This is the accessible text file for GAO report number GAO-08-863R 
entitled 'Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures' which was released on July 
11, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-08-863R: 

July 11, 2008: 

The Honorable Steven O. App:
Deputy to the Chairman and Chief Financial Officer: 
Federal Deposit Insurance Corporation: 

The Honorable John F. Bovenzi:
Deputy to the Chairman and Chief Operating Officer: 
Federal Deposit Insurance Corporation: 

Subject: Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures: 

In February 2008, we issued our opinions on the calendar year 2007 
financial statements of the Deposit Insurance Fund (DIF) and the FSLIC 
Resolution Fund (FRF). We also issued our opinion on the effectiveness 
of the Federal Deposit Insurance Corporation's (FDIC) internal control 
over financial reporting (including safeguarding assets) and compliance 
as of December 31, 2007, and our evaluation of FDIC's compliance with 
provisions of selected laws and regulations for the two funds for the 
year ended December 31, 2007.[Footnote 1] 

The purpose of this report is to present issues identified during our 
audits of the 2007 financial statements regarding certain internal 
controls and accounting procedures and to recommend actions to address 
these issues. Although these issues were not material in relation to 
the financial statements, we believe that they warrant management's 
attention. We are making five recommendations for strengthening FDIC's 
internal controls and accounting procedures. We conducted our audits in 
accordance with U.S. generally accepted government auditing standards. 

Results in Brief: 

During our audits of the 2007 financial statements, we identified 
internal control issues that affected FDIC's accounting for the funds 
it administers. Although we do not consider them to be material 
weaknesses or significant deficiencies,[Footnote 2] we believe that 
they warrant management's attention and action. 

Specifically, we found the following: 

* FDIC did not properly account for checks received in its Dallas 
mailroom. FDIC also lacked adequate procedures and controls to 
safeguard transported checks for deposit, increasing the risk of theft, 
loss, or misappropriation of these assets. 

* FDIC's process for approving payment transactions in its accounting 
system did not always timely prevent or detect errors in recording 
these transactions, increasing the risk that operating expenses may be 
incorrectly classified and presented in DIF's financial statements. 

At the end of our discussion of each of these issues in the following 
sections, we make recommendations for strengthening FDIC's internal 
controls or accounting procedures. These recommendations are intended 
to bring FDIC into conformance with Standards for Internal Control in 
the Federal Government, which federal agencies are required to follow, 
[Footnote 3] and minimize the risk of future misstatements in the DIF 
and FRF financial statements. 

In its comments, FDIC agreed with our recommendations and described 
actions it has taken or plans to take to address the control weaknesses 
described in this report. At the end of our discussion of each of the 
issues in this report, we have summarized FDIC's related comments and 
our evaluation. 

Scope and Methodology: 

As part of our audits of the 2007 and 2006 financial statements of the 
two funds administered by FDIC, we evaluated FDIC's internal controls 
and its compliance with selected provisions of laws and regulations. We 
designed our audit procedures to test relevant controls, including 
those intended to ensure proper authorization, execution, accounting, 
and reporting of transactions. 

We requested comments on a draft of this report from the FDIC Deputy to 
the Chairman and Chief Financial Officer and the Deputy to the Chairman 
and Chief Operating Officer. We received written comments from FDIC and 
have reprinted the comments in their entirety in enclosure 1. 

Further details on our scope and methodology are included in our report 
on the results of our audits of the 2007 and 2006 financial statements 
and are discussed in enclosure II. 

