This is the accessible text file for GAO report number GAO-05-553R entitled 'Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures' which was released on June 10, 2005.

Letter

June 10, 2005:

Mr. Steven O. App:
Deputy to the Chairman and Chief Financial Officer:
Federal Deposit Insurance Corporation:

Subject: Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures:

Dear Mr. App:

In February 2005, we issued our opinions on the calendar year 2004 financial statements of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF).
We also issued our opinion on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal controls as of December 31, 2004, and our evaluation of FDIC's compliance with significant provisions of selected laws and regulations for the three funds for the year ended December 31, 2004.[Footnote 1]

The purpose of this report is to discuss issues identified during our audits of the 2004 financial statements regarding accounting procedures and internal controls that could be improved, and to recommend improvements to address these issues. Although these issues were not material in relation to the financial statements, we believe they warrant management's attention. We are making three recommendations for strengthening FDIC's accounting procedures and internal controls. We conducted our audits in accordance with U.S. generally accepted government auditing standards.

Results in Brief:

During 2004, we identified several internal control issues that affected FDIC's accounting for the funds it administers. Although the amounts would not have been material to the financial statements taken as a whole, these issues would have resulted in reporting errors had they not been detected by our audit and corrected by FDIC. Specifically, we found the following:

* FDIC made errors in calculations supporting its allowance for losses on receivables from thrift resolutions. These errors would have led to misstatements in SAIF's and FRF's financial statements.

* FDIC did not have effective compensating controls in place to ensure the accuracy of pay computations related to the National Finance Center's (NFC) Thrift Savings Plan (TSP). Other payroll expenses could have been misstated in the funds' financial statements.

* FDIC did not detect billing errors made by a contractor, resulting in overpayments to the contractor. The lack of effective invoice review procedures increases the risk of overcharges for goods and services and that they may not be detected and recovered.

We are making three recommendations regarding FDIC's accounting procedures and internal controls. Implementation of these recommendations is intended to strengthen FDIC's conformance with the internal control standards that federal agencies are required to follow.[Footnote 2]

In its comments, FDIC agreed with our recommendations and described actions it has taken or plans to take to address the control weaknesses described in this report. At the end of our discussion of each of the issues in this report, we have summarized FDIC's related comments and our evaluation.

Scope and Methodology:

As part of our audits of the 2004 and 2003 financial statements of the three funds administered by FDIC, we evaluated the Corporation's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions.

We requested comments on a draft of this report from the FDIC Deputy to the Chairman and Chief Financial Officer. We received written comments and have reprinted the comments in enclosure I. Further details on our scope and methodology are included in our report on the results of our audits of the 2004 and 2003 financial statements and are reproduced in enclosure II.

Asset Valuation:

During our 2004 financial audit, we identified errors in certain calculations supporting the allowance for losses on receivables from thrift resolutions that were not identified during FDIC's normal supervisory review process. These errors, while not material to SAIF's and FRF's financial statements, nonetheless would have led to misstatements in the financial statements had we not identified them through the audit process. GAO's Standards for Internal Control in the Federal Government requires agencies to implement internal control procedures to ensure the accurate and timely recording of transactions and events.
In addition, these standards require that qualified and continual supervision be provided to ensure that internal control objectives are achieved.

FDIC's receivables from thrift resolutions are paid off through the sale of failed thrift assets of its receiverships. To determine the allowance for losses on its receivables from failed thrift resolutions, FDIC estimates values for the receivership assets to be disposed of through a Loan Loss Reserve process. To ensure that consistent methods for valuing assets are being applied, FDIC developed a uniform Standard Asset Valuation Estimation (SAVE) methodology, which is documented in an asset valuation policies and procedures manual (the SAVE manual). Cash flow analysis is one of the key methodologies that is standardized in the SAVE manual. As part of the cash flow analysis, future cash outflows and inflows are estimated and a discount rate from an assumption listed in the SAVE manual is to be applied. To further ensure both accuracy and consistency, the SAVE manual requires two levels of review after the valuation is prepared.

Despite these requirements, we found that three of five assets we reviewed were not valued in accordance with the SAVE methodology. In one case, the individual responsible for preparing the valuation failed to use all the current available information as described in the SAVE manual to calculate the asset valuation. In another case, the individual responsible for preparing the asset valuation used an incorrect net present value formula in the calculation. For the third case, the individual responsible for preparing the asset valuation applied an incorrect discount rate over an incorrect number of time periods (quarters) in the calculation. While FDIC had performed primary and secondary reviews of the asset valuations, both reviews failed to detect errors in the asset valuation calculations. FDIC corrected the errors after we brought them to its attention.

In response to this matter, FDIC stated that the lack of detection of these errors in the first case was the result of a primary reviewer who was new to the asset valuation process. FDIC re-reviewed six of its asset valuations related to the other cases and advised us that they did not detect any further deviations from the SAVE methodology.

We identified similar reviewing errors during our 2003 financial audit.[Footnote 3] At that time, FDIC stated that it had developed additional procedures to ensure that proper review was being effectively implemented. However, as our work during the 2004 audit indicates, these additional procedures have not been fully effective in preventing or detecting asset valuation errors in a timely manner.

Recommendation:

We recommend that FDIC issue a formal notice to all individuals who perform primary and secondary reviews of asset valuations reminding them of their responsibility to ensure that assets are valued in accordance with the SAVE methodology.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. In response to our finding, FDIC management stated that by July 31, 2005, a formal notice will be issued to all individuals designated to perform primary and secondary reviews of asset valuations to remind them of their responsibility to ensure that assets are valued in accordance with the SAVE methodology, and to reemphasize the importance of an in-depth review of the asset valuations. We will evaluate the effectiveness of FDIC's actions during our 2005 financial audit.

Thrift Savings Plan:

During our 2004 financial audit, we found that 11 FDIC employees were incorrectly excluded from receiving a 1 percent agency contribution to their TSP accounts. Although the total amount of these errors was not material to the financial statements of the three funds, FDIC is at risk that other payroll information processed by the NFC may contain errors.
Consistent with GAO's Standards for Internal Control in the Federal Government, FDIC's internal control should provide reasonable assurance that its financial transactions, including those processed by NFC, are accurately recorded and that its staff are compensated properly.

The Federal Employees' Retirement System (FERS) became effective January 1, 1987. Almost all new employees hired after December 31, 1983, are automatically covered by FERS. One of the components of the FERS retirement plan is the TSP. For all FERS employees, the employing agency is required to pay 1 percent of the basic pay every pay period into each employee's TSP account whether or not the employee contributes to a TSP account.[Footnote 4]

NFC provides FDIC with centralized, automated, integrated systems and support services for payroll and personnel payments, including the 1 percent TSP agency contribution. In October 2004, the U.S. Department of Agriculture's Inspector General issued a report which contained a qualified opinion for the internal control structure at NFC because certain control policies and procedures at the center were not suitably designed or operating effectively.[Footnote 5] The report described weaknesses in policies and procedures that may be relevant to the internal control structure of NFC's customer agencies, such as FDIC. The report further warned customer agencies that the accuracy and reliability of any payroll-related data processed by NFC ultimately rests with the customer agencies and any accompanying compensating controls implemented by such agency. Given the seriousness of the control weaknesses at NFC and the critical nature and sensitivity of federal payroll, it is important that FDIC implement compensating controls to ensure the Corporation's biweekly payroll is accurately processed by NFC.

Although FDIC has compensating controls to test payroll information processed by NFC at an aggregate level, these procedures do not include verifying NFC's mathematical calculations related to FDIC's payroll data at the individual employee level. In our testing, we found that an employee was incorrectly excluded from receiving the 1 percent contribution. Once we notified FDIC of this situation, the Corporation performed more detailed analyses and identified 10 additional employees who were also not receiving the 1 percent contribution. FDIC made NFC aware of this problem, and NFC subsequently corrected these employees' TSP accounts. Additionally, NFC has informed FDIC that it is still trying to determine the cause of the error. For its part, FDIC has recently implemented an additional control by running a report every pay period to detect any employees not receiving the agency's automatic 1 percent TSP contribution.

Recommendation:

In light of the errors we found in FDIC employees' TSP accounts and continued serious internal controls deficiencies cited over NFC's payroll processing functions, we recommend that FDIC review its existing compensating controls over NFC-processed payroll information to determine whether additional controls, such as periodically verifying NFC's mathematical calculations related to FDIC's payroll data at the individual employee level, are needed to ensure that other NFC mathematical calculations related to FDIC's payroll data are correct.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. The Division of Administration's Human Resources Branch at FDIC has reviewed its existing compensating controls over NFC-processed payroll information and determined that additional controls are not warranted at this time. We will continue to review the effectiveness of FDIC's compensating controls over NFC-processed payroll information as part of our 2005 financial audit.

Contractor Payment:

During our 2004 financial audit, we found that FDIC approved and paid a monthly invoice to a contractor that contained an overcharge. After we brought this error to FDIC's attention, the Corporation discovered additional overcharge errors from the same contractor in 13 other monthly invoices. GAO's Standards for Internal Control in the Federal Government requires agencies to implement internal control procedures to ensure the accurate and timely recording of transactions and events. In addition, these standards require that qualified and continual supervision be provided to ensure that internal control objectives are achieved.

Specifically, we found that a contractor FDIC hired for computer-related services incorrectly charged the Corporation a mark-up fee for subcontractor costs in a January 2004 invoice. The terms of the contract between FDIC and the contractor called for FDIC to pay for any subcontractor costs based on the subcontractors' hourly rates, with no surcharge or mark-up. FDIC's subsequent analysis of the 14 invoices submitted by this contractor from August 2003 to September 2004 showed that in each case, the contractor added a mark-up fee to the costs associated with its use of subcontractors. FDIC ultimately determined the total amount of the overcharges to be $32,713.35, for which it was subsequently reimbursed by the contractor.

Although all 14 monthly invoices had been reviewed and approved by either or both the contracting officer and oversight manager, the overcharges were not detected in the invoice reviewing process. The amount of the total overcharges was not material to the financial statements of the three funds. Nonetheless, the lack of effective review procedures over contractor invoices increases the risk that FDIC would be overcharged for goods and services provided and that such overcharges may not be timely detected and recovered.

Recommendation:

We recommend that FDIC issue a formal notice to all individuals who review and approve invoices reminding them of their responsibility to compare each invoice to the terms of the contract prior to approving the invoice for payment.

FDIC Comments and Our Evaluation:

FDIC agreed with our recommendation. In response to our finding, FDIC management issued a memorandum on May 10, 2005, reminding oversight managers of their critical responsibility for reviewing and approving contractor invoices. We will evaluate the effectiveness of FDIC's actions during our 2005 financial audit.

This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this letter.

This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. We are sending copies of this report to the Chairman and Ranking Minority Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Minority Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO's web site at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2004 and 2003 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact me on (202) 512-9521 or sebastians@gao.gov.

Sincerely yours,

Signed by:

Steven J. Sebastian:
Director:
Financial Management and Assurance:

Enclosures:

[End of section]

Enclosure I: Comments from the Federal Deposit Insurance Corporation:

FDIC:
Federal Deposit Insurance Corporation:
Deputy to the Chairman and Chief Financial Officer:
550 17th Street, NW, Washington, DC 20429

May 20, 2005:

Mr. Steven J. Sebastian, Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Sebastian:

Thank you for the opportunity to respond to the draft report entitled, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures (GAO-05-553R), dated May 5, 2005. The report discusses issues that were identified during the 2004 financial statements audit regarding weaknesses in accounting procedures and internal control and recommendations for improvement. We were also pleased to have the Government Accountability Office (GAO) acknowledge that, although the weaknesses warranted management's attention, they were not material in relation to the financial statements.

Overall, FDIC agrees with the results presented in the draft report and recognizes the need to strengthen our internal control environment to ensure the accurate and timely recording of transactions and events. We are committed to identifying opportunities for improvement and ensuring that internal control objectives are achieved. Our corrective action plans in response to the recommendations are discussed below.

Asset Valuation:

GAO recommended that FDIC issue a formal notice to all individuals who perform primary and secondary review of asset valuations reminding them of their responsibility to ensure that assets are valued in accordance with the Standard Asset Valuation Estimation (SAVE) methodology.

Management Response: FDIC concurs with this recommendation.
By July 31, 2005, we will issue a formal notice to all individuals designated to perform primary and secondary reviews of asset valuations reminding them of their responsibility to ensure that assets are valued in accordance with the SAVE methodology and re-emphasize the importance of an in-depth review of the asset valuations.

Thrift Savings Plan:

GAO recommended that FDIC review its existing compensating controls over the National Finance Center (NFC) processed payroll information to determine whether additional controls, such as periodically verifying NFC's mathematical calculations related to FDIC's payroll data at the individual employee level, are needed to ensure that other NFC mathematical calculations related to FDIC's payroll data are correct.

Management Response: FDIC concurs that it is appropriate to review the existing compensating controls over the NFC payroll information - in fact, we have already taken action to address this matter. The Division of Administration's Human Resources Branch (HRB) has reviewed its existing compensating controls over NFC processed payroll information and determined that additional controls are not warranted at this time.

The Thrift Savings Plan (TSP) contribution issue identified by GAO was not an NFC miscalculation issue but, rather, a system issue. In each case, the employee identified as not receiving the Corporation's automatic one percent TSP contribution had set their own contributions to zero via Employee Express. Erroneously, NFC set all TSP contributions for these employees, including the automatic one percent contribution, to zero. To ensure that this error does not reoccur, the FDIC instructed NFC to remedy the problem. In the interim, FDIC implemented the additional control of running a report every pay period to detect any employee who did not receive the Corporation's automatic one percent TSP contribution. If an error is identified, NFC is notified immediately and the necessary corrective action is taken.

FDIC has no evidence that NFC is miscalculating employee payroll information. In the past, FDIC performed an exhaustive payroll reconciliation effort. This effort revealed a deviation of less than one percent from what was provided to NFC for employee payroll. Based on its analysis, FDIC determined that future verification of payroll at that level of detail was not warranted unless the deviation between FDIC and NFC payroll amounts exceeds one percent. Currently, FDIC performs an aggregate payroll reconciliation every pay period to determine the difference between FDIC and NFC payroll amounts, if any.

As stated in GAO's draft report, FDIC has a number of compensating controls in place to test payroll information processed by NFC. First, FDIC verifies and reconciles the number of payroll hours submitted to NFC to the number of hours received back from NFC for accuracy. Any discrepancies at the employee level are reconciled by HRB staff. Second, HRB compares the total amount of net pay for payroll to the net payroll paid out to employees by NFC. Lastly, HRB runs a report every pay period to test the automatic one percent corporate contribution to each employee. Given FDIC's existing internal control environment, we do not believe that an exhaustive payroll review is warranted at this time.

Contractor Payment:

GAO recommended that FDIC issue a formal notice to all individuals who review and approve invoices reminding them of their responsibility to compare each invoice to the terms of the contract prior to approving the invoice for payment.

Management Response: FDIC concurs with this recommendation.
The Division of Administration's Acquisition Services Branch issued a memorandum, dated May 10, 2005, to Headquarters and Regional Office Oversight Managers and Technical Monitors and Acquisition Services Branch personnel reminding Oversight Managers of their critical responsibility for reviewing and approving contractor invoices and to "ensure the FDIC is billed only for goods and services that are contained in the contract, at rates quoted within the contract..." A copy of this letter is attached.

If you have any questions relating to the FDIC management responses, please contact James H. Angel, Jr., Director, Office of Enterprise Risk Management, at 202-736-0138.

Sincerely,

Signed by:

Steven O. App:
Deputy to the Chairman and Chief Financial Officer:

cc: John Bovenzi; Mitchell Glassman; Arleas Upton Kea; James H. Angel, Jr.; Fred Selby:

Attachment:

FDIC:
Federal Deposit Insurance Corporation:
550 17th St NW:
Washington DC, 20429:
Division of Administration:

May 10, 2005:

TO: Headquarters and Regional Office Oversight Managers and Technical Monitors And Acquisition Services Branch Personnel:

FROM: Ann Bridges Steely, Associate Director: Acquisition Services Branch:

SUBJECT: Invoice Review and Approval:

The FDIC pays contractor costs that are allowable by the terms of the contract and are reasonable in nature and amount. The Oversight Manager is responsible for the review and approval of contractor invoices. It is of critical importance that all invoices be thoroughly reviewed prior to approval to ensure that contractors have fully complied with the terms of the contract. Oversight Managers must ensure the FDIC is billed only for goods and services that are contained in the contract, at the rates quoted within the contract, and only for goods or services that the FDIC has received and which are acceptable to the FDIC. The Oversight Manager is also responsible for monitoring total payments to the contractor to ensure that they do not exceed the contract ceiling.

Any questions regarding invoices and adherence to contractual terms should be directed to your Contract Specialist or Contracting Officer prior to approving any invoice. Refer to the Acquisition Policy Manual Section 5.H., Contract Payments, for further guidance.

Questions regarding this memorandum should be addressed to Ann Bridges Steely at (202) 942-3010.

[End of section]

Enclosure II: Details on Audit Methodology:

To fulfill our responsibilities as auditor of the financial statements of the three funds administered by the FDIC, we did the following:

* examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;

* assessed the accounting principles used and significant estimates made by management;

* evaluated the overall presentation of the financial statements;

* obtained an understanding of internal controls related to financial reporting (including safeguarding assets) and compliance with selected laws and regulations;

* tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control;

* considered FDIC's process for evaluating and reporting on internal control based on criteria established by 31 U.S.C. § 3512 (c), (d), (commonly referred to as the Federal Managers' Financial Integrity Act); and

* tested compliance with applicable laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, and the Chief Financial Officers Act of 1990.

[End of section]

Enclosure III: GAO Contact and Staff Acknowledgments:

GAO Contact:

Steven J. Sebastian (202) 512-9521:

Acknowledgments:

Staff who made key contributions to this report were Gary Chupka, Julia Duquette, Wing Lam and LaShawnda Wilson.

(196045):

FOOTNOTES

[1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2004 and 2003 Financial Statements, GAO-05-281 (Washington, D.C.: Feb. 11, 2005).

[2] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[3] GAO, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures, GAO-04-677R (Washington, D.C.: June 16, 2004).

[4] See 5 U.S.C. 8432 (c) (1).

[5] U.S. Department of Agriculture Office of Inspector General Audit Report, Fiscal Year 2004--Review of the National Finance Center General Controls, Report No. 11401-20-FM (Washington, D.C.: Oct. 25, 2004).