REPORT OF AUDIT OF THE OFFICE OF DATA PROCESSING AS OF 30 JUNE 1978

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP81-00142R000100030003-8
Release Decision: 
RIPPUB
Original Classification: 
S
Document Page Count: 
26
Document Creation Date: 
December 9, 2016
Document Release Date: 
July 23, 2001
Sequence Number: 
3
Case Number: 
Publication Date: 
October 24, 1978
Content Type: 
MF
File: 
Body: 
Approved For Release 2001/08/14 : CIA-RDP81-00142R000100030003-8

MEMORANDUM FOR: Chief, Audit Staff, OIG
FROM: Thomas B. Yale, Director of Finance
24 OCT 1978
SUBJECT: Report of Audit of the Office of Data Processing as of 30 June 1978

1. The position of the Office of Finance is not to adopt the audit recommendation as stated in paragraphs 33, 34, and 35 of subject audit report. Our position is based on the propriety of obligations as they relate to the establishment of liabilities that far exceed authorized budgets. Inasmuch as this Agency's appropriation is governed by one year money we feel the establishment of liabilities covering in some instances contracts encompassing a period of six years is not sound. The wording used within the contracts in question, Alternate Purchase Plans (APP), further draws attention to the questionable propriety. These contracts are written giving the Agency many escapes with wording such as "No funds are currently legally obligated," "....subject to the availability funds....," "No legal liability on the part of the Government for payment of any money in excess of that amount currently obligated shall arise unless and until funds are made available to the contracting officer...."

It should be noted, we have no problem with the implied ownership and in fact the APP contracts acknowledge that throughout the period of the agreements or until all equipment is returned all risk and cost of ownership shall be on the Agency. The very words "or until all equipment is returned" imply ownership remains with the vendor until we have paid in full. What we do fail to see is how the adoption of the audit recommendation strengthens the Agency financial picture or in fact provides better property accountability controls.

As a matter of interest we have checked with our counterparts in other agencies to determine how they treat such contracts.
Each advised they do not capitalize assets and establish liabilities when they implement similar contracts. Air Force, for example, uses one year O&M money and they too feel that to set up liabilities extending beyond authorized obligation authorities is suspect.

2. The GAO report "Accounting for Automatic Data Processing Costs Needs Improvement," B-115369 dated 7 February 1978, acknowledges that the reason for capitalizing the purchase price of Automatic Data Processing Equipment is for cost accounting. In that report the GAO accepts the fact that most agencies do not have cost accounting systems and are not ready for the [illegible] of the requirement for capitalization of ADP equipment.

Thomas B. Yale

Distribution: Orig & 1 - Addressee; DDA; 1 - D/F; 1 - ODP; 1 - Reg.; 2 - P&SS (Chrono)
OF/P&SS/AC:tjo (24 Oct.

OFFICIAL ROUTING SLIP (handwritten remarks illegible)

Distribution: Orig-RS - D/ODP w/cy of 8 Sep 78 memo to Finance
1 - D/F w/atts; 1 - AD/Log w/atts; Subj w/atts
Atts: [illegible] of ODP as of [illegible]; Memo dtd 8 Sep 78 to D/ODP via IG fr C/AS, same subj (ODA 78-3584)

8 SEP 1978

MEMORANDUM FOR: Director of Finance
THROUGH: Inspector General
FROM: [illegible] Staff, OIG
SUBJECT: Report of Audit of the Office of Data Processing as of 30 June 1978 (S)

1. (U) Paragraph 3 below contains a request for your action.

2. (U) The following paragraphs are extracted from subject Report of Audit:

'Agency Assets and Liabilities Understated

33. (S) The general ledger account 1723, Property in Use-Other, values ODP property at $108 million. However, the eventual total cost of owned equipment currently in the two computer centers will be million. The discrepancy between the actual value of owned equipment and the amount currently shown in the general ledgers is due to the current policy of not recording the cost of equipment until it is completely paid for.

34. (S) The Agency has alternate annual payment contracts with the International Business Machines Corporation (IBM), and several third party leasing firms for the purchase of seven large computer systems. These contracts total million and are to be paid over a multi-year period. To date million has been paid on these contracts.

35. (S) Whether these contracts are viewed as a lease with intent to purchase or as an outright purchase with time payments they should be recorded in the accounting system.
The General Accounting Office's 'Policy And Procedures Manual For Guidance to Federal Agencies Title II Accounting' (August 1972), gives the following guidelines for property acquired under lease-purchase arrangements:

'The total cost shall be capitalized when the property is accepted from the contractor or when the option to purchase equipment is exercised, rather than periodically as payments are made or when title passes to the Government'.

'The cost of property acquired under lease-purchase contracts, which in substance represent installment purchasing, should include the purchase price under the contracts and related costs incurred by the Government'.

'The purchase price included in lease-purchase contracts for property, which are in substance installment purchases..., shall be recorded as a liability when the property is accepted from the contractor or when the option to purchase equipment is exercised. Such a liability shall be reduced by periodic payments.'

We believe for alternate annual payment contracts the option to purchase has been exercised at contract signing even though payments are spread out over a period of time. In a separate memorandum to the Director of Finance, we are requesting action to record the purchase price of the contracts discussed above for million in the appropriate general ledger account to capitalize the assets. The remaining liability of million due the contractors should also be recorded in an appropriate general ledger account.'

3. (U) We request that action be taken to record the assets and liabilities as discussed in paragraph 2 above. Please advise the undersigned of action taken on this matter.

Distribution: Orig 1 - D/Fin; DDA; D/ODP

E2 IMPDET CL BY 010572
8 SEP 1978

MEMORANDUM FOR: Director, Office of Data Processing
THROUGH: Inspector General
FROM: Chief, Audit Staff
SUBJECT: Report of Audit of Office of Data Processing as of 30 June 1978 (S)

1. (U) Subject report is attached. Please advise this office of action taken on the recommendations contained in the report.

2. (U) We appreciate the cooperation extended to the auditors during the audit.

Attachment

Distribution: Orig. - D/ODP; 1 - DDA; 1 - O/Compt; 1 - OIG

REPORT OF AUDIT
Office of Data Processing as of 30 June 1978

SUMMARY

1. (A/IUO) The Office of Data Processing (ODP) generally is carrying out its assigned tasks and utilizing resources in an effective manner. Financial controls and procedures are generally effective and in compliance with applicable regulations. Since the last audit, ODP has developed computer systems which are better designed and more efficient to operate and maintain. User involvement has increased but has been neither uniform nor complete for all systems under development. We believe all major user offices should strive for ADP skills improvement and more participation with ODP in systems development for their offices.
This report includes comments with recommendations where appropriate, concerning the following:

- policy for minicomputers
- development of a written disaster recovery plan for the computer centers
- storage of system software backup tapes and critical data bases at an offsite location
- strengthening existing and developing new technical security controls for several problem areas
- employment of a full-time administrative assistant in the ODP Security Office
- sanitizing 'scratch' tapes in the Special Center
- reduction in frequency of tape library inventories
- weaknesses in access procedures for the Ruffing Computer Center
- provision for more stringent controls over storage and distribution of users' computer outputs
- monitoring terminal usage
- strengthening of controls in GIMS II data bases
- improvement in methods for recording time purchased hardware and establishing cost for systems development
- strengthening of property controls and procedures.

SCOPE

2. (A/IUO) The audit was conducted under the authority of and included a review of procedures and controls exercised by ODP in the administration of its share of Agency resources. The audit concentrated on:

- financial controls and procedures
- logistical controls and procedures
- administration of project development by Applications and Special Projects Staff
- review of missions and procedures of the Ruffing and Special Computer Centers
- review of security procedures used in ODP
- policy on minicomputers.

