This is the accessible text file for GAO report number GAO-09-943R 
entitled 'Management Report: Opportunities for Improvements in FDICís 
Internal Controls and Accounting Procedures' which was released on 
September 15, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-09-943R: 

United States Government Accountability Office: 
Washington, DC 20548: 

September 15, 2009: 

The Honorable Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 
Federal Deposit Insurance Corporation: 

Subject: Management Report: Opportunities for Improvements in FDICís 
Internal Controls and Accounting Procedures: 

Dear Mr. App: 
In May 2009, we issued our opinions on the calendar year 2008 financial 
statements of the Deposit Insurance Fund (DIF) and the FSLIC[Footnote 
1] Resolution Fund (FRF). We also issued our opinion on the 
effectiveness of the Federal Deposit Insurance Corporationís (FDIC) 
internal control over financial reporting (including safeguarding 
assets) as of December 31, 2008, and our evaluation of FDICís 
compliance with provisions of selected laws and regulations for the two 
funds for the year ended December 31, 2008.[Footnote 2] 

The purpose of this report is to present issues identified during our 
audit of the 2008 financial statements regarding certain internal 
controls and accounting procedures and to recommend actions to address 
these issues. We are making four recommendations for strengthening 
FDICís internal controls and accounting procedures. 

Results in Brief: 

During our audits of the 2008 financial statements, we identified four 
internal control issues that affected FDICís accounting for the funds 
it administers. Although we do not consider them to be material 
weaknesses or significant deficiencies,[Footnote 3] and thus do not 
consider them to be material in relation to DIFís and FRFís financial 
statements, we believe that they warrant managementís attention and 
action. These issues concern the following: 

* Written policies and procedures were not updated to document FDICís 
new methodology used to determine the estimated cash recovery of 
receivership assets. 

* Controls did not ensure that correct amounts were paid for services 
provided by contractors and that operating expenses were appropriately 
allocated among the funds FDIC administers. 

* Oversight of contracted lockbox operations did not provide adequate 
assurance that controls were effectively designed to minimize the risk 
of loss, theft, and misreporting of receivership receipts. 

* Controls over the processing of receivership receipt transactions did 
not result in transactions being timely applied to the appropriate 
receivership accounts. 

These issues increase the risk that FDIC would not prevent or timely 
detect (1) errors or inconsistencies in valuing failed bank assets, (2) 
erroneous payments and errors in allocating operating expenses, (3) 
loss or theft of receivership receipts processed at a contractor-
operated lockbox facility, or (4) misstatements in receivership 
accounts. 

At the end of our discussion of each of these issues in the following 
sections, we make recommendations for strengthening FDICís internal 
controls or accounting procedures. These recommendations are intended 
to improve managementís oversight and controls, decrease the risk of 
theft or misappropriation of assets, and minimize the risk of 
misstatements in DIFís and FRFís financial statements. 

In its comments, FDIC agreed with our recommendations and described 
actions it has taken or plans to take to address the control weaknesses 
described in this report. At the end of our discussion of each of the 
issues in this report, we have summarized FDICís related comments and 
our evaluation. 

Scope and Methodology: 

As part of our audits of the 2008 and 2007 financial statements of the 
two funds administered by FDIC, we evaluated FDICís internal controls 
and tested its compliance with selected provisions of laws and 
regulations. We designed our audit procedures to test relevant controls 
over financial reporting, including those designed to provide 
reasonable assurance that transactions are properly recorded, 
processed, and summarized to permit the preparation of DIFís and FRFís 
financial statements in conformity with U.S. generally accepted 
accounting principles, and that assets are safeguarded against loss 
from unauthorized acquisition, use, or disposition. 

We requested comments on a draft of this report from the FDIC Deputy to 
the Chairman and Chief Financial Officer. We received written comments 
from FDIC and have reprinted the comments in their entirety in 
enclosure I. We conducted our audits in accordance with U.S. generally 
accepted government auditing standards. Further details on our scope 
and methodology are included in our May 2009 report on the results of 
our audits of the 2008 and 2007 financial statements and are summarized 
in enclosure II. 

