Audit of Implementation of Electronic Signatures to Support the Electronic Travel Voucher Payment System (ETVPS) and Other Planned Applications (Audit Report No. 98-052, June 30, 1998)

Summary

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of the implementation of electronic signatures to support the Electronic Travel Voucher Payment System (ETVPS) and other planned systems. The objectives of the audit were to assess whether (1) the project was adhering to generally accepted system development procedures; (2) user requirements have been adequately defined; and (3) system deliverables will satisfy requirements in a cost-effective and timely manner. The objective of this portion of our audit was to determine whether adequate controls and procedures were incorporated in the design of the electronic signature module that the Division of Information Resources Management (DIRM) has selected for corporate-wide use.

FDIC is proposing to use an electronic signature module that may not provide adequate security for corporate-wide use. Despite concerns expressed earlier by our office and commitments from DIRM to address these concerns, DIRM continued with its initial plans regarding electronic signatures without developing a long-range plan and system architecture to fully comply with criteria established by the National Institute of Standards and Technology (NIST) and used by the General Accounting Office (GAO) when sanctioning financial systems that employ electronic signature technology. Further, DIRM's plans for implementing electronic signature technology to support corporate activities were not adequately supported by requirements analyses or documented studies of pilot initiatives.
Although the OIG and GAO advised DIRM of criteria for implementing effective electronic signature technology and other federal agency initiatives to develop effective electronic signature modules, DIRM did not develop procurement requirements that incorporated these criteria or maintain contact with the organizations developing alternative electronic signature solutions. In addition, a lack of adequate coordination within DIRM precluded other system development project efforts requiring electronic signature technology from being included in corporate requirements. This lack of coordination may result in delays in implementing the planned applications, additional costs, and inadequate controls for the planned systems.

Use of an electronic signature module that does not comply with GAO's approval criteria could expose FDIC systems to unauthorized use and financial losses and may adversely affect GAO's opinion as to the accuracy and reliability of FDIC's financial statements. The reliability of electronic signatures could also be questioned in legal proceedings involving activities supported by the planned systems.

Recommendations

The report contains three recommendations for improvements to the Director, DIRM. We recommended that the Director establish a formal long-range plan and system architecture to bring FDIC's electronic signature approach into full compliance with NIST standards and GAO requirements; perform an alternatives analysis and cost/benefit analysis comparing available alternatives for providing FDIC's electronic signature needs to determine the most cost-beneficial method for providing FDIC a system that complies with NIST standards; and ensure that all DIRM security personnel and system development project managers communicate on a regular basis to identify future requirements for electronic signatures.

Management Response

Management provided responses that satisfy the concerns addressed in the audit report and that provided the requisites for management decisions for all three recommendations.

Last Updated 03/27/01