Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Report on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness for the Division of Computer Research and Technology, National Institutes of Health

Issued on  | Posted on  | Report number: A-17-97-00013

Report Materials

EXECUTIVE SUMMARY:

The Department of Health and Human Services (HHS) Division of Computer Research and Technology (DCRT) provides a variety of data processing services on a fee-for-service basis to the National Institutes of Health and other HHS agencies. Ernst & Young's (E&Y), certified public accountants, under contract with the HHS Office of Inspector General, reviewed DCRT's policies and procedures to determine whether: (1) the description of DCRT policies and procedures presents fairly, in all material respects, the aspects of DCRT's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures were suitably designed to achieve the control objectives specified in the descriptions, and (3) such policies and procedures had been placed in operation as of September 30, 1997.

The E&Y determined that DCRT is not able to control monitoring and administration of computer machine room access privileges. This resulted in the policies and procedures not being suitably designed to achieve the control objective that states, "Control structure policies and procedures provide reasonable assurance that physical access to the computer center and other sensitive areas, and operations of the computer and related processing equipment is restricted to appropriately authorized individuals."

The E&Y concluded that the description of DCRT operations presents fairly, in all material respects, the relevant aspects of DCRT's policies and procedures placed in operation as of September 30, 1997. Also, E&Y concluded that the control structure policies and procedures, except for the matters described in the preceding paragraph, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved. Lastly, E&Y concluded that the control policies and procedures tested were operating with sufficient effectiveness, except for the matters described in the second paragraph above, to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the specified period.

Report Type
Audit
HHS Agencies
Office of the Secretary
Issue Areas
-
Target Groups
-
Financial Groups
-

Notice

This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.