Receivership Asset Valuations: 

During 2008, FDIC changed its valuation methodology for estimating the 
recoveries FDIC expects to receive from the disposition of assets of 
failed financial institutions in receivership. While we concluded based 
on our audit work that the new methodology resulted in reasonable 
estimates, we determined that FDIC had not documented the new process 
to ensure its consistent and proper application in subsequent years. 

When a federally insured financial institution fails, the institution 
is placed into a receivership administered by FDIC. As part of this 
process, FDIC, through the DIF, will either close the institution and 
pay off insured depositors outright, operate the institution until it 
can find another institution to acquire some or all of the failed 
institutionís assets and liabilities, or sell some or all of the failed 
institution to an acquiring institution. The amounts FDIC disburses on 
behalf of the DIF to pay off insured depositors or to pay an acquiring 
institution to assume responsibility for some or all of the failed 
institutionís liabilities represents a claim, or receivable, the DIF 
has against the failed institutionís receivership, which is also 
operated by FDIC. Subsequent to the closing and initial disbursement of 
funds, the FDIC, through DIF, may periodically advance additional funds 
to the failed institution receivership to cover operating costs while 
the assets and liabilities of the receivership are sold or otherwise 
disposed of. These subsequent advances add to the DIFís claim, or 
receivable, against the receivership. Proceeds from the servicing, 
sale, or disposition of the failed institution receivershipís assets 
are used to pay off, or reduce the DIFís outstanding receivable. 

For financial reporting purposes, FDIC must periodically estimate what 
portion of the outstanding balance of the DIFís receivable from 
resolutions is collectible. This estimate is primarily based on the 
amounts FDIC expects DIF will recover through the servicing, sale, and 
disposition of the receivershipís assets. The difference between the 
outstanding receivable balance and the amount FDIC estimates will 
ultimately be collected represents the allowance for losses on the 
receivable to be included in DIFís financial statements. 

In prior years, FDIC used a standardized methodologyóthe Standard Asset 
Valuation Estimation methodology, or SAVEóto estimate the dollar value 
of recoveries from failed institution receivership assets. This 
methodology involved selecting a statistical sample from the complete 
inventory of DIF receivership assets at midyear and, through 
application of a set of procedures, deriving an expected recovery for 
those assets. The results were then statistically projected to the 
population of receivership assets to derive an overall recovery 
estimate for the assets. However, this approach had limitations that 
proved substantial in 2008. Specifically, in order for this approach to 
produce reliable results in time to prepare year-end financial 
statements, the vast majority of the failed institutionsí assets in a 
given year would have to be included in the DIFís inventory of 
receivership assets by midyear. However, in 2008, the vast majority of 
institution failures, and resulting failed institution assets to be 
included in DIFís inventory of receivership assets, did not occur until 
the latter half of the year. As a result, FDIC was unable to use its 
standard methodology to derive the year-end estimated recovery value 
for the DIF receivership assets and related allowance for losses on DIFí
s receivables. 

FDIC developed a new methodology for valuing receivership assets in 
2008 that employed a combination of information on current or pending 
asset sales, failed institution-specific asset valuation data, 
aggregate asset valuation data on several recently failed or troubled 
institutions, and empirical asset recovery data based on historical 
information on institution failures. We reviewed and tested this 
process and concluded that it generated reasonable estimates of asset 
recovery values and, consequently, in a reliable estimate of DIFís 
allowance for losses on its receivables from resolutions for financial 
reporting. However, FDIC had not documented this new process in formal 
guidance for its staff. Standards for Internal Control in the Federal 
Government[Footnote 4] provides that internal controls are to be 
clearly documented in official procedural guidance. FDIC expects the 
rate of failures of financial institutions to continue to be high 
throughout 2009 and into 2010. Consequently, FDIC will likely need to 
continue to utilize this new methodology for the foreseeable future. 
Without clearly documented guidance, which is disseminated to staff 
involved in the estimation process, and effective implementation of 
this guidance, FDIC increases the risk that receivership assets will 
not be valued in a consistent or appropriate manner. This, in turn, 
could impact the consistency and reasonableness of FDICís calculation 
of DIFís allowance for losses on its receivables from resolutions. 

