This is the accessible text file for GAO report number GAO-04-674R 
entitled 'Posthearing Questions Related to the Federal Deposit 
Insurance Corporation's 2003 and 2002 Financial Audits' which was 
released on April 20, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

April 20, 2004:

The Honorable Sue W. Kelly:

Chairwoman:

Subcommittee on Oversight and Investigations:

Committee on Financial Services:

House of Representatives:

Subject: Posthearing Questions Related to the Federal Deposit Insurance 
Corporation's 2003 and 2002 Financial Audits:

Dear Madam Chairwoman:

On March 4, 2004, I testified before your subcommittee at a hearing on 
oversight of the Federal Deposit Insurance Corporation (FDIC)[Footnote 
1] and discussed the results of our 2003 and 2002 audits of FDIC's 
financial statements.[Footnote 2] This letter responds to subsequent 
questions that you asked me to answer for the record. The questions and 
my responses follow.

1. The FDIC has made significant progress in correcting the computer 
security weaknesses identified in GAO's 2002 report. Do you feel that 
the FDIC is on the right path to correct the 22 new information 
security weaknesses identified through your oversight in 2003? How will 
GAO monitor the agency in the coming months to ensure that these 
weaknesses are addressed?

FDIC has been responsive to addressing information security weaknesses 
we have previously reported. For example, during the past year, FDIC 
corrected 28 of 29 weaknesses that were still open from our 2002 
calendar year financial audit. Similarly, prior to the completion of 
our audit, the corporation developed a comprehensive corrective action 
plan to address each of the 22 new information security weaknesses 
identified in our calendar year 2003 financial audit. If fully and 
effectively implemented, FDIC's corrective actions should address each 
of the security deficiencies identified.

In addition to these 22 weaknesses, as we included in our testimony, a 
key reason for FDIC's continuing weaknesses in information system 
security controls is that it has not yet fully implemented all elements 
of a comprehensive security management program. Such a program is 
critical to resolving existing computer security problems and 
continuously managing information security risks, and includes a 
testing and evaluation program to ensure that systems are in compliance 
with policies and procedures and to identify and correct weaknesses 
that may occur. While FDIC has done much to establish a complete 
security management program, its review, testing, and evaluation 
program does not yet address all key areas. FDIC management currently 
has a plan in place to establish a comprehensive security management 
program that includes a complete review, testing, and evaluation 
program. Implementing such a program should allow FDIC to better 
identify and correct security problems, such as those identified in our 
2003 audit.

We will continue to monitor FDIC's progress in addressing the 22 
information security weaknesses and in implementing its comprehensive 
security management program. During the course of the next several 
months, we plan to meet periodically with FDIC's Chief Information 
Officer and his staff to discuss their progress in implementing their 
corrective action plans. Further, in connection with our calendar year 
2004 financial audit, we will follow up on the status of these 
weaknesses and perform tests, as appropriate, to determine whether 
adequate actions were taken to remediate the information security 
weaknesses.

2. In your testimony, you state that since the banking and financial 
services environment is constantly changing, the FDIC must continually 
monitor its business environment and related risks, and adapt its 
internal operations as well as its monitoring functions to manage risk 
and maximize its overall mission. What steps is GAO taking to uphold 
its high audit standards in this constantly changing financial services 
environment?

GAO has a two-pronged approach for keeping pace with the constantly 
changing environment in which we conduct our audits. First, we update 
our own audit methodology, the Financial Audit Manual (FAM), to reflect 
current issues and updated auditing standards. For example, soon we 
will be requesting comments on an exposure draft that will update the 
FAM, primarily to incorporate the provisions of Statement on Auditing 
Standards 99, Consideration of Fraud in a Financial Statement Audit. 
Second, during the audit process we monitor and review FDIC's actions 
to adapt and improve its operations to a changing environment. FDIC is 
currently in the process of changing the methodology it uses to 
estimate potential failure and loss rates of insured financial 
institutions and of developing new financial systems to enhance its 
ability to meet financial management and information needs. As part of 
our audit, we will analyze FDIC's new and revised methodologies and 
programs to determine if they follow a reasonable approach and include 
the proper internal controls over the accuracy and completeness of the 
data being captured and the results.

We are sending copies of this letter to the Ranking Minority Member and 
Vice Chairman of your subcommittee. This letter is also available on 
GAO's Web site at www.gao.gov.

If you or your staff have questions about the responses to your 
questions, please contact me at (202) 512-9471 for financial issues or 
Robert Dacey at (202) 512-3317 for information technology issues. We 
can also be reached by e-mail at franzelj@gao.gov or daceyr@gao.gov.

Sincerely yours,

Signed by: 

Jeanette M. Franzel:

Director:

Financial Management and Assurance:

(194393):

FOOTNOTES

[1] U.S. General Accounting Office, Federal Deposit Insurance 
Corporation: Results of 2003 and 2002 Financial Audits, GAO-04-522T 
(Washington, D.C.: Mar. 4, 2004). 

[2] U.S. General Accounting Office, Financial Audit: Federal Deposit 
Insurance Corporation Funds' 2003 and 2002 Financial Statements, 
GAO-04-429 (Washington, D.C.: Feb. 13, 2004).