
Financial Audit: Other Matters Identified During GAO's 1998 FDIC Financial Statement Audits

Published by the Government Accountability Office on 1999-08-24.


United States General Accounting Office
Accounting and Information Management Division
Washington, DC 20548




B-283406

August 24, 1999

The Honorable Donna A. Tanoue
Chairman, Board of Directors
Federal Deposit Insurance Corporation

Subject: Financial Audit: Other Matters Identified During GAO’s 1998 FDIC
Financial Statement Audits

Dear Chairman Tanoue:

In June 1999, we issued our opinions on the calendar year 1998 financial statements
of the Bank Insurance Fund (BIF), Savings Association Insurance Fund (SAIF), and
FSLIC Resolution Fund (FRF). We also issued our opinion on the Federal Deposit
Insurance Corporation (FDIC) management’s assertions regarding the effectiveness
of its internal control as of December 31, 1998, and reported on FDIC’s compliance
with selected provisions of laws and regulations for the three funds for the year
ended December 31, 1998 (GAO/AIMD-99-202, June 30, 1999). We conducted our
audit pursuant to the provisions of section 17(d) of the Federal Deposit Insurance
Act, as amended (12 U.S.C. 1827(d)), and in accordance with generally accepted
government auditing standards.

The purpose of this letter is to advise you of internal control weaknesses identified
during our audits of the 1998 financial statements and to suggest improvements to
address those weaknesses. Although these matters were not material in relation to
the financial statements, we believe that they warrant the attention of management.
We provided FDIC officials with a draft of this letter and discussed the matters
addressed below with them. FDIC officials generally agreed with our findings and
suggestions. We will follow up on these matters during our audits of the 1999
financial statements.

In a separate letter, we are also communicating several additional sensitive matters
concerning vulnerabilities in electronic information system controls.




                                                    GAO/AIMD-99-275R FDIC Management Letter


CALCULATION OF LOSS ALLOWANCES

FDIC calculates loss allowances on receivables from resolution of troubled and failed
financial institutions (receivables from resolutions), and on assets acquired from
assisted financial institutions and terminated receiverships (assets acquired). To
calculate these loss allowances, FDIC relies on both mainframe and personal
computer based programs.

In calculating the loss allowance on receivables from resolutions, FDIC considers the
distribution of asset recoveries to receivership liabilities. For the loss allowance on
assets acquired, FDIC compares the estimated recoveries of the assets to their book
value. Regarding this data, GAO’s Standards for Internal Control in the Federal
Government [1] provides that an objective of internal control is to ensure reliable data
are maintained, and fairly disclosed in reports.

In 1998, we found an internal control weakness in the data processing associated
with calculating these loss allowances that resulted in immaterial errors in the
financial statements that were not detected by FDIC. Specifically, we found that
some data relating to the calculation of the loss allowance on assets acquired was
erroneously included in the calculation of the loss allowance for receivables from
resolutions. This error was not detected by FDIC because the book values for assets
acquired used in the loss allowance calculations were not reconciled to the
liquidation general ledger balances.

To ensure the integrity of the data being used to calculate these loss allowances, we
suggest that FDIC reconcile the book value of the assets acquired (by asset type)
used in the calculation of the loss allowance on assets acquired from assisted
financial institutions and terminated receiverships to the liquidation general ledger
balances. FDIC has stated that it is correcting these situations.
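As an added example (not part of the GAO letter and not FDIC's own programs), the reconciliation the letter suggests, modelled in Python: calculation inputs are summed by population and asset type and compared with liquidation general ledger balances, so an assets-acquired row that has been keyed into the receivables calculation shows up as a difference on both sides. The populations, asset types and amounts are constructed.

```python
"""Reconciling loss-allowance inputs to general ledger balances (added example)."""
from collections import defaultdict
from decimal import Decimal


def reconcile(inputs, ledger, tolerance=Decimal("0")):
    """Return {(population, asset_type): (input_total, ledger_total)} for every
    key whose summed inputs differ from the ledger by more than `tolerance`.
    Keys present on only one side are reported too, with the missing side as 0."""
    totals = defaultdict(Decimal)
    for population, asset_type, book_value in inputs:
        totals[(population, asset_type)] += Decimal(str(book_value))
    diffs = {}
    for key in set(totals) | set(ledger):
        got = totals.get(key, Decimal(0))
        expected = Decimal(str(ledger.get(key, 0)))
        if abs(got - expected) > tolerance:
            diffs[key] = (got, expected)
    return diffs


# Constructed liquidation general ledger: book values by population and asset type.
LEDGER = {
    ("receivables_from_resolutions", "commercial_loans"): Decimal("1000000"),
    ("assets_acquired", "commercial_loans"): Decimal("250000"),
    ("assets_acquired", "real_estate"): Decimal("400000"),
}

# Constructed calculation inputs: one assets-acquired row was keyed to the
# receivables population, the kind of error the letter describes.
INPUTS = [
    ("receivables_from_resolutions", "commercial_loans", "1000000"),
    ("receivables_from_resolutions", "commercial_loans", "250000"),  # misrouted row
    ("assets_acquired", "real_estate", "400000"),
]

if __name__ == "__main__":
    # Both the over-stated receivables total and the missing assets-acquired total surface.
    for key, (got, expected) in sorted(reconcile(INPUTS, LEDGER).items()):
        print(f"{key}: inputs {got} vs ledger {expected}")
```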

INFORMATION SYSTEMS APPLICATION CONTROL ACTIVITIES

The Financial Information Processing Control Unit (FIPCU) within FDIC’s Division of
Finance (DOF) is responsible for entering changes to the Financial Information
Management System (FIMS) account maintenance tables and for granting transaction
privileges to users.

During our testing of FIMS, we found that although separate duties were assigned, all
11 employees of FIPCU could grant user transaction privileges, perform FIMS
account maintenance, and enter transactions to FIMS. Also, there is no automatic
tracking of system changes, such as logs, to effectively identify security and account
maintenance performed by FIPCU. Lack of segregation of duties and systems logs
increases the risk that unauthorized activities may not be detected. GAO’s internal
control standards provide that key duties and responsibilities in authorizing,
processing, recording, and reviewing transactions should be separated.

[1] While GAO has proposed revisions to the standards (Exposure Draft, Standards for Internal Control in
the Federal Government, GAO/AIMD-99-21.3.1, issued May 1999), the proposed revisions retain these
specific requirements.

As a result of our findings, we suggest that FDIC analyze its staffing resources and
duties within FIPCU and institute appropriate and effective segregation of duties, so
that FIPCU personnel do not all perform security, account maintenance, and
transaction related activities. Also, system logs should be produced and reviewed.
FDIC has stated that it is correcting these situations.
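An added illustration, not code from the letter or from FIMS, of the two controls the letter suggests for FIPCU: a privilege store that refuses any grant which would give one user more than one of the three separated duties, reports users already holding conflicting duties, and writes every grant attempt to an audit log. The duty names and user names are constructed.

```python
"""Segregation-of-duties enforcement and logging for FIMS-style privileges (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The three duties the letter says should be separated; holding any two is a conflict.
DUTIES = {"grant_privileges", "account_maintenance", "enter_transactions"}


@dataclass
class PrivilegeStore:
    grants: dict = field(default_factory=dict)     # user -> set of duties held
    audit_log: list = field(default_factory=list)  # append-only record of every attempt

    def grant(self, actor: str, user: str, duty: str) -> bool:
        """Grant `duty` to `user` unless it would create a conflict.
        Every attempt, allowed or refused, is written to the audit log."""
        if duty not in DUTIES:
            raise ValueError(f"unknown duty: {duty}")
        held = self.grants.setdefault(user, set())
        conflict = bool(held - {duty})  # already holds a different separated duty
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "user": user, "duty": duty,
            "result": "refused" if conflict else "granted",
        })
        if conflict:
            return False
        held.add(duty)
        return True

    def sod_conflicts(self) -> dict:
        """Users holding two or more of the separated duties."""
        return {u: sorted(d) for u, d in self.grants.items() if len(d) > 1}


def load_assignments(rows):
    """Build a store from existing (user, duty) rows without applying the check,
    so a legacy assignment can be reviewed for conflicts before it is cleaned up."""
    store = PrivilegeStore()
    for user, duty in rows:
        store.grants.setdefault(user, set()).add(duty)
    return store


if __name__ == "__main__":
    # Constructed: the situation the letter describes, every employee holding all three duties.
    legacy = [(f"fipcu{i}", d) for i in range(1, 12) for d in DUTIES]
    print(len(load_assignments(legacy).sod_conflicts()), "users in conflict")  # 11
```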

VENDOR FILE MAINTENANCE

FDIC uses Electronic Funds Transfer (EFT) to pay many vendors for goods and
services. The Vendor File Maintenance Group in DOF has the responsibility for
maintaining an electronic file that contains the needed EFT related data for each
vendor. This file is the vendor maintenance table within FDIC’s accounts payable
system.

We found that the Vendor File Maintenance Group has the ability to modify data in
the vendor maintenance table without independent review or verification and without
confirmation with the vendor. Accordingly, unauthorized or incorrect changes to
EFT data could be made and not timely detected by FDIC, and could lead to
erroneous transactions. GAO’s internal control standards provide for separation of
duties, and that qualified and continuous supervision is to be provided to ensure that
internal control objectives are achieved.

We suggest that all EFT related data changes be verified by an independent individual
who does not have the capability to change the data. FDIC should also institute
procedures to confirm any changes with the related vendor to ensure that the
changes are authorized and correct.
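An added example, not the code of FDIC's accounts payable system, of the independent verification the letter suggests for the vendor maintenance table: a proposed EFT data change stays pending until the vendor has confirmed it and a reviewer who neither proposed it nor holds change rights approves it, and every applied change is logged. Vendor ids, bank details and user names are constructed.

```python
"""Maker-checker control on vendor EFT data changes (added example)."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class VendorTable:
    rows: dict                                   # vendor_id -> {"bank": ..., "account": ...}
    change_role: set                             # users who may propose changes
    review_role: set                             # users who may approve; disjoint from change_role
    pending: dict = field(default_factory=dict)  # change_id -> pending change record
    log: list = field(default_factory=list)      # applied changes, kept for later review
    _ids: count = field(default_factory=count, repr=False)

    def __post_init__(self):
        # A reviewer with change rights could approve their own edits, so forbid overlap.
        overlap = self.change_role & self.review_role
        if overlap:
            raise ValueError(f"reviewers must not hold change rights: {sorted(overlap)}")

    def propose(self, user, vendor_id, new_data):
        """Record a change without applying it; only change-role users may propose."""
        if user not in self.change_role:
            raise PermissionError(f"{user} may not change vendor data")
        cid = f"chg-{next(self._ids)}"
        self.pending[cid] = {"by": user, "vendor": vendor_id,
                             "old": dict(self.rows.get(vendor_id, {})),
                             "new": dict(new_data), "vendor_confirmed": False}
        return cid

    def record_vendor_confirmation(self, cid):
        """Mark that the vendor confirmed the change through a separate channel."""
        self.pending[cid]["vendor_confirmed"] = True

    def approve(self, reviewer, cid):
        """Apply a pending change only after independent review and vendor confirmation."""
        chg = self.pending[cid]
        if reviewer not in self.review_role or reviewer == chg["by"]:
            raise PermissionError("approval requires an independent reviewer")
        if not chg["vendor_confirmed"]:
            raise PermissionError("vendor has not confirmed the change")
        self.rows[chg["vendor"]] = chg["new"]
        self.log.append({"id": cid, "approved_by": reviewer, **self.pending.pop(cid)})
        return self.rows[chg["vendor"]]
```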



We would appreciate receiving your comments as well as a description and status of
your planned corrective actions within 30 days from the date of this letter. We
appreciate the cooperation and assistance the FDIC management and staff provided
during our 1998 audits.

This letter is intended for use by FDIC management, members of the FDIC Audit
Committee, and the FDIC Inspector General. This letter is a matter of public record,
and its distribution is not limited. Consequently, copies are available to others upon
request. If you have any questions or need assistance in addressing these matters,
please contact me at (202) 512-9406, or Jeanette Franzel, Assistant Director, at (202)
512-9471.

Sincerely yours,



Robert W. Gramling
Director, Corporate Audits
 and Standards




 (917799)




Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and Mastercard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37056
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov