This is the accessible text file for GAO report number GAO-04-677R entitled 'Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures' which was released on June 16, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. June 16, 2004: Mr. Steven O. App: Deputy to the Chairman and Chief Financial Officer: Federal Deposit Insurance Corporation: Subject: Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures: Dear Mr. App: In February 2004, we issued our opinions on the calendar year 2003 financial statements of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). We also issued our opinion on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal controls as of December 31, 2003, and our evaluation of FDIC's compliance with significant provisions of selected laws and regulations for the three funds for the year ended December 31, 2003.[Footnote 1] The purpose of this report is to discuss issues identified during our audits of the 2003 financial statements regarding accounting procedures and internal controls that could be improved and to recommend improvements to address these issues. Although these issues were not material in relation to the financial statements, we believe they warrant management's attention. We are making five recommendations for strengthening FDIC's accounting procedures and internal controls. We conducted our audits in accordance with U.S. generally accepted government auditing standards: Results in Brief: During 2003, we identified several internal control issues that affected FDIC's accounting for the funds it administers. These weaknesses would have resulted in reporting errors had they not been detected and corrected. Specifically, we found the following: FDIC erroneously accounted for funds it received related to securitizations that terminated in prior years, which would have caused the related FRF account balances to be misstated. FDIC did not always follow its procedures relating to time and attendance reporting, which would have resulted in an improper allocation of operating expenses among the funds. FDIC made errors in calculations supporting its allowance for losses on receivables from thrift resolutions. These errors would have led to misstatements in FRF's financial statements. At the end of our discussion of each of these issues in the following sections, we make recommendations for strengthening FDIC's internal controls. Implementation of these recommendations is intended to bring FDIC into conformance with the internal control standards that federal agencies are required to follow.[Footnote 2] In its comments, FDIC agreed with our recommendations and described actions it has taken or plans to take to address the control weaknesses described in this report. At the end of our discussion of each of the issues in this report, we have summarized FDIC's related comments and our evaluation. Scope and Methodology: As part of our audits of the 2003 and 2002 financial statements of the three funds administered by FDIC, we evaluated the corporation's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. We requested comments on a draft of this report from the FDIC Deputy to the Chairman and Chief Financial Officer. We received written comments and have reprinted the comments in enclosure I. Further details on our scope and methodology are included in our report on the results of our audits of the 2003 and 2002 financial statements and are reproduced in enclosure II. Accounting for Terminated Securitizations: During our 2003 financial audit, we found that FDIC did not always properly account for the funds it received related to terminated securitization deals. This resulted in certain account balances for FRF being misstated. GAO's Standards for Internal Control in the Federal Government[Footnote 3] requires that transactions be accurately recorded. The former Resolution Trust Corporation (RTC)[Footnote 4] engaged in numerous securitization transactions as a means of recovering the value of assets from failed financial institutions. These transactions involved selling receivership loans to trusts that in turn issued bonds, known as mortgage-backed securities, to investors. Two types of assets resulted from these transactions: credit enhancement reserves and residual certificates. A portion of the proceeds from the sale of the bonds was placed in credit enhancement reserves to protect the bondholders from losses. Residual certificates entitle the holder to excess cash that results when the proceeds from the sale of the underlying loans is greater than the funds needed to pay off the bonds. FDIC, as the owner of the credit enhancement reserves and residual certificates, receives the remaining funds when a securitization deal terminates. When a deal terminates, the credit enhancement reserve account for the particular deal is adjusted to zero, and either a realized gain or loss is recorded. In a given year, FDIC may receive funds related to securitization deals that terminated in prior years. During our audit, we found that FDIC erroneously accounted for four of the five instances in which it received funds related to securitization deals that terminated in prior years.[Footnote 5] While FDIC correctly determined that funds it received in 2003 pertained to the credit enhancement reserves on the terminated deals, it improperly recorded journal entries that erroneously decreased (credited) the credit enhancement reserve account instead of adjusting the realized gain or loss account. This resulted in the related FRF account balances being understated. FDIC recorded entries to correct these errors after we brought this matter to its attention. FDIC's policy requires that accounting entries for cash collections related to the RTC securitization deals not be made by staff responsible for administering the deals. The accounting entries are required to be made by staff from another business unit, but are to be made at the direction of staff responsible for administering the deals. The journal entries we reviewed were approved and recorded in FDIC's general ledger by staff other than those responsible for administering the securitization deals. However, there was no evidence on the journal entries that staff preparing the entries had received the required input and direction from staff responsible for administering the securitization deals. In addition, training of new staff responsible for administering securitization-related transactions did not cover activity related to previously terminated deals. These factors contributed to the errors we identified during our testing of securitization transactions. Recommendation: We recommend that FDIC management formally remind staff responsible for recording activity associated with securitization transactions of the need to obtain input and approval from the individual responsible for administering the securitization deals prior to recording the activity in FDIC's accounting records. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. In response to our finding, FDIC management stated that they have reiterated to staff responsible for recording cash transactions, including securitization activity, the procedures relating to proper preparation, documentation, and review of journal vouchers. We will evaluate the effectiveness of FDIC's actions during our 2004 financial audit. Time and Attendance Reporting: During our 2003 financial audit, we found that FDIC's controls over time and attendance reporting did not always ensure that such information was properly recorded, resulting in incorrect reporting. GAO's Standards for Internal Control in the Federal Government[Footnote 6] requires that all transactions be recorded accurately and timely, all transactions and other significant events be clearly documented, and the documentation should be readily available for examination. FDIC's payroll processing procedures call for employees to complete a Corporate Time and Attendance Worksheet (CTAW) and submit it to a timekeeper. The timekeeper reviews the CTAW and the supporting documents and enters the data into the corporation's Biweekly Time and Attendance System. The timekeeper prints a Time and Attendance Report for Certification (Report for Certification) for each employee, and compares the report to each employee's CTAW to ensure data was entered completely and correctly. Supervisors are required to compare the Report for Certification, the CTAW, and all other supporting documents for consistency and accuracy. Additionally, supervisors verify the accuracy of the employee's hours worked and leave taken, and ensure that hours are charged to the correct fund, organization, program, location, and project codes. The supervisor signs and dates each employee's Report for Certification, certifying the accuracy of the data. Timekeepers are required to receive all approved time and attendance related documents and reports from the supervisor, and file all original documents in a locked file cabinet. In testing a sample of operating expenses, we found three cases where the CTAW and Report for Certification entries did not match. These errors were not discovered by either the timekeeper or the supervisor, resulting in the incorrect recording of these transactions. In two cases, the organization/program coding was incorrect, which would have resulted in an improper allocation of operating expense among the funds had FDIC not corrected the errors when we brought them to its attention. In the third case, direct expense charges to BIF were incorrect. We also noted that, in a fourth case, the Report for Certification was not signed and it took FDIC 2 months to locate the related CTAW. Recommendation: We recommend that FDIC management formally remind: timekeepers of their responsibility to compare the Report for Certification to each employee's CTAW to ensure data was entered completely and correctly, supervisors of their responsibility to verify the accuracy of the employee's time and attendance data by signing and dating each employee's Report for Certification, and: timekeepers of their responsibility to receive all approved time and attendance documents and reports from supervisors and to file all original documents in a locked file cabinet. FDIC Comments and Our Evaluation: FDIC agreed with our recommendations. In response to our findings, FDIC stated that it had sent notices to its timekeepers and supervisors reminding them of their responsibilities and has held refresher timekeeper training courses. FDIC also stated that it would review its policy on time and attendance reporting to identify any needed improvements in the policy. We will evaluate the effectiveness of FDIC's actions during our 2004 financial audit. Asset Valuation: During our 2003 financial audit, we identified errors in certain calculations supporting the allowance for losses on receivables from thrift resolutions that were not identified during FDIC's normal supervisory review process. These errors, while not material to FRF's financial statements, nonetheless would have led to misstatements in the financial statements had we not identified them through the audit process. GAO's Standards for Internal Control in the Federal Government[Footnote 7] requires agencies to implement internal control procedures to ensure the accurate and timely recording of transactions and events. In addition, these standards require that qualified and continual supervision be provided to ensure that internal control objectives are achieved. FDIC's receivables from bank/thrift resolutions are paid off through the sale of failed bank/thrift assets of its receiverships. To determine the allowance for losses on its receivables from failed bank/ thrift resolutions, FDIC estimates values for the receivership assets to be disposed of through a Loan Loss Reserve (LLR) process. To ensure that consistent methods for valuing assets are being applied, FDIC developed a uniform Standard Asset Valuation Estimation (SAVE) methodology, which is documented in an asset valuation policies and procedures manual (the SAVE manual). Per the SAVE manual, equity in subsidiaries' assets are valued using the Subsidiary Cash Recovery Analysis Worksheets and Cash Flow Worksheets to determine the estimated present values of the assets' estimated recovery. As part of the cash flow analysis, future cash outflows and inflows are estimated and a discount rate from an assumption listed in the SAVE manual is to be applied. To further ensure both accuracy and consistency, the SAVE manual requires two levels of review after the valuation is prepared. Despite these requirements, we found that two of six assets we reviewed were not valued in accordance with the SAVE methodology. In both cases, the individual responsible for preparing the valuation failed to use the prescribed standard yield comparison rate as part of calculating the overall discount rate for equity in subsidiary assets. Additionally, in one of these cases, the preparer also made errors in the calculation of future cash flows, which contributed to the overall error found in the valuation of the asset. While FDIC had performed primary and secondary reviews of the asset valuations, both reviews failed to detect errors in the asset valuation calculations. FDIC corrected the errors after we brought them to its attention. While the errors, totaling over $570,000, were not material to the financial statements, they indicate that the review procedures are not fully effective in preventing or timely detecting errors in the asset valuation process. Recommendation: We recommend that FDIC management examine its current review procedures and controls related to its loan loss reserve estimation process and revise them if necessary to ensure the review guidelines are properly implemented. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. In response to our finding, FDIC stated that it had developed additional procedures to ensure proper review is being implemented. We will evaluate the effectiveness of FDIC's actions during our 2004 financial audit. This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this letter. This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. We are sending copies of this report to the Chairman and Ranking Minority Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Minority Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO's web site at http://www.gao.gov. We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2003 and 2002 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact Julia Duquette, Assistant Director, at (202) 512-5131 or duquettej@gao.gov. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures - 3: Enclosure I: Comments from the Federal Deposit Insurance Corporation: FDIC: Federal Deposit Insurance Corporation: 550 17th Street NW, Washington, D.C. 20429-9990 Deputy to the Chairman and CFO: May 26, 2004: Mr. Steven J. Sebastian, Director Financial Management and Assurance U.S. General Accounting Office: 441 G Street, NW Washington, DC 20548: Dear Mr. Sebastian: Thank you for the opportunity to respond to the draft report entitled, Management Report: Opportunities far Improvements in FDIC's Internal Controls and Accounting Procedures (GAO-04-677R). The report discusses issues that were identified during the 2003 financial statements audit regarding weaknesses in accounting procedures and internal controls and recommendations for improvement. As noted in the report, corrective actions were taken to address the internal control weaknesses that the audit team identified prior to the issuance of FDIC's 2003 yearend financial statements. We agreed with the findings and have implemented the recommendations as follow: Accounting for Terminated Securitizations: FDIC reiterated to staff responsible for recording cash transactions, including securitization activity, the procedures relating to the proper preparation, documentation, and review of journal vouchers. This covers documentation of any direction provided by the staff responsible for securitization accounting. Additionally, the remaining Resolution Trust Corporation securitization deal that was active as of December 31, 2003, was terminated in March 2004. Time and Attendance Reporting: On November 25, 2003, and again on May 24, 2004, a notice was sent to all Bi-weekly Time and Attendance (T&A) system administrators to remind timekeepers and supervisors of their T&A responsibilities to ensure that T&A data is complete and correct and that original documents are kept in a locked file cabinet. A corrective action plan was prepared and distributed on February 23, 2004, to address the errors discovered in the 2003 T&A audit. In addition, a refresher timekeeper training was held on March 9 and 10, 2004, for some divisions with the remaining division and office timekeepers to be trained in 2004. Also, on May 24, 2004, a notice was sent directly to all supervisors to remind them of their responsibilities to carefully review each employee's T&A information. Further, FDIC will review Circular 2300.5, Time and Attendance Reporting, for ways to improve the policy. Asset Valuation: The non-loan assets subject to this condition were noted and recalculated, thereby correcting the yield comparison spread rate. These corrections were made during the GAO review of assets in 2003. The Credit Notation System was modified in January 2004 to ensure there will be no yield comparison spread errors in future valuations for the Asset Loss Reserve (ALR) process. The Credit Notation System was amended to make certain that the current yield spread rate is utilized when valuing an asset for ALR. Prior to the changes, updating a previously used yield spread rate necessitated an unprompted input by the system user, resulting in the aforementioned errors. We developed additional procedures to ensure proper review is being implemented. Although the weaknesses were not material in relation to the financial statements, we believe that resolving them strengthen our internal control program. Our commitment to continue improvement of internal controls and accounting procedures remains as strong as ever. If you have any questions, please contact Michael MacDermott, Acting Director, Office of Enterprise Risk Management, at 202-736-0075. Sincerely, Signed by: Steven O. App: Deputy to the Chairman And Chief Financial Officer: cc: John Bovenzi Jodey Arrington Fred Selhy Mitchell Glassman Arleas Upton Kea Mike Bartell: Michael MacDermott: Enclosure II: Details on Audit Scope and Methodology: To fulfill our responsibilities as auditor of the financial statements of the three funds administered by the FDIC, we did the following: Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements; Assessed the accounting principles used and significant estimates made by management; Evaluated the overall presentation of the financial statements; Obtained an understanding of internal controls related to financial reporting (including safeguarding assets) and compliance with laws and regulations; Tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control; Considered FDIC's process for evaluating and reporting on internal control based on criteria established by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act); and: Tested compliance with selected provisions of the Federal Deposit Insurance Act, as amended, and the Chief Financial Officers Act of 1990. Enclosure III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Julia Duquette, (202) 512-5131: Gary Chupka, (202) 512-9314: Acknowledgments: Staff who made key contributions to this report were Ronald Bergman, John Craig, and Timothy Murray. (196015): FOOTNOTES [1] U.S. General Accounting Office, Financial Audit: Federal Deposit Insurance Corporation Funds' 2003 and 2002 Financial Statements, GAO- 04-429 (Washington, D.C.: Feb. 13, 2004). [2] U.S. General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). [3] GAO/AIMD-00-21.3.1 [4] FDIC is charged with the responsibility for the sale of the remaining assets and satisfaction of the liabilities associated with the RTC. [5] When these particular deals terminated, the trustees held back funds owed to FDIC because of unresolved issues with one or more of the parties to the deals. [6] GAO/AIMD-00-21.3.1 [7] GAO/AIMD-00-21.3.1