Recommendation: 

We recommend that the Chief Financial Officer (1) document procedural 
guidance for estimating failed financial institution receivership asset 
recoveries to derive the allowance for losses on the DIFís receivables 
from resolutions, (2) disseminate the guidance to appropriate staff, 
and (3) effectively implement the guidance. 

FDIC Comments and Our Evaluation: 

FDIC agreed with this recommendation and stated that the corporation 
would develop procedural guidance that reflects the new methodology for 
estimating receivership asset recoveries used for determining the 
allowance for loss on DIF receivables from resolutions. FDIC further 
stated the updated guidance would be formally implemented and 
disseminated with appropriate staff by September 30, 2009. We will 
evaluate FDICís documentation of the new procedures and its 
implementation thereof during our 2009 financial audit. 

Operating Expenses: 

During our testing of operating expense transactions conducted as part 
of our 2008 audit, we found that FDICís internal controls did not 
effectively ensure that correct amounts were paid for services provided 
by contractors, or that operating expenses were appropriately allocated 
among the funds FDIC administers. We found that a contractor overbilled 
for certain services, and that FDIC inaccurately allocated expenses 
incurred from that contractor between DIF and FRF. 

Specifically, in two of the operating expense transactions we tested, 
we found that a contractor charged FDIC incorrect amounts by using the 
wrong rates in billing for services provided. We notified the FDIC 
official responsible for monitoring and evaluating this contractorís 
performanceó-the oversight manageró-who stated that her review did not 
identify the mistake. FDICís written procedures require that the 
oversight manager review invoices to ensure they are in compliance with 
the terms of the contract. After learning of the error, FDIC reviewed 
other invoices from this contractor and determined that the vendor used 
the wrong billing rates in 43 invoices and that FDIC overpaid the 
vendor about $4,700. 

We also found that FDIC misallocated operating expenses between the DIF 
and FRF. Two of the transactions we tested were for shredding and 
general records services performed by a contractor. To allocate shared 
expenses to each fund, FDIC used a spreadsheet called the fund 
distribution schedule. However, FDIC officials did not properly enter 
invoice information into appropriate sections of the fund distribution 
schedule, resulting in a misallocation of expenses between the DIF and 
FRF. We notified FDIC about the misallocation and the manager agreed 
that the total invoice amounts were entered incorrectly. Based on our 
findings, FDIC reviewed past cost allocations related to services 
provided by this contractor and determined there were errors in 
allocating the expenses from eight invoices. FDIC corrected these 
errors by posting adjustments to the DIF and FRF. The adjustments 
resulted in a $700,000 decrease in DIFís operating expenses and a 
corresponding $700,000 increase in FRFís operating expenses. 

We determined that FDIC did not have documented operating procedures or 
instructions for entering data into the fund distribution schedule, nor 
were there documented procedures for independent review or verification 
of the cost allocations before they were entered into FDICís general 
ledger system. Standards for Internal Control in the Federal Government 
provides that agencies are to implement procedures to ensure the 
accurate and timely recording of transactions and events. This includes 
documenting operating procedures and internal controls. The standards 
also provide that qualified and continuous supervision be provided to 
ensure that internal control objectives are achieved. The lack of 
written instructions and independent review increases the risk that 
FDICís process for allocating shared costs and posting expenses into 
the general ledger will not always timely prevent or detect errors, and 
that operating expenses may be incorrectly classified and presented in 
DIFís and FRFís financial statements. 

Subsequent to the completion of our testing, FDIC issued new procedures 
for the independent review of both invoices and the fund distribution 
schedule. The additional review is intended to provide added assurance 
that all discrepancies in billing rates are identified and the data 
entered into the schedule are accurate. However, the new procedures do 
not contain instructions for entering information into the fund 
distribution schedule. 

Recommendation: 

We recommend that the Chief Financial Officer document and implement 
the procedures to be followed for entering data into the fund 
distribution schedule. 

FDIC Comments and Our Evaluation: 

FDIC agreed with this recommendation and stated that it would revise 
the procedures for the invoice review process for this contract, 
including procedures for entering the invoice data into the fund 
distribution schedule, by September 30, 2009. We will evaluate the 
design and the implementation of these new procedures during our 2009 
financial audit. 

