REPORT OF AUDIT OF THE OFFICE OF DATA PROCESSING AS OF 30 JUNE 1978
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP81-00142R000100030003-8
Release Decision:
RIPPUB
Original Classification:
S
Document Page Count:
26
Document Creation Date:
December 9, 2016
Document Release Date:
July 23, 2001
Sequence Number:
3
Case Number:
Publication Date:
October 24, 1978
Content Type:
MF
File:
Attachment | Size |
---|---|
CIA-RDP81-00142R000100030003-8.pdf | 1.09 MB |
Body:
Approved For Release 2001/08/14 : CIA-RDP81-00142R000100030003-8
MEMORANDUM FOR: Chief, Audit Staff, OIG
FROM: Thomas B. Yale
Director of Finance
24 OCT 1978
SUBJECT: Report of Audit of the Office of Data Processing
as of 30 June 1978
1. The position of the Office of Finance is not to adopt the audit
recommendation as stated in paragraphs 33, 34, and 35 of subject audit
report. Our position is based on the propriety of obligations as they
relate to the establishment of liabilities that far exceed authorized
budgets. Inasmuch as this Agency's appropriation is governed by one
year money we feel the establishment of liabilities covering in some
instances contracts encompassing a period of six years is not sound.
The wording used, within the contracts in question, Alternate Purchase Plans
(APP) further draws attention to the questionable propriety. These contracts
are written giving the Agency many escapes with wording such as "No funds are
currently legally obligated." "....subject to the availability funds....,"
"No legal liability on the part of the Government for payment of any money
in excess of that amount currently obligated shall arise unless and until
funds are made available to the contracting officer...." It should be
noted, we have no problem with the implied ownership and in fact the APP
contracts acknowledge that throughout the period of the agreements or until
all equipment is returned all risk and cost of ownership shall be on the
Agency. The very words "or until all equipment is returned" implies ownership
remains with the vendor until we have paid in full. What we do fail
to see is how the adoption of the audit recommendation strengthens the
Agency financial picture or in fact provides better property accountability
controls. As a matter of interest we have checked with our counterparts
in other agencies to determine how they treat such contracts. Each advised
they do not capitalize assets and establish liabilities when they implement
similar contracts. Air Force, for example, uses one year O&M money and they
too feel that to set up liabilities extending beyond authorized obligation
authorities is suspect.
2. The GAO report "Accounting for Automatic Data Processing Costs
Needs Improvement," B-115369 dated 7 February 1978, acknowledges that the
reason for capitalizing the purchase price of Automatic Data Processing
Equipment is for cost accounting. In that report the GAO
accepts the fact that most agencies do not have cost accounting systems
and are not ready for the implementation of the requirement for
capitalization of ADP equipment.
Distribution:
Orig & 1 - Addressee
DDA
1 D/F 1 - ODP
1 - Reg.
2 - P&SSIFIChrono)
OF/P&SS/AC:tjo (24 Oct.
Thomas B. Yale
Distribution:
Orig-RS - D/ODP w/cy of 8 Sep 78 memo to Finance
T - DIE w/atts
1 - AD/Log w/atts
Subj Watts
Atts:ivloe+-1
iiiiri:14A&216tARYE1/3141:GCf4-613ki-MNiRolibqiig3g031-Igi t of 0 DP as of
Memo dtd 8 Sep 78 to D/ODP via IG fr C/AS, same subj (ODA 78-3584)
8 SEP 1978
MEMORANDUM FOR: Director of Finance
THROUGH : Inspector General
25X1A FROM : Chief, Audit Staff, OIG
SUBJECT : Report of Audit of the Office of
Data Processing as of 30 June 1978 (S)
1. (U) Paragraph 3 below contains a request for your
action.
2. (U) The following paragraphs are extracted from
subject Report of Audit:
'Agency Assets and Liabilities Understated
33. (S) The general ledger account 1723, Property in
Use-Other, values ODP property at $108 million. However, the
eventual total cost of owned equipment currently in the two
25X1A computer centers will be million. The discrepancy between
the actual value of owned equipment and the amount currently
shown in the general ledgers is due to the current policy of
not recording the cost of equipment until it is completely
paid for.
