United States General Accounting Office Accounting and Information Washington, DC 20548 Management Division B-283406 August 24,1999 The Honorable Donna A. Tanoue Chairman, Board of Directors Federal Deposit Insurance Corporation Subject: Financial Audie Other Matters Identified During GAO’s 1998 F’DIC Financial Statement Audits Dear Chairman Tanoue: In June 1999, we issued our opinions on the calendar year 1998 financial statements of the Bank Insurance Fund (BIF), Savings Association Insurance Fund (SAIF), and FSLIC Resolution F’und (FRF’). We also issued our opinion on the Federal Deposit Insurance Corporation (FDIC) management’s assertions regarding the effectiveness of its internal control as of December 31,1998, and reported on FDIC’s compliance with selected provisions of laws and regulations for the three funds for the year ended December 31,1998 (GAO/AND-99-202 June 30,1999). We conducted our audit pursuant to the provisions of section 17(d) of the Federal Deposit Insurance Act, as amended (12 U.S.C. 1827(d)), and in accordance with generally accepted government auditing standards. The purpose of this letter is to advise you of internal control weaknesses identified during our audits of the 1998 financial statements and to suggest improvements to address those weaknesses. Ahhough these matters were not material in relation to the financial statements, we believe that they warrant the attention of management. We provided FDIC officials with a draft of this letter and discussed the matters addressed below with them. FDIC officials generally agreed with our findings and suggestions. We wih follow up on these matters during our audits of the 1999 financial statements. In a separate letter, we are also communicating several additional sensitive matters concerning vulnerabihties in electronic information system controls. GAO/AIMD-99-275R FDIC Management Letter B-283406 CALCULATION OF LOSS ALLOWANCES FDIC calculates loss allowances on receivables from resolution of troubled and failed financial institutions (receivables from resolutions), and on assets acquired from assisted financial institutions and terminated receiverships (assets acquired). To calculate these loss allowances, FDIC relies on both mainframe and personal computer based programs. In calculating the loss allowance on receivables from resolutions, FDIC considers the distribution of asset recoveries to receivership liabilities. For the loss allowance on assets acquired, FDIC compares the estimated recoveries of the assets to their book value. Regarding this data, GAO’s Standards for Internal Control in the Federal Government’ provides that an objective of internal control is to ensure reliable data are maintained, and fairly disclosed in reports. In 1998, we found an internal control weakness in the data processing associated with calculating these loss allowances that resulted in immaterial errors in the financial statements that were not detected by FDIC. Specifically, we found that some data relating to the calculation of the loss allowance on assets acquired was erroneously included in the calculation of the loss allowance for receivables from resolutions. This error was not detected by FDIC because the book values for assets acquired used in the loss allowance calculations were not reconciled to the liquidation general ledger balances. To ensure the integrity of the data being used to calculate these loss allowances, we suggest that FDIC reconcile the book value of the assets acquired (by asset type) used in the calculation of the loss allowance on assets acquired from assisted financial institutions and terminated receiverships to the liquidation general ledger balances. FDIC has stated that it is correcting these situations. INFORMATION SYSTEMS APPLICATION CONTROL ACTIVITIES The Financial Information Processing Control Unit (FIPCU) within FDIC’s Division of Finance @OF) is responsible for entering changes to the Financial Information Management System (FIMS) account maintenance tables and for granting transaction privileges to users. During our testing of FIMS, we found that although separate duties were assigned, all 11 employees of FIPCU could grant user transaction privileges, perform FIMS account maintenance, and enter transactions to FIMS. Also, there is no automatic ‘While GAO has proposed revisions to the standards (Fkposure Draft Standards for Internal Control in the Federal Government GAO/AIMD-220.127.116.11issued May 1999), the proposed revisions retain these specific requirements. 2 GAOAIMD-99-275RFDIC Management Letter B-283406 tracking of system changes, such as logs, to effectively identify security and account maintenance performed by FIPCU. Lack of segregation of duties and systems logs increases the risk that unauthorized activities may not be detected. GAO’s internal control standards provide that key duties and responsibilities.in authorizing, processing, recording, and reviewing transactions should be -.separated. As a result of our findings, we suggest that FDIC analyze its staffing resources and duties within FIPCU and institute appropriate and effective segregation of duties, so that FIPCU personnel do not all perform security, account maintenance, and transaction related activities. Also, system logs should be produced and reviewed. FDIC has stated that it is correcting these situations. VENDOR FILE MAINTENANCE FDIC uses Electronic Funds Transfer (EFT) to pay many vendors for goods and services. The Vendor File Maintenance Group in DOF has the responsibility for maintaining an electronic file that contains the needed EFT related data for each vendor. This file is the vendor maintenance table within FIX’s accounts payable system. We found that the Vendor File Maintenance Group has the ability to modify data in the vendor maintenance table without independent review or verification and without confirmation with the vendor. Accordingly, unauthorized or incorrect changes to EFT data could be made and not timely detected by FDIC, and could lead to erroneous transactions. GAO’s internal control standards provide for separation of duties, and that qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved. We suggest that all EFT related data changes be verified by an independent individual who does not have the capability to change the data. FDIC should also institute procedures to confirm any changes with the related vendor to ensure that the changes are authorized and correct. We would appreciate receiving your comments as well as a description and status of your planned corrective actions within 30 days from the date of this letter. We appreciate the cooperation and assistance the FDIC management and staff provided during our 1998 audits. This letter is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. This letter is a matter of public record, 3 GAOAIMD-99-275R FDIC Management Letter El-283406 and its distribution is not limited. Consequently,copies are availableto others upon request. If you have any questionsor need assistancein ad$ressingthese matters, pleasecontact me at (202) 512-9406,or Jeanette Franzel, Assistant Director at (202) 512-9471. Sincerelyyours, Robert W. Gramling u Director, CorporateAudits and Standards (917799) GAOAIMD-99-275R FDIC Management Letter Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and Mastercard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37056 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by caRing (202) 5126000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu wiB provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: infoQwww.gao.gov or visit GAO’s World Wide Web Home Page at: httpti/www.gao.gov United States General Accounting Office Washington, D.C. 20548-0001 Official Business Penalty for Private Use $300 Address Correction Reauested
Financial Audit: Other Matters Identified During GAO's 1998 FDIC Financial Statement Audits
Published by the Government Accountability Office on 1999-08-24.
Below is a raw (and likely hideous) rendition of the original report. (PDF)