Management Report: Opportunities for Improvements in FDIC's	 
Internal Controls and Accounting Procedures (27-JUN-07, 	 
GAO-07-942R).							 
                                                                 
In February 2007, we issued our opinions on the calendar year	 
2006 financial statements of the Deposit Insurance Fund (DIF) and
the FSLIC Resolution Fund (FRF). We also issued our opinion on	 
the effectiveness of the Federal Deposit Insurance Corporation's 
(FDIC) internal control over financial reporting (including	 
safeguarding assets) and compliance as of December 31, 2006, and 
our evaluation of FDIC's compliance with significant provisions  
of selected laws and regulations for the two funds for the year  
ended December 31, 2006. The purpose of this report is to present
issues identified during our audits of the 2006 financial	 
statements regarding internal controls and accounting procedures 
and to recommend actions to address these issues. Although these 
issues were not material in relation to the financial statements,
we believe they warrant management's attention. 		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-942R					        
    ACCNO:   A71559						        
  TITLE:     Management Report: Opportunities for Improvements in     
FDIC's Internal Controls and Accounting Procedures		 
     DATE:   06/27/2007 
  SUBJECT:   Financial institutions				 
	     Financial records					 
	     Financial statement audits 			 
	     Financial statements				 
	     Internal controls					 
	     Risk assessment					 
	     Standards						 
	     Federal regulations				 
	     Strategic planning 				 
	     Data integrity					 
	     Physical security					 
	     Policies and procedures				 


June 27, 2007

Mr. Steven O. App
Deputy to the Chairman and Chief Financial Officer
Federal Deposit Insurance Corporation

Subject: Management Report: Opportunities for Improvements in FDIC's
Internal Controls and Accounting Procedures

Dear Mr. App:

In February 2007, we issued our opinions on the calendar year 2006
financial statements of the Deposit Insurance Fund (DIF) and the FSLIC
Resolution Fund (FRF).^1 We also issued our opinion on the effectiveness
of the Federal Deposit Insurance Corporation's (FDIC) internal control
over financial reporting (including safeguarding assets) and compliance as
of December 31, 2006, and our evaluation of FDIC's compliance with
significant provisions of selected laws and regulations for the two funds
for the year ended December 31, 2006.^2

The purpose of this report is to present issues identified during our
audits of the 2006 financial statements regarding internal controls and
accounting procedures and to recommend actions to address these issues.
Although these issues were not material in relation to the financial
statements, we believe they warrant management's attention. We are making
seven recommendations for strengthening FDIC's internal controls and
accounting procedures. We conducted our audits in accordance with U.S.
generally accepted government auditing standards.

^1On February 8, 2006, the President signed into law the Federal Deposit
Insurance Reform Act of 2005 (the Act). Among its provisions, the Act
called for the merger of the Bank Insurance Fund (BIF) and Savings
Association Insurance Fund (SAIF) into DIF. In accordance with the Act,
the Federal Deposit Insurance Corporation merged BIF and SAIF into the
newly established DIF on March 31, 2006. The financial results of the
newly formed DIF were retrospectively applied as though they had been
combined at the beginning of 2006, as well as for prior periods presented
for comparative purposes.

^2GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2006
and 2005 Financial Statements, GAO-07-371 (Washington, D.C.: Feb. 13,
2007).

Results in Brief

During our audits of the 2006 financial statements, we identified several
internal control issues that affected FDIC's accounting for the funds it
administers. Although we do not consider them to be material weaknesses^3
or significant deficiencies,^4 we believe they warrant management's
consideration.

Specifically, we found the following:

           o FDIC had inadequate or incomplete written procedures for key
           segments of its general ledger monthly closing process and other
           financial operations. The absence of adequate written procedures
           increases the risk that (1) all necessary steps in the monthly
           general ledger closing process and other processes may not be
           completely, correctly, and consistently performed and (2)
           disruptions and errors may arise when staff changes occur. This,
           in turn, could affect the reliability of data presented in FDIC's
           financial statements.
           o FDIC lacked adequate supervisory reviews of key tasks in the
           monthly general ledger closing process and other financial
           operations, increasing the risk that errors in preparing financial
           statements might not be timely detected and corrected.
           o FDIC incorrectly excluded certain receivership data used in the
           calculation of loss rates from bank failures, resulting in an
           error in these loss rates that could have affected the
           accuracy/reliability of the contingent liability presented in the
           financial statements.
           o FDIC lacked appropriate control to safeguard checks received in
           its Dallas mailroom and did not provide proper oversight of
           contractor lockbox operations, increasing the risk of theft, loss,
           or misappropriation of assets.