GENERAL

3. (S) ODP provides centralized computer services to all components of the Agency.
They operate two major computer centers: the Ruffing Center which serves most general users, and the Special Center which serves only the Operations Directorate and COMIREX Automated Management System (CAMS) users. These centers combined own equipment valued at approximately million and lease equipment valued in the millions. The Office reviews and coordinates user offices' proposals for acquisitions of any computer equipment, software, and other services. ODP has an authorized personnel ceiling of to accomplish its mission.

4. (S) ODP's operating budget for Fiscal Year 1978 is summarized as follows:

DETAILED COMMENTS

Minicomputer Policy

5. (A/IUO) In January 1978 ODP formulated its policy for minicomputer use in ODP and, to the extent ODP can impact on it, in the Agency. ODP estimates the number of minicomputer applications is growing at a rate of 30% per year.

6. (A/IUO) In a 15 July 1977 paper to the Executive Advisory Group (EAG) titled 'Response to Key ADP Issue #3' dealing with the question of centralized versus decentralized computer facilities ODP identified the following advantages which make a decentralized approach attractive:

- lower software development cost if applications software already exists and is available from the equipment vendor
- data privacy for sensitive applications
- faster response and possibly better availability and reliability.

7. (A/IUO) Data processing users have recognized these benefits and are seeking their own minicomputer facilities for a variety of applications. This decentralization of computer resources continues with limited Agency-wide coordination and planning.
Such an approach risks failure to apply Agency ADP resources efficiently, tolerating inconsistent work standards and quality control, complicating training and maintenance requirements and reducing the interchangeability of applications between processors.

8. (A/IUO) ODP recognizes this lack of central comprehensive planning and has previously recommended to the EAG that ODP serve as the Agency's central source of technical support and guidance for the selection and maintenance of a standard minicomputer. ODP has formulated an office policy consistent with this recommendation to:

- implement and support standard minicomputer hardware and software
- use Agency standard terminals in the minicomputer system configurations
- provide for minicomputers in their budget (Customers may be required to provide their own machine room or operators or personnel slots for ODP operators.).

9. (A/IUO) Concurrent with the expansion of minicomputer capability ODP Management Staff plans to develop costs of batch and interactive central system service for use in comparing cost of ODP central service versus the cost of acquiring and operating an individual minicomputer in meeting the demands of a particular proposed application.

10. (C) The ODP GIMINI Project is an attempt to identify minicomputer hardware and operating systems which can support GIMS II, the Agency's data base management system for large data bases. ODP plans to allow users with sensitive applications, extremely high needs for data privacy or response time/availability concerns to isolate their data base on a minicomputer system rather than use the common direct access storage the general GIMS user is provided. The same GIMS software could be run on both the large central computer and the minicomputer, thus easing transferability of applications.
ODP presently favors acquiring minicomputers with operating systems compatible with System 370 to avoid the need for extensive conversion of the minicomputer's operating system to accommodate GIMS.

11. (C) ODP currently has 13 minicomputers: two for message switching, one for the GIMINI project, one for the CAPER applications and Hospitalization/Insurance, and nine for use in the TAD System. ODP requested authority to procure three minicomputers of a standard design in their FY80 budget. This hardware was to be assigned to users' applications where the cost was justified. The intent was to then maintain one standard design minicomputer for the development of the next system and maintenance of the current system. The procurement authority requested was rejected in the budget process. This action, along with the rejection of two FY80 personnel slots ODP has requested to develop and maintain these minicomputers, has in effect stalled ODP's plans. We believe ODP developed their plans and policies in a reasonable and responsible manner. We fully concur with ODP's position on this matter and their recognition of the need for centralized planning and control of the proliferation of minicomputer systems within the Agency. The importance of an Agency approach to controlled growth of minicomputers is most important in the efficient and effective management of these vital resources.

12. (A/IUO) The Deputy Director of Central Intelligence (DDCI) in a memorandum dated 26 July 1978, to Executive Advisory Group (EAG) members set forth Agency policy with respect to continuing EAG involvement in the management of Agency ADP resources. This memorandum provides for EAG to, in conjunction with its review of the Agency's Program Plan each year, specifically focus attention on the proposed functional uses of ADP and on major ADP investments. We believe ODP's plan for an Agency minicomputer policy is of such timeliness and importance that it should be considered by the EAG.
RECOMMENDATION #1: Present ODP's minicomputer support plan to the EAG for its consideration within the framework of the annual review as directed in the DDCI memorandum cited above.

