This is the accessible text file for GAO report number GAO-06-772R entitled 'Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures' which was released on July 12, 2006. July 11, 2006: Mr. Steven O. App: Deputy to the Chairman and Chief Financial Officer: Federal Deposit Insurance Corporation: Subject: Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures: Dear Mr. App: In March 2006, we issued our opinions on the calendar year 2005 financial statements of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). 
We also issued our opinion on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2005, and our evaluation of FDIC's compliance with significant provisions of selected laws and regulations for the three funds for the year ended December 31, 2005.[Footnote 1] The purpose of this report is to discuss issues identified during our audits of the 2005 financial statements regarding internal controls and accounting procedures that could be improved, and to recommend actions to address these weaknesses. Although these issues were not material in relation to the financial statements, we believe they warrant management's attention. We are making eight recommendations for strengthening FDIC's internal controls and accounting procedures. We conducted our audits in accordance with U.S. generally accepted government auditing standards. Results in Brief: During our audits of the 2005 financial statements, we identified several internal control issues that affected FDIC's accounting for the funds it administers. Although we do not consider them to be material weaknesses[Footnote 2] or reportable conditions,[Footnote 3] we believe they warrant management's consideration. Specifically, we found that FDIC: * Made errors in several of its operating expense allocation percentages. These errors would have resulted in misstatements in the BIF, SAIF, and FRF financial statements. * Did not detect several internal control deficiencies in its procurement process, two of which resulted in misstatements in the BIF, SAIF, and FRF financial statements, though the misstatements were not considered material. * Did not detect allocation errors in its Supplemental Payment System. These errors resulted in misstatements in the BIF, SAIF, and FRF financial statements, though the misstatements were not considered material. 
* Lacked complete control over checks in its Dallas mailroom. The lack of effective safeguarding control procedures increased the risk of theft, loss, or misappropriation of assets. We are making eight recommendations regarding FDIC's internal controls and accounting procedures. Implementation of these recommendations would strengthen FDIC's conformance with the internal control standards that federal agencies are required to follow[Footnote 4] and minimize the risk of future misstatements in the three funds' financial statements. In its comments, FDIC agreed with our recommendations and described actions it has taken or plans to take to address the control weaknesses described in this report. At the end of our discussion of each of the issues in this report, we have summarized FDIC's related comments and our evaluation. Scope and Methodology: As part of our audits of the 2005 and 2004 financial statements of the three funds administered by FDIC,[Footnote 5] we evaluated the Corporation's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. We requested comments on a draft of this report from the FDIC Deputy to the Chairman and Chief Financial Officer. We received written comments and have reprinted the comments in enclosure I. Further details on our scope and methodology are included in our report on the results of our audits of the 2005 and 2004 financial statements, and are reproduced in enclosure II. Expense Allocation: During our testing of a sample of operating expense transactions, we identified several erroneous percentages used in FDIC's expense allocation process. These errors led to an incorrect allocation of expenses among BIF, SAIF, and FRF. 
GAO's Standards for Internal Control in the Federal Government requires agencies to implement internal control procedures to ensure the accurate and timely recording of transactions and events. In addition, these standards require that qualified and continuous supervision be provided to ensure that internal control objectives are achieved. Operating expenses not directly attributable to BIF, SAIF, and FRF are allocated to each fund using predetermined expense allocation percentages. These percentages are developed during FDIC's annual corporate planning and budget process. With its implementation of a new accounting system in May 2005, FDIC's process for entering modifications to its expense allocation percentages changed. Previously, the process for modifying the allocation percentages merely required FDIC to modify information in a table within the accounting system, which in turn automatically updated the system; under the new accounting system, all changes to the allocation percentages must be made via a journal entry. The general ledger manager in the Division of Finance (DOF) is required to review and approve journal entries for adjusting the allocation percentages along with the underlying support. In comparing the allocation source reports prepared by the budget office to the actual percentages in the accounting system, we found that FDIC used erroneous expense allocation percentages in four cases. This resulted in an over allocation of expenses to BIF and FRF of $50,539 each, and an under allocation to SAIF of $101,078. FDIC corrected these misallocations in 2005 and corrected the allocation percentages for future allocations. Although the journal entries for the allocation percentages were approved by the general ledger manager, the review and approval process failed to identify these errors. 
Per discussions with FDIC officials, these errors were caused by the manager's inexperience with the new accounting system and the similarity of the allocation percentages. Recommendation: To minimize the risk of incorrect expense allocation among the funds, we recommend that FDIC issue a formal notice to all individuals who review and approve journal entries for the expense allocation percentages reminding them of their responsibility to properly review proposed changes to these percentages. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it will reemphasize to personnel having a general ledger manager role in the new accounting system that one of their primary responsibilities is to properly review all journal entries, including entries adjusting the allocation percentages. We will evaluate the effectiveness of FDIC's actions during our 2006 financial audit. Procurement Process: During our 2005 financial audit, we found several internal control deficiencies in FDIC's procurement process, two of which resulted in incorrect charges to the funds. GAO's Standards for Internal Control in the Federal Government requires agencies to implement internal control procedures to ensure proper execution of transactions and events. In addition, these standards require that qualified and continuous supervision be provided to ensure that internal control objectives are achieved. Procurement is performed mainly by the Acquisition Services Branch (ASB) within the Division of Administration. FDIC's Acquisition Policy Manual (FDIC Circular 3700.16) provides a consolidated and uniform set of policies and procedures for procuring goods and services on behalf of the corporation in its corporate, receivership, and conservatorship capacities. Generally, procurement begins when a requestor electronically completes a Requirements Package including a Procurement Requisition. 
After the requisition is approved by the requestor's division, ASB will begin to purchase the goods and services. This purchase is generally processed by the use of a purchase order or a contract. ASB is responsible for entering purchase order or contract information into the accounting system, including price, delivery information, due date, program codes, and account codes. Once the contracted goods/services have been received/performed, the invoices are sent to the Disbursement Operations Unit (DOU) within DOF. DOU is responsible for date stamping, entering information into the accounting system, and electronically routing the invoice to the appropriate oversight manager for approval. The information entered includes the vendor's name, invoice date, mailing address, and invoice amount. Once the oversight manager electronically approves the invoice, it is processed for payment. We reviewed the procurement process from requisition through the payment of invoices by selecting and testing samples of operating expense transactions. In testing these transactions, we identified the following issues: * A contractor who provided various advertising services to FDIC billed estimated expenses for its subcontractors to FDIC while the contract terms specified that the invoices were to be based on actual incurred costs. According to the FDIC oversight manager for this contract, it is commercial practice for advertising companies to bill based on estimated costs; however, this contract was not amended to include the appropriate terms and conditions for advance payment. The contractor conducted a year-end fiscal closeout that included a detailed reconciliation to its subcontractors' invoices. Based on the reconciliation, $132,800 was refunded to FDIC in March 2006. * Two transactions for computer consulting services, valued at $5,446 and $84,325 respectively, were incorrectly charged solely to BIF instead of allocated among BIF, SAIF, and FRF. 
Both of these transactions were approved by oversight managers. After we brought this to FDIC's attention, we were told that many employees were still learning the corporation's new accounting system. Accordingly, these errors were caused by the oversight managers' lack of experience with the new system. As a result of these errors, BIF was overcharged $15,278, and SAIF and FRF were undercharged $12,582 and $2,696, respectively. * An approved procurement-related transaction for $122,878 was incorrectly charged to a wrong purchase order. According to FDIC, this incorrect charge was due to the related oversight manager being newly assigned to this particular contract and all purchase order numbers having changed due to the implementation of the new accounting system. Because both the original purchase order and the incorrectly charged purchase order have the same allocation fund expense percentages, there was no dollar impact on the funds. * A $30,432 payment to a contractor for computer-related services was approved without verification of related subcontractor charges. The supporting subcontractor invoices were not readily available for review because they were not submitted with the prime contractor's monthly invoice, even though the contract required all subcontractor invoices to be submitted with the monthly invoice. After we requested that FDIC obtain the related subcontractor's invoices, we found that the related charges were correct. In our 2004 financial audit, we found the same type of control issue but with negative consequences. FDIC was overcharged nearly $33,000 because this same contractor did not furnish related subcontractor invoices to FDIC, and FDIC personnel were not verifying the subcontractor charges. In response to this finding, FDIC issued a memorandum in May 2005, reminding oversight managers of their critical responsibility for reviewing and approving contractor invoices. 
Nonetheless, the transaction we tested in 2005 was reviewed and approved by the oversight manager in July 2005, and again the oversight manager failed to follow FDIC's policies and procedures to obtain subcontractor's invoices to verify charges prior to payment. Recommendations: To improve internal controls over FDIC's procurement process and to minimize the potential for erroneous charges and misallocation of charges to the funds, we recommend that FDIC: * reissue a formal notice to all individuals who review and approve procurement-related transactions again reminding them of their responsibilities to ensure that terms and conditions of the contract are complied with or changed if appropriate and that transactions are properly recorded; and: * require contract oversight managers to send a letter to the appropriate contractors stating that, consistent with the contract terms, their invoices will not be paid until all supporting subcontractor invoices are submitted to FDIC for review. FDIC Comments and Our Evaluation: FDIC agreed with our recommendations. FDIC stated that it will issue another memorandum to all division and office directors and oversight managers restating their responsibilities, including the responsibility to ensure all required supporting documentation are provided and reviewed before approving payment. Additionally, FDIC stated that the memorandum will instruct the oversight managers to issue "invoice rejection letters" to contractors if contractors submit invoices without appropriate supporting documentation, including subcontractor invoices. The "invoice rejection letter" will inform the contractor that the invoice will not be paid until a proper invoice is received, reviewed and approved by the FDIC. FDIC stated that it will issue the memorandum to oversight managers by July 17, 2006. We will evaluate the effectiveness of FDIC's actions during our 2006 financial audit. 
Supplemental Payment System: During our testing of operating expenses, we identified a deficiency in the compensating controls FDIC put in place to allocate certain expenses processed by the Supplemental Payment System (SPS) among the funds. This deficiency resulted in incorrect expense charges to the three funds in 2005. GAO's Standards for Internal Control in the Federal Government requires agencies to implement internal control procedures to ensure the accurate and timely recording of transactions and events. In addition, these standards require that qualified and continuous supervision be provided to ensure that internal control objectives are achieved. FDIC uses the SPS to record and process supplemental employee payments such as relocation payments, commuter reimbursements, travel expenses, and employment buyouts. SPS also determines the applicable withholding taxes on supplemental employee payments; prevents FDIC from over withholding certain payroll taxes (e.g., social security and Medicare); accumulates supplemental payments made to each employee into one supplemental W-2; and generates this W-2 separately from the W-2 that the National Finance Center processes to cover its payroll-related payments. In implementing its new accounting system in May 2005, FDIC decided that it was not cost beneficial to customize SPS for automatic allocation of the tax expense processed within it to the three funds; to compensate, FDIC requires that manual journal entries be created by FDIC personnel and entered into the accounting system to allocate the SPS processed tax related charges among the funds. In testing transactions from SPS as part of our overall operating expense sample testing, we identified a $1,839 transaction related to the tax portion of an employee's relocation payment that was charged entirely to BIF, but which should have been allocated to BIF, SAIF, and FRF. 
Subsequent follow-up related to this transaction revealed that manual journal entries routinely prepared to allocate the SPS processed tax related transactions omitted three accounts. For 2005, these omissions resulted in BIF being overcharged $358,026, and SAIF and FRF being undercharged $273,785 and $84,241, respectively for expenses processed through SPS. These errors were not corrected in 2005. Going forward, FDIC officials stated that the corporation will manually allocate tax expenses from these three accounts to ensure the funds are being charged for appropriate costs. Recommendation: To address the limitation associated with expense transactions processed within the Supplemental Payment System, we recommend that FDIC review all of the general ledger accounts within the new accounting system that are processed through SPS to ensure that they are properly allocated to the appropriate funds. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. In response to our finding, FDIC stated that it has already reviewed the accounts processed through the SPS and confirmed that there are no other affected accounts. Going forward, FDIC stated that it will ensure these expenses are allocated appropriately. We will evaluate the effectiveness of FDIC's actions during our 2006 financial audit. Receivership Receipts (Mailroom Controls): During our testing of the corporation's internal controls, we identified several control deficiencies in the mailroom operation of its Dallas field office that increased the risk of theft, loss, or misappropriation of receipts. GAO's Standards for Internal Control in the Federal Government requires agencies to establish physical control to secure and safeguard vulnerable assets. Examples include security for, and limited access to, assets such as cash, securities, inventories, and equipment that might be vulnerable to risk of loss or unauthorized use. 