We are making seven recommendations to improve FDIC's internal controls
and accounting procedures. Implementation of these recommendations would
strengthen FDIC's conformance with the internal control standards that
federal agencies are required to follow^5 and minimize the risk of future
misstatements in the two funds' financial statements.

In its comments, FDIC agreed with our recommendations and described
actions it has taken or plans to take to address the control weaknesses
described in this report. At the end of our discussion of each of the
issues in this report, we have summarized FDIC's related comments and our
evaluation.

^3A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.

^4A significant deficiency is a control deficiency, or combination of
deficiencies, that adversely affects the entity's ability to initiate,
authorize, record, process, or report financial data reliably in
accordance with generally accepted accounting principles such that there
is more than a remote likelihood that a misstatement of the entity's
financial statements that is more than inconsequential will not be
prevented or detected.

^5GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

Scope and Methodology

As part of our audits of the 2006 and 2005 financial statements of the two
funds administered by FDIC, we evaluated FDIC's internal controls and its
compliance with selected provisions of laws and regulations. We designed
our audit procedures to test relevant controls, including those intended
to ensure proper authorization, execution, accounting, and reporting of
transactions.

We requested comments on a draft of this report from the FDIC Deputy to
the Chairman and Chief Financial Officer. We received written comments and
have reprinted the comments in enclosure I. Further details on our scope
and methodology are included in our report on the results of our audits of
the 2006 and 2005 financial statements, and are reproduced in enclosure
II.

General Ledger Closing and Other Financial Processing Procedures

During our observations of FDIC's monthly general ledger closing process
and other financial operations related to the preparation of DIF's and
FRF's financial statements, we identified several critical steps in the
processes in which the documentation of procedures was either inadequate
or incomplete and could be improved. These critical steps involved
activities that were performed outside the automated processes of the
PeopleSoft application within FDIC's financial environment. GAO's
Standards for Internal Control in the Federal Government requires that
internal control procedures be clearly documented in management
directives, policies, or operating manuals. Further, all documentation
should be properly managed and maintained.

Specifically, we observed that there were inadequate written procedures
covering the (1) preparation of the DIF and FRF financial statements, (2)
closing out of terminated receiverships, (3) review of the vendor
maintenance log, and (4) number and types of oversight reports and audit
logs that are used to monitor financial processes, including documentation
of the periodic review of these reports and audit logs.

We also identified the following activities in the monthly general ledger
closing process where the extent of written procedures could be improved:

           o Preparation and entering spreadsheet adjustments to the general
           ledger for (1) estimated legal contingent liabilities, (2) loan
           loss reserve, and (3) accounts payable accruals.
           o Preparation and recording entries to the general ledger for the
           payroll liability accruals.
           o Preparation of final accounts payable accrual analysis reports.

Additionally, we found that there was incomplete detailed documentation
(run sheets) for automated transactions used to accomplish the monthly
closing process.

According to FDIC officials, the lack of adequate written procedures was
caused by the fact that management attention and resources have been
devoted to higher priorities in ensuring the successful implementation of
the new financial management system. Nonetheless, inadequate or incomplete
written procedures reduce the assurance that critical processes and
operating activities have been completely, correctly, and consistently
performed; increase the risk of disruption and errors when staff changes
occur; and could affect the reliability of data presented in FDIC's
financial statements.

Recommendation

We recommend that FDIC improve its written procedures by describing more
explicitly the steps required to accomplish and document each significant
activity in the monthly general ledger closing process and other financial
operations related to financial statement preparation in order to help
ensure that such steps are completely, consistently, and accurately
performed.

FDIC Comments and Our Evaluation

FDIC agreed with our recommendation. In response to our finding, FDIC
stated that existing procedures and process documentation will be enhanced
to more explicitly capture the key steps and activities required to
support the monthly general ledger closing process and other related
financial operation areas. FDIC further stated that this procedures work
is scheduled to be completed in phases, starting with the most critical
areas by June 30, 2007, and the other processes completed by December 31,
2007. We will evaluate the effectiveness of FDIC's actions during our 2007
financial audit.

Supervisory Review of General Ledger Closing and Other Financial
Operations

During our observations of the monthly general ledger closing process and
related activities, we identified several instances in which there was
inadequate supervisory review of key tasks or activities outside the
automated financial processes. Supervisory review of key activities is
important to ensure that errors in the data or processes leading to
preparation of the annual financial statements are timely detected and
corrected. GAO's Standards for Internal Control in the Federal Government
requires agencies to implement internal control procedures to ensure the
accurate and timely recording of transactions and events. In addition,
these standards require that qualified and continuous supervision be
provided to ensure that internal control objectives are achieved.

Specifically, we identified the following activities in the monthly
general ledger closing and related processes where there was inadequate
supervisory review:

           o Manual compilation of spreadsheets containing expense accrual
           data used to update monthly balances prior to the system upload.
           o Manual compilation of final expense accrual analysis reports
           prior to distribution.
           o Preparation of reports relating to fiscal year comparisons and
           the corporate closing trial balance prior to the fiscal year end
           system close.
           o Changes to business rules that specify how certain financial
           transactions are to be processed.
           o Override of accounts payable match exception transactions.

According to FDIC officials, the lack of adequate supervisory review was
caused by management's attention being devoted to higher priorities in
ensuring the successful implementation of new financial management
processes and the administrative challenges posed by the merger of the
Bank Insurance Fund and the Savings Association Insurance Fund.
Nonetheless, inadequate supervisory review of the activities noted above
increases the risk to FDIC that errors might not be detected and corrected
in a timely manner. This, in turn, increases the risk of misstatements in
the DIF's and FRF's financial statements.

Recommendation

We recommend that FDIC emphasize to its staff the importance of completing
required supervisory review of key transactions and procedures in the
monthly general ledger closing process and other financial operations to
ensure that they are properly executed and that these reviews are
documented.

FDIC Comments and Our Evaluation

FDIC agreed with our recommendation. FDIC stated that it has and will
continue to emphasize to staff the importance of documented supervisory
review of key tasks and activities. We will evaluate the effectiveness of
FDIC's actions during our 2007 financial audit.

Calculation of Loss Rates for Anticipated Bank Failures

During our testing of contingencies related to the anticipated failures of
insured institutions, we identified an error in one of the statistical
analysis programs FDIC uses to estimate expected loss rates for various
categories of assets. Specifically, FDIC incorrectly excluded certain
asset data for an individual receivership from this statistical program.
GAO's Standards for Internal Control in the Federal Government requires
agencies to implement internal control procedures to ensure the accurate
and timely recording of transactions and events. In addition, these
standards require that qualified and continuous supervision be provided to
ensure that internal control objectives are achieved.

FDIC records a contingent liability and loss provision for DIF-insured
institutions that are likely to fail within 1 year of the financial
statement reporting date, absent some favorable event such as obtaining
additional capital or merging, when the liability becomes probable and
reasonably estimable. The contingent liability is derived by applying
expected failure and loss rates to institutions based on supervisory
ratings, balance sheet characteristics, and projected capital levels.

To derive expected loss rates, FDIC uses historical information from
receiverships to compute actual losses on six categories of assets that
constitute total bank assets: installment loans, commercial loans,
securities, mortgages, other real estate owned, and all other assets.
These actual losses are converted to expected loss rates for each asset
category. These expected loss rates are then applied to the book value of
each asset category of the institution deemed likely to fail to determine
the total loss anticipated from the likely institution failure.

To perform the analysis necessary to derive the expected loss rates and
the contingent liability, FDIC uses statistical programs. However, during
our audit, we found an error in the program used to estimate loss rates on
the six categories of assets. Specifically, FDIC incorrectly included loss
rates on securities of a receivership it intended to exclude, while
mistakenly excluding loss rates of securities of another receivership.
FDIC did not identify this error because it resulted from a transposition
error that was not detected in FDIC's routine review of its statistical
program.

After we brought this error to FDIC's attention, FDIC corrected the error
and recalculated the loss rates for 2006. While this revised calculation
showed that the error had an immaterial effect on the loss rate
computation in this instance, such an error, if undetected and
uncorrected, could have had a significant effect on the calculation of
loss rates and thus on the contingent liability presented in the financial
statements.

Recommendation

We recommend that FDIC emphasize to its staff the importance of thoroughly
verifying the accuracy of all data elements included in the calculation of
loss rates used in estimating the contingent liability for anticipated
failures.

FDIC Comments and Our Evaluation

FDIC agreed with our recommendation. FDIC stated that at the time of the
review existing audit procedures required the review of all statistical
programs but focused primarily on program logic. After GAO identified the
error, FDIC modified the review process to also check any hard-coded data
for errors. Additionally, FDIC stated that its staff was apprised of the
new procedures, which became effective January 31, 2007. We will evaluate
the effectiveness of FDIC's actions during our 2007 financial audit.

Receivership Receipts (Mailroom and Cashier Controls)

During our testing of FDIC's internal controls in the mailroom and cashier
operations of its Dallas field office, we identified deficiencies in
controls over checks received that increased the risk of theft, loss, or
misappropriation of receipts. GAO's Standards for Internal Control in the
Federal Government requires agencies to establish physical control to
secure and safeguard vulnerable assets. Examples include security for, and
limited access to, assets such as cash, securities, inventories, and
equipment that might be vulnerable to risk of loss or unauthorized use.

The mailroom of the Dallas field office is responsible for opening mail,
including monetary receipts for receivership activities. These receipts
are in the form of checks that generally consist of loan repayments from
debtors of failed financial institutions. For those checks not received in
the Dallas mailroom, FDIC uses a lockbox administered by JPMorgan Chase
Bank, N.A. (JPMorgan). The lockbox is emptied several times a day and the
checks are deposited in an FDIC account at JPMorgan. Each day, JPMorgan
forwards to FDIC online image copies of the checks deposited that day and
all supporting documentation received with the checks. For calendar year
2006, the mailroom of the Dallas field office directly processed 1,870
checks totaling approximately $31.9 million, while the lockbox operation
processed 1,758 checks totaling approximately $5.2 million. Whether checks
are received in the mailroom or lockbox, the Cashiers Unit is responsible
for accounting for all receivership receipts.

In our tests of controls of FDIC's Dallas field office mailroom and
Cashiers Unit operations, we found the following control deficiencies:

           o The mailroom contractor staff did not adequately account for
           checks upon receipt and prior to storing the checks in a safe.
           Specifically, we found that the check log prepared upon extraction
           of receipts from the envelopes was not reconciled to the total
           number of checks and the total dollar value of checks received.
           Additionally, the check log was not initialed and dated by the
           preparer, and a tape recording agreement of checks to the check
           log was not prepared. Finally, we observed that the checks were
           not locked in a secured bag.
           o The file cabinet used by the Cashiers Unit to store checks
           overnight requires only one person to open it. We observed that
           four individuals had keys and unlimited access to the file
           cabinet.

In addition, we found that FDIC's policies and procedures do not require
the examination of any internal audit reviews of internal controls at
JPMorgan's lockbox operation to ensure that these controls are effective
and operating as intended. We were informed that JPMorgan's internal audit
department conducts periodic reviews of lockbox operations using a
risk-based approach. This approach includes an assessment of the key risks
and processes within lockbox operations and an evaluation of associated
controls, as well as an examination of policies and procedures to
determine their overall effectiveness.

JPMorgan's internal audit department completed its most recent review of
lockbox operations in August 2006. However, its reviews are not required
to be obtained and evaluated by FDIC.

Safeguarding controls are critical in preventing the theft of cash or
checks. The lack of effective safeguarding controls increases the risk of
theft, loss, or misappropriation of assets.

Recommendations

To improve physical security in the Dallas field office mailroom and
cashier operations, we recommend that FDIC instruct

           o mailroom contractor employees to reconcile checks received to
           the check log, initial and date the log, and prepare a tape
           recording agreement of the checks to the check log;
           o mailroom contractor employees to lock the checks in a secured
           bag immediately upon receipt and prior to storing the checks in a
           safe; and
           o Cashiers Unit employees to store checks overnight in a locked
           file cabinet that requires two individuals to open it.

In addition, we recommend that FDIC modify its policies and procedures to
require regular review and take appropriate actions to address the results
of examinations of internal controls at the contractor's lockbox operation
to ensure that controls are effective and operating as intended.

FDIC Comments and Our Evaluation

FDIC agreed with the intent of our recommendations. In response to our
findings related to FDIC's Dallas field office mailroom and Cashiers Unit,
FDIC cited corrective actions completed by January 31, 2007, that address
the issues we identified and are consistent with the intent of our
recommendations. As to FDIC's policies and procedures related to the
internal audit reviews of internal controls at JPMorgan's lockbox
operation, FDIC stated that its policies and procedures will be modified
by June 30, 2007, to request annual audit reports from JPMorgan and for
FDIC to review those reports for possible internal control weaknesses and
proposed corrective actions. We will evaluate the effectiveness of FDIC's
actions during our 2007 financial audit.

                                  ------------

This report contains recommendations to you. We would appreciate receiving
a description and status of your corrective actions within 30 days of the
date of this report.

This report is intended for use by FDIC management, members of the FDIC
Audit Committee, and the FDIC Inspector General. We are sending copies of
this report to the Chairman and Ranking Minority Member of the Senate
Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking
Minority Member of the House Committee on Financial Services; the Chairman
of the Board of Directors of the Federal Deposit Insurance Corporation;
the Chairman of the Board of Governors of the Federal Reserve System; the
Comptroller of the Currency; the Director of the Office of Thrift
Supervision; the Secretary of the Treasury; the Director of the Office of
Management and Budget; and other interested parties. In addition, this
report will be available at no charge on GAO's Web site at
http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided by
FDIC management and staff during our audits of FDIC's 2006 and 2005
financial statements. If you have any questions about this report or need
assistance in addressing these issues, please contact me at (202) 512-3406
or [email protected]. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this report.
GAO staff who made major contributions to this report are listed in
enclosure III.

Sincerely yours,

Steven J. Sebastian

Director
Financial Management and Assurance

Enclosures - 3

Enclosure I

Comments from the Federal Deposit Insurance Corporation

Enclosure II

Details on Audit Scope and Methodology

To fulfill our responsibilities as auditor of the financial statements of
the two funds administered by FDIC, we did the following:

           o examined, on a test basis, evidence supporting the amounts and
           disclosures in the financial statements;
           o assessed the accounting principles used and significant
           estimates made by management;
           o evaluated the overall presentation of the financial statements;
           o obtained an understanding of internal controls related to
           financial reporting (including safeguarding assets) and compliance
           with selected laws and regulations;
           o tested relevant internal controls over financial reporting and
           compliance, and evaluated the design and operating effectiveness
           of internal control;
           o considered FDIC's process for evaluating and reporting on
           internal control based on criteria established by 31 U.S.C. § 3512
           (c), (d) (commonly referred to as the Federal Managers' Financial
           Integrity Act); and
           o tested compliance with applicable laws and regulations,
           including selected provisions of the Federal Deposit Insurance
           Act, as amended, and the Chief Financial Officers Act of 1990.

Enclosure III

Acknowledgments

The following individuals made major contributions to this report: Gary
Chupka, Assistant Director; Verginie Amirkhanian; Gloria Cano; Nina
Crocker; Mickie Gray; David Hayes; Wing Kwong; Mary Osorno; Eduvina
Rodriguez; and Greg Ziombra.

(196161)

Congressional Relations

Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