25X1A
34. (S) The Agency has alternate annual payment contracts
with the International Business Machines Corporation (IBM),
and several third party leasing firms for
the purchase of seven large computer systems. These contracts
25X1A total million and are to be paid over a multi-year
25X1A period. To date million has been paid on these
contracts.
35. (S) Whether these contracts are viewed as a lease
with intent to purchase or as an outright purchase with time
payments they should be recorded in the accounting system. The
General Accounting Office's 'Policy And Procedures Manual For
Guidance to Federal Agencies Title II Accounting' (August
1972), gives the following guidelines for property acquired
under lease-purchase arrangements:
E2 IMPDET
CL BY 010572
'The total cost shall be capitalized when the property
is accepted from the contractor or when the option to
purchase equipment is exercised, rather than period-
ically as payments are made or when title passes to
the Government'.
'The cost of property acquired under lease-purchase
contracts, which in substance represent installment
purchasing, should include the purchase price under
the contracts and related costs incurred by the
Government'.
'The purchase price included in lease-purchase contracts
for property, which are in substance installment
purchases..., shall be recorded as a liability when the
property is accepted from the contractor or when the
option to purchase equipment is exercised. Such a
liability shall be reduced by periodic payments.'
We believe for alternate annual payment contracts the option
to purchase has been exercised at contract signing even though
payments are spread out over a period of time. In a separate
memorandum to the Director of Finance, we are requesting
action to record the purchase price of the contracts discussed
above for million in the appropriate general ledger
account to capitalize the assets. The remaining liability of
million due the contractors should also be recorded in
an appropriate general ledger account.'
3. (U) We request that action be taken to record the
assets and liabilities as discussed in paragraph 2 above.
Please advise the undersigned of action taken on this matter.
Distribution:
Orig 1 - D/Fin
DDA
- D/ODP
8 SEP 1978
MEMORANDUM FOR: Director, Office of Data Processing
THROUGH : Inspector General
25X1A FROM : Chief, Audit Staff
SUBJECT : Report of Audit of Office of Data Processing
as of 30 June 1978 (S)
1. (U) Subject report is attached. Please advise
this office of action taken on the recommendations contained
in the report.
2. (U) We appreciate the cooperation extended to
the auditors during the audit.
25X1A
Attachment
Distribution:
Orig. - D/ODP
1 - DDA
1 - O/Compt
1 - OIG
REPORT OF AUDIT
Office of Data Processing
as of 30 June 1978
SUMMARY
1. (A/IUO) The Office of Data Processing (ODP) generally
is carrying out its assigned tasks and utilizing resources in
an effective manner. Financial controls and procedures are
generally effective and in compliance with applicable
regulations. Since the last audit, ODP has developed computer
systems which are better designed and more efficient to
operate and maintain. User involvement has increased but has
been neither uniform nor complete for all systems under
development. We believe all major user offices should strive
for ADP skills improvement and more participation with ODP in
systems development for their offices. This report includes
comments with recommendations where appropriate, concerning
the following:
- policy for minicomputers
- development of a written disaster recovery
plan for the computer centers
- storage of system software backup tapes and
critical data bases at an offsite location
- strengthening existing and developing new
technical security controls for several
problem areas
- employment of a full-time administrative
assistant in the ODP Security Office
- sanitizing 'scratch' tapes in the Special
Center
- reduction in frequency of tape library
inventories
- weaknesses in access procedures for the
Ruffing Computer Center
- provision for more stringent controls over
storage and distribution of users' computer
outputs
- monitoring terminal usage
- strengthening of controls in GIMS II data
bases
- improvement in methods for recording time
purchased hardware and establishing cost
for systems development
- strengthening of property controls and
procedures.
SCOPE
2. (A/IUO) The audit was conducted under the authority of
and included a review of procedures and controls
exercised by ODP in the administration of its share of Agency
resources. The audit concentrated on:
- financial controls and procedures
- logistical controls and procedures
- administration of project development
by Applications and Special Projects
Staff
- review of missions and procedures of
the Ruffing and Special Computer Centers
- review of security procedures used in ODP
- policy on minicomputers.
