GAO-05-553R, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures


This is the accessible text file for GAO report number GAO-05-553R 
entitled 'Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures' which was released on June 
10, 2005.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Letter June 10, 2005:

Mr. Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 
Federal Deposit Insurance Corporation:

Subject: Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures:

Dear Mr. App:

In February 2005, we issued our opinions on the calendar year 2004 
financial statements of the Bank Insurance Fund (BIF), the Savings 
Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). 
We also issued our opinion on the effectiveness of the Federal Deposit 
Insurance Corporation's (FDIC) internal controls as of December 31, 
2004, and our evaluation of FDIC's compliance with significant 
provisions of selected laws and regulations for the three funds for the 
year ended December 31, 2004.[Footnote 1]

The purpose of this report is to discuss issues identified during our 
audits of the 2004 financial statements regarding accounting procedures 
and internal controls that could be improved, and to recommend 
improvements to address these issues. Although these issues were not 
material in relation to the financial statements, we believe they 
warrant management's attention. We are making three recommendations for 
strengthening FDIC's accounting procedures and internal controls. We 
conducted our audits in accordance with U.S. generally accepted 
government auditing standards.

Results in Brief:

During 2004, we identified several internal control issues that 
affected FDIC's accounting for the funds it administers. Although the 
amounts would not have been material to the financial statements taken 
as a whole, these issues would have resulted in reporting errors had 
they not been detected by our audit and corrected by FDIC. 
Specifically, we found the following:

* FDIC made errors in calculations supporting its allowance for losses 
on receivables from thrift resolutions. These errors would have led to 
misstatements in SAIF's and FRF's financial statements.

* FDIC did not have effective compensating controls in place to ensure 
the accuracy of pay computations related to the National Finance 
Center's (NFC) Thrift Savings Plan (TSP). Other payroll expenses could 
have been misstated in the funds' financial statements.

* FDIC did not detect billing errors made by a contractor, resulting in 
overpayments to the contractor. The lack of effective invoice review 
procedures increases the risk of overcharges for goods and services and 
that they may not be detected and recovered.

We are making three recommendations regarding FDIC's accounting 
procedures and internal controls. Implementation of these 
recommendations is intended to strengthen FDIC's conformance with the 
internal control standards that federal agencies are required to 
follow.[Footnote 2]

In its comments, FDIC agreed with our recommendations and described 
actions it has taken or plans to take to address the control weaknesses 
described in this report. At the end of our discussion of each of the 
issues in this report, we have summarized FDIC's related comments and 
our evaluation.

Scope and Methodology:

As part of our audits of the 2004 and 2003 financial statements of the 
three funds administered by FDIC, we evaluated the Corporation's 
internal controls and its compliance with selected provisions of laws 
and regulations. We designed our audit procedures to test relevant 
controls, including those for proper authorization, execution, 
accounting, and reporting of transactions.

We requested comments on a draft of this report from the FDIC Deputy to 
the Chairman and Chief Financial Officer. We received written comments 
and have reprinted the comments in enclosure I. Further details on our 
scope and methodology are included in our report on the results of our 
audits of the 2004 and 2003 financial statements and are reproduced in 
enclosure II.

Asset Valuation:

During our 2004 financial audit, we identified errors in certain 
calculations supporting the allowance for losses on receivables from 
thrift resolutions that were not identified during FDIC's normal 
supervisory review process. These errors, while not material to SAIF's 
and FRF's financial statements, nonetheless would have led to 
misstatements in the financial statements had we not identified them 
through the audit process. GAO's Standards for Internal Control in the 
Federal Government requires agencies to implement internal control 
procedures to ensure the accurate and timely recording of transactions 
and events. In addition, these standards require that qualified and 
continual supervision be provided to ensure that internal control 
objectives are achieved.

FDIC's receivables from thrift resolutions are paid off through the 
sale of failed thrift assets of its receiverships. To determine the 
allowance for losses on its receivables from failed thrift resolutions, 
FDIC estimates values for the receivership assets to be disposed of 
through a Loan Loss Reserve process. To ensure that consistent methods 
for valuing assets are being applied, FDIC developed a uniform Standard 
Asset Valuation Estimation (SAVE) methodology, which is documented in 
an asset valuation policies and procedures manual (the SAVE manual). 
Cash flow analysis is one of the key methodologies that is standardized 
in the SAVE manual. As part of the cash flow analysis, future cash 
outflows and inflows are estimated and a discount rate from an 
assumption listed in the SAVE manual is to be applied. To further 
ensure both accuracy and consistency, the SAVE manual requires two 
levels of review after the valuation is prepared.