Provisions for a Disaster Plan

13. (A/IUO) The purpose of a disaster plan is to minimize the magnitude of service interruption in an emergency situation. Currently ODP does not have a written or tested disaster plan. Engineering Division has the general responsibility for recovering from a disaster. This is primarily a technical approach, i.e. replacement of hardware, cables, and physical plant. The area that requires extensive attention is the identification of applications critical to the Agency's missions. Areas such as alternatives to processing by computer and what can be run on non-Agency computers should be investigated.

14. (A/IUO) The complete spectrum of ADP requirements needs to be reviewed and prioritized. The results should then be matched against the Agency's capability to provide these services in the event of a disaster to one or both computer centers. Alternative processing sites should be identified and the entire disaster recovery plan should be maintained in a current status and tested periodically to validate its effectiveness.

RECOMMENDATION #2: Review and prioritize the Agency's emergency ADP requirements and develop a written disaster recovery plan that adequately provides support in the event of a disaster. Also provide for current maintenance and periodic testing of the plan after development.

Offsite Storage Requirement

15. (S) Backup copies of ODP system software and critical data bases, i.e. CAMS, are not stored at an offsite location. One can reason that equipment can be eventually replaced but system software and databases that are destroyed without backup provisions could be lost forever.
Storing both the working and backup copies in the same area does not provide adequate safeguards against potential catastrophe. The most common measure taken to provide records backup is to store copies in an offsite location.

16. (S) Once the backup program is established, it is essential to maintain and test it. Having a test team solve actual operational problems using the stored vital records will assure management the program does work.

RECOMMENDATION #3: Store system software backup tapes and copies of critical data bases in the and/or exchange between the two computer centers. The stored backup records and programs should also be currently maintained and periodically tested to determine their operational readiness.

Technical Security

17. (S) ODP has identified a list of potential security problems with a majority of these items still unresolved. A partial listing of these items is:

- a 'Who are You' identification code to determine if proper authorization has been obtained before allowing access to data on VM, GIMS, and COMTEN
- 2 Tapes (other government agency tapes) are released without controls to assure that the receiving person is authorized to receive the tape and that the tape does not contain data other than the user's
- residual data remains on disk data sets when released thereby becoming accessible to the next user
- unauthorized users can, by learning data set names, access data sets other than their own
- no controls over Systems and Applications programmers to prevent fraudulent or other misuses of systems and data bases
- listings containing systems dumps are removed from the computer center without a formal determination being made of the classification of the data listed
- no audit trails of abortive attempts to link to M-Disk or logon (sic) the systems
- inadequate security control over the printing of classified
data on remote printers in customers' locations.

18. (A/IUO) Also, there are some other areas where internal controls need to be strengthened:

- during the evening shift in the Special Center and the weekend shifts in the Ruffing Center the computer operators have access to the tape library and can remove and use tapes without recording their use
- no scheduled rotational/segregated duties exist in the centers, i.e. operators are used as library and point workers during the same shift
- when systems and applications software is modified there is little detailed documentation of the steps used during testing and/or the authorization for the changes; additionally there is no documented evaluation of the potential side effects of the changes on the operating environment
- there is inadequate compliance with the procedures for security classification labelling on data outputs from VM and Batch.

Because of the sensitive nature of the data processed in the Agency, stringent security controls are essential. These controls, if they are to be effective, may be difficult to implement and prove to be encumbering to those who must work within them.

19. (U) There are several alternatives to be considered in strengthening controls in the areas mentioned. They range from accelerated polygraphing of key personnel to a thorough and effective control package which may be operationally restrictive. The ODP security officer should address the security implications in these areas and determine if there is a threat. If, after evaluation, the need is apparent ODP and the Office of Security (OS) should concentrate the required resources to bring these areas under better control.