Receivership Receipts (Mailroom and Cashier Controls): 

During our testing of FDIC's internal controls in the mailroom and 
cashier operations of its Dallas field office, we identified 
deficiencies in controls over checks received that increased the risk 
of theft, loss, or misappropriation of receipts. The mailroom of the 
Dallas field office is responsible for opening mail, including checks 
for loan repayments from debtors of failed financial institutions. 
FDIC's Cashiers Unit in the Dallas field office uses a courier service 
to transport these checks daily to a lockbox administered by JPMorgan 
Chase Bank, N.A. (JPMorgan). However, not all checks are sent to the 
Dallas mailroom. Instead, some checks are sent directly to the lockbox. 
The lockbox is emptied several times a day and the checks are deposited 
in an FDIC account at JPMorgan. Each day, JPMorgan forwards to FDIC 
online image copies of the checks deposited that day and all supporting 
documentation received with the checks. For calendar year 2007, the 
mailroom of the Dallas field office directly processed 1,361 checks 
totaling approximately $21.7 million, while the lockbox operation 
processed 1,779 checks totaling approximately $2.5 million. Whether 
checks are received in the mailroom or lockbox, the Cashiers Unit is 
responsible for accounting for all receivership receipts. 

In our tests of controls at FDIC's Dallas field office mailroom and of 
Cashiers Unit operations, we found the following control deficiencies: 

* The mailroom contractor staff did not follow procedures to adequately 
account for checks upon receipt and prior to storing the checks in a 
safe. Specifically, we found that the check log prepared upon 
extraction of receipts from the envelopes was not reconciled to the 
total number of checks and the total dollar value of checks received, 
and the check log was not initialed and dated by the preparer. 
Additionally, mailroom staff did not reconcile the e-mail confirmation 
received from the Cashiers Unit noting checks forwarded to JPMorgan for 
deposit to the check log that was manually completed by the mailroom 
staff. 

* The Cashiers Unit did not have procedures and controls to safeguard 
checks transported via courier from FDIC's Dallas field office to the 
JPMorgan lockbox. Specifically, we found that there were no procedures 
in place requiring the Cashiers Unit staff who handed the daily checks 
to the contract courier to obtain information on the identity of the 
courier or confirm the courier's authorization to pick up and deliver 
the checks. Additionally, the Cashiers Unit staff were not required to 
obtain a receipt from the courier documenting that the checks were 
provided to the courier. Finally, there were no procedures requiring 
the courier to be bonded. A bonded courier would indemnify FDIC for 
monetary losses related to the transported checks. 

Standards for Internal Control in the Federal Government requires 
agencies to establish accounting and physical control to record, 
secure, and safeguard vulnerable assets. Examples include 
accountability and security for, and limited access to, assets such as 
cash, securities, inventories, and equipment that might be vulnerable 
to risk of loss or unauthorized use. Also, these internal control 
standards require internal control procedures to be documented in 
operating manuals. 

The deficiencies we identified in the mailroom were due to the fact 
that the Mail Center Standard Operating Procedures Manual has not been 
revised to incorporate past changes in procedures as well as those 
necessitated by the Dallas field office's move to a new location in 
October 2007, resulting in reconciliation and other procedures not 
being performed. 

FDIC officials stated that going forward, a computer will be placed at 
the mail-opening table so that information from checks received can be 
entered directly into an electronic spreadsheet and reconciled, thus 
eliminating the need for a manual logbook. They also explained that the 
e-mail received from the Cashiers Unit confirming check numbers and 
amounts will be reconciled to the spreadsheet. 

FDIC officials also informed us that for depositing checks with 
JPMorgan, FDIC is working with JPMorgan on implementing remote 
electronic deposits. As such, any checks received in the mailroom will 
be converted to electronic images and electronically sent to JPMorgan 
for deposit. 

Safeguarding controls are critical in preventing the theft of checks. 
The lack of effective safeguarding controls increases the risk of 
theft, loss, or misappropriation of assets. 

Recommendations: 

To improve accounting and safeguards for receipts in the Dallas field 
office mailroom and cashier operations, we recommend that you: 

* ensure that mailroom contractor staff follow procedures for entering 
information from checks received into an electronic spreadsheet and 
perform necessary reconciliations; 

* review the Mail Center Standard Operating Procedures Manual and make 
necessary revisions to reflect current procedures and controls over 
mailroom check processing; 

* establish procedures to require remote electronic deposits and thus 
eliminate the need for a courier service and the risks associated with 
using a courier; and: 

* until such time as FDIC implements a remote electronic deposit 
process, require Cashiers Unit staff to verify the identity of the 
courier, obtain a receipt for the checks, and ensure that the courier 
is bonded. 