GENERAL
3. (S) ODP provides centralized computer services to all
components of the Agency. They operate two major computer
centers: the Ruffing Center which serves most general users,
and the Special Center which serves only the Operations
Directorate and COMIREX Automated Management System (CAMS)
users. These centers combined own equipment valued at
25X1A approximately million and lease equipment valued in the
millions. The Office reviews and coordinates user offices'
proposals for acquisitions of any computer equipment,
software, and other services. ODP has an authorized personnel
25X9 ceiling of to accomplish its mission.
25X1A 4. (S) ODP's operating budget for Fiscal Year 1978 is
summarized as follows:
DETAILED COMMENTS
Minicomputer Policy
5. (A/IUO) In January 1978 ODP formulated its policy for
minicomputer use in ODP and, to the extent ODP can impact on
it, in the Agency. ODP estimates the number of minicomputer
applications is growing at a rate of 30% per year.
6. (A/IUO) In a 15 July 1977 paper to the Executive
Advisory Group (EAG) titled 'Response to Key ADP Issue #3'
dealing with the question of centralized versus decentralized
computer facilities ODP identified the following advantages
which make a decentralized approach attractive:
- lower software development cost
if applications software already
exists and is available from
the equipment vendor
- data privacy for sensitive applications
- faster response and possibly
better availability and reliability.
7. (A/IUO) Data processing users have recognized these
benefits and are seeking their own minicomputer facilities for
a variety of applications. This decentralization of computer
resources continues with limited Agency-wide coordination and
planning. Such an approach risks failure to apply Agency ADP
resources efficiently, tolerating inconsistent work standards
and quality control, complicating training and maintenance
requirements and reducing the interchangeability of
applications between processors.
8. (A/IUO) ODP recognizes this lack of central
comprehensive planning and has previously recommended to the
EAG that ODP serve as the Agency's central source of technical
support and guidance for the selection and maintenance of a
standard minicomputer. ODP has formulated an office policy
consistent with this recommendation to:
- implement and support standard
minicomputer hardware and
software
- use Agency standard terminals
in the minicomputer system
configurations
- provide for minicomputers in their
budget (Customers may be required
to provide their own machine room
or operators or personnel slots
for ODP operators.).
9. (A/IUO) Concurrent with the expansion of minicomputer
capability ODP Management Staff plans to develop costs of
batch and interactive central system service for use in
comparing cost of ODP central service versus the cost of
acquiring and operating an individual minicomputer in meeting
the demands of a particular proposed application.
10. (C) The ODP GIMINI Project is an attempt to identify
minicomputer hardware and operating systems which can support
GIMS II, the Agency's data base management system for large
data bases. ODP plans to allow users with sensitive
applications, extremely high needs for data privacy or
response time/availability concerns to isolate their data base
on a minicomputer system rather than use the common direct
access storage the general GIMS user is provided. The same
GIMS software could be run on both the large central computer
and the minicomputer, thus easing transferability of
applications. ODP presently favors acquiring minicomputers
with operating systems compatible with System 370 to avoid the
need for extensive conversion of the minicomputer's operating
system to accommodate GIMS.
11. (C) ODP currently has 13 minicomputers: two for
message switching, one for the GIMINI project, one for the
CAPER applications and Hospitalization/Insurance, and nine for
use in the TAD System. ODP requested authority to procure
three minicomputers of a standard design in their FY80 budget.
This hardware was to be assigned to users applications where
the cost was justified. The intent was to then maintain one
standard design minicomputer for the development of the next
system and maintenance of the current system. The procurement
authority requested was rejected in the budget process. This
action, along with the rejection of two FY80 personnel slots
ODP has requested to develop and maintain these minicomputers
has in effect stalled ODP's plans. We believe ODP developed
their plans and policies in a reasonable and responsible
manner. We fully concur with ODP's position on this matter
and their recognition of the need for centralized planning and
control of the proliferation of minicomputer systems within
the Agency. The importance of an Agency approach to
controlled growth of minicomputers is most important in the
efficient and effective management of these vital resources.
12. (A/IUO) The Deputy Director of Central Intelligence
(DDCI) in a memorandum dated 26 July 1978, to Executive
Advisory Group (EAG) members set forth Agency policy with
respect to continuing EAG involvement in the management of
Agency ADP resources. This memorandum provides for EAG to, in
conjunction with its review of the Agency's Program Plan each
year, specifically focus attention on the proposed functional
uses of ADP and on major ADP investments. We believe ODP's
plan for an Agency minicomputer policy is of such timeliness
and importance that it should be considered by the EAG.