RECOMMENDATION #4: Determine methods for better controls in the areas mentioned. Coordinate this study with the Office of Security.
20. (C) ODP and the Office of Security in May 1977 established an ODP/OS Working Group to identify, oversee, and provide recommendations to resolve these technical security risks. However, these problems still persist partly because there isn't a full-time team or individual to actively pursue and resolve these identified areas.

21. (C) The current ODP Security Officer (SO) is principally involved with day to day administrative requirements, i.e. obtaining access indicators to the computer centers and initializing ODP related security clearances. This leaves little time for technical security problems.

22. (C) ODP stated during the previous audit that they were in the process of obtaining a full-time technical SO. This has not been accomplished. The justifications given were increases in:

- ODP personnel and applications
- project sensitivity
- complexity of the operating environment
- compartmentation.

The obtaining of this SO was resubmitted for the FY80 budget. This slot was rejected as part of the budget process. The current SO has a part-time ODP administrative assistant to handle some of the paperwork. Converting this part-time position to full-time would allow the SO to devote more of his efforts to technically related computer security problems.

RECOMMENDATION #5: Consider converting the current part-time administrative assistant to a full-time position. In addition, formally request technical security assistance from the Office of Security to assure proper attention to these technical security problems.

Release of Scratch Tapes

23. (S) Currently Special Center magnetic tapes released to 'scratch' status (tapes made available to another user), are not sanitized. The data left on the tapes by the previous user is potentially available to the next person using that tape.
In the Ruffing Center 'scratch' tapes are sanitized via the Data Erase process. Data Erase tapes do not have to be reinitialized (internal labeling) which requires computer operator assistance. The Data Erase process reduces the possibility of exposure of data to unauthorized users. It takes approximately two to three minutes to Data Erase one tape. The Ruffing Center is on the Tape Management System which effectively identifies the magnetic tapes to be Data Erased. The Special Center tape library will soon be completely converted to the Tape Management System (TMS). With TMS regulating the flow of tapes to be 'scratched' and the relatively short time it takes to Data Erase, the disruption of the library's operating routine should be minimal.

RECOMMENDATION #6: Use Data Erase to sanitize all magnetic tapes that are to be used as 'scratch' tapes in the Special Center.

Inventory of Tape Library

24. (A/IUO) A 100% inventory is done every three months in the Ruffing Center and every two months in the Special Center. Because both centers have exceptional records of resolving all discrepancies that do rarely occur we suggested that a semi-annual inventory would be adequate for both tape libraries. This would each year save approximately 200 hours of overtime paid to the inventory participants. It was also suggested that all participants and the center manager sign the inventory memo to add credibility to this document. During the non-inventory months the librarian should continue identifying overdue tapes for ODP Security Officer intervention. Both centers have agreed to implement the above procedures.

Access to Computer Centers

25. (A/IUO) ODP recently obtained additional Headquarters space for the planned collocation of the 'points' (user pickup and servicing areas).
Estimates for the date of the relocation ranged from late FY79 through FY81 to not at all. The recommendations in the next three paragraphs are intended for interim action until the final location and configuration of the 'point' has been determined.

26. During our review of the centers we observed a large number of personnel entering the Ruffing Center. The number of non-Ruffing Center personnel with 'E' access indicators seems to be excessive. ('E' indicators are for the Ruffing Center and 'B' indicators are for the Special Center). The current practice of granting access by component rather than by individual's daily need is questionable. Both computer centers' managers stated that they have begun reviewing the individuals' requirements for access. The Special Center has, by their review, identified people who no longer need automatic access, of which have already had their indicators removed. The Ruffing Center should identify those who no longer need automatic access and submit their names to the ODP Security Officer for removal of their 'E' indicators. Personnel with infrequent need can use a no escort badge, effectively reducing the amount of casual traffic in the center.

RECOMMENDATION #7: Continue to review the need for 'E' Ruffing Center access indicators for non-center personnel and expand the usage of no escort badges for infrequent users.