Oversight of Lockbox Bank: 

During our 2008 audit, we found that FDIC did not effectively monitor 
the safeguarding and processing of receivership receipts at the Dallas 
lockbox facility[Footnote 5] operated by JPMorgan Chase Bank, N.A. 
(JPMorgan). As a result, FDIC did not have adequate assurance about 
whether the controls in place at this facility were designed and 
operating effectively to minimize the risk of misappropriation and 
misreporting of receivership receipts. 

FDIC, in its receivership capacity, receives payments either at its 
Dallas field office cashier unit or through the lockbox. Receivership 
receipts include payments on loans serviced by FDIC, proceeds from the 
sale of various assets of failed financial institutions in 
receivership, restitution payments, and amounts from professional 
liability claims. Receipts received at the Dallas lockbox facility are 
processed by JPMorgan. Similarly, receipts that are received at the 
FDIC Dallas field office cashier unit are forwarded to the lockbox 
facility where they are processed. In 2008, the Dallas lockbox 
received, processed, and recorded almost $46 million in FDIC 
receivership receipts. 

We previously reported[Footnote 6] that FDICís policies and procedures 
do not require the examination of internal controls at the Dallas 
lockbox facility to ensure those controls are effective and operating 
as intended. Safeguarding controls over lockbox operations are critical 
in preventing the theft, loss, or misappropriation of cash or checks. 
We recommended that FDIC modify its policies and procedures to require 
regular review and take appropriate actions to address the results of 
examinations of internal controls at the lockbox facility to ensure 
that controls are effective and operating as intended. In response, 
FDIC modified its policies and procedures to 1) regularly obtain 
JPMorganís annual financial audit reports, 2) review them for any 
deficiencies related to controls, and 3) require that any identified 
deficiencies be corrected by JPMorgan in a timely manner. FDIC also 
requested copies of JPMorganís internal audit reports or SAS 70 reports 
[Footnote 7] for the lockbox operation, but the bank reported that it 
had not engaged a public accounting firm to perform a SAS 70 
examination on its cash management product operations and, therefore 
could not provide a SAS 70 report. 

Although FDIC reviews JPMorganís annual report, the accompanying 
auditorís report is limited to an audit of the bankís financial 
reporting and it did not consider the effectiveness of internal 
controls over the Dallas lockbox operations. Additionally, while FDIC 
modified its policies and procedures to require review of these annual 
reports, it did not require obtaining and evaluating internal audit 
reports or other reports covering the internal controls of the lockbox 
facility. During our 2008 audit, FDIC officials stated that they did 
not request internal audit reports specifically related to the lockbox 
operations because in prior years JP Morgan did not share these reports 
due to concern with the possible release of proprietary information. 

Standards for Internal Control in the Federal Government provides that 
agencies are to establish appropriate accounting and physical controls 
to record, secure, and safeguard vulnerable assets. It is FDICís 
responsibility to ensure that all receivership receipts are safeguarded 
and properly recorded. When this assurance is dependent on the internal 
controls of an outside entityóor service provideróit is up to FDIC 
management to monitor whether these controls are effective and 
functioning as intended. This is especially important in this case 
because FDIC does not have a record of all the receivership receipts 
that are sent to the Dallas lockbox, and therefore must fully rely upon 
the internal controls at the lockbox facility to ensure that all cash 
and checks received are protected, fully accounted for, and accurately 
reported. 

Because the annual reports gathered and reviewed by FDIC do not 
evaluate lockbox operations and are not designed to identify weaknesses 
in the design or implementation of the lockbox facilityís internal 
controls, FDIC management does not have information to determine 
whether appropriate and effective controls exist over receivership 
receipts sent to the lockbox. The increasing number of bank failures 
has resulted, and will continue to result, in a growing volume of 
receivership receipts processed at the lockbox facility, thereby 
increasing the importance of effective internal controls over its 
operation. Safeguarding controls are critical in preventing the theft 
of cash or checks. The lack of effective oversight and monitoring of 
safeguarding controls increases the risk of theft, loss, or 
misappropriation of assets. 

Recommendation: 

We recommend that the Chief Financial Officer revise procedures to 
obtain assuranceóthrough such means as SAS 70 reports, internal audit 
reports, and other monitoring processesóthat internal controls over 
receivership receipts are in place and functioning properly at the 
Dallas lockbox facility. 

FDIC Comments and Our Evaluation: 

FDIC agreed with this recommendation. FDIC stated it had requested a 
SAS 70 report from JPMorgan's Customer Representative. However, because 
JPMorgan did not have a SAS 70 assessment of its lockbox operations 
conducted, it provided a letter detailing the specific components of 
the risk management framework over its cash management product 
operations. Further, FDIC stated that on or before December 31, 2009, 
it would revise procedures over the Dallas lockbox facility to include 
requesting the SAS 70 or other similar reports on JPMorgan's lockbox 
services. We will evaluate the effectiveness of FDICís actions during 
our 2009 financial audit. 

Processing Receivership Receipts: 

During our testing of receivership receipts conducted as part of our 
2008 audit, we found that FDIC did not always timely apply payments to 
the appropriate receivership assets (and other) accounts. When FDIC, in 
its receivership capacity, receives a payment, the receipt is deposited 
and initially recorded in the receivershipís general ledger as an asset 
(cash) with an offsetting entry to the cash-in-process suspense account 
(a liability account). Until FDIC determines how to apply the receipt, 
it remains in this account, and other receivership accounts are 
misstated until the receipts are properly applied to those accounts. 

In our sampling of 45 receivership receipts, we found that 7 receipts 
were not cleared from the suspense account and applied to the correct 
accounts within 90 days. As of the date of our testing, these 7 
receipts had been in the suspense account from 118 to 366 days. We also 
reviewed all the receivership receipts in the suspense account as of 
January 2, 2009, and determined that 203 receipts (totaling $12 
million) had been in the suspense account for more than 90 days. While 
FDIC officials we spoke with stated that they try to clear receipts 
from the suspense account within 90 days, FDIC had no written policy 
establishing time frames for how quickly receipts should be cleared 
from the suspense account and applied to the appropriate asset account 
on the receivership books. The officers also stated that the delay in 
applying the payments and clearing these accounts was due to the 
increased workload resulting from the increased number of bank failures 
in 2008. 

Standards for Internal Control in the Federal Government provides that 
agencies are to implement procedures to ensure the timely and accurate 
recording of transactions and events. While there ultimately was no 
impact on DIFís and FRFís financial statements, the lack of a formal 
policy for applying payments in a timely manner increases the risk that 
receivership receipts will not be timely processed, resulting in 
misstating the receivershipís financial records. 

Recommendation: 

We recommend that the Chief Financial Officer document and implement a 
policy regarding a time frame, such as the current target of 90 days, 
by which receivership receipts are to be applied to the appropriate 
receivership accounts. 

FDIC Comments and Our Evaluation: 

FDIC agreed with this recommendation, and stated that by December 31, 
2009, it would document and implement a policy regarding the time frame 
by which receivership receipts are to be applied to the appropriate 
receivership accounts. We will evaluate the effectiveness of FDICís 
actions during our 2009 financial audit. 

This report contains recommendations to you. We would appreciate 
receiving a description and status of your corrective actions within 30 
days of the date of this report. 

This report is intended for use by FDIC management, members of the FDIC 
Audit Committee, and the FDIC Inspector General. We are sending copies 
of this report to the Chairman and Ranking Member of the Senate 
Committee on Banking, Housing, and Urban Affairs; the Chairman and 
Ranking Member of the House Committee on Financial Services; the 
Chairman of the Board of Directors of the Federal Deposit Insurance 
Corporation; the Chairman of the Board of Governors of the Federal 
Reserve System; the Comptroller of the Currency; the Director of the 
Office of Thrift Supervision; the Secretary of the Treasury; the 
Director of the Office of Management and Budget; and other interested 
parties. In addition, this report will be available at no charge on GAOí
s Web site at [hyperlink, http://www.gao.gov]. 

We acknowledge and appreciate the cooperation and assistance provided 
by FDIC management and staff during our audits of FDICís 2008 and 2007 
financial statements. If you have any questions about this report or 
need assistance in addressing these issues, please contact me at (202) 
512-3406 or sebastians@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are William Cordrey, Assistant Director; Gloria Cano; Jody Ecie; 
Gary Chupka; Nina Crocker; Teressa Broadie-Gardner; Angel Sharma; Jay 
Thomas; J. Mark Yoder; and Gregory Ziombra. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

Enclosures - 2: 

[End of section] 

Enclosure I: Comments from the Federal Deposit Insurance Corporation: 

FDIC: 
Federal Deposit Insurance Corporation: 
Deputy to the Chairman and CFO
550 17th Street NW: 
Washington, D.C. 20429-9990: 	 

September 3, 2009: 

Mr. Steven J. Sebastian: 
Director, Financial Management and Assurance: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Sebastian: 

Thank you for providing the U.S. Government Accountability Office's 
(GAO) draft report titled, Management Report: Opportunities for 
Improvements in FDIC's Internal Controls and Accounting Procedures (GAO-
09-943R) for review and comment. The report discusses the matters that 
were identified during the audits of the Federal Deposit Insurance 
Corporation's (FDIC) 2008 financial statements regarding internal 
controls and accounting procedures and the recommendations for 
strengthening them. Although GAO believes that these matters warrant 
management's attention, we are pleased that GAO acknowledged that they 
are not material in relation to the financial statements and does not 
consider them to be material weaknesses or significant deficiencies. 

FDIC appreciates the work that GAO performed on the 2008 audits and 
recognizes the benefit of the recommendations that were made. As stated 
in the report, these recommendations are intended to improve 
management's oversight and controls, decrease the risk of theft or 
misappropriation of assets, and minimize the risk of misstatements in 
FDIC's financial statements. Management fully understands that 
effective internal control helps FDIC achieve its operations, financial 
reporting, and compliance objectives. Our detailed management responses 
are provided in Attachment 1. 

We look forward to continuing our productive working relationship with 
the GAO during the 2009 audits. Please contact James H. Angel, Jr., 
Director, Office of Enterprise Risk Management, at 703-562-6456, if you 
have any questions. 

Sincerely, 

Signed by: 

Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 

Attachment: 

cc: 
Bret Edwards: 
Mitchell Glassman: 
Arleas Upton Kea: 
James H. Angel, Jr. 
Audit Committee: 

[End of letter] 

Attachment I: FDIC Responses To 2008 GAO Management Report: 

Receivership Asset Valuations: 

GAO reported that written policies and procedures were not updated to 
document FDIC's new methodology used to determine the estimated cash 
recovery of receivership assets. 

Recommendation 1: 

GAO recommended that the FDIC I) document procedural guidance for 
estimating failed financial institution receivership asset recoveries 
to derive the allowance for losses on the Deposit Insurance Fund's 
receivables from resolutions, 2) disseminate the guidance to 
appropriate staff, and 3) effectively implement the guidance. 

Management Response: 

DOF concurs with this recommendation. DOF will work with DRR to ensure 
that DOF and DRR procedural guidance relevant to the estimation of 
receivership asset recoveries used for determining the allowance for 
loss on DIF receivables from resolutions is updated to document the new 
valuation methodology. DOF will ensure that the updated guidance is 
formally implemented and disseminated with appropriate staff. The 
completion date is September 30, 2009. 

Operating Expenses: 

GAO reported that controls did not ensure that correct amounts were 
paid for services provided by contractors and that operating expenses 
were appropriately allocated among the funds FDIC administers. 

Recommendation 2: 

GAO recommended that the FDIC document and implement the procedures to 
be followed for entering data into the fund distribution schedule. 

Management Response: 

DOA concurs with this recommendation. DOA will revise the procedures 
for the invoice review process for this contract to include procedures 
for entering the invoice data into the fund distribution schedule. The 
completion date is September 30, 2009. 

Oversight of Lockbox Bank: 

GAO reported that oversight of contracted lockbox operations did not 
provide adequate assurance that controls were effectively designed to 
minimize the risk of loss, theft, and misreporting of receivership 
receipts. 