RECOMMENDATION #1: Present ODP's minicomputer
support plan to the EAG for its consideration
within the framework of the annual review as
directed in the DDCI memorandum cited above.
Provisions for a Disaster Plan
13. (A/IUO) The purpose of a disaster plan is to minimize
the magnitude of service interruption in an emergency
situation. Currently ODP does not have a written or tested
disaster plan. Engineering Division has the general
responsibility for recovering from a disaster. This is
primarily a technical approach i.e. replacement of hardware,
cables, and physical plant. The area that requires extensive
attention is the identification of applications critical to
the Agency's missions. Areas such as alternatives to
processing by computer and what can be run on non-Agency
computers should be investigated.
14. (A/IUO) The complete spectrum of ADP requirements
needs to be reviewed and prioritized. The results should then
be matched against the Agency's capability to provide these
services in the event of a disaster to one or both computer
centers. Alternative processing sites should be identified
and the entire disaster recovery plan should be maintained in
a current status and tested periodically to validate its
effectiveness.
RECOMMENDATION #2: Review and prioritize the
Agency's emergency ADP requirements and develop
a written disaster recovery plan that adequately
provides support in the event of a disaster.
Also provide for current maintenance and periodic
testing of the plan after development.
Offsite Storage Requirement
15. (S) Backup copies of ODP system software and critical
data bases i.e. CAMS are not stored at an offsite location.
One can reason that equipment can be eventually replaced but
system software and databases that are destroyed without
backup provisions could be lost forever. Storing both the
working and backup copies in the same area does not provide
adequate safeguards against potential catastrophe. The most
common measure taken to provide records backup is to store
copies in an offsite location.
16. (S) Once the backup program is established, it is
essential to maintain and test it. Having a test team solve
actual operational problems using the stored vital records
will assure management the program does work.
RECOMMENDATION #3: Store system software backup
tapes and copies of critical data bases in the
and/or exchange
between the two computer centers. The
stored backup records and programs should also be
currently maintained and periodically tested to
determine their operational readiness.
Technical Security
17. (S) ODP has identified a list of potential security
problems with a majority of these items still unresolved. A
partial listing of these items is:
- a 'Who are You' identification code to
determine if proper authorization has
been obtained before allowing access to
data on VM, GIMS, and COMTEN
- 2 Tapes (other government agency tapes) are
released without controls to assure that the
receiving person is authorized to receive
the tape and that the tape does not contain
data other than the users
- residual data remains on disk data sets when
released thereby becoming accessible to the
next user
- unauthorized users can, by learning data set
names, access data sets other than their own
- no controls over Systems and Applications
programmers to prevent fraudulent or other
misuses of systems and data bases
- listings containing systems dumps are removed
from the computer center without a formal
determination being made of the classification
of the data listed
- no audit trails of abortive attempts to link
to M-Disk or logon (sic) the systems
- inadequate security control over the printing of
classified data on remote printers in customers
locations.
18. (A/IUO) Also, there are some other areas where
internal controls need to be strengthened:
- during the evening shift in the Special Center
and the weekend shifts in the Ruffing Center
the computer operators have access to the tape
library and can remove and use tapes without
recording their use
- no scheduled rotational/segregated duties
exist in the centers i.e. operators are
used as library and point workers during
the same shift
- when systems and applications software is
modified there is little detailed documentation
of the steps used during testing and/or the
authorization for the changes; additionally
there is no documented evaluation of the
potential side effects of the changes on
the operating environment
- there is inadequate compliance with the
procedures for security classification
labelling on data outputs from VM and
Batch.
Because of the sensitive nature of the data processed in the
Agency, stringent security controls are essential. These
controls, if they are to be effective, may be difficult to
implement and prove to be encumbering to those who must work
within them.
19. (U) There are several alternatives to be considered
in strengthening controls in the areas mentioned. They range
from accelerated polygraphing of key personnel to a thorough
and effective control package which may be operationally
restrictive. The ODP security officer should address the
security implications in these areas and determine if there is
a threat. If, after evaluation, the need is apparent ODP and
the Office of Security (OS) should concentrate the required
resources to bring these areas under better control.
RECOMMENDATION #4: Determine methods for better
controls in the areas mentioned. Coordinate
this study with the Office of Security.