27. (C) Access to the Ruffing Center is monitored by the person manning the tape reception area. This individual has other duties which makes it difficult to visually monitor the doors at all times. To improve the situation ODP has rearranged the furniture to block the direct path to the computer room. This is a step in the right direction but an enhancement to this control is to install a remotely activated gate.
This gate would require individuals entering to be visually observed and their need for access established. Once admitted past the gate they would have access to the work area of the 'point', library and computer room. This would permit the center's personnel to do their job without exiting the controlled area.

RECOMMENDATION #8: Install a remotely controlled access gate in the Ruffing Center 'point' area to limit unchallenged entry to the computer room.

28. (C) ODP is in the process of investigating different devices to provide a secure user pickup and data control. The leading candidate thus far is a badge operated mailbox system. The coded Agency badges would restrict an individual's access to predetermined mailboxes. However, this secure mailbox system is not planned for implementation until the new 'point' has been [illegible]ated. Currently ODP is using as a control tear off sheets for each user's listing. The user supposedly signs them when he picks up his output. The 'point' personnel have no knowledge of who is authorized to receive particular outputs or even if the tear off sheets were signed by the user. Any badged personnel can ask for listings from almost any output bin and receive them regardless of whether he has the authorization to receive such information. The Ruffing Center typically collects one box of tear off sheets each day and then forwards these sheets to for storage in archives. The intended purpose of having the tear off sheets was to control who picks up the output by having an ODP operator confirm that each listing is signed for. Due to the volume plus the operator's regular duties this has not been effectively or efficiently done. To date there have been no requests from the users to recall any of these sheets to determine who received a listing.
RECOMMENDATION #9: Establish more stringent controls over users' receipt of data from the 'point' in the Ruffing Center.

Monitoring Terminal Usage

29. (A/IUO) We observed that some users were signing on to terminals but were not using them for periods of over a half hour. This inefficient usage could prevent other users from accessing the systems due to the limited number of terminals which can be signed on simultaneously. Allowing a terminal to be signed on but not in use could be a security risk, potentially permitting unauthorized users access to the systems.

30. (A/IUO) Engineering Division (ED) prepares a computer generated report of terminal usage, primarily used to optimize the system configuration. ED can provide these reports to determine which terminals are not effectively being used. We provided the ODP Security Officer with this information.

RECOMMENDATION #10: Provide terminal usage reports to appropriate ODP management personnel for monitoring efficiency and security of terminal usage.

Improved Controls in GIMS-II Data Bases

31. (A/IUO) In one instance we found an inadequately tested change to a GIMS-II production data base causing loss of data integrity. In an attempt to prevent another occurrence of the problem we discussed with appropriate ODP personnel the need for user approval of system changes to assure data base integrity.

32. (A/IUO) ODP Data Access Center (DAC) personnel are now in the process of establishing procedures to control changes to GIMS-II production data bases.
Included in these procedures will be requirements for:

- testing or reviewing test results by the users' Data Base Manager
- written notification from the ODP Application's Project Manager to the DAC of any change to the GIMS-II production data base
- written document from the DAC to the user and the Application's Project Manager when the change is installed
- documentation of all changes catalogued in the Central Library of Production Division
- documentation of emergency changes within 48 hours.

These procedures will also help avoid unapproved changes and make the customer more cognizant of the impact of changes on the system. ODP can continue their efforts to assure data and processing integrity in all systems they develop or maintain by strictly enforcing these procedures.

RECOMMENDATION #11: Complete development and implement procedures to control systems changes.

Agency Assets and Liabilities Understated

33. (S) The general ledger account 1723, Property in Use-Other, values ODP property at million. However, the eventual total cost of owned equipment currently in the two computer centers will be million. The discrepancy between the actual value of owned equipment and the amount currently shown in the general ledgers is due to the current policy of not recording the cost of equipment until it is completely paid for.

34. (S) The Agency has alternate annual payment contracts with the International Business Machines Corporation (IBM), and several third party leasing firms for the purchase of seven large computer systems. These contracts total million and are to be paid over a multi-year period. To date million has been paid on these contracts.