Recommendation 3: 

GAO recommended that the FDIC revise procedures to obtain assurance-
through such means as SAS 70 reports, internal audit reports, and other 
monitoring processes-that internal controls over receivership receipts 
are in place and functioning properly at the Dallas lockbox facility. 

Management Response: 

DRR agrees with the recommendation and requested the SAS 70 report from 
JPMorgan Chase's Customer Representative. Because JPMorgan Chase did 
not perform a SAS 70 assessment, they provided a letter which detailed 
the specific components of the risk management framework over the cash 
management product operations. In addition, on or before December 31, 
2009, DRR will revise procedures over the Dallas lockbox facility to 
include requesting the SAS 70 or other similar reports on JPMorgan 
Chase's lockbox services. 

Processing Receivership Receipts: 

Controls over the processing of receivership receipt transactions did 
not result in transactions being timely applied to the appropriate 
receivership accounts. 

Recommendation 4: 

GAO recommended that the FDIC document and implement a policy regarding 
a timeframe, such as the current target of 90 days, by which 
receivership receipts are to be applied to the appropriate receivership 
accounts. 

Management Response: 

DRR agrees with the recommendation. On or before December 31, 2009, DRR 
will document and implement a policy regarding the time frame by which 
receivership receipts are to be applied to the appropriate receivership 
accounts. 

[End of section] 

Enclosure II: Details on Audit Scope and Methodology: 

To fulfill our responsibilities as auditor of the financial statements 
of the two funds administered by the Federal Deposit Insurance 
Corporation (FDIC), we did the following: 

* Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. 

* Assessed the accounting principles used and significant estimates 
made by FDIC management. 

* Evaluated the overall presentation of the financial statements. 

* Obtained an understanding of FDIC and its operations, including its 
internal control related to financial reporting (including safeguarding 
assets) and compliance with laws and regulations. 

* Assessed the risk that a material misstatement exists. 

* Tested relevant internal controls over financial reporting and 
compliance, and evaluated the design and operating effectiveness of 
FDICís internal control based on the assessed risk. 

* Considered FDICís process for evaluating and reporting on internal 
control based on criteria established by the Federal Managersí 
Financial Integrity Act of 1982. 

* Tested compliance with certain laws and regulations, including 
selected provisions of the Federal Deposit Insurance Act, as amended, 
and the Federal Deposit Insurance Reform Act of 2005. 

* Performed such other procedures as we considered necessary in the 
circumstances. 

[End of section] 

Footnotes: 

[1] The Federal Savings and Loan Insurance Corporation (FSLIC) was a 
government corporation that administered deposit insurance for savings 
and loan institutions in the United States. FSLICís responsibilities 
were transferred to the FDIC in the late 1980s. 

[2] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2008 and 2007 Financial Statements, [hyperlink, 
http://www.gao.gov/products/GAO-09-535] (Washington, D.C.: May 28, 
2009). 

[3] A significant deficiency is a control deficiency, or combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged with 
governance. A material weakness is a deficiency, or a combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entityís financial 
statements will not be prevented, or detected and corrected on a timely 
basis. 

[4] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[5] A lockbox bank is a commercial bank with a designated post office 
address to which payments and related documents for FDIC receiverships 
are to be sent. The lockbox bank processes the documents, deposits the 
receipts, and then forwards the documents and data to FDIC. The intent 
of the lockbox program is to accelerate the deposit of receipts and 
increase interest savings, thus enhancing the efficiency of cash 
management. 

[6] GAO, Management Report: Opportunities for Improvementís in FDICís 
Internal Controls and Accounting Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-07-942R] (Washington, D.C.: June 27, 
2007). 

[7] SAS 70 reports refer to reports typically prepared by an 
independent auditor based on a review of the internal controls over an 
entityís servicing operations as discussed in the American Institute of 
Certified Public Accountants (AICPA)'s Statement on Auditing Standards 
(SAS) No. 70, Service Organizations. A service organization provides 
services to the entity whose financial statements are being audited. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAOís actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAOís Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: