Department of Health and Human Services

Office of Inspector General -- AUDIT

"Report on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness for the Division of Computer Research and Technology, National Institutes of Health" (A-17-97-00013)

January 30, 1998


The complete text of the report is available in PDF format (3.2 MB). Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

EXECUTIVE SUMMARY:

The Department of Health and Human Services (HHS) Division of Computer Research and Technology (DCRT) provides a variety of data processing services on a fee-for-service basis to the National Institutes of Health and other HHS agencies. Ernst & Young (E&Y), certified public accountants, under contract with the HHS Office of Inspector General, reviewed DCRT's policies and procedures to determine whether: (1) the description of DCRT policies and procedures presents fairly, in all material respects, the aspects of DCRT's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures were suitably designed to achieve the control objectives specified in the descriptions, and (3) such policies and procedures had been placed in operation as of September 30, 1997.

E&Y determined that DCRT is not able to control monitoring and administration of computer machine room access privileges. As a result, the policies and procedures were not suitably designed to achieve the control objective that states, "Control structure policies and procedures provide reasonable assurance that physical access to the computer center and other sensitive areas, and operations of the computer and related processing equipment is restricted to appropriately authorized individuals."

E&Y concluded that the description of DCRT operations presents fairly, in all material respects, the relevant aspects of DCRT's policies and procedures placed in operation as of September 30, 1997. Also, E&Y concluded that the control structure policies and procedures, except for the matters described in the preceding paragraph, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved. Lastly, E&Y concluded that the control policies and procedures tested were operating with sufficient effectiveness, except for the matters described in the second paragraph above, to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the specified period.