GAO-04-677R, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures


This is the accessible text file for GAO report number GAO-04-677R 
entitled 'Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures' which was released on June 
16, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

June 16, 2004:

Mr. Steven O. App:

Deputy to the Chairman and Chief Financial Officer:

Federal Deposit Insurance Corporation:

Subject: Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures:

Dear Mr. App:

In February 2004, we issued our opinions on the calendar year 2003 
financial statements of the Bank Insurance Fund (BIF), the Savings 
Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). 
We also issued our opinion on the effectiveness of the Federal Deposit 
Insurance Corporation's (FDIC) internal controls as of December 31, 
2003, and our evaluation of FDIC's compliance with significant 
provisions of selected laws and regulations for the three funds for the 
year ended December 31, 2003.[Footnote 1]

The purpose of this report is to discuss issues identified during our 
audits of the 2003 financial statements regarding accounting procedures 
and internal controls that could be improved and to recommend 
improvements to address these issues. Although these issues were not 
material in relation to the financial statements, we believe they 
warrant management's attention. We are making five recommendations for 
strengthening FDIC's accounting procedures and internal controls. We 
conducted our audits in accordance with U.S. generally accepted 
government auditing standards:

Results in Brief:

During 2003, we identified several internal control issues that 
affected FDIC's accounting for the funds it administers. These 
weaknesses would have resulted in reporting errors had they not been 
detected and corrected. Specifically, we found the following:

FDIC erroneously accounted for funds it received related to 
securitizations that terminated in prior years, which would have caused 
the related FRF account balances to be misstated.

FDIC did not always follow its procedures relating to time and 
attendance reporting, which would have resulted in an improper 
allocation of operating expenses among the funds.

FDIC made errors in calculations supporting its allowance for losses on 
receivables from thrift resolutions. These errors would have led to 
misstatements in FRF's financial statements.

At the end of our discussion of each of these issues in the following 
sections, we make recommendations for strengthening FDIC's internal 
controls. Implementation of these recommendations is intended to bring 
FDIC into conformance with the internal control standards that federal 
agencies are required to follow.[Footnote 2]

In its comments, FDIC agreed with our recommendations and described 
actions it has taken or plans to take to address the control weaknesses 
described in this report. At the end of our discussion of each of the 
issues in this report, we have summarized FDIC's related comments and 
our evaluation.

Scope and Methodology:

As part of our audits of the 2003 and 2002 financial statements of the 
three funds administered by FDIC, we evaluated the corporation's 
internal controls and its compliance with selected provisions of laws 
and regulations. We designed our audit procedures to test relevant 
controls, including those for proper authorization, execution, 
accounting, and reporting of transactions.

We requested comments on a draft of this report from the FDIC Deputy to 
the Chairman and Chief Financial Officer. We received written comments 
and have reprinted the comments in enclosure I. Further details on our 
scope and methodology are included in our report on the results of our 
audits of the 2003 and 2002 financial statements and are reproduced in 
enclosure II.

Accounting for Terminated Securitizations:

During our 2003 financial audit, we found that FDIC did not always 
properly account for the funds it received related to terminated 
securitization deals. This resulted in certain account balances for FRF 
being misstated. GAO's Standards for Internal Control in the Federal 
Government[Footnote 3] requires that transactions be accurately 
recorded.

The former Resolution Trust Corporation (RTC)[Footnote 4] engaged in 
numerous securitization transactions as a means of recovering the value 
of assets from failed financial institutions. These transactions 
involved selling receivership loans to trusts that in turn issued 
bonds, known as mortgage-backed securities, to investors. Two types of 
assets resulted from these transactions: credit enhancement reserves 
and residual certificates. A portion of the proceeds from the sale of 
the bonds was placed in credit enhancement reserves to protect the 
bondholders from losses. Residual certificates entitle the holder to 
excess cash that results when the proceeds from the sale of the 
underlying loans is greater than the funds needed to pay off the bonds. 
FDIC, as the owner of the credit enhancement reserves and residual 
certificates, receives the remaining funds when a securitization deal 
terminates. When a deal terminates, the credit enhancement reserve 
account for the particular deal is adjusted to zero, and either a 
realized gain or loss is recorded. In a given year, FDIC may receive 
funds related to securitization deals that terminated in prior years.

During our audit, we found that FDIC erroneously accounted for four of 
the five instances in which it received funds related to securitization 
deals that terminated in prior years.[Footnote 5] While FDIC correctly 
determined that funds it received in 2003 pertained to the credit 
enhancement reserves on the terminated deals, it improperly recorded 
journal entries that erroneously decreased (credited) the credit 
enhancement reserve account instead of adjusting the realized gain or 
loss account. This resulted in the related FRF account balances being 
understated. FDIC recorded entries to correct these errors after we 
brought this matter to its attention.

FDIC's policy requires that accounting entries for cash collections 
related to the RTC securitization deals not be made by staff 
responsible for administering the deals. The accounting entries are 
required to be made by staff from another business unit, but are to be 
made at the direction of staff responsible for administering the deals. 
The journal entries we reviewed were approved and recorded in FDIC's 
general ledger by staff other than those responsible for administering 
the securitization deals. However, there was no evidence on the journal 
entries that staff preparing the entries had received the required 
input and direction from staff responsible for administering the 
securitization deals. In addition, training of new staff responsible 
for administering securitization-related transactions did not cover 
activity related to previously terminated deals. These factors 
contributed to the errors we identified during our testing of 
securitization transactions.

Recommendation:

We recommend that FDIC management formally remind staff responsible for 
recording activity associated with securitization transactions of the 
need to obtain input and approval from the individual responsible for 
administering the securitization deals prior to recording the activity 
in FDIC's accounting records.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. In response to our finding, FDIC 
management stated that they have reiterated to staff responsible for 
recording cash transactions, including securitization activity, the 
procedures relating to proper preparation, documentation, and review of 
journal vouchers. We will evaluate the effectiveness of FDIC's actions 
during our 2004 financial audit.

Time and Attendance Reporting:

During our 2003 financial audit, we found that FDIC's controls over 
time and attendance reporting did not always ensure that such 
information was properly recorded, resulting in incorrect reporting. 
GAO's Standards for Internal Control in the Federal Government[Footnote 
6] requires that all transactions be recorded accurately and timely, 
all transactions and other significant events be clearly documented, 
and the documentation should be readily available for examination.

FDIC's payroll processing procedures call for employees to complete a 
Corporate Time and Attendance Worksheet (CTAW) and submit it to a 
timekeeper. The timekeeper reviews the CTAW and the supporting 
documents and enters the data into the corporation's Biweekly Time and 
Attendance System. The timekeeper prints a Time and Attendance Report 
for Certification (Report for Certification) for each employee, and 
compares the report to each employee's CTAW to ensure data was entered 
completely and correctly. Supervisors are required to compare the 
Report for Certification, the CTAW, and all other supporting documents 
for consistency and accuracy. Additionally, supervisors verify the 
accuracy of the employee's hours worked and leave taken, and ensure 
that hours are charged to the correct fund, organization, program, 
location, and project codes. The supervisor signs and dates each 
employee's Report for Certification, certifying the accuracy of the 
data. Timekeepers are required to receive all approved time and 
attendance related documents and reports from the supervisor, and file 
all original documents in a locked file cabinet.

In testing a sample of operating expenses, we found three cases where 
the CTAW and Report for Certification entries did not match. These 
errors were not discovered by either the timekeeper or the supervisor, 
resulting in the incorrect recording of these transactions. In two 
cases, the organization/program coding was incorrect, which would have 
resulted in an improper allocation of operating expense among the funds 
had FDIC not corrected the errors when we brought them to its 
attention. In the third case, direct expense charges to BIF were 
incorrect. We also noted that, in a fourth case, the Report for 
Certification was not signed and it took FDIC 2 months to locate the 
related CTAW.

Recommendation:

We recommend that FDIC management formally remind:

timekeepers of their responsibility to compare the Report for 
Certification to each employee's CTAW to ensure data was entered 
completely and correctly,

supervisors of their responsibility to verify the accuracy of the 
employee's time and attendance data by signing and dating each 
employee's Report for Certification, and:

timekeepers of their responsibility to receive all approved time and 
attendance documents and reports from supervisors and to file all 
original documents in a locked file cabinet.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendations. In response to our findings, FDIC 
stated that it had sent notices to its timekeepers and supervisors 
reminding them of their responsibilities and has held refresher 
timekeeper training courses. FDIC also stated that it would review its 
policy on time and attendance reporting to identify any needed 
improvements in the policy. We will evaluate the effectiveness of 
FDIC's actions during our 2004 financial audit.

Asset Valuation:

During our 2003 financial audit, we identified errors in certain 
calculations supporting the allowance for losses on receivables from 
thrift resolutions that were not identified during FDIC's normal 
supervisory review process. These errors, while not material to FRF's 
financial statements, nonetheless would have led to misstatements in 
the financial statements had we not identified them through the audit 
process. GAO's Standards for Internal Control in the Federal 
Government[Footnote 7] requires agencies to implement internal control 
procedures to ensure the accurate and timely recording of transactions 
and events. In addition, these standards require that qualified and 
continual supervision be provided to ensure that internal control 
objectives are achieved.

FDIC's receivables from bank/thrift resolutions are paid off through 
the sale of failed bank/thrift assets of its receiverships. To 
determine the allowance for losses on its receivables from failed bank/
thrift resolutions, FDIC estimates values for the receivership assets 
to be disposed of through a Loan Loss Reserve (LLR) process. To ensure 
that consistent methods for valuing assets are being applied, FDIC 
developed a uniform Standard Asset Valuation Estimation (SAVE) 
methodology, which is documented in an asset valuation policies and 
procedures manual (the SAVE manual). Per the SAVE manual, equity in 
subsidiaries' assets are valued using the Subsidiary Cash Recovery 
Analysis Worksheets and Cash Flow Worksheets to determine the estimated 
present values of the assets' estimated recovery. As part of the cash 
flow analysis, future cash outflows and inflows are estimated and a 
discount rate from an assumption listed in the SAVE manual is to be 
applied. To further ensure both accuracy and consistency, the SAVE 
manual requires two levels of review after the valuation is prepared.

Despite these requirements, we found that two of six assets we reviewed 
were not valued in accordance with the SAVE methodology. In both cases, 
the individual responsible for preparing the valuation failed to use 
the prescribed standard yield comparison rate as part of calculating 
the overall discount rate for equity in subsidiary assets. 
Additionally, in one of these cases, the preparer also made errors in 
the calculation of future cash flows, which contributed to the overall 
error found in the valuation of the asset. While FDIC had performed 
primary and secondary reviews of the asset valuations, both reviews 
failed to detect errors in the asset valuation calculations. FDIC 
corrected the errors after we brought them to its attention. While the 
errors, totaling over $570,000, were not material to the financial 
statements, they indicate that the review procedures are not fully 
effective in preventing or timely detecting errors in the asset 
valuation process.

Recommendation:

We recommend that FDIC management examine its current review procedures 
and controls related to its loan loss reserve estimation process and 
revise them if necessary to ensure the review guidelines are properly 
implemented.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. In response to our finding, FDIC 
stated that it had developed additional procedures to ensure proper 
review is being implemented.

We will evaluate the effectiveness of FDIC's actions during our 2004 
financial audit.

This report contains recommendations to you. We would appreciate 
receiving a description and status of your corrective actions within 30 
days of the date of this letter.

This report is intended for use by FDIC management, members of the FDIC 
Audit Committee, and the FDIC Inspector General. We are sending copies 
of this report to the Chairman and Ranking Minority Member of the 
Senate Committee on Banking, Housing, and Urban Affairs; the Chairman 
and Ranking Minority Member of the House Committee on Financial 
Services; the Chairman of the Board of Directors of the Federal Deposit 
Insurance Corporation; the Chairman of the Board of Governors of the 
Federal Reserve System; the Comptroller of the Currency; the Director 
of the Office of Thrift Supervision; the Secretary of the Treasury; the 
Director of the Office of Management and Budget; and other interested 
parties. In addition, this report will be available at no charge on 
GAO's web site at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided 
by FDIC management and staff during our audits of FDIC's 2003 and 2002 
financial statements. If you have any questions about this report or 
need assistance in addressing these issues, please contact Julia 
Duquette, Assistant Director, at (202) 512-5131 or duquettej@gao.gov.

Sincerely yours,

Signed by: 

Steven J. Sebastian:

Director:

Financial Management and Assurance:

Enclosures - 3:

Enclosure I:

Comments from the Federal Deposit Insurance Corporation:

FDIC:

Federal Deposit Insurance Corporation:

550 17th Street NW, 
Washington, D.C. 20429-9990

Deputy to the Chairman and CFO:

May 26, 2004:

Mr. Steven J. Sebastian, Director 
Financial Management and Assurance 
U.S. General Accounting Office:
441 G Street, NW 
Washington, DC 20548:

Dear Mr. Sebastian:

Thank you for the opportunity to respond to the draft report entitled, 
Management Report: Opportunities far Improvements in FDIC's Internal 
Controls and Accounting Procedures (GAO-04-677R). The report discusses 
issues that were identified during the 2003 financial statements audit 
regarding weaknesses in accounting procedures and internal controls and 
recommendations for improvement. As noted in the 
report, corrective actions were taken to address the internal control 
weaknesses that the audit team identified prior to the issuance of 
FDIC's 2003 yearend financial statements. We agreed with the findings 
and have implemented the recommendations as follow:

Accounting for Terminated Securitizations: FDIC reiterated to staff 
responsible for recording cash transactions, including securitization 
activity, the procedures relating to the proper preparation, 
documentation, and review of journal vouchers. This covers 
documentation of any direction provided by the staff responsible for 
securitization accounting. Additionally, the remaining Resolution 
Trust Corporation securitization deal that was active as of December 
31, 2003, was terminated in March 2004.

Time and Attendance Reporting: On November 25, 2003, and again on May 
24, 2004, a notice was sent to all Bi-weekly Time and Attendance (T&A) 
system administrators to remind timekeepers and supervisors of their 
T&A responsibilities to ensure that T&A data is complete and correct 
and that original documents are kept in a locked file cabinet. A 
corrective action plan was prepared and distributed on February 23, 
2004, to address the errors discovered in the 2003 T&A audit. In 
addition, a refresher timekeeper training was held on March 9 and 10, 
2004, for some divisions with the remaining division and office 
timekeepers to be trained in 2004. Also, on May 24, 2004, a notice was 
sent directly to all supervisors to remind them of their 
responsibilities to carefully review each employee's T&A information. 
Further, FDIC will review Circular 2300.5, Time and Attendance 
Reporting, for ways to improve the policy.

Asset Valuation: The non-loan assets subject to this condition were 
noted and recalculated, thereby correcting the yield comparison spread 
rate. These corrections were made during the GAO review of assets in 
2003. The Credit Notation System was modified in January 2004 to ensure 
there will be no yield comparison spread errors in future valuations 
for the Asset Loss Reserve (ALR) process. The Credit Notation System 
was amended to make certain that the current yield spread rate is 
utilized when valuing an asset for ALR. Prior to the changes, updating 
a previously used yield spread rate necessitated an unprompted input by 
the system user, resulting in the aforementioned errors. We developed 
additional procedures to ensure proper review is being implemented.

Although the weaknesses were not material in relation to the financial 
statements, we believe that resolving them strengthen our internal 
control program. Our commitment to continue improvement of internal 
controls and accounting procedures remains as strong as ever.

If you have any questions, please contact Michael MacDermott, Acting 
Director, Office of Enterprise Risk Management, at 202-736-0075.

Sincerely,

Signed by: 

Steven O. App:

Deputy to the Chairman And Chief Financial Officer:

cc: John Bovenzi 
Jodey Arrington 
Fred Selhy 
Mitchell Glassman 
Arleas Upton Kea 
Mike Bartell:
Michael MacDermott: 

Enclosure II:

Details on Audit Scope and Methodology:

To fulfill our responsibilities as auditor of the financial statements 
of the three funds administered by the FDIC, we did the following:

Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements;

Assessed the accounting principles used and significant estimates made 
by management;

Evaluated the overall presentation of the financial statements;

Obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets) and compliance with laws and 
regulations;

Tested relevant internal controls over financial reporting and 
compliance, and evaluated the design and operating effectiveness of 
internal control;

Considered FDIC's process for evaluating and reporting on internal 
control based on criteria established by 31 U.S.C. � 3512 (c), (d) 
(commonly referred to as the Federal Managers' Financial Integrity 
Act); and:

Tested compliance with selected provisions of the Federal Deposit 
Insurance Act, as amended, and the Chief Financial Officers Act of 
1990.

Enclosure III:

GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Julia Duquette, (202) 512-5131:

Gary Chupka, (202) 512-9314:

Acknowledgments:

Staff who made key contributions to this report were Ronald Bergman, 
John Craig, and Timothy Murray.

(196015):

FOOTNOTES

[1] U.S. General Accounting Office, Financial Audit: Federal Deposit 
Insurance Corporation Funds' 2003 and 2002 Financial Statements, GAO-
04-429 (Washington, D.C.: Feb. 13, 2004).

[2] U.S. General Accounting Office, Standards for Internal Control in 
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 
1999).

[3] GAO/AIMD-00-21.3.1

[4] FDIC is charged with the responsibility for the sale of the 
remaining assets and satisfaction of the liabilities associated with 
the RTC.

[5] When these particular deals terminated, the trustees held back 
funds owed to FDIC because of unresolved issues with one or more of the 
parties to the deals.

[6] GAO/AIMD-00-21.3.1

[7] GAO/AIMD-00-21.3.1