

A persistent systemic condition has been the script process the Coast Guard uses to update its core general ledger software, which is so old that it's no longer supported by the vendor that designed it, making script changes necessary to its continued existence. Past financial system audits have noted a lack of consistent testing requirements or prior approval for deploying script updates, as well as a lack of documentation.

Among auditors' fiscal 2012 recommendations are that employees be trained in script testing procedures and that configuration management procedures be updated to ensure that IT workers obtain all proper reviews and approvals before implementing a change, suggesting that some prior year problems persist. But although script change control continues to be done "poorly," auditors say policies and procedures are "significantly improving."

Other problems noted by auditors involve access controls, since some user roles were changed without required approval, and access control recertification, since some key applications don't include a review that would ensure that former employees no longer have active accounts. Duties also aren't segregated properly, auditors say, since the systems administrator and database administrator of one system can perform each other's duties.

For more:
- download the report, OIG-13-63 (.pdf)