The mailroom of the Dallas field office is responsible for opening mail and monetary receipts for receivership activities. These receipts generally consist of loan repayments from debtors of failed financial institutions. For calendar year 2005, the mailroom of the Dallas field office processed 2,051 checks totaling approximately $19 million. In our tests of controls of FDIC's Dallas field office mailroom operations, we found the following deficiencies: * The mailroom entry door did not provide adequate physical security. The entry door was comprised of two half doors, with only the bottom half being closed and locked while the top half was left open. We observed several people bypassing the special access badge reader by reaching over the top of the bottom locked door and opening it using the inside handle. * FDIC's mail was not opened under dual control. Although FDIC stated that at least two contractor employees concurrently opened mail in the Dallas mailroom, we observed that they were not following the dual control procedure which calls for observing each other when opening official FDIC mail. * The mailroom staff logged in all checks at one time after all the mail was opened, instead of immediately at the time of their extraction as required by FDIC's Standard Operating Procedures. Safeguarding controls are critical in preventing the theft of cash or checks. The lack of effective safeguarding controls increases the risk of theft, loss, or misappropriation of assets. 
Recommendations: To improve its physical security over the Dallas field office mailroom operations, we recommend that FDIC: * instruct its contractor employees to follow FDIC's policy and procedures to specifically use the access card when entering the mailroom entry door; * close both half doors so that access can only be made by authorized personnel using the access card; * require personnel to open official FDIC mail under dual control; and: * log check receipts into the Daily Check Log immediately at the time of their extraction rather than at the completion of the mail-opening process. FDIC Comments and Our Evaluation: FDIC agreed with our recommendations. In response to our findings, FDIC stated that it had already taken action to address these issues and noted that, as of January 31, 2006: * the mail room door can only be opened by authorized personnel using their access card; * both half doors have been closed and secured so that access can only be made by authorized personnel using their access cards; * it has defined "dual control" in its mail opening policy to ensure that at least one employee or contractor oversees another employee or contractor when opening official FDIC mail. As an internal control, periodic observation for compliance is conducted by the oversight manager via a monitoring camera that can be viewed in the security area; and: * the oversight manager has instructed mailroom contractors to log checks into the daily check log immediately at the time of their extraction rather than at the completion of the mail opening process. We will evaluate the effectiveness of FDIC's actions during our 2006 financial audit. This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this letter. This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. 
We are sending copies of this report to the Chairman and Ranking Minority Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Minority Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO's Web site at [Hyperlink http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2005 and 2004 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact me at (202) 512-3406 or by e-mail at sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures: [End of Section] Enclosure I: Comments from the Federal Deposit Insurance Corporation: Federal Deposit Insurance Corporation: 550 17th Street NW, Washington, D.C. 20429-9990: Deputy to the Chairman and CFO: June 28, 2006: Mr. Steven J. Sebastian, Director Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Sebastian: Thank you for the opportunity to respond to the draft report titled, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures, GAO-06-772R. 
The report discusses issues that were identified during the 2005 financial statements audit regarding internal controls and accounting procedures that could be improved, and recommendations to address these issues. We were pleased to have the Government Accountability Office (GAO) acknowledge that, although these issues warranted management's attention, they were not material in relation to the financial statements. Overall, FDIC agrees with the results presented in the draft report and recognizes the need to strengthen our internal control environment to ensure the accurate and timely recording of transactions and events. We are committed to identifying opportunities for improvement and ensuring that internal control objectives are achieved. Our corrective action plan in response to the recommendations is discussed below. Expense Allocation: GAO found that FDIC made errors in several of its operating expense allocation percentages. These errors resulted in misstatements in the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF) financial statements, though the misstatements were not considered material. Recommendation 1: To minimize the risk of incorrect expense allocation among the funds, GAO recommended that FDIC issue a formal notice to all individuals who review and approve journal entries for the expense allocation percentages reminding them of their responsibility to properly review proposed changes to these percentages. Management Response: We concur with the recommendation and agree that there were four erroneous expense allocation percentages used in the common services expense allocation process. The initial percentages were set up in the New Financial Environment (NFE) prior to implementation. These percentages were set up using the workflow approval process and were approved by an individual with the General Ledger (GL) Manager approval role at the time. 
After NFE implementation, personnel with this role are housed in the General Ledger Unit, Accounting Operations Section. The process within the General Ledger Unit is to review journal entries to ensure they are correct, which includes ensuring that percentages processed in the allocation journal correspond to the percentages submitted in the budget process. Regardless, FDIC will reemphasize to personnel possessing the GL Manager role in NFE that one of their primary responsibilities is to properly review all journals, including journals adjusting the allocation percentages. Procurement Process: GAO found that FDIC did not detect several internal control deficiencies in its procurement process; two of which resulted in misstatements of the BIF, SAIF, and FRF financial statements, though the misstatements were not considered material. Recommendation 2: To improve internal controls over FDIC's procurement process and to minimize the potential for erroneous charges and misallocation of charges to the funds, GAO recommended that FDIC reissue a formal notice to all individuals who review and approve procurement-related transactions again reminding them of their responsibilities to ensure that terms and conditions of the contract are complied with or changed if appropriate and that transactions are properly recorded. Management Response: We concur with the recommendation. In response to GAO's internal controls and accounting procedures audit report for the calendar year 2004, FDIC issued a memorandum on May 10, 2005 (see attached), to headquarters and regional office oversight managers, technical monitors, and Acquisition Services Branch (ASB) personnel reminding oversight managers of their critical responsibility for reviewing and approving contractor invoices. 
FDIC will issue another memorandum to all division and office directors and oversight managers to restate their responsibilities, including the responsibility to ensure all required supporting documentation, such as subcontractor invoices, are provided and reviewed before approving payment. Guidance designed to prevent misallocation of funds and ensure proper reporting of transactions will also be included in this memorandum. FDIC will issue the memorandum to oversight managers by July 17, 2006. In addition, on May 26, 2006, ASB issued a notice (see attached) to FDIC contracting personnel to remind them of their role in appointing oversight managers and technical monitors and ensuring oversight managers properly perform their contract oversight responsibilities in accordance with applicable policies and procedures. Contracting officers were also reminded to monitor how well oversight managers perform their functions and to take appropriate action if oversight managers do not perform their oversight duties diligently. Recommendation 3: To improve internal controls over FDIC's procurement process and to minimize the potential for erroneous charges and misallocation of charges to the funds, GAO recommended that FDIC require contract oversight managers to send a letter to the appropriate contractors stating that, consistent with the contract terms, their invoices will not be paid until all supporting subcontractor invoices are submitted to FDIC for review. Management Response: We concur with the recommendation. While we concur that the issue needs to be addressed, we believe there is a more efficient and cost effective solution. To address this concern, we will issue a memorandum to all oversight managers no later than July 17, 2006, as specified in the above response. 
This memorandum will instruct the oversight managers to issue "invoice rejection letters" to contractors if contractors submit invoices without appropriate supporting documentation, including subcontractor invoices, or if invoices do not specify the accounting information as required by the contract. The "invoice rejection letter" will inform the contractor that the invoice will not be paid until a proper invoice is received, reviewed and approved by the FDIC. We believe this approach is a more efficient and cost effective solution and should achieve the overall goal of the GAO's recommendation. Supplemental Payment System: GAO found that FDIC did not detect allocation errors in its Supplemental Payment System. These errors resulted in misstatements in the BIF, SAIF, and FRF financial statements, though the misstatements were not considered material. Recommendation 4: To address the limitation associated with expense transactions processed within the Supplemental Payment System (SPS), GAO recommended that FDIC review all of the general ledger accounts within the new accounting system that are processed through SPS to ensure that they are properly allocated to the appropriate funds. Management Response: We concur with the recommendation and as noted in greater detail below, have already implemented it. We agree that employer matching tax expenses and gross up expenses related to the Supplemental Payment System (SPS) were not allocated to the funds correctly. The SPS (essentially the PeopleSoft (PS) Payroll System) would have required considerable modifications to allow for the posting of these tax expenses by the fund where the expense originated. The system's accounting entry process is designed around the use of account codes representing a combination of chartfields and SPS assigns only one account code for the employer matching and gross-up expenses. 
During the NFE design process, it was determined that customizing the system would not be cost beneficial in this instance. However, the implementation team, while identifying the need to allocate these tax expenses to various department and program codes outside the SPS system, overlooked the need for allocating these expenses across the funds. The FDIC has already reviewed the accounts processed through the SPS and confirmed that the only accounts having the issue described above are the three accounts relating to employer matching and gross-up expenses. Going forward, FDIC will ensure these expenses are allocated appropriately. We note however, with the Bank Insurance Fund and the Savings Association Insurance Fund merging into the Deposit Insurance Fund and the continuing decline in the size of the FRF, FDIC is now in the process of reviewing whether it is proper to continue allocating these types of expenses to the FRF. Receivership Receipts (Mailroom Controls): GAO found that FDIC lacked the appropriate level of control over checks in its Dallas mailroom. The lack of effective safeguarding control procedures increased the risk of theft, loss, or misappropriation of assets. Recommendation 5: To improve its physical security over the Dallas field office mailroom operations, GAO recommended that FDIC instruct its contractor employees to follow FDIC's policy and procedures to specifically use the access card when entering the mailroom entry door. Management Response: We concur with the recommendation. In GAO's Matters for Further Consideration (MFC-2) dated January 18, 2006, GAO identified this issue, as well as others, and requested a response. We addressed and resolved this issue in our response dated January 31, 2006. For your convenience, we restate our earlier response here. As of January 31, 2006, both "halves" of the mail room door have been closed and secured so that access can only be obtained via the card reader to authorized personnel. 
Business transactions take place through the counter window which is locked when the mail room is closed. Recommendation 6: To improve its physical security over the Dallas field office mailroom operations, GAO recommended that FDIC close both half doors so that access can only be made by authorized personnel using the access card. Management Response: We concur with the recommendation and restate our earlier response dated January 31, 2006. As of January 31, 2006, both "halves" of the mail room door have been closed and secured so that access can only be obtained via the card reader to authorized personnel. Business transactions take place through the counter window which is locked when closed. Recommendation 7: To improve its physical security over the Dallas field office mailroom operations, GAO recommended that FDIC require personnel to open official mail under dual control. Management Response: We concur with the recommendation. FDIC Mail Operations Standard Operating Procedures clearly require that all mail should be opened under dual control to ensure adequate internal controls and accountability. The intent of this policy is to ensure that at least one employee or contractor oversees another employee or contractor when opening official FDIC mail. To address GAO's concerns and eliminate any ambiguity regarding FDIC's mail opening policy, we have defined "dual control," as it relates to the process for opening mail, in guidance issued and implemented on January 31, 2006. This guidance was provided in our response to GAO's Matter for Further Consideration (MFC-2). As an internal control, periodic observation for compliance is conducted by the oversight manager via a monitoring camera that can be viewed in the security area. 
Recommendation 8: To improve its physical security over the Dallas field office mailroom operations, GAO recommended that FDIC log check receipts into the Daily Check Log immediately at the time of their extraction rather than at the completion of the mail-opening process. Management Response: We concur with the recommendation and restate our earlier response. In our January 31, 2006, response to GAO's Matters for Further Consideration (MFC-2), we noted that the oversight manager instructed mailroom contractors to log checks into the daily check log immediately at the time of their extraction rather than at the completion of the mail opening process. We appreciate GAO's assistance in these matters. If you have any questions relating to these FDIC management responses, please contact James H. Angel, Jr., Director, Office of Enterprise Risk Management, at 703-562-6456. Sincerely, Signed by: Steven O. App: Deputy to the Chairman and Chief Financial Officer: Attachments: cc: John F. Bovenzi: Fred S. Selby: Arleas Upton Kea: James H. Angel, Jr. Alice C. Goodman: FDIC: Federal Deposit Insurance Corporation: 550 17th St. NW Washington DC, 20429 Division of Administration: May 10, 2005: To: Headquarters and Regional Office Oversight Managers and Technical Monitors And Acquisition Services Branch Personnel: From: Ann Bridges Steely, Associate Director Acquisition Services Branch: Subject: Invoice Review and Approval: The FDIC pays contractor costs that are allowable by the terms of the contract and are reasonable in nature and amount. The Oversight Manager is responsible for the review and approval of contractor invoices. It is of critical importance that all invoices be thoroughly reviewed prior to approval to ensure that contractors have fully complied with the terms of the contract. Oversight Managers must ensure the FDIC is billed only for goods and services that are contained in the contract, at the rates quoted within the contract, and only for
goods or services that the FDIC has received and which are acceptable to the FDIC. The Oversight Manager is also responsible for monitoring total payments to the contractor to ensure that they do not exceed the contract ceiling. Any questions regarding invoices and adherence to contractual terms should be directed to your Contract Specialist or Contracting Officer prior to approving any invoice. Refer to the Acquisition Policy Manual Section 5.H., Contract Payments, for further guidance. Questions regarding this memorandum should be addressed to Ann Bridges Steely at (202) 942-3010. May 26, 2006: Procurement Administrative Bulletin No. 2006-05: This PAB provides a list of general reminders for Contracting Officers with respect to appointing Oversight Managers, changing Oversight Managers, and taking appropriate action when Oversight Managers do not fulfill their designated roles and responsibilities during contract administration. Subject: General Reminders of Contracting Officer's Role In Appointing Oversight Managers: Background: APM Reference: Section 5.A.6; General Policy Description: Requires Contracting Officers to appoint Oversight Managers (OMs) for all contracts awarded using ASB's formal contracting procedures. APM Reference: Section 5.A.7; General Policy Description: Addresses the policy for changing OMs. APM Reference: Section 5.A.11; General Policy Description: Requires OMs to take the FDIC's web-based OM training course before the Contracting Officer can appoint them as OM. [End of Table] General Reminder: As a general reminder, it is important for Contracting Officers to: * Ensure that OMs have successfully completed the FDIC Oversight Manager on-line training course before issuing a Letter of OM Confirmation (Exhibit XVI to the APM). Document the file with a copy of the OM's Corporate University transcript which verifies successful course completion. 
* Verify that the OM has obtained approval from DIT (via the AASA form process) to approve invoices in NFE and also approval for access to CeFile. To do this: (1) Look up the OM's name on the NFE PO Header Details page. (2) Look up the OM's name on the `CeFile Acq OM' user access list in CeFile. * Issue OM Confirmation Letters immediately following the award of the Contract. * Forward a copy of the signed OM Confirmation Letter to the contractor upon award to ensure that the contractor has been advised of the OM's roles and responsibilities. * Monitor how well OMs are performing, and take appropriate action if they do not perform their roles and responsibilities (e.g., notify the OM and elevate the matter to the ASB Assistant Director). * To replace an OM with a new OM during contract administration, the above mentioned general reminders apply. In addition, make sure you: (1) Terminate the existing Letter of OM Confirmation in writing. (2) Provide a copy to the contractor to inform them of the change, along with a new OM Confirmation Letter with the name of the new OM. (3) Change the name of the OM in NFE immediately upon issuance of the new OM Confirmation Letter to ensure future invoices will be routed to the new OM. (4) Update the CeFile access list to remove the existing OM's name and replace it with the name of the new OM. (Note. Only the `owner' of the file in CeFile can update the access list.) * Copies of signed OM Confirmation Letters must be retained in the official contract file in CeFile. Questions regarding this PAB should be addressed to Julie Rothermel at (703) 562-2212. 
[End of Section] Enclosure II: Details on Audit Methodology: To fulfill our responsibilities as auditor of the financial statements of the three funds administered by the FDIC, we did the following: * examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements; * assessed the accounting principles used and significant estimates made by management; * evaluated the overall presentation of the financial statements; * obtained an understanding of internal controls related to financial reporting (including safeguarding assets) and compliance with selected laws and regulations; * tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control; * considered FDIC's process for evaluating and reporting on internal control based on criteria established by 31 U.S.C. § 3512 (c), (d), (commonly referred to as the Federal Managers' Financial Integrity Act); and: * tested compliance with applicable laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, and the Chief Financial Officers Act of 1990. [End of Section] Enclosure III: Acknowledgments: The following individuals made major contributions to this report: Gloria Cano, Gary Chupka, Julia Duquette, Wing Lam, Richard Larsen, and Greg Ziombra. (196107): FOOTNOTES [1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2005 and 2004 Financial Statements, GAO-06-146 (Washington, D.C.: Mar. 2, 2006). [2] Material weaknesses are defined as a condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. 
[3] Reportable conditions are defined as significant deficiencies in the design or operation of internal control that could adversely affect the entity's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. [4] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). [5] On February 8, 2006, the President signed into law the Federal Deposit Insurance Reform Act of 2005. Among its provisions, the act calls for merging the Bank Insurance Fund and Savings Association Insurance Fund into a single Deposit Insurance Fund. The merger occurred on March 31, 2006.