35.
(S) Whether these contracts are viewed as a lease with intent to purchase or as an outright purchase with time payments they should be recorded in the accounting system. The General Accounting Office's 'Policy And Procedures Manual For Guidance to Federal Agencies Title II Accounting' (August 1972), gives the following guidelines for property acquired under lease-purchase arrangements:

'The total cost shall be capitalized when the property is accepted from the contractor or when the option to purchase equipment is exercised, rather than periodically as payments are made or when title passes to the Government'.

'The cost of property acquired under lease-purchase contracts, which in substance represent installment purchasing, should include the purchase price under the contracts and related costs incurred by the Government'.

'The purchase price included in lease-purchase contracts for property, which are in substance installment purchases..., shall be recorded as a liability when the property is accepted from the contractor or when the option to purchase equipment is exercised. Such a liability shall be reduced by periodic payments.'

We believe for alternate annual payment contracts the option to purchase has been exercised at contract signing even though payments are spread out over a period of time. In a separate memorandum to the Director of Finance, we are requesting action to record the purchase price of the contracts discussed above for million in the appropriate general ledger account to capitalize the assets. The remaining liability of million due the contractors should also be recorded in an appropriate general ledger account.

Identify ADP Service and System Development Costs

36. (U) There is increasing Office of Management and Budget (OMB) and Congressional interest in the management and use of ADP resources.
A recent report to the Congress by the Comptroller General, 'Accounting for Automatic Data Processing Costs Needs Improvement' (February 1978), states:

'It is essential to keep costs accurately for data processing systems and organizations, as in any other department. Reliable cost data is practically indispensable in making sound decisions on whether to get needed services through procurement from commercial sources or to perform them in-house.'

The report goes on to explain the benefits of cost data:

'With good cost accounting and reporting, management can have complete and consistent cost information quickly and economically. This should enable them to:

- compare costs among organizations, activities, operations, and projects;
- make informed investment decisions by: (1) estimates of the cost of implementing proposals for new systems and facilities, (2) preparation of cost-benefit analysis, and (3) cost comparisons with commercial and other alternatives;
- establish the cost of work done and measure productivity;
- measure the cost of performance of responsible officials;
- make end users and top management conscious of the cost of data processing systems and services;
- provide the accounting basis for proper charging of appropriation, allotment, and program accounts as well as the billing for intra- and interagency services; and
- provide the accounting basis for budget justifications and reports to Congress, OMB, GSA, and the public on the cost, custody, and use of the automatic data processing resources entrusted to them.'

37. (U) ODP provides a complete range of data processing services, from helping users collect requirements to processing and maintaining applications after implementation. ODP distributes the Project Activity Report (PAR) to inform customer management of the value of services used each month.
The value or cost of ADP services allocated to a project is based on computer usage and ODP man-hours. This report is also used by ODP management to respond to requests from the EAG, OMB, and other oversight committees. Knowing the value of ODP services is of interest to users who track and control the growth of their use of ADP resources. But the PAR is misleading when used to report project costs to the OMB or congressional committees. Computer usage costs are calculated using 1972 unit cost statistics. Also, the customer's man-hour and some contractor costs are not included in project costs.

38. (U) A recent GAO publication, 'Illustrative Accounting Procedures for Federal Agencies' (1978), recommends the capitalization of major ADP systems and applications systems whose acquisition or development costs are in excess of $100,000. The acquisition or development costs should include:

- The price of purchased software and the estimated useful value of software obtained by other means, including the cost for preoperation modifications, conversions, testing, and documentation.
- Salaries and benefits for agency staff and compensation of contractors and other Government personnel for developing new software and modifying software obtained through other means. This would include expenses for analysis, design, programming, documentation, testing, and conversion. It would also include expenses for preparing the computer operating instructions, user procedures manual and other documentation.
- Computer operating costs for testing, debugging, and parallel processing.

39. (U) This same GAO report published the results of a survey of 26 Federal organizations providing data processing services. Twelve of the 26 capitalized their hardware, and ten of these capitalized their owned operating software.
None of the organizations surveyed capitalized their owned applications software.

40. (S) During 1977 ODP presented 21 major application systems to the EAG for review. ODP estimated development and operating costs for these systems would consume over $42 million in ODP resources. These estimates do not identify accurately ODP development costs nor do they include the users' costs. Information about expenditures of this magnitude, particularly when requested by oversight committees, must be accurate and timely. At this time, we do not recommend capitalization of operating or applications software; however, we do believe cost accounting procedures must be developed to identify the cost of these systems as if they were to be capitalized. ODP has initiated an internal office requirement to study this problem and obtain outside contractors' assistance in upgrading their current cost system.

RECOMMENDATION #12: Continue efforts to update cost accounting procedures to accurately and completely identify the current cost of ADP computer systems software.

Property Procedures

41. (A/IUO) A complete physical inventory of Type II Property has not been conducted since 30 June 1975. A partial inventory was taken at the time the current Logistics Officer assumed accountability on 19 July 1976. Existing Consolidated Memoranda of Receipt are two or more years out of date and no longer reflect the current physical disposition of ODP property, particularly office equipment. ODP has begun an intensive effort to revise and correct ODP property accounting procedures. They have requested and received Office of Logistics agreement to provide assistance to jointly solve their property accounting problems.

RECOMMENDATION #13: Continue the coordinated effort with the Office of Logistics to jointly solve ODP's property accounting problems.
Insure that a complete physical inventory is conducted in accordance with Document any discrepancies revealed as a result of the inventory as prescribed by the regulations.

42. (A/IUO) Recording of Type II Property transactions in many instances lags too far behind actual receipt of the property. Part of the problem lies in the delay in forwarding receiving reports from the Support Staff to the Logistics Officer. In addition, the Logistics Officer is not always recording documents on a timely basis.

RECOMMENDATION #14: Take actions required to assure recording of Type II Property transactions on a more timely basis.

43. (A/IUO) Duplicate automated and manual systems exist to record financial and technical information about hardware. Support Staff enters purchase prices or the monthly rental payment amount into both Engineering Division's Engineering Management Information System (EMIS) and into their own purchase, lease and maintenance contract files. In addition, Environment and Configuration Management Branch maintains a manual file of utility and technical requirements of each hardware item. Supporting redundant data bases consumes resources and delays information flow between all participants in equipment transactions. Inconsistencies exist between systems.

RECOMMENDATION #15: Determine the present capability of EMIS to serve as a central data base for all hardware transactions, both engineering and financial. Identify the information needs of various components and determine whether EMIS can be enhanced to the point where it satisfies the needs identified. If EMIS is enhanced, research and verify to supporting documentation any missing data. Consider recording ODP's office equipment on the data base in addition to currently listed major hardware items.

44.
(C) The Budget and Finance group of Management Staff is not able to validate the balance of their unliquidated obligations. The Encumbrance Activity Report continues to show as open requisitions those which have been filled and paid by the Agency. This problem arises outside of ODP's control and is likewise a problem for other offices. We will address the issue further in our audit of the Office of Logistics.

Report of Audit of ODP
Executive /DDA
Mr. May, Director/ODP
VIA TUBE
DD/A Registry
DD/A 78-3584/2

Danny:

I am sure you recall seeing the Audit Staff Report request that Agency assets and liabilities in the ADP field should be recorded differently so as not to be understated. I recall asking you some time ago if this gave you any trouble and you responded that it would not. To close the loop, I thought you might be interested in Tom Yale's response to the Audit Staff showing why a change in recording assets and liabilities should not be made.

Att

Distribution:
Orig - Mr. May w/att
1 DDA Chrono
DDA Subj
1 - RPZ Chrono
EO/DDA;se 21 Nov 78

ROUTING AND RECORD SHEET
SUBJECT: (Optional) Report of Audit of the Office of Data Processing as of 30 June 1978
FROM: Thomas B. Yale, Director of Finance, 1212 Key Bldg.
DATE: 24 OCT 1978
TO: DDA, 7D24 Headquarters