Despite these requirements, we found that three of five assets we 
reviewed were not valued in accordance with the SAVE methodology. In 
one case, the individual responsible for preparing the valuation failed 
to use all the current available information as described in the SAVE 
manual to calculate the asset valuation. In another case, the 
individual responsible for preparing the asset valuation used an 
incorrect net present value formula in the calculation. For the third 
case, the individual responsible for preparing the asset valuation 
applied an incorrect discount rate over an incorrect number of time 
periods (quarters) in the calculation. While FDIC had performed primary 
and secondary reviews of the asset valuations, both reviews failed to 
detect errors in the asset valuation calculations. FDIC corrected the 
errors after we brought them to its attention. In response to this 
matter, FDIC stated that the lack of detection of these errors in the 
first case was the result of a primary reviewer who was new to the 
asset valuation process. FDIC re-reviewed six of its asset valuations 
related to the other cases and advised us that they did not detect any 
further deviations from the SAVE methodology.

We identified similar reviewing errors during our 2003 financial 
audit.[Footnote 3] At that time, FDIC stated that it had developed 
additional procedures to ensure that proper review was being 
effectively implemented. However, as our work during the 2004 audit 
indicates, these additional procedures have not been fully effective in 
preventing or detecting asset valuation errors in a timely manner.

Recommendation:

We recommend that FDIC issue a formal notice to all individuals who 
perform primary and secondary reviews of asset valuations reminding 
them of their responsibility to ensure that assets are valued in 
accordance with the SAVE methodology.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. In response to our finding, FDIC 
management stated that by July 31, 2005, a formal notice will be issued 
to all individuals designated to perform primary and secondary reviews 
of asset valuations to remind them of their responsibility to ensure 
that assets are valued in accordance with the SAVE methodology, and to 
reemphasize the importance of an in-depth review of the asset 
valuations. We will evaluate the effectiveness of FDIC's actions during 
our 2005 financial audit.

Thrift Savings Plan:

During our 2004 financial audit, we found that 11 FDIC employees were 
incorrectly excluded from receiving a 1 percent agency contribution to 
their TSP accounts. Although the total amount of these errors was not 
material to the financial statements of the three funds, FDIC is at 
risk that other payroll information processed by the NFC may contain 
errors. Consistent with GAO's Standards for Internal Control in the 
Federal Government, FDIC's internal control should provide reasonable 
assurance that its financial transactions, including those processed by 
NFC, are accurately recorded and that its staff are compensated 
properly.

The Federal Employees' Retirement System (FERS) became effective 
January 1, 1987. Almost all new employees hired after December 31, 
1983, are automatically covered by FERS. One of the components of the 
FERS retirement plan is the TSP. For all FERS employees, the employing 
agency is required to pay 1 percent of the basic pay every pay period 
into each employee's TSP account whether or not the employee 
contributes to a TSP account.[Footnote 4] NFC provides FDIC with 
centralized, automated, integrated systems and support services for 
payroll and personnel payments, including the 1 percent TSP agency 
contribution.

In October 2004, the U.S. Department of Agriculture's Inspector General 
issued a report which contained a qualified opinion for the internal 
control structure at NFC because certain control policies and 
procedures at the center were not suitably designed or operating 
effectively.[Footnote 5] The report described weaknesses in policies 
and procedures that may be relevant to the internal control structure 
of NFC's customer agencies, such as FDIC. The report further warned 
customer agencies that the accuracy and reliability of any payroll- 
related data processed by NFC ultimately rests with the customer 
agencies and any accompanying compensating controls implemented by such 
agency. Given the seriousness of the control weaknesses at NFC and the 
critical nature and sensitivity of federal payroll, it is important 
that FDIC implement compensating controls to ensure the Corporation's 
biweekly payroll is accurately processed by NFC.

Although FDIC has compensating controls to test payroll information 
processed by NFC at an aggregate level, these procedures do not include 
verifying NFC's mathematical calculations related to FDIC's payroll 
data at the individual employee level. In our testing, we found that an 
employee was incorrectly excluded from receiving the 1 percent 
contribution. Once we notified FDIC of this situation, the Corporation 
performed more detailed analyses and identified 10 additional employees 
who were also not receiving the 1 percent contribution. FDIC made NFC 
aware of this problem, and NFC subsequently corrected these employees' 
TSP accounts. Additionally, NFC has informed FDIC that it is still 
trying to determine the cause of the error. For its part, FDIC has 
recently implemented an additional control by running a report every 
pay period to detect any employees not receiving the agency's automatic 
1 percent TSP contribution.

Recommendation:

In light of the errors we found in FDIC employees' TSP accounts and 
continued serious internal controls deficiencies cited over NFC's 
payroll processing functions, we recommend that FDIC review its 
existing compensating controls over NFC-processed payroll information 
to determine whether additional controls, such as periodically 
verifying NFC's mathematical calculations related to FDIC's payroll 
data at the individual employee level, are needed to ensure that other 
NFC mathematical calculations related to FDIC's payroll data are 
correct.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. The Division of Administration's 
Human Resources Branch at FDIC has reviewed its existing compensating 
controls over NFC-processed payroll information and determined that 
additional controls are not warranted at this time. We will continue to 
review the effectiveness of FDIC's compensating controls over NFC- 
processed payroll information as part of our 2005 financial audit.

Contractor Payment:

During our 2004 financial audit, we found that FDIC approved and paid a 
monthly invoice to a contractor that contained an overcharge. After we 
brought this error to FDIC's attention, the Corporation discovered 
additional overcharge errors from the same contractor in 13 other 
monthly invoices. GAO's Standards for Internal Control in the Federal 
Government requires agencies to implement internal control procedures 
to ensure the accurate and timely recording of transactions and events. 
In addition, these standards require that qualified and continual 
supervision be provided to ensure that internal control objectives are 
achieved.

Specifically, we found that a contractor FDIC hired for computer- 
related services incorrectly charged the Corporation a mark-up fee for 
subcontractor costs in a January 2004 invoice. The terms of the 
contract between FDIC and the contractor called for FDIC to pay for any 
subcontractor costs based on the subcontractors' hourly rates, with no 
surcharge or mark-up. FDIC's subsequent analysis of the 14 invoices 
submitted by this contractor from August 2003 to September 2004 showed 
that in each case, the contractor added a mark-up fee to the costs 
associated with its use of subcontractors. FDIC ultimately determined 
the total amount of the overcharges to be $32,713.35, for which it was 
subsequently reimbursed by the contractor. Although all 14 monthly 
invoices had been reviewed and approved by either or both the 
contracting officer and oversight manager, the overcharges were not 
detected in the invoice reviewing process.

The amount of the total overcharges was not material to the financial 
statements of the three funds. Nonetheless, the lack of effective 
review procedures over contractor invoices increases the risk that FDIC 
would be overcharged for goods and services provided and that such 
overcharges may not be timely detected and recovered.

Recommendation:

We recommend that FDIC issue a formal notice to all individuals who 
review and approve invoices reminding them of their responsibility to 
compare each invoice to the terms of the contract prior to approving 
the invoice for payment.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. In response to our finding, FDIC 
management issued a memorandum on May 10, 2005, reminding oversight 
managers of their critical responsibility for reviewing and approving 
contractor invoices. We will evaluate the effectiveness of FDIC's 
actions during our 2005 financial audit.

This report contains recommendations to you. We would appreciate 
receiving a description and status of your corrective actions within 30 
days of the date of this letter.

This report is intended for use by FDIC management, members of the FDIC 
Audit Committee, and the FDIC Inspector General. We are sending copies 
of this report to the Chairman and Ranking Minority Member of the 
Senate Committee on Banking, Housing, and Urban Affairs; the Chairman 
and Ranking Minority Member of the House Committee on Financial 
Services; the Chairman of the Board of Directors of the Federal Deposit 
Insurance Corporation; the Chairman of the Board of Governors of the 
Federal Reserve System; the Comptroller of the Currency; the Director 
of the Office of Thrift Supervision; the Secretary of the Treasury; the 
Director of the Office of Management and Budget; and other interested 
parties. In addition, this report will be available at no charge on 
GAO's web site at [Hyperlink, http://www.gao.gov].

We acknowledge and appreciate the cooperation and assistance provided 
by FDIC management and staff during our audits of FDIC's 2004 and 2003 
financial statements. If you have any questions about this report or 
need assistance in addressing these issues, please contact me on (202) 
512-9521 or sebastians@gao.gov.

Sincerely yours,

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance:

Enclosures:

[End of section]

Enclosure I: Comments from the Federal Deposit Insurance Corporation:

FDIC:

Federal Deposit Insurance Corporation:
Deputy to the Chairman and Chief Financial Officer:

550 17th Street, NW, 
Washington, DC 20429 

May 20, 2005:

Mr. Steven J. Sebastian, Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Sebastian:

Thank you for the opportunity to respond to the draft report entitled, 
Management Report: Opportunities for Improvements in FDIC's Internal 
Controls and Accounting Procedures (GAO-05-553R), dated May 5, 2005. 
The report discusses issues that were identified during the 2004 
financial statements audit regarding weaknesses in accounting 
procedures and internal control and recommendations for improvement. We 
were also pleased to have the Government Accountability Office (GAO) 
acknowledge that, although the weaknesses warranted management's 
attention, they were not material in relation to the financial 
statements.

Overall, FDIC agrees with the results presented in the draft report and 
recognizes the need to strengthen our internal control environment to 
ensure the accurate and timely recording of transactions and events. We 
are committed to identifying opportunities for improvement and ensuring 
that internal control objectives are achieved. Our corrective action 
plans in response to the recommendations are discussed below.

Asset Valuation:

GAO recommended that FDIC issue a formal notice to all individuals who 
perform primary and secondary review of asset valuations reminding them 
of their responsibility to ensure that assets are valued in accordance 
with the Standard Asset Valuation Estimation (SAVE) methodology.

Management Response:

FDIC. concurs with this recommendation. By July 31, 2005, we will issue 
a formal notice to all individuals designated to perform primary and 
secondary reviews of asset valuations reminding them of their 
responsibility to ensure that assets are valued in accordance with the 
SAVE methodology and re-emphasize the importance of an in-depth review 
of the asset valuations.

Thrift Savings Plan:

GAO recommended that FDIC review its existing compensating controls 
over the National Finance Center (NFC) processed payroll information to 
determine whether additional controls, such as periodically verifying 
NFC's mathematical calculations related to FDIC's payroll data at the 
individual employee level, are needed to ensure that other NEC 
mathematical calculations related to FDIC's payroll data are correct.

Management Response:

FDIC concurs that it is appropriate to review the existing compensating 
controls over the NFC payroll information - in fact, we have already 
taken action to address this matter. The Division of Administration's 
Human Resources Branch (HRB) has reviewed its existing compensating 
controls over NEC processed payroll information and determined that 
additional controls are not warranted at this time. The Thrift Savings 
Plan (TSP) contribution issue identified by GAO was not an NFC 
miscalculation issue but, rather, a system issue. In each case, the 
employee identified as not receiving the Corporation's automatic one 
percent TSP contribution had set their own contributions to zero via 
Employee Express. Erroneously, NFC set all TSP contributions for these 
employees, including the automatic one percent contribution, to zero. 
To ensure that this error does not reoccur, the FDIC instructed NFC to 
remedy the problem. In the interim, FDIC implemented the additional 
control of running a report every pay period to detect any employee who 
did not receive the Corporation's automatic one percent TSP 
contribution. If an error is identified, NFC is notified immediately 
and the necessary corrective action is taken.

FDIC has no evidence that NFC is miscalculating employee payroll 
information. In the past, FDIC performed an exhaustive payroll 
reconciliation effort. This effort revealed a deviation of less than 
one percent from what was provided to NFC for employee payroll. Based 
on its analysis, FDIC determined that future verification of payroll at 
that level of detail was not warranted unless the deviation between 
FDIC and NFC payroll amounts exceeds one percent. Currently, FDIC 
performs an aggregate payroll reconciliation every pay period to 
determine the difference between FDIC and NFC payroll amounts, if any.

As stated in GAO's draft report, FDIC has a number of compensating 
controls in place to test payroll information processed by NFC. First, 
FDIC verifies and reconciles the number of payroll hours submitted to 
NFC to the number of hours received back from NFC for accuracy. Any 
discrepancies at the employee level are reconciled by HRB staff. 
Second, HRB compares the total amount of net pay for payroll to the net 
payroll paid out to employees by NFC. Lastly, HRB runs a report every 
pay period to test the automatic one percent corporate contribution to 
each employee. Given FDIC's existing internal control environment, we 
do not believe that an exhaustive payroll review is warranted at this 
time.

Contractor Payment:

GAO recommended that FDIC issue a formal notice to all individuals who 
review and approve invoices reminding them of their responsibility to 
compare each invoice to the terms of the contract prior to approving 
the invoice for payment.

Management Response:

FDIC concurs with this recommendation. The Division of Administration's 
Acquisition Services Branch issued a memorandum, dated May 10, 2005, to 
Headquarters and Regional Office Oversight Managers and "technical 
Monitors and Acquisition Services Branch personnel reminding Oversight 
Managers of their critical responsibility for reviewing and approving 
contractor invoices and to "ensure the FDIC is billed only for goods 
and services that are contained in the contract, at rates quoted within 
the contract..." A copy of this letter is attached.

If you have any questions relating to the FDIC management responses, 
please contact James H. Angel, Jr., Director, Office of Enterprise Risk 
Management, at 202-736-0138.

Sincerely,

Signed by: 

Steven O. App:
Deputy to the Chairman and Chief Financial Officer:

cc: John Bovenzi; 
Mitchell Glassman; 
Arleas Upton Kea; 
James H. Angel, Jr.; 
Fred Selby:

Attachment: 

FDIC:

Federal Deposit Insurance Corporation:
550 17th St NW: 
Washington DC, 20429: 

Division of Administration:

May 10, 2005:

TO: Headquarters and Regional Office Oversight Managers and Technical 
Monitors And Acquisition Services Branch Personnel:

FROM: Ann Bridges Steely, Associate Director: 
Acquisition Services Branch:

SUBJECT: Invoice Review and Approval:

The FDIC pays contractor costs that are allowable by the terms of the 
contract and are reasonable in nature and amount. The Oversight Manager 
is responsible for the review and approval of contractor invoices. It 
is of critical importance that all invoices be thoroughly reviewed 
prior to approval to ensure that contractors have fully complied with 
the terms of the contract. Oversight Managers must ensure the FDIC is 
billed only for goods and services that are contained in the contract, 
at the rates quoted within the contract, and only for goods or services 
that the FDIC has received and which are acceptable to the FDIC. The 
Oversight Manager is also responsible far monitoring total payments to 
the contractor to ensure that they do no exceed the contract ceiling. 
Any questions regarding invoices and adherence to contractual terms 
should be directed to your Contract Specialist or Contracting Officer 
prior to approving any invoice.

Refer to the Acquisition Policy Manual Section 5.H., Contract Payments, 
for further guidance.

Questions regarding this memorandum should be addressed to Ann Bridges 
Steely at (202) 942-3010. 

[End of section]

Enclosure II: Details on Audit Methodology:

To fulfill our responsibilities as auditor of the financial statements 
of the three funds administered by the FDIC, we did the following:

* examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements;

* assessed the accounting principles used and significant estimates 
made by management;

* evaluated the overall presentation of the financial statements;

* obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets) and compliance with selected 
laws and regulations;

* tested relevant internal controls over financial reporting and 
compliance, and evaluated the design and operating effectiveness of 
internal control;

* considered FDIC's process for evaluating and reporting on internal 
control based on criteria established by 31 U.S.C. � 3512 (c), (d), 
(commonly referred to as the Federal Managers' Financial Integrity 
Act); and:

* tested compliance with applicable laws and regulations, including 
selected provisions of the Federal Deposit Insurance Act, as amended, 
and the Chief Financial Officers Act of 1990.

[End of section]

Enclosure III: GAO Contact and Staff Acknowledgments:

GAO Contact:

Steven J. Sebastian (202) 512-9521:

Acknowledgments:

Staff who made key contributions to this report were Gary Chupka, Julia 
Duquette, Wing Lam and LaShawnda Wilson.

(196045):

FOOTNOTES

[1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2004 and 2003 Financial Statements, GAO-05-281 (Washington, D.C.: Feb. 
11, 2005).

[2] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[3] GAO, Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures, GAO-04-677R (Washington, 
D.C.: June 16, 2004).

[4] See 5 U.S.C. 8432 (c) (1).

[5] U.S. Department of Agriculture Office of Inspector General Audit 
Report, Fiscal Year 2004--Review of the National Finance Center General 
Controls, Report No. 11401-20-FM (Washington, D.C.: Oct. 25, 2004).