FDIC Comments and Our Evaluation: 

FDIC agreed with our recommendations. In response to our findings 
related to accounting for checks received in its Dallas field office 
mailroom, FDIC cited corrective actions completed by April 30, 2008, 
that address the issues we identified. As to the review and revision of 
the Mail Center Standard Operating Procedures Manual, FDIC stated that 
the completion date will be December 31, 2008. With respect to our 
findings related to the risks of using a courier, FDIC responded that 
it expects to begin using a Remote Capture service by July 30, 2008, 
which will eliminate the need for a courier. In the interim, FDIC 
commented that it has implemented procedures requiring Cashiers Unit 
staff to verify the identity of the courier and obtain receipts for 
checks. FDIC also commented that the courier is bonded. We will 
evaluate the effectiveness of FDIC's actions during our 2008 financial 
audit. 

Operating Expense Coding: 

During our testing of operating expense transactions, we identified an 
invoice related to an expense transaction that was incorrectly coded. 
After we brought this error to the attention of the responsible FDIC 
oversight manager, she identified a second invoice that was incorrectly 
coded. These two invoice payments were made through the Intra- 
government Payments and Collections (IPAC) process. The oversight 
manager has the primary responsibility for approving expense payments, 
but the Division of Finance (DOF) also has the responsibility to 
accurately and timely record the transactions. When IPAC payments are 
involved, DOF staff are required to prepare the payment voucher and 
forward it to the responsible oversight manager for review and 
approval. 

The two errors resulted from (1) DOF staff entering incorrect account 
codes on payment vouchers for recording the transactions in the 
accounting system and (2) the oversight manager responsible for 
approving the payments not detecting the coding error and erroneously 
approving the voucher. These errors resulted in the wrong expense 
account being charged, but in each case did not affect the operating 
expense line item on DIF's income statement since the affected accounts 
were both expense accounts. 

Internal control standards require agencies to implement procedures to 
ensure the accurate and timely recording of transactions and events. In 
addition, these standards require that qualified and continuous 
supervision be provided to ensure that internal control objectives are 
achieved. Lack of supervision and effective implementation of 
procedures increases the risk that expenses may be incorrectly 
classified, which could affect the accurate presentation of operating 
expenses in DIF's financial statements. 

Recommendation: 

To minimize the risk of charging expenses to the wrong account, we 
recommend that you issue written notification to all individuals 
involved with processing IPAC transactions reminding them of their 
responsibility to properly review and accurately record these 
transactions. 

FDIC Comments and Our Evaluation: 

FDIC agreed with our recommendation. FDIC stated that by June 25, 2008, 
it issued e-mails to the disbursement staff and the oversight managers 
reminding them of their responsibility to properly review and 
accurately record transactions to minimize the risk of charging 
expenses to the wrong account. We will evaluate the effectiveness of 
FDIC's actions during our 2008 financial audit. 

This report contains recommendations to you. We would appreciate 
receiving a description and status of your corrective actions within 30 
days of the date of this report. 

This report is intended for use by FDIC management, members of the FDIC 
Audit Committee, and the FDIC Inspector General. We are sending copies 
of this report to the Chairman and Ranking Member of the Senate 
Committee on Banking, Housing, and Urban Affairs; the Chairman and 
Ranking Member of the House Committee on Financial Services; the 
Chairman of the Board of Directors of the Federal Deposit Insurance 
Corporation; the Chairman of the Board of Governors of the Federal 
Reserve System; the Comptroller of the Currency; the Director of the 
Office of Thrift Supervision; the Secretary of the Treasury; the 
Director of the Office of Management and Budget; and other interested 
parties. In addition, this report will be available at no charge on 
GAO's Web site at [hyperlink, http://www.gao.gov]. 

We acknowledge and appreciate the cooperation and assistance provided 
by FDIC management and staff during our audits of FDIC's 2007 and 2006 
financial statements. If you have any questions about this report or 
need assistance in addressing these issues, please contact me at (202) 
512-3406 or sebastians@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are Gary Chupka, Assistant Director; Gloria Cano; Nina Crocker; 
Wing Kwong; Gloria Proa; and Gregory Ziombra. 

Signed by: 

Steven J. Sebastian:
Director:
Financial Management and Assurance: 

Enclosures: 

Enclosure 1: 

Comments from the Federal Deposit Insurance Corporation: 

FDIC: 
Federal Deposit Insurance Corporation: 
Deputy to the Chairman and CFO: 
550 17th Street NW: 
Washington, DC. 20429-9990: 

June 30, 2008: 

Mr. Steven J. Sebastian: 
Director, Financial Management and Assurance: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Sebastian: 

Thank you for providing the U.S. Government Accountability Office's 
(GAO) draft report titled, Management Report: Opportunities for 
Improvements in FDIC's Internal Controls and Accounting Procedures (GAO-
08-863R) for review and comment. The report discusses the matters that 
were identified during the audits of the Federal Deposit Insurance 
Corporation's (FDIC) 2007 financial statements regarding internal 
controls and accounting procedures and the recommendations for 
strengthening them. Although GAO believes that these matters warrant 
management's attention, we are pleased that GAO acknowledged that they 
are not material in relation to the financial statements and does not 
consider them to be material weaknesses or significant deficiencies. 

We appreciate GAO's work on the 2007 audits and recognize the benefit 
of the recommendations that were made. FDIC has already completed 
actions to address some of the recommendations and will be implementing 
the remaining recommendations. Our detailed management responses are 
provided in Attachment 1. 

FDIC remains committed to improving its financial operations and 
maintaining effective internal control. We appreciate your support of 
these efforts and look forward to continuing the productive 
collaboration during the course of this year's audit. If you have any 
questions relating to our responses, please contact James H. Angel, 
Jr., Director, Office of Enterprise Risk Management, at 703-562-6456. 

Sincerely, 

Signed by: 

Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 

Attachment: 

cc: John Bovenzi: 
Bret Edwards: 
Arleas Upton Kea: 
Mitchell Glassman: 
James H. Angel, Jr. 
Audit Committee: 

Attachment 1: 
FDIC Responses To 2007 GAO Management Report: 

Receivership Receipts (Mailroom and Cashier Controls): 

GAO found that FDIC did not properly account for checks in its Dallas 
mailroom. FDIC also lacked adequate procedures and controls to 
safeguard transported checks for deposit, increasing the risk of theft, 
loss, or misappropriation of these assets. 

Recommendation 1: 

GAO recommended that FDIC ensure that mailroom contractor staff follow 
procedures for entering information from checks received into an 
electronic spreadsheet and perform necessary reconciliations. 

Management Response: 

FDIC concurs with the recommendation. However, it should be noted that 
the mailroom staff maintained two logs for recording checks. The first 
log was a manual log book with the date preprinted on the top of the 
page. The second log was created in an electronic spreadsheet that was 
initialed by both parties. As the manual log was not initialed, GAO 
deemed the staff was not properly recording these checks even though 
the electronic spreadsheet was initialed by the mailroom staff. To 
avoid this confusion, the Division of Administration, as was stated in 
its response to GAO in April 2008, eliminated the manual log book and 
is maintaining the electronic spreadsheet only. The mailroom staff 
enters all checks into the electronic spreadsheet and the spreadsheet 
is initialed by one employee, verified by another, and dated. The email 
confirmation received from the Cashiers Unit, along with a copy of the 
check log, is filed daily. The email confirmation is visually 
reconciled with the daily electronic spreadsheet. The completion date 
was April 30, 2008, and FDIC considers the recommendation implemented. 

Recommendation 2: 

GAO recommended that FDIC review the Mail Center Standard Operating 
Procedures Manual and make necessary revisions to reflect current 
procedures and controls over mailroom check processing. 

Management Response: 

FDIC concurs with the recommendation. The Division of Administration is 
currently reviewing the Mail Center Operations Manual. It should be 
noted that interim guidance was issued in 2006 and in 2007 to all 
mailroom staff clarifying the opening of mail and the processing of 
checks. The current review and revision of the Mail Center Operations 
Manual will incorporate the interim guidance. The completion date is 
December 31, 2008. 

Recommendation 3: 

GAO recommended that FDIC establish procedures to require remote 
electronic deposits and thus eliminate the need for a courier service 
and the risks associated with using a courier. 

Management Response: 

FDIC concurs with the recommendation. FDIC has begun the process of 
implementing a Remote Capture service through JP Morgan Chase, which 
will eliminate the need for the courier service. Remote Capture will 
convert all checks received directly by FDIC to electronic files and 
cause a daily deposit for the total amount of the checks into FDIC's 
primary account. Equipment, system requirements, pricing, and 
maintenance have been agreed upon. FDIC expects to begin using Remote 
Capture service by July 30, 2008, once the file format and its 
compatibility for upload into FDIC's cashier module is finalized. 

Recommendation 4: 

GAO recommended that FDIC require the Cashiers Unit staff to verify the 
identity of the courier, obtain a receipt for the checks, and ensure 
that the courier is bonded until such time as FDIC implements a remote 
electronic deposit process. 

Management Response: 

FDIC concurs with the recommendation. As stated in the response to 
recommendation 3, FDIC expects to begin using Remote Capture service by 
July 30, 2008, which will eliminate the need for a courier. In the 
interim, FDIC has implemented procedures requiring the Cashiers Unit 
staff to verify the identity of the courier and obtain receipts for 
checks. FDIC has confirmed that the courier is bonded. 

Operating Expense Coding: 

GAO found that FDIC's process for approving payment transactions in its 
accounting system did not always timely prevent or detect errors in 
recording these transactions, increasing the risk that operating 
expenses may be incorrectly classified and presented in the financial 
statements. 

Recommendation 5: 

GAO recommended that FDIC issue written notification to all individuals 
involved with processing Intragovernment Payments and Collections 
(IPAC) transactions reminding them of their responsibility to properly 
review and accurately record these transactions to minimize the risk of 
charging expenses to the wrong account. 

Management Response: 

FDIC concurs with the recommendation. As stated in GAO's finding, the 
coding errors on two IPAC transactions were the result of human error. 
The coding from an earlier similar transaction was incorrectly recorded 
on these transactions and the coding error was not detected in the 
review and approval process by either the disbursement staff or the 
Oversight Manager. The Division of Finance issued emails to the 
disbursement staff and the Oversight Managers reminding them of their 
responsibility to properly review and accurately record transactions to 
minimize the risk of charging expenses to the wrong account. The 
completion date was June 25, 2008. 

[End of enclosure] 

Enclosure 2: 

Details on Audit Scope and Methodology: 

To fulfill our responsibilities as auditor of the financial statements 
of the two funds administered by FDIC, we did the following: 

* examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements; 

* assessed the accounting principles used and significant estimates 
made by management; 

* evaluated the overall presentation of the financial statements; 

* obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets) and compliance with selected 
laws and regulations; 

* tested relevant internal controls over financial reporting and 
compliance, and evaluated the design and operating effectiveness of 
internal control; 

* considered FDIC's process for evaluating and reporting on internal 
control based on criteria established by 31 U.S.C.  3512 (c), (d) 
(commonly referred to as the Federal Managers' Financial Integrity 
Act); and: 

* tested compliance with applicable laws and regulations, including 
selected provisions of the Federal Deposit Insurance Act, as amended, 
and the Chief Financial Officers Act of 1990. 

[End of enclosure] 

Footnotes: 

[1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2007 and 2006 Financial Statements, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-416] (Washington, D.C.: Feb. 11, 2008). 

[2] A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. A significant deficiency is a control 
deficiency, or combination of control deficiencies, that adversely 
affects the entity's ability to initiate, authorize, record, process, 
or report financial data reliably in accordance with generally accepted 
accounting principles such that there is more than a remote likelihood 
that a misstatement of the entity's financial statements that is more 
than inconsequential will not be prevented or detected. 

[3] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] 
(Washington, D.C.: Nov. 1999). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: