This is the accessible text file for GAO report number GAO-07-942R 
entitled 'Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures' which was released on June 
27, 2007. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

June 27, 2007: 

Mr. Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 
Federal Deposit Insurance Corporation: 

Subject: Management Report: Opportunities for Improvements in FDIC's 
Internal Controls and Accounting Procedures: 

Dear Mr. App: 

In February 2007, we issued our opinions on the calendar year 2006 
financial statements of the Deposit Insurance Fund (DIF) and the FSLIC 
Resolution Fund (FRF).[Footnote 1] We also issued our opinion on the 
effectiveness of the Federal Deposit Insurance Corporation's (FDIC) 
internal control over financial reporting (including safeguarding 
assets) and compliance as of December 31, 2006, and our evaluation of 
FDIC's compliance with significant provisions of selected laws and 
regulations for the two funds for the year ended December 31, 
2006.[Footnote 2] 

The purpose of this report is to present issues identified during our 
audits of the 2006 financial statements regarding internal controls and 
accounting procedures and to recommend actions to address these issues. 
Although these issues were not material in relation to the financial 
statements, we believe they warrant management's attention. We are 
making seven recommendations for strengthening FDIC's internal controls 
and accounting procedures. We conducted our audits in accordance with 
U.S. generally accepted government auditing standards. 

Results in Brief: 

During our audits of the 2006 financial statements, we identified 
several internal control issues that affected FDIC's accounting for the 
funds it administers. Although we do not consider them to be material 
weaknesses[Footnote 3] or significant deficiencies,[Footnote 4] we 
believe they warrant management's consideration. 

Specifically, we found the following: 

* FDIC had inadequate or incomplete written procedures for key segments 
of its general ledger monthly closing process and other financial 
operations. The absence of adequate written procedures increases the 
risk that (1) all necessary steps in the monthly general ledger closing 
process and other processes may not be completely, correctly, and 
consistently performed and (2) disruptions and errors may arise when 
staff changes occur. This, in turn, could affect the reliability of 
data presented in FDIC's financial statements. 

* FDIC lacked adequate supervisory reviews of key tasks in the monthly 
general ledger closing process and other financial operations, 
increasing the risk that errors in preparing financial statements might 
not be timely detected and corrected. 

* FDIC incorrectly excluded certain receivership data used in the 
calculation of loss rates from bank failures, resulting in an error in 
these loss rates that could have affected the accuracy/reliability of 
the contingent liability presented in the financial statements. 

* FDIC lacked appropriate control to safeguard checks received in its 
Dallas mailroom and did not provide proper oversight of contractor 
lockbox operations, increasing the risk of theft, loss, or 
misappropriation of assets. 

We are making seven recommendations to improve FDIC's internal controls 
and accounting procedures. Implementation of these recommendations 
would strengthen FDIC's conformance with the internal control standards 
that federal agencies are required to follow[Footnote 5] and minimize 
the risk of future misstatements in the two funds' financial 
statements. 

In its comments, FDIC agreed with our recommendations and described 
actions it has taken or plans to take to address the control weaknesses 
described in this report. At the end of our discussion of each of the 
issues in this report, we have summarized FDIC's related comments and 
our evaluation. 

Scope and Methodology: 

As part of our audits of the 2006 and 2005 financial statements of the 
two funds administered by FDIC, we evaluated FDIC's internal controls 
and its compliance with selected provisions of laws and regulations. We 
designed our audit procedures to test relevant controls, including 
those intended to ensure proper authorization, execution, accounting, 
and reporting of transactions. 

We requested comments on a draft of this report from the FDIC Deputy to 
the Chairman and Chief Financial Officer. We received written comments 
and have reprinted the comments in enclosure I. Further details on our 
scope and methodology are included in our report on the results of our 
audits of the 2006 and 2005 financial statements, and are reproduced in 
enclosure II. 

General Ledger Closing and Other Financial Processing Procedures: 

During our observations of FDIC's monthly general ledger closing 
process and other financial operations related to the preparation of 
DIF's and FRF's financial statements, we identified several critical 
steps in the processes in which the documentation of procedures was 
either inadequate or incomplete and could be improved. These critical 
steps involved activities that were performed outside the automated 
processes of the PeopleSoft application within FDIC's financial 
environment. GAO's Standards for Internal Control in the Federal 
Government requires that internal control procedures be clearly 
documented in management directives, policies, or operating manuals. 
Further, all documentation should be properly managed and maintained. 

Specifically, we observed that there were inadequate written procedures 
covering the (1) preparation of the DIF and FRF financial statements, 
(2) closing out of terminated receiverships, (3) review of the vendor 
maintenance log, and (4) number and types of oversight reports and 
audit logs that are used to monitor financial processes, including 
documentation of the periodic review of these reports and audit logs. 

We also identified the following activities in the monthly general 
ledger closing process where the extent of written procedures could be 
improved: 

* Preparation and entering spreadsheet adjustments to the general 
ledger for (1) estimated legal contingent liabilities, (2) loan loss 
reserve, and (3) accounts payable accruals. 

* Preparation and recording entries to the general ledger for the 
payroll liability accruals. 

* Preparation of final accounts payable accrual analysis reports. 

Additionally, we found that there was incomplete detailed documentation 
(run sheets) for automated transactions used to accomplish the monthly 
closing process. 

According to FDIC officials, the lack of adequate written procedures 
was caused by the fact that management attention and resources have 
been devoted to higher priorities in ensuring the successful 
implementation of the new financial management system. Nonetheless, 
inadequate or incomplete written procedures reduce the assurance that 
critical processes and operating activities have been completely, 
correctly, and consistently performed; increase the risk of disruption 
and errors when staff changes occur; and could affect the reliability 
of data presented in FDIC's financial statements. 

Recommendation: 

We recommend that FDIC improve its written procedures by describing 
more explicitly the steps required to accomplish and document each 
significant activity in the monthly general ledger closing process and 
other financial operations related to financial statement preparation 
in order to help ensure that such steps are completely, consistently, 
and accurately performed. 

FDIC Comments and Our Evaluation: 

FDIC agreed with our recommendation. In response to our finding, FDIC 
stated that existing procedures and process documentation will be 
enhanced to more explicitly capture the key steps and activities 
required to support the monthly general ledger closing process and 
other related financial operation areas. FDIC further stated that this 
procedures work is scheduled to be completed in phases, starting with 
the most critical areas by June 30, 2007, and the other processes 
completed by December 31, 2007. We will evaluate the effectiveness of 
FDIC's actions during our 2007 financial audit. 

Supervisory Review of General Ledger Closing and Other Financial 
Operations: 

During our observations of the monthly general ledger closing process 
and related activities, we identified several instances in which there 
was inadequate supervisory review of key tasks or activities outside 
the automated financial processes. Supervisory review of key activities 
is important to ensure that errors in the data or processes leading to 
preparation of the annual financial statements are timely detected and 
corrected. GAO's Standards for Internal Control in the Federal 
Government requires agencies to implement internal control procedures 
to ensure the accurate and timely recording of transactions and events. 
In addition, these standards require that qualified and continuous 
supervision be provided to ensure that internal control objectives are 
achieved. 

Specifically, we identified the following activities in the monthly 
general ledger closing and related processes where there was inadequate 
supervisory review: 

* Manual compilation of spreadsheets containing expense accrual data 
used to update monthly balances prior to the system upload. 

* Manual compilation of final expense accrual analysis reports prior to 
distribution. 

* Preparation of reports relating to fiscal year comparisons and the 
corporate closing trial balance prior to the fiscal year end system 
close. 

* Changes to business rules that specify how certain financial 
transactions are to be processed. 

* Override of accounts payable match exception transactions. 

According to FDIC officials, the lack of adequate supervisory review 
was caused by management's attention being devoted to higher priorities 
in ensuring the successful implementation of new financial management 
processes and the administrative challenges posed by the merger of the 
Bank Insurance Fund and the Savings Association Insurance Fund. 
Nonetheless, inadequate supervisory review of the activities noted 
above increases the risk to FDIC that errors might not be detected and 
corrected in a timely manner. This, in turn, increases the risk of 
misstatements in the DIF's and FRF's financial statements. 

Recommendation: 

We recommend that FDIC emphasize to its staff the importance of 
completing required supervisory review of key transactions and 
procedures in the monthly general ledger closing process and other 
financial operations to ensure that they are properly executed and that 
these reviews are documented. 

FDIC Comments and Our Evaluation: 

FDIC agreed with our recommendation. FDIC stated that it has emphasized 
and will continue to emphasize to staff the importance of documented supervisory 
review of key tasks and activities. We will evaluate the effectiveness 
of FDIC's actions during our 2007 financial audit. 

Calculation of Loss Rates for Anticipated Bank Failures: 

During our testing of contingencies related to the anticipated failures 
of insured institutions, we identified an error in one of the 
statistical analysis programs FDIC uses to estimate expected loss rates 
for various categories of assets. Specifically, FDIC incorrectly 
excluded certain asset data for an individual receivership from this 
statistical program. GAO's Standards for Internal Control in the 
Federal Government requires agencies to implement internal control 
procedures to ensure the accurate and timely recording of transactions 
and events. In addition, these standards require that qualified and 
continuous supervision be provided to ensure that internal control 
objectives are achieved. 

FDIC records a contingent liability and loss provision for DIF-insured 
institutions that are likely to fail within 1 year of the financial 
statement reporting date, absent some favorable event such as obtaining 
additional capital or merging, when the liability becomes probable and 
reasonably estimable. The contingent liability is derived by applying 
expected failure and loss rates to institutions based on supervisory 
ratings, balance sheet characteristics, and projected capital levels. 

To derive expected loss rates, FDIC uses historical information from 
receiverships to compute actual losses on six categories of assets that 
constitute total bank assets: installment loans, commercial loans, 
securities, mortgages, other real estate owned, and all other assets. 
These actual losses are converted to expected loss rates for each asset 
category. These expected loss rates are then applied to the book value 
of each asset category of the institution deemed likely to fail to 
determine the total loss anticipated from the likely institution 
failure. 

To perform the analysis necessary to derive the expected loss rates and 
the contingent liability, FDIC uses statistical programs. However, 
during our audit, we found an error in the program used to estimate 
loss rates on the six categories of assets. Specifically, FDIC 
incorrectly included loss rates on securities of a receivership it 
intended to exclude, while mistakenly excluding loss rates of 
securities of another receivership. FDIC did not identify this error 
because it resulted from a transposition error that was not detected in 
FDIC's routine review of its statistical program. 

After we brought this error to FDIC's attention, FDIC corrected the 
error and recalculated the loss rates for 2006. While this revised 
calculation showed that the error had an immaterial effect on the loss 
rate computation in this instance, such an error, if undetected and 
uncorrected, could have had a significant effect on the calculation of 
loss rates and thus on the contingent liability presented in the 
financial statements. 

Recommendation: 

We recommend that FDIC emphasize to its staff the importance of 
thoroughly verifying the accuracy of all data elements included in the 
calculation of loss rates used in estimating the contingent liability 
for anticipated failures. 

FDIC Comments and Our Evaluation: 

FDIC agreed with our recommendation. FDIC stated that at the time of 
the review existing audit procedures required the review of all 
statistical programs but focused primarily on program logic. After GAO 
identified the error, FDIC modified the review process to also check 
any hard-coded data for errors. Additionally, FDIC stated that its 
staff was apprised of the new procedures, which became effective 
January 31, 2007. We will evaluate the effectiveness of FDIC's actions 
during our 2007 financial audit. 

Receivership Receipts (Mailroom and Cashier Controls): 

During our testing of FDIC's internal controls in the mailroom and 
cashier operations of its Dallas field office, we identified 
deficiencies in controls over checks received that increased the risk 
of theft, loss, or misappropriation of receipts. GAO's Standards for 
Internal Control in the Federal Government requires agencies to 
establish physical control to secure and safeguard vulnerable assets. 
Examples include security for, and limited access to, assets such as 
cash, securities, inventories, and equipment that might be vulnerable 
to risk of loss or unauthorized use. 

The mailroom of the Dallas field office is responsible for opening 
mail, including monetary receipts for receivership activities. These 
receipts are in the form of checks that generally consist of loan 
repayments from debtors of failed financial institutions. For those 
checks not received in the Dallas mailroom, FDIC uses a lockbox 
administered by JPMorgan Chase Bank, N.A. (JPMorgan). The lockbox is 
emptied several times a day and the checks are deposited in an FDIC 
account at JPMorgan. Each day, JPMorgan forwards to FDIC online image 
copies of the checks deposited that day and all supporting 
documentation received with the checks. For calendar year 2006, the 
mailroom of the Dallas field office directly processed 1,870 checks 
totaling approximately $31.9 million, while the lockbox operation 
processed 1,758 checks totaling approximately $5.2 million. Whether 
checks are received in the mailroom or lockbox, the Cashiers Unit is 
responsible for accounting for all receivership receipts. 

In our tests of controls of FDIC's Dallas field office mailroom and 
Cashiers Unit operations, we found the following control deficiencies: 

* The mailroom contractor staff did not adequately account for checks 
upon receipt and prior to storing the checks in a safe. Specifically, 
we found that the check log prepared upon extraction of receipts from 
the envelopes was not reconciled to the total number of checks and the 
total dollar value of checks received. Additionally, the check log was 
not initialed and dated by the preparer, and a tape recording agreement 
of checks to the check log was not prepared. Finally, we observed that 
the checks were not locked in a secured bag. 

* The file cabinet used by the Cashiers Unit to store checks overnight 
requires only one person to open it. We observed that four individuals 
had keys and unlimited access to the file cabinet. 

In addition, we found that FDIC's policies and procedures do not 
require the examination of any internal audit reviews of internal 
controls at JPMorgan's lockbox operation to ensure that these controls 
are effective and operating as intended. We were informed that 
JPMorgan's internal audit department conducts periodic reviews of 
lockbox operations using a risk-based approach. This approach includes 
an assessment of the key risks and processes within lockbox operations 
and an evaluation of associated controls, as well as an examination of 
policies and procedures to determine their overall effectiveness. 

JPMorgan's internal audit department completed its most recent review 
of lockbox operations in August 2006. However, its reviews are not 
required to be obtained and evaluated by FDIC. 

Safeguarding controls are critical in preventing the theft of cash or 
checks. The lack of effective safeguarding controls increases the risk 
of theft, loss, or misappropriation of assets. 

Recommendations: 

To improve physical security in the Dallas field office mailroom and 
cashier operations, we recommend that FDIC instruct: 

* mailroom contractor employees to reconcile checks received to the 
check log, initial and date the log, and prepare a tape recording 
agreement of the checks to the check log; 

* mailroom contractor employees to lock the checks in a secured bag 
immediately upon receipt and prior to storing the checks in a safe; 
and 

* Cashiers Unit employees to store checks overnight in a locked file 
cabinet that requires two individuals to open it. 

In addition, we recommend that FDIC modify its policies and procedures 
to require regular review and take appropriate actions to address the 
results of examinations of internal controls at the contractor's 
lockbox operation to ensure that controls are effective and operating 
as intended. 

FDIC Comments and Our Evaluation: 

FDIC agreed with the intent of our recommendations. In response to our 
findings related to FDIC's Dallas field office mailroom and Cashiers 
Unit, FDIC cited corrective actions completed by January 31, 2007, that 
address the issues we identified and are consistent with the intent of 
our recommendations. As to FDIC's policies and procedures related to 
the internal audit reviews of internal controls at JPMorgan's lockbox 
operation, FDIC stated that its policies and procedures will be 
modified by June 30, 2007, to request annual audit reports from 
JPMorgan and for FDIC to review those reports for possible internal 
control weaknesses and proposed corrective actions. We will evaluate 
the effectiveness of FDIC's actions during our 2007 financial audit. 

This report contains recommendations to you. We would appreciate 
receiving a description and status of your corrective actions within 30 
days of the date of this report. 

This report is intended for use by FDIC management, members of the FDIC 
Audit Committee, and the FDIC Inspector General. We are sending copies 
of this report to the Chairman and Ranking Minority Member of the 
Senate Committee on Banking, Housing, and Urban Affairs; the Chairman 
and Ranking Minority Member of the House Committee on Financial 
Services; the Chairman of the Board of Directors of the Federal Deposit 
Insurance Corporation; the Chairman of the Board of Governors of the 
Federal Reserve System; the Comptroller of the Currency; the Director 
of the Office of Thrift Supervision; the Secretary of the Treasury; the 
Director of the Office of Management and Budget; and other interested 
parties. In addition, this report will be available at no charge on 
GAO's Web site at http://www.gao.gov. 

We acknowledge and appreciate the cooperation and assistance provided 
by FDIC management and staff during our audits of FDIC's 2006 and 2005 
financial statements. If you have any questions about this report or 
need assistance in addressing these issues, please contact me at (202) 
512-3406 or sebastians@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in enclosure III. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

Enclosures - 3: 

[End of section] 

Enclosure I: Comments from the Federal Deposit Insurance Corporation: 

Federal Deposit Insurance Corporation: 
550 17th Street NW, 
Washington, D.C. 20429-9990: 
Deputy to the Chairman and CFO: 

June 15, 2007: 

Mr. Steven J. Sebastian, Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Sebastian, 

Thank you for the opportunity to respond to the draft report entitled, 
Management Report: Opportunities for Improvement in FDIC's Internal 
Controls and Accounting Procedures, GAO-07-942R. The report discusses 
matters that were identified during the 2006 financial statements audit 
regarding internal controls and accounting procedures that could be 
improved, and recommendations to address them. Although the Government 
Accountability Office (GAO) believes that these matters warrant 
management's attention, we are pleased that GAO acknowledged that they 
were not material in relation to the financial statements and does not 
consider them to be material weaknesses or significant deficiencies. 

We welcome your recommendations to improve our internal controls and 
recognize the benefit of implementing them. The FDIC has already 
completed actions to address some of the recommendations and we look 
forward to completing the corrective actions on the remaining ones. Our 
detailed management responses to the recommendations are provided in 
Attachment 1. 

We appreciate your diligent work on these matters. If you have any 
questions relating to the responses, please contact James H. Angel, 
Jr., Director, Office of Enterprise Risk Management, at 703-562-6456. 

Sincerely, 

Signed by: 

Steven O. App: 
Deputy to the Chairman and Chief Financial Officer: 

Attachment: 

cc: John F. Bovenzi: 
Bret D. Edwards: 
Arthur J. Murton: 
Arleas Upton Kea: 
Mitchell Glassman: 
James H. Angel, Jr. 
Alice C. Goodman: 

FDIC Responses to 2006 Management Report: 

Attachment 1: 

General Ledger Closing and Other Financial Processing Procedures: 

GAO found that FDIC had inadequate or incomplete written procedures for 
key segments of its general ledger monthly closing process and other 
financial operations. The absence of adequate written procedures 
increases the risk that 1) all necessary steps in the closing process 
may not be completely, correctly, and consistently performed and 2) 
disruptions and errors may arise when staff changes occur. This could 
impact the reliability of data presented in FDIC's financial 
statements. 

Recommendation 1: 

GAO recommended that FDIC improve its written procedures by describing 
more explicitly the steps required to accomplish and document each 
significant activity in the monthly general ledger closing process and 
other financial operations related to financial statement preparation 
in order to help ensure that such steps are completely, consistently, 
and accurately performed. 

Management Response: 

We concur with the recommendation and agree that existing procedures 
and process documentation can be enhanced to more explicitly capture 
the key steps and activities required to support the monthly general 
ledger closing process and other financial operation related areas. 
This procedures work is scheduled to be completed in phases, starting 
with the most critical areas by June 30, 2007, and other processes 
completed by December 31, 2007. 

Supervisory Review of General Ledger Closing and Other Financial 
Operations: 

GAO found that FDIC lacked adequate supervisory reviews of key tasks in 
the closing process and other financial operations, increasing the risk 
that errors in preparing financial statements might not be timely 
detected and corrected. 

Recommendation 2: 

GAO recommended that FDIC emphasize to its staff the importance of 
completing required supervisory review of key transactions and 
procedures in the monthly general ledger closing process and other 
financial operations to ensure that they are properly executed and that 
these reviews be documented. 

Management Response: 

We concur with the recommendation and have and will continue to 
emphasize to staff the importance of documented supervisory review of 
key tasks and activities. Additionally, we believe the enhanced 
procedures referred to in the previous response will more explicitly 
detail the supervisory review steps and required documentation. 

Calculation of Loss Rates for Anticipated Bank Failures: 

GAO found that FDIC incorrectly excluded certain receivership data used 
in the calculation of loss rates from bank failures, resulting in an 
error in these loss rates which could have impacted the accuracy/ 
reliability of the contingent liability presented in the financial 
statements. 

Recommendation 3: 

GAO recommended that FDIC emphasize to its staff the importance of 
thoroughly verifying the accuracy of all data elements included in the 
calculation of loss rates used in estimating the contingent liability 
for anticipated failures. 

Management Response: 

We concur with the recommendation. At the time of the review, existing 
audit procedures required the review of all statistical programs, which 
focused primarily on program logic. After the identification of the 
error, which GAO acknowledges had no material effect on the loss rate 
computation, the review process was immediately modified also to check 
any hard-coded data as part of the audit of program files. The staff 
was apprised of the new procedures, which became effective January 31, 
2007. 

Receivership Receipts (Mailroom and Cashier Controls): 

GAO found FDIC did not maintain adequate control to safeguard checks 
received in its Dallas mailroom and did not provide proper oversight of 
contractor lock box operations, increasing the risk of theft, loss, or 
misappropriation of assets. 

Recommendation 4: 

To improve its physical security over the Dallas field office mailroom 
operations, GAO recommended that FDIC instruct mailroom contractor 
employees to reconcile checks received to the check log, initial and 
date the log, and prepare a tape recording agreement of the checks to 
the check log. 

Management Response: 

We concur with the recommendation. To improve the security over these 
checks, the mailroom check processing procedures were revised in 
January 2007. As has been the mailroom's practice, all checks received 
must be promptly recorded. The revised procedures instruct the mailroom 
staff to run a tape of the checks as they are received, initial and 
date the tape, and attach the tape to the checks. Additionally, as part 
of the revised process, the mailroom staff must place the checks and 
tapes in a sealed envelope, place that envelope into a wall mounted 
safe depository drop box, and contact the Division of Resolutions and 
Receiverships (DRR) Cashier Unit for pickup. The Cashier Unit maintains 
the key to the safe depository and retrieves the checks upon 
notification by the mailroom staff. Under this new process, the Cashier 
sends an email confirmation of the pick-up indicating the number of 
checks, total amount, and receipt date. The email is then reconciled to 
the check log. We have attached the revised Mailroom Check Processing 
procedures as well as a description of the secure drop box used for 
check depository. The corrective actions were completed January 31, 
2007. 

Recommendation 5: 

To improve its physical security over the Dallas field office mailroom 
operations, GAO recommended that FDIC instruct mailroom contractor 
employees to lock the checks in a secured bag immediately upon receipt 
and prior to storing the checks in a safe. 

Management Response: 

This recommendation is not applicable since the Division of 
Administration (DOA) no longer uses a secured bag to lock and store 
checks. As stated in our response to Recommendation 4, the DOA mailroom 
staff puts checks into a sealed envelope immediately upon receipt and 
places the envelope into a wall mounted locked safe depository drop box 
for pickup by the Cashier Unit. This process replaced the use of a 
secured bag and safe. The drop box can only be opened by the Cashier 
Unit. This process satisfies the intent of the recommendation. 

Recommendation 6: 

To improve its physical security over the Dallas field office cashier 
operations, GAO recommended that the Cashiers Unit employees store 
checks overnight in a locked file cabinet that requires two individuals 
to open. 

Management Response: 

We concur with the recommendation. The corrective activity for this 
recommendation was implemented during the audit. The file cabinet used 
by the Cashier Unit is a locking fire proof cabinet within a secure 
room. A combination lock was added to the file cabinet with access 
given to DRR accounting personnel who do not have a key to the file 
cabinet lock or knowledge of the cipher lock combination to the room. 
All monetary items in the possession of the Cashier Unit are secured in 
the file cabinet requiring two individuals to unlock the cabinet. This 
corrective activity was coordinated with DOA in conjunction with 
changes to the DOA mailroom procedures. A second lock was installed on 
the cashiers file on or about January 12, 2007. 

Recommendation 7: 

GAO recommended that FDIC modify its policies and procedures to require 
regular review and take appropriate actions to address the results of 
examinations of internal controls at the contractor's lock box 
operation to ensure that controls are effective and operating as 
intended. 

Management Response: 

We concur with the recommendation. DRR will modify its procedures and 
policies by June 30, 2007, to require annual requests of external audit 
reports of JPMorgan Chase Bank and will review those reports for 
possible internal control weaknesses and proposed corrective actions. 

[End of section] 

Enclosure II: Details on Audit Scope and Methodology: 

To fulfill our responsibilities as auditor of the financial statements 
of the two funds administered by FDIC, we did the following: 

* examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements; 

* assessed the accounting principles used and significant estimates 
made by management; 

* evaluated the overall presentation of the financial statements; 

* obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets) and compliance with selected 
laws and regulations; 

* tested relevant internal controls over financial reporting and 
compliance, and evaluated the design and operating effectiveness of 
internal control; 

* considered FDIC's process for evaluating and reporting on internal 
control based on criteria established by 31 U.S.C. § 3512 (c), (d) 
(commonly referred to as the Federal Managers' Financial Integrity 
Act); and: 

* tested compliance with applicable laws and regulations, including 
selected provisions of the Federal Deposit Insurance Act, as amended, 
and the Chief Financial Officers Act of 1990. 

[End of section] 

Enclosure III: Acknowledgments: 

The following individuals made major contributions to this report: Gary 
Chupka, Assistant Director; Verginie Amirkhanian; Gloria Cano; Nina 
Crocker; Mickie Gray; David Hayes; Wing Kwong; Mary Osorno; Eduvina 
Rodriguez; and Greg Ziombra. 

[End of section] 

(196161): 

FOOTNOTES 

[1] On February 8, 2006, the President signed into law the Federal 
Deposit Insurance Reform Act of 2005 (the Act). Among its provisions, 
the Act called for the merger of the Bank Insurance Fund (BIF) and 
Savings Association Insurance Fund (SAIF) into DIF. In accordance with 
the Act, the Federal Deposit Insurance Corporation merged BIF and SAIF 
into the newly established DIF on March 31, 2006. The financial results 
of the newly formed DIF were retrospectively applied as though they had 
been combined at the beginning of 2006, as well as for prior periods 
presented for comparative purposes. 

[2] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 
2006 and 2005 Financial Statements, GAO-07-371 (Washington, D.C.: Feb. 
13, 2007). 

[3] A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. 

[4] A significant deficiency is a control deficiency, or combination of 
deficiencies, that adversely affects the entity's ability to initiate, 
authorize, record, process, or report financial data reliably in 
accordance with generally accepted accounting principles such that 
there is more than a remote likelihood that a misstatement of the 
entity's financial statements that is more than inconsequential will 
not be prevented or detected. 

[5] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