20. (C) ODP and the Office of Security in May 1977
established an ODP/OS Working Group to identify, oversee, and
provide recommendations to resolve these technical security
risks. However, these problems still persist partly because
there isn't a full-time team or individual to actively pursue
and resolve these identified areas.
21. (C) The current ODP Security Officer (SO) is
principally involved with day to day administrative
requirements, i.e. obtaining access indicators to the computer
centers and initializing ODP related security clearances. This
leaves little time for technical security problems.
22. (C) ODP stated during the previous audit that they
were in the process of obtaining a full-time technical SO.
This has not been accomplished. The justifications given were
increases in:
- ODP personnel and applications
- project sensitivity
- complexity of the operating environment
- compartmentation.
The obtaining of this SO was resubmitted for the FY80 budget.
This slot was rejected as part of the budget process. The
current SO has a part-time ODP administrative assistant to
handle some of the paperwork. Converting this part-time
position to full-time would allow the SO to devote more of his
efforts to technically related computer security problems.
RECOMMENDATION #5: Consider converting the current
part-time administrative assistant to a full-time
position. In addition, formally request technical
security assistance from the Office of Security to
assure proper attention to these technical security
problems.
Release of Scratch Tapes
23. (S) Currently Special Center magnetic tapes released
to 'scratch' status (tapes made available to another user),
are not sanitized. The data left on the tapes by the previous
user is potentially available to the next person using that
tape. In the Ruffing Center 'scratch' tapes are sanitized via
the Data Erase process. Data Erase tapes do not have to be
reinitialized (internal labeling) which requires computer
operator assistance. The Data Erase process reduces the
possibility of exposure of data to unauthorized users. It
takes approximately two to three minutes to Data Erase one
tape. The Ruffing Center is on the Tape Management System
which effectively identifies the magnetic tapes to be Data
Erased. The Special Center tape library will soon be
completely converted to the Tape Management System (TMS).
With TMS regulating the flow of tapes to be 'scratched' and
the relatively short time it takes to Data Erase, the
disruption of the library's operating routine should be
minimal.
RECOMMENDATION #6: Use Data Erase to sanitize all
magnetic tapes that are to be used as 'scratch'
tapes in the Special Center.
Inventory of Tape Library
24. (A/IUO) A 100% inventory is done every three months
in the Ruffing Center and every two months in the Special
Center. Because both centers have exceptional records of
resolving all discrepancies that do rarely occur we suggested
that a semi-annual inventory would be adequate for both tape
libraries. This would each year save approximately 200 hours
of overtime paid to the inventory participants. It was also
suggested that all participants and the center manager sign
the inventory memo to add credibility to this document. During
the non-inventory months the librarian should continue
identifying overdue tapes for ODP Security Officer
intervention. Both centers have agreed to implement the above
procedures.
Access to Computer Centers
25. (A/IUO) ODP recently obtained additional Headquarters
space for the planned collocation of the 'points' (user pickup
and servicing areas). Estimates for the date of the
relocation ranged from late FY79 through FY81 to not at all.
The recommendations in the next three paragraphs are intended
for interim action until the final location and configuration
of the 'point' has been determined.
26. During our review of the centers we observed a
large number of personnel entering the Ruffing Center. The
number of non-Ruffing Center personnel with 'E' access
indicators seems to be excessive. ('E' indicators are for the
Ruffing Center and 'B' indicators are for the Special Center).
The current practice of granting access by component rather
than by individual's daily need is questionable. Both computer
centers' managers stated that they have begun reviewing the
individuals' requirements for access. The Special Center has,
by their review, identified people who no longer need
automatic access, of which have already had their
indicators removed. The Ruffing Center should identify those
who no longer need automatic access and submit their names to
the ODP Security Officer for removal of their 'E' indicators.
Personnel with infrequent need can use a no escort badge,
effectively reducing the amount of casual traffic in the
center.
RECOMMENDATION #7: Continue to review the need
for 'E' Ruffing Center access indicators for non-center
personnel and expand the usage of no escort
badges for infrequent users.
27. (C) Access to the Ruffing Center is monitored by the
person manning the tape reception area. This individual has
other duties which make it difficult to visually monitor the
doors at all times. To improve the situation ODP has
rearranged the furniture to block the direct path to the
computer room. This is a step in the right direction but an
enhancement to this control is to install a remotely activated
gate. This gate would require individuals entering to be
visually observed and their need for access established. Once
admitted past the gate they would have access to the work area
of the 'point', library and computer room. This would permit
the center's personnel to do their job without exiting the
controlled area.
RECOMMENDATION #8: Install a remotely controlled
access gate in the Ruffing Center 'point' area to
limit unchallenged entry to the computer room.
28. (C) ODP is in the process of investigating different
devices to provide a secure user pickup and data control. The
leading candidate thus far is a badge operated mailbox system.
The coded Agency badges would restrict an individual's access
to predetermined mailboxes. However, this secure mailbox
system is not planned for implementation until the new 'point'
has been ated. Currently ODP is using as a control tear off
sheets for each user's listing. The user supposedly signs them
when he picks up his output. The 'point' personnel have no
knowledge of who is authorized to receive particular outputs
or even if the tear off sheets were signed by the user. Any
badged personnel can ask for listings from almost any output
bin and receive them regardless of whether he has the
authorization to receive such information. The Ruffing Center
typically collects one box of tear off sheets each day and
then forwards these sheets to for storage in archives.
The intended purpose of having the tear off sheets was to
control who picks up the output by having an ODP operator
confirm that each listing is signed for. Due to the volume
plus the operator's regular duties this has not been
effectively or efficiently done. To date there have been no
requests from the users to recall any of these sheets to
determine who received a listing.
RECOMMENDATION #9: Establish more stringent
controls over users receipt of data from the
'point' in the Ruffing Center.
Monitoring Terminal Usage
29. (A/IUO) We observed that some users were signing on
to terminals but were not using them for periods of over a
half hour. This inefficient usage could prevent other users
from accessing the systems due to the limited number of
terminals which can be signed on simultaneously. Allowing a
terminal to be signed on but not in use could be a security
risk, potentially permitting unauthorized users access to the
systems.
30. (A/IUO) Engineering Division (ED) prepares a computer
generated report of terminal usage, primarily used to optimize
the system configuration. ED can provide these reports to
determine which terminals are not effectively being used. We
provided the ODP Security Officer with this information.
RECOMMENDATION #10: Provide terminal usage
reports to appropriate ODP management personnel
for monitoring efficiency and security
of terminal usage.
Improved Controls in GIMS-II Data Bases
31. (A/IUO) In one instance we found an inadequately
tested change to a GIMS-II production data base causing loss
of data integrity. In an attempt to prevent another occurrence
of the problem we discussed with appropriate ODP personnel the
need for user approval of system changes to assure data base
integrity.
32. (A/IUO) ODP Data Access Center (DAC) personnel are
now in the process of establishing procedures to control
changes to GIMS-II production data bases. Included in these
procedures will be requirements for:
- testing or reviewing test results by the users'
Data Base Manager
- written notification from the ODP Application's
Project Manager to the DAC of any change to the
GINS-Il production data base'
- written document from the DAC to the user and the
Application's Project Manager when the change
is installed
- documentation of all changes catalogued in the
Central Library of Production Division
- documentation of emergency changes within 48 hours.
These procedures will also help avoid unapproved changes and
make the customer more cognizant of the impact of changes on
the system. ODP can continue their efforts to assure data and
processing integrity in all systems they develop or maintain
by strictly enforcing these procedures.
RECOMMENDATION #11: Complete development
and implement procedures to control systems
changes.
Agency Assets and Liabilities Understated
33. (S) The general ledger account 1723, Property in
Use-Other, values ODP property at [25X1A] million. However, the
eventual total cost of owned equipment currently in the two
computer centers will be [25X1A] million. The discrepancy between
the actual value of owned equipment and the amount currently
shown in the general ledgers is due to the current policy of
not recording the cost of equipment until it is completely
paid for.
25X1A
34. (S) The Agency has alternate annual payment contracts
with the International Business Machines Corporation (IBM),
and several third party leasing firms for
the purchase of seven large computer systems. These contracts
total [25X1A] million and are to be paid over a multi-year
period. To date [25X1A] million has been paid on these
contracts.
