This is the accessible text file for GAO report number GAO-04-522T entitled 'Federal Deposit Insurance Corporation: Results of 2003 and 2002 Financial Audits' which was released on March 04, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please e-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Testimony: Before the Subcommittee on Oversight and Investigations, Committee on Financial Services, House of Representatives:

For Release on Delivery Expected at 10 a.m. EST Thursday, March 4, 2004:

Federal Deposit Insurance Corporation: Results of 2003 and 2002 Financial Audits:

Statement of Jeanette Franzel, Director, Financial Management and Assurance:

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-522T]

GAO Highlights:

Highlights of GAO-04-522T, testimony before the Subcommittee on Oversight and Investigations, Committee on Financial Services, House of Representatives

Why GAO Did This Study:

GAO is required to annually audit the financial statements of the three funds administered by the Federal Deposit Insurance Corporation (FDIC): the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC (Federal Savings and Loan Insurance Corporation) Resolution Fund (FRF). GAO is responsible for obtaining reasonable assurance about whether FDIC's financial statements for BIF, SAIF, and FRF are presented fairly in all material respects, in conformity with U.S. generally accepted accounting principles, whether FDIC maintains effective internal controls, and whether FDIC has complied with selected laws and regulations.

Created in 1933 to insure bank deposits and promote sound banking practices, FDIC plays an important role in maintaining public confidence in the nation's financial system. In 1989, legislation to reform the federal deposit insurance system created three funds to be administered by FDIC: BIF and SAIF, which protect bank and savings deposits, and FRF, which was created to close out the business of the former Federal Savings and Loan Insurance Corporation.

GAO was asked by the Chairwoman of the House Subcommittee on Oversight and Investigations, Committee on Financial Services, to discuss the results of its February 13, 2004, report, Financial Audit: Federal Deposit Insurance Corporation Funds' 2003 and 2002 Financial Statements (GAO-04-429).
What GAO Found:

In reporting on the results of the 2003 and 2002 audits, GAO issued unqualified, or "clean," opinions on the three funds administered by the Federal Deposit Insurance Corporation (FDIC)—the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). This means that the funds' financial statements presented fairly, in all material respects, their financial position as of December 31, 2003 and 2002. FDIC also maintained, in all material respects, effective control over financial reporting (including safeguarding of assets) and compliance with laws and regulations. GAO identified one reportable internal control weakness in the area of information system security controls, which although not considered material, is nevertheless considered a significant deficiency in the design or operation of controls.

GAO has reported weaknesses in FDIC's information systems security for a number of years. Although GAO continued to consider information security weaknesses to be a reportable condition for 2003, we also found that FDIC has made significant progress in correcting the computer security weaknesses we previously identified. FDIC took action to address current and prior-year weaknesses, including completing action on all of the 22 weaknesses that remained open from GAO's 2001 audit and 28 of the 29 weaknesses from our 2002 audit. However, GAO's work in 2003 identified 22 additional security weaknesses in FDIC's information systems.

FDIC has made substantial progress in more fully implementing a computer security management program. However, it only recently established a program to test and evaluate its computer control environment, and this program does not yet include all key areas. A mature, comprehensive, ongoing program of tests and evaluations of control would enable FDIC to better identify and correct information system security problems such as those found in our review.
FDIC has reported that banks and savings institutions it insures have experienced record earnings during 2003. The financial condition of BIF and SAIF is also showing positive trends. The fund balances, or net worth, for both BIF and SAIF increased during fiscal year 2003. And, the current level of estimated losses from probable failures of insured institutions is low relative to the estimated liabilities that FDIC has recorded over the last 10 years.

It is important to remember that GAO's opinions on FDIC's financial statements and its overall positive report on internal controls reflect a point in time. This also holds true for the positive financial trends that FDIC and insured financial institutions are currently experiencing. FDIC must continually monitor its business environment, assess the related risks, and adapt its internal operations as well as its insurance and supervision and monitoring functions to manage risk and maximize the value of its overall mission. FDIC is taking action to improve its risk monitoring and operations in several areas, including financial risk management, future financial management and information needs, and information technology security and processes.

www.gao.gov/cgi-bin/getrpt?GAO-04-522T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Jeanette Franzel at (202) 512-9471 or franzelj@gao.gov.

[End of section]

Madam Chairwoman and Members of the Subcommittee:

I am pleased to be here today to discuss the results of our audits of the Federal Deposit Insurance Corporation (FDIC) Funds' Financial Statements. We are required by the Federal Deposit Insurance Act[Footnote 1] to annually audit the financial statements of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF), which are administered by FDIC.
Our recent report,[Footnote 2] issued on February 13, 2004, presents the results of our audits of the funds' 2003 and 2002 financial statements. Today, I will discuss the results of those audits, including the substantial progress that FDIC has made in the area of information security controls. In addition, I will provide some information on FDIC's financial condition and results and considerations for the future.

Audit Results:

In our audits of the 2003 and 2002 financial statements for BIF, SAIF, and FRF, we found:

* the financial statements of each fund are presented fairly in all material respects in conformity with U.S. generally accepted accounting principles,

* although internal controls in the area of information system security should be improved, FDIC had effective internal control over financial reporting (including safeguarding of assets) and compliance with laws and regulations, and

* no reportable noncompliance with the laws and regulations we tested.

We issued unqualified or "clean" opinions on the financial statements for BIF, SAIF, and FRF. This means that the financial statements and accompanying notes for each fund presented fairly, in all material respects, the financial position as of December 31, 2003 and 2002, and the results of operations and cash flows for the years then ended and were in conformity with U.S. generally accepted accounting principles.

In order to reach our conclusions about the financial statements, we (1) tested evidence supporting the amounts and disclosures in the financial statements, (2) assessed the accounting principles used and significant estimates made by management, and (3) evaluated the presentation of the financial statements. We also considered the results of our work in internal control when designing the nature and extent of our audit tests.
Regarding FDIC's internal control, we concluded that FDIC management maintained, in all material respects, effective control over financial reporting (including safeguarding of assets) and compliance as of December 31, 2003. We identified one reportable internal control weakness related to information system security controls, which although not considered material, is nevertheless considered a significant deficiency in the design or operation of controls. We also noted that FDIC made substantial progress during 2003 in this area. I will discuss FDIC's progress and the remaining work that needs to be completed in more detail in a later section of this testimony.

Our evaluation of internal control covered FDIC's financial reporting controls, which are the policies, processes, and management in place to meet the financial reporting objectives of ensuring that transactions are:

* properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles and assets are safeguarded against loss from unauthorized acquisition, use, or disposition and

* executed in accordance with laws and regulations that could have a direct and material effect on the financial statements.

In the course of performing our work on internal control, we obtained an understanding of FDIC's internal control, evaluated the design and operating effectiveness of internal control, and tested specific procedures and controls. We also considered FDIC's "control environment" and "tone at the top," which refer to management's commitment to setting and maintaining the organization's ethical tone and a positive and supportive attitude toward internal control and conscientious management.

During the course of our audit, we also tested compliance with selected provisions of laws and regulations that have a direct and material impact on the financial statements.
For example, we tested for compliance with sections of the Federal Deposit Insurance Act that require FDIC to monitor the designated reserve ratio, set semiannual assessments for each fund, and keep full and complete accounting records for all costs and expenses. Our tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance.

This year's audit was notable in that it marked the first year that FDIC's audited financial statements were issued within 45 days of year end. FDIC's year end is December 31, and our audit report was issued on February 13, 2004. In contrast to other agencies that are making heroic efforts and using large amounts of resources to meet the accelerated reporting date, FDIC has achieved this milestone through solid financial processes and controls that help to ensure accurate and reliable financial reporting throughout the year, so that the preparation of the financial statements and the related audit can be completed in a short time after year end. We worked cooperatively with FDIC to begin accelerating the financial reporting and audit process in 2002. FDIC's accelerated reporting puts it in sync with the requirements for other federal agencies to issue their audited agency financial statements for fiscal year 2004 within 45 days of year end.[Footnote 3]

FDIC Has Made Substantial Improvements in Information System Security Controls, but Weaknesses Remain:

We have reported weaknesses in FDIC's information system security for a number of years. Although we continued to consider such weaknesses to be a reportable condition for 2003, we also found that FDIC has made substantial progress in correcting the security weaknesses we previously identified.
FDIC took action to address current and prior-year weaknesses, including completing action on all of the 22 weaknesses that remained open from our 2001 audit,[Footnote 4] and 28 of the 29 weaknesses from our 2002 audit.[Footnote 5] In addition, FDIC has made substantial progress in more fully implementing an information system security management program to address the remaining weaknesses identified in our 2002 audit.

Effective information system controls are essential to safeguarding financial data, protecting computer application programs, providing for the integrity of system software, and ensuring continued operations in case of unexpected interruption. Our work in 2003 identified 22 additional information security weaknesses in FDIC's information systems. Specifically, FDIC had not adequately limited the access granted to all authorized users or completely secured access to its network. The risk created by these access weaknesses was heightened because FDIC had not completed a program to fully monitor access activity to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. Consequently, critical FDIC financial and sensitive personnel and bank examination information were at risk of unauthorized disclosure, disruption of operations, or loss of assets.

A key reason for FDIC's continuing weaknesses in information system security controls is that it has not yet fully implemented all of the elements of a comprehensive security management program. An effective program includes the following elements:

1. a central security management structure to provide overall security policy, guidance, and oversight;

2. policies and procedures that are based on risk assessments and reduction of risks to ensure that information security is addressed throughout the life cycle of each system and applicable requirements are met;

3. security awareness training to inform all users of information security risks and users' responsibilities in complying with information security policies and procedures;

4. periodic assessment of risk and magnitude of harm that could result from unauthorized access, use, or disruption of information systems; and

5. a program of testing and evaluating the effectiveness of information security policies, procedures, and practices relating to management, operational, and technical controls of every major system.

FDIC has made substantial progress in implementing a comprehensive information system security management program. Specifically, FDIC has (1) strengthened its central security management structure, (2) updated its security policies and procedures, (3) enhanced security awareness training, and (4) developed and begun to implement a risk assessment program.

The fifth and final key element of an effective information security program is ongoing review, testing, and evaluation of information security to ensure that systems are in compliance with policies and procedures and to identify and correct weaknesses that may occur. FDIC began implementing this program during 2003. In October 2003, FDIC used a contractor to (1) develop a self-assessment process that includes annual general and application control reviews and (2) begin to perform ongoing quarterly tests of FDIC systems. While FDIC has done much to establish an ongoing program of tests and evaluations to review its computer control environment, this program does not yet address all key areas. Specifically, it does not include adequate provisions to ensure that (1) all key computer resources supporting FDIC's financial environment are routinely reviewed and tested, (2) weaknesses detected are analyzed for systemic solutions, (3) corrective actions are independently tested, and (4) newly identified weaknesses or emerging security threats are incorporated into the test and evaluation process.
Incorporating these provisions into its test and evaluation process should allow FDIC to better identify and correct security problems, such as those identified in our 2003 audit. FDIC management has shown a strong commitment to fully establishing a comprehensive security management program that includes a complete review, testing, and evaluation program. Fully establishing such a program should provide FDIC with a solid foundation for resolving computer security problems and managing its information security risks on an ongoing basis.

FDIC's Financial Condition and Results:

The two deposit insurance funds administered by FDIC--BIF and SAIF--insured 9,182 commercial banks and savings institutions with over $9 trillion in assets and $3.5 trillion in insured deposits as of December 31, 2003. FDIC has reported that the banks and savings institutions it insures experienced record earnings during 2003. FDIC has also identified overall favorable trends in the loss provisions in the industry. However, within those trends, FDIC has noted risk and worsening asset quality in residential mortgage loans and credit card loans.

During 2003, three BIF-insured institutions with assets of $1.1 billion failed, at an estimated cost of $103 million to the fund. At December 31, 2003, BIF had a recorded liability of $178 million in estimated losses for institutions that are likely to fail within one year of the reporting date unless some favorable event occurs, such as obtaining additional capital or merging. As of December 31, 2003, SAIF had a recorded liability of $3.2 million in estimated losses for institutions that are likely to fail within one year. As shown in figures 1 and 2, the current level of estimated recorded liability for failures of insured institutions is relatively low, when compared to the estimated liabilities that FDIC recorded for probable bank failures over the past 10 years.
Figure 1: Bank Insurance Fund Estimated Liability for Anticipated Failures, December 31, 1994 through December 31, 2003:

[See PDF for image]

[End of figure]

Figure 2: Savings Association Insurance Fund Estimated Liability for Anticipated Failures, December 31, 1994 through December 31, 2003:

[See PDF for image]

[End of figure]

The fund balances for both BIF and SAIF increased during fiscal year 2003. Fund balance represents the difference between assets and liabilities and is a basic measure of the funds' net worth. Fund balance also represents the cumulative net income of the funds, and each year fund balance changes by the amount of comprehensive income earned or losses incurred by the funds. As of December 31, 2003, BIF's fund balance had increased by $1.7 billion to $33.8 billion, and SAIF's fund balance had increased by $493 million to $12.2 billion. For the year ended 2003, BIF and SAIF had comprehensive income of $1.7 billion and $493 million, respectively. During 2003, assessments, interest revenue, and unrealized gains decreased from what was earned during 2002, but those decreases were more than offset in BIF and partially offset in SAIF by a reduction in the estimated losses for future failures.

The Federal Deposit Insurance Corporation Improvement Act of 1991 requires FDIC to maintain the fund balances for BIF and SAIF at a designated reserve ratio of at least 1.25 percent of estimated insured deposits. From lows significantly below 1.25 percent in 1991, the reserve ratios of both BIF and SAIF had risen above that threshold by 1996. They have remained at or above 1.25 percent since 1996 and were at 1.33 percent for BIF and 1.41 percent for SAIF as of December 31, 2003. Figures 3 and 4 show the changes in the reserve ratio for both funds from 1991 through 2003.
Figure 3: Bank Insurance Fund Reserve Ratios from December 31, 1991 through December 31, 2003:

[See PDF for image]

[End of figure]

Figure 4: Savings Association Insurance Fund Reserve Ratios from December 31, 1991 through December 31, 2003:

[See PDF for image]

[End of figure]

FDIC also manages FRF, which fulfills the obligations of the former Federal Savings and Loan Insurance Corporation and the former Resolution Trust Corporation (RTC). As of December 31, 2003, FRF had $3.5 billion in assets remaining. Of that total, $3.3 billion was in the form of cash and cash equivalents, and approximately $200 million represented estimated recoveries from receiverships for failed institutions. In contrast, FRF had $11.6 billion in assets at December 31, 1996, after it assumed the assets and liabilities of RTC. As of December 31, 2003, 52 of the 850 FRF receiverships remained active, primarily due to unresolved litigation.

Considerations for the Future:

It is important to remember that our opinions on FDIC's financial statements and our overall positive report on internal controls reflect a point in time. This also holds true for the positive financial trends that FDIC and insured financial institutions are currently experiencing. The banking and financial services environment is constantly changing, and in its role as insurer of financial institutions, FDIC must continually monitor its business environment, assess the related risks, and adapt its internal operations as well as its insurance and supervision and monitoring functions to manage risk and maximize the value of its overall mission.
To respond to the need to update and improve its risk monitoring and measurement process, FDIC has ongoing efforts in place to:

* review and update its method for estimating the contingent liability for anticipated future failures of financial institutions;

* establish new processes to meet future financial management and financial information needs; and

* improve information technology (IT) processes, including its information system security management program.

During 2003, FDIC hired an outside consulting firm to review its financial risk management practices. The review focused on FDIC's methods and procedures for estimating the liability associated with future failures of financial institutions. FDIC initiated revisions to this methodology in the third quarter of 2003 and is planning additional revisions during 2004. FDIC last changed this methodology in 1997. The current and planned changes primarily relate to the methodology used to estimate potential failure and loss rates of insured financial institutions.

FDIC is also developing new financial systems to enhance its ability to meet future financial management and financial information needs. A related benefit of moving to more modernized systems is the ability to redirect staff resources from processing individual transactions to carrying out value-added accountability functions, such as financial analysis, decision making, and risk management functions. FDIC's current financial system was implemented in 1986, and it currently limits progress within FDIC because it is composed of many stand-alone applications that need work-around and labor-intensive processes to interface with FDIC's core general ledger system. This current environment necessitates redundant data entry and requires the use of significant staff resources to gather and reconcile data and correct errors.
The constant changes to its operational environment require FDIC to identify opportunities to improve its computerized processes in support of operations while maintaining effective internal control and computer security. FDIC's computerized processes are key to its mission. They are critical to all of FDIC's internal operations and business lines, including insurance, supervision, consumer protection, and receivership management. With the constantly changing IT and business environment in which FDIC operates, it is critical that FDIC maintain sound IT systems, with adequate internal control and security and applications, to effectively support and carry out its mission.

In summary, the results of our audits for 2003 were positive--clean opinions on the financial statements and overall effective internal control, with significant improvements in the area of information system security controls, which we have been reporting as a significant deficiency for several years. We have seen a strong commitment from FDIC management in promoting excellence in financial reporting and internal control. FDIC is continuing to take important steps to monitor risk, modernize its systems, and adapt to change.

FDIC's mission of insuring deposits in our nation's financial institutions is critical to the citizens of this country and our nation's economy. With the banking and financial services environment constantly changing, FDIC must continually monitor its business environment and related risks, and adapt its internal operations as well as its insurance and supervision and monitoring functions to manage risk and maximize the value of its overall mission.

This testimony is based on our most recent audit of the FDIC funds' 2003 financial statements as well as our previous years' audits, which were conducted in accordance with generally accepted government auditing standards.

Madam Chairwoman, that concludes my prepared statement.
I would be pleased to answer any questions you or the other members of the Subcommittee may have.

Contacts and Acknowledgments:

Should you have any questions about this testimony, please contact me at (202) 512-9471 for financial issues or Robert Dacey at (202) 512-3317 for information technology issues. We can also be reached by e-mail at [Hyperlink, franzelj@gao.gov] and [Hyperlink, daceyr@gao.gov]. Other major contributors to this testimony were Ronald Bergman, Gary Chupka, Julia Duquette, Maxine Hattery, Dave Irvin, Meg Mills, Tim Murray, Ed Tanaka, and Charles Vrabel.

(194391):

FOOTNOTES

[1] 12 U.S.C. 1827(d).

[2] Financial Audit: Federal Deposit Insurance Corporation Funds' 2003 and 2002 Financial Statements, GAO-04-429 (Washington, D.C.: Feb. 13, 2004).

[3] Office of Management and Budget Bulletin No. 01-09, Form and Content of Agency Financial Statements (as amended by Memorandum for Chief Financial Officers and Inspectors General dated December 21, 2001).

[4] See U.S. General Accounting Office, FDIC Information Security: Progress Made but Existing Weaknesses Place Data at Risk, GAO-03-630 (Washington, D.C.: June 18, 2003).

[5] See U.S. General Accounting Office, FDIC Information Security: Improvements Made but Weaknesses Remain, GAO-02-689 (Washington, D.C.: July 15, 2002).