35. (S) Whether these contracts are viewed as a lease
with intent to purchase or as an outright purchase with time
payments they should be recorded in the accounting system. The
General Accounting Office's 'Policy And Procedures Manual For
Guidance to Federal Agencies Title II Accounting' (August
1972), gives the following guidelines for property acquired
under lease-purchase arrangements:
'The total cost shall be capitalized when the property
is accepted from the contractor or when the option to
purchase equipment is exercised, rather than period-
ically as payments are made or when title passes to
the Government'.
'The cost of property acquired under lease-purchase
contracts, which in substance represent installment
purchasing, should include the purchase price under
the contracts and related costs incurred by the
Government'.
'The purchase price included in lease-purchase contracts
for property, which are in substance installment
purchases..., shall be recorded as a liability when the
property is accepted from the contractor or when the
option to purchase equipment is exercised. Such a
liability shall be reduced by periodic payments.'
We believe for alternate annual payment contracts the option
to purchase has been exercised at contract signing even though
payments are spread out over a period of time. In a separate
memorandum to the Director of Finance, we are requesting
action to record the purchase price of the contracts discussed
above for [25X1A] million in the appropriate general ledger
account to capitalize the assets. The remaining liability of
[25X1A] million due the contractors should also be recorded in
an appropriate general ledger account.
Identify ADP Service and System Development Costs
36. (U) There is increasing Office of Management and
Budget (OMB) and Congressional interest in the management and
use of ADP resources. A recent report to the Congress by the
Comptroller General, 'Accounting for Automatic Data Processing
Costs Needs Improvement' (February 1978), states:
'It is essential to keep costs accurately for data
processing systems and organizations, as in any
other department. Reliable cost data is practically
indispensable in making sound decisions on whether
to get needed services through procurement from
commercial sources or to perform them in-house.'
The report goes on to explain the benefits of cost data:
'With good cost accounting and reporting, management
can have complete and consistent cost information
quickly and economically. This should enable them
to:
- compare costs among organizations, activities,
operations, and projects;
- make informed investment decisions by:
(1) estimates of the cost of implementing
proposals for new systems and facilities,
(2) preparation of cost-benefit analysis, and
(3) cost comparisons with commercial and other
alternatives;
- establish the cost of work done and measure
productivity;
- measure the cost of performance of responsible
officials;
- make end users and top management conscious of
the cost of data processing systems and
services;
- provide the accounting basis for proper
charging of appropriation, allotment, and
program accounts as well as the billing for
intra- and interagency services; and
- provide the accounting basis for budget
justifications and reports to Congress, OMB,
GSA, and the public on the cost, custody,
and use of the automatic data processing
resources entrusted to them.'
37. (U) ODP provides a complete range of data processing
services, from helping users collect requirements to
processing and maintaining applications after implementation.
ODP distributes the Project Activity Report (PAR) to inform
customer management of the value of services used each month.
The value or cost of ADP services allocated to a project is
based on computer usage and ODP man-hours. This report is
also used by ODP management to respond to requests from the
EAG, OMB, and other oversight committees. Knowing the value
of ODP services is of interest to users who track and control
the growth of their use of ADP resources. But the PAR is
misleading when used to report project costs to the OMB or
congressional committees. Computer usage costs are calculated
using 1972 unit cost statistics. Also, the customer's
man-hour and some contractor costs are not included in project
costs.
38. (U) A recent GAO publication, 'Illustrative
Accounting Procedures for Federal Agencies' (1978), recommends
the capitalization of major ADP systems and applications
systems whose acquisition or development costs in excess of
$100,000. The acquisition or development costs should
include:
- The price of purchased software and the estimated
useful value of software obtained by other means,
including the cost for preoperation modifications,
conversions, testing, and documentation.
- Salaries and benefits for agency staff and
compensation of contractors and other Government
personnel for developing new software and modify-
ing software obtained through other means. This
would include expenses for analysis, design,
programming, documentation, testing, and conversion.
It would also include expenses for preparing the
computer operating instructions, user procedures
manual and other documentation.
- Computer operating costs for testing, debugging,
and parallel processing.
39. (U) This same GAO report published the results of a
survey of 26 Federal organizations providing data processing
services. Twelve of the 26 capitalized their hardware, and
ten of these capitalized their owned operating software. None
of the organizations surveyed capitalized their owned
applications software.
40. (S) During 1977 ODP presented 21 major application
systems to the EAG for review. ODP estimated development and
operating costs for these systems would consume over $42
million in ODP resources. These estimates do not identify
accurately ODP development costs nor do they include the
users' costs. Information about expenditures of this
magnitude, particularly when requested by oversight
committees, must be accurate and timely. At this time, we do
not recommend capitalization of operating or applications
software; however, we do believe cost accounting procedures
must be developed to identify the cost of these systems as if
they were to be capitalized. ODP has initiated an internal
office requirement to study this problem and obtain outside
contractors' assistance in upgrading their current cost system.
RECOMMENDATION #12: Continue efforts to update cost
accounting procedures to accurately and completely
identify the current cost of ADP computer systems
software.
Property Procedures
41. (A/IUO) A complete physical inventory of Type II
Property has not been conducted since 30 June 1975. A partial
inventory was taken at the time the current Logistics Officer
assumed accountability on 19 July 1976. Existing Consolidated
Memoranda of Receipt are two or more years out of date and no
longer reflect the current physical disposition of ODP
property, particularly office equipment. ODP has begun an
intensive effort to revise and correct ODP property accounting
procedures. They have requested and received Office of
Logistics agreement to provide assistance to jointly solve
their property accounting problems.
RECOMMENDATION #13: Continue the coordinated
effort with the Office of Logistics to jointly
solve ODP's property accounting problems. Insure
that a complete physical inventory is
conducted in accordance with
Document any discrepancies revealed as a result of
the inventory as prescribed by the regulations.
25X1A
42. (A/IUO) Recording of Type II Property transactions in
many instances lags too far behind actual receipt of the
property. Part of the problem lies in the delay in forwarding
receiving reports from the Support Staff to the Logistics
Officer. In addition, the Logistics Officer is not always
recording documents on a timely basis.
RECOMMENDATION #14: Take actions required to
assure recording of Type II Property transactions
on a more timely basis.
43. (A/IUO) Duplicate automated and manual systems exist
to record financial and technical information about hardware.
Support Staff enters purchase prices or the monthly rental
payment amount into both Engineering Division's Engineering
Management Information System (EMIS) and into their own
purchase, lease and maintenance contract files. In addition,
Environment and Configuration Management Branch maintains a
manual file of utility and technical requirements of each
hardware item. Supporting redundant data bases consumes
resources and delays information flow between all participants
in equipment transactions. Inconsistencies exist between
systems.
RECOMMENDATION #15: Determine the present capa-
bility of EMIS to serve as a central data base
for all hardware transactions, both engineering
and financial. Identify the information needs
of various components and determine whether EMIS
can be enhanced to the point where it satisfies
the needs identified. If EMIS is enhanced, research
and verify to supporting documentation any missing
data. Consider recording ODP's office equipment
on the data base in addition to currently listed
major hardware items.
44. (C) The Budget and Finance group of Management Staff
is not able to validate the balance of their unliquidated
obligations. The Encumbrance Activity Report continues to
show as open requisitions those which have been filled and
paid by the Agency. This problem arises outside of ODP's
control and is likewise a problem for other offices. We will
address the issue further in our audit of the Office of
Logistics.
STATINTL
Report of Audit of ODP
Executive /DDA
Mr. May
Director/ODP
VIA TUBE
DD/A Registry
DD/A 78-3584/2
Danny:
I am sure you recall seeing the Audit Staff Report request
that Agency assets and liabilities in the ADP field should
be recorded differently so as not to be understated. I recall
asking you some time ago if this gave you any trouble and you
responded that it would not.
To close the loop, I thought you might be interested in
Tom Yale's response to the Audit Staff showing why a change
in recording assets and liabilities should not be made.
STATINTL
Att
Distribution:
Orig - Mr. May w/att
1 - DDA Chrono
DDA Subj
1 - RPZ Chrono
EO/DDA;se 21 Nov 78
ROUTING AND RECORD SHEET
SUBJECT: (Optional) Report of Audit of the Office of Data Processing as of 30 June 1978
FROM: Thomas B. Yale, Director of Finance, 1212 Key Bldg.
DATE: 24 OCT 1978
STATINTL
TO: (Officer designation, room number, and building)
1. [illegible]/DDA, 7D24 Headquarters