This is the accessible text file for GAO report number GAO-12-415R entitled 'Management Report: Improvements Are Needed in Internal Control over Financial Reporting for the Troubled Asset Relief Program' which was released on February 13, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-12-415R: United States Government Accountability Office: Washington, DC 20548: February 13, 2012: Mr. Timothy G. Massad: Assistant Secretary for Financial Stability: Office of Financial Stability: Department of the Treasury: Subject: Management Report: Improvements Are Needed in Internal Control over Financial Reporting for the Troubled Asset Relief Program: Dear Mr. Massad: The Emergency Economic Stabilization Act of 2008 (EESA)[Footnote 1] requires that we annually audit the financial statements[Footnote 2] of the Troubled Asset Relief Program (TARP), which are prepared by the Department of the Treasury's (Treasury) Office of Financial Stability (OFS).[Footnote 3] On November 10, 2011, we issued our audit report [Footnote 4] including (1) an unqualified opinion on OFS's financial statements for TARP as of and for the fiscal years ended September 30, 2011 and 2010, and (2) an opinion that OFS maintained effective internal control over financial reporting as of September 30, 2011. We also reported that our tests of OFS's compliance with selected provisions of laws and regulations for the fiscal year ended September 30, 2011, disclosed no instances of noncompliance. Our November 2011 audit report concluded that although certain internal controls could be improved, OFS maintained, in all material respects, effective internal control over financial reporting as of September 30, 2011, that provided reasonable assurance that misstatements, losses, or noncompliance material in relation to the financial statements would be prevented or detected and corrected on a timely basis. Our audit report also identified a continuing significant deficiency[Footnote 5] in OFS's internal control over its accounting and financial reporting processes. This report presents (1) detailed information concerning underlying new control deficiencies that contributed to the continuing significant deficiency identified in our audit report, along with related recommendations for corrective actions; (2) a less-significant control deficiency that we identified during our audit, along with a related recommendation for corrective action; and (3) the status, as of November 4, 2011, of corrective actions taken by OFS to address the 13 recommendations that remained open at the end of the fiscal year 2010 audit and were detailed in our April 2011 management report. [Footnote 6] While the deficiencies we identified are not considered material weaknesses, they nonetheless warrant management's attention and action. The four new recommendations presented in this report are in addition to those we have made as part of the series of reports issued on our ongoing oversight of TARP.[Footnote 7] Results in Brief: During fiscal year 2011, OFS addressed several of the internal control issues related to the significant deficiency we reported for fiscal year 2010 concerning its accounting and financial reporting processes. However, remaining uncorrected control deficiencies along with other control deficiencies that we identified in this area in fiscal year 2011 collectively represented a continuing significant deficiency in OFS's internal control over its accounting and financial reporting processes. Specifically, while OFS improved its review and approval process for preparing its financial statements, notes, and Management Discussion and Analysis (MD&A) for TARP for fiscal year 2011, we continued to identify incorrect amounts and inconsistent disclosures in OFS's draft financial statements, notes, and MD&A that were significant, but not material, and that were not detected by OFS. For fiscal year 2011, we also identified deficiencies in other OFS accounting and financial reporting procedures related to: (1) recording of noncash transactions, (2) recording of warrant adjustments, and (3) accounting for Public-Private Investment Fund (PPIF) equity distributions. OFS had other controls over TARP transactions and activities that reduced the risk of misstatements in its financial statements resulting from these deficiencies. For significant errors and issues that were identified, OFS revised the financial statements, notes, and MD&A, as appropriate. In addition to the significant deficiency, we identified a less- significant control deficiency relating to key patches[Footnote 8] that were not in place for the server[Footnote 9] supporting OFS's subsidiary ledger. During fiscal year 2011, OFS addressed the three less-significant control deficiencies that existed as of September 30, 2010, and that we reported in our April 2011 management report. [Footnote 10] We are making three new recommendations related to OFS's continuing significant deficiency and one related to the less-significant control deficiency. Further, our work showed that OFS had completed corrective action on 10 of the 13 recommendations that remained open at the end of the fiscal year 2010 audit, and corrective actions were in progress on the three remaining recommendations. Enclosure I of this report summarizes the status of actions taken as of November 4, 2011, on the recommendations that remained open at the end of the fiscal year 2010 audit. We plan to follow up to determine the status of corrective actions taken for the seven open recommendations during our fiscal year 2012 audit of OFS's financial statements for TARP. In commenting on a draft of this report, the Assistant Secretary for Financial Stability stated that OFS concurred with the recommendations in our draft report. The Assistant Secretary also stated that OFS began taking actions related to these recommendations in December 2011 following the release of our audit report and expects to have implemented the corrective actions for all recommendations by September 30, 2012. Scope and Methodology: As part of our audit of OFS's fiscal years 2011 and 2010 financial statements for TARP, we evaluated the design and operating effectiveness of OFS's internal control over financial reporting. We tested relevant internal controls over financial reporting, including those designed to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of the financial statements in conformity with U.S. generally accepted accounting principles (GAAP), and assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and (2) transactions are executed in accordance with the laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements. We did not evaluate all internal controls relevant to operating objectives as broadly established under 31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers' Financial Integrity Act, such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting. Our internal control testing was for the purpose of expressing an opinion on the effectiveness of internal control over financial reporting and may not be sufficient for other purposes. Consequently, our audit may not identify all deficiencies in internal control over financial reporting that are less severe than a material weakness. Because of inherent limitations, internal control may not prevent or detect and correct misstatements due to error or fraud, losses, or noncompliance. Additional details on our audit methodology can be found in our November 2011 audit report. [Footnote 11] We performed our audit of OFS's fiscal years 2011 and 2010 financial statements for TARP in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report. We requested comments on a draft of this report from the Assistant Secretary for Financial Stability. In a letter dated February 6, 2012, OFS commented on our draft report. OFS's comments are reprinted in enclosure II. Continuing Significant Deficiency in Accounting and Financial Reporting: During fiscal year 2011, OFS addressed several of the internal control issues related to the significant deficiency we reported in November 2010 on the results of our fiscal year 2010 audit related to its accounting and financial reporting processes.[Footnote 12] Three control deficiencies remaining from our 2010 audit combined with other control deficiencies in this area that we identified in fiscal year 2011, however, collectively represent a continuing significant deficiency in OFS's internal control over its accounting and financial reporting processes. Specifically, the significant deficiency is composed of control deficiencies in the following areas: (1) financial statement review and approval process and (2) completion or effective implementation of procedures for other key accounting and financial reporting processes. The following sections present additional information concerning these control deficiencies, along with our related recommendations for corrective actions. Financial Statement Review and Approval Process: While OFS improved its review and approval process for preparing its financial statements, notes, and MD&A for TARP for fiscal year 2011, we continued to identify incorrect amounts and inconsistent disclosures in OFS's draft financial statements, notes, and MD&A that were significant, but not material, and that were not detected by OFS. Office of Management and Budget (OMB) Circular No. A-136, Financial Reporting Requirements,[Footnote 13] provides that agencies are to ensure that information in the financial statements is presented in accordance with GAAP for federal entities. Without an effectively implemented review and approval process for preparing financial statements and related disclosures, an agency is at risk of presenting information that is inaccurate, inconsistent, or not in conformity with GAAP. While we are not making any new recommendations in this area, we reaffirm our recommendation from our June 2010 management report that the Assistant Secretary for Financial Stability direct the Chief Financial Officer (CFO) to establish a mechanism for the effective implementation of the review and approval process for preparing the year-end financial statements and related disclosures, including MD&A, for TARP.[Footnote 14] Procedures for Other Key Accounting and Financial Reporting Processes: For fiscal year 2010, we reported instances where OFS accounting and financial reporting procedures were not always followed or effectively implemented. Standards for Internal Control in the Federal Government provides that federal entities should have control activities that enforce management's directives and help ensure that actions are taken to address risks.[Footnote 15] The standards further provide that control activities should be an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. While we found improvements in this area during fiscal year 2011, we also identified instances in the following areas where OFS's accounting and financial reporting procedures were not complete or effectively implemented. * Recording of Noncash Transactions. Most of OFS's TARP financial transactions are automatically recorded in the general ledger directly from OFS's accounting subsidiary ledger. However, TARP noncash transactions and investment and loan- related events that do not affect TARP cash flows (e.g., exchange of preferred stock for common stock with no change in the total investment value) are not automatically processed into the general ledger. To determine whether all necessary noncash transactions are properly recorded in the general ledger, OFS performs manual procedures. OFS's procedures for recording these transactions require a quarterly analysis of OFS's Noncash Transaction Report to identify any and all transactions that require recording in the general ledger and a review of the findings from the quarterly analysis prior to recording the transactions. During fiscal year 2011, we found OFS's procedures for recording noncash transactions were not appropriately designed to provide reasonable assurance that the review of the analysis and Noncash Transaction Report was completed effectively. Specifically, information accompanying the analysis of the Noncash Transaction Report only provided the findings from the analysis and an excerpt of the Noncash Transaction Report. Consequently, the review did not include the entire analysis along with the entire Noncash Transaction Report to confirm that all relevant transactions were identified for recording in the general ledger. Based on our review of the findings from the fourth quarter analysis and the excerpt of the Noncash Transaction Report, we were unable to readily assess the completeness of the noncash transactions recorded in the general ledger. However, we were able to perform other procedures to determine the general ledger's completeness for fiscal year 2011. Standards for Internal Control in the Federal Government provides that agencies should appropriately design internal controls and clearly document internal controls, all transactions, and other significant events. Without an appropriately designed control to obtain reasonable assurance of the completeness and accuracy of the general ledger, there is an increased risk that the financial statements could be misstated. Recommendation for Executive Action: We recommend that the Assistant Secretary for Financial Stability direct the CFO to revise OFS's procedures related to recording and review of noncash transactions, to include requirements for the individual performing the quarterly noncash transactions analysis to provide adequate supporting documentation for the entire analysis and for the reviewer to review this information along with the entire Noncash Transaction Report to ensure that all necessary noncash transactions are identified and properly recorded in the general ledger. * Recording of Warrant Adjustments in the Subsidiary Ledger. As part of TARP's Capital Purchase Program (CPP), OFS purchased senior preferred stock from qualifying U.S. financial institutions. In addition to the senior preferred stock, OFS received warrants,[Footnote 16] as required by section 113(d) of EESA, from qualifying institutions to purchase a number of shares of common stock. OFS's written policies and procedures provide that OFS is to record the value of such warrants and any subsequent warrant adjustments[Footnote 17] in its subsidiary ledger. Our testing for fiscal year 2011 identified that OFS did not properly record a warrant adjustment transaction that occurred during the year in its subsidiary ledger. Specifically, we noted that a CPP institution implemented a 1- for-15 reverse stock split of all outstanding shares of its common stock effective in January 2011. OFS decided to delay the recording of this adjustment in its subsidiary ledger, as OFS had other related pending adjustments and intended to record all adjustments at one time. However, as of September 30, 2011, OFS had not recorded the related warrant adjustment in its subsidiary ledger. OFS's review process did not detect this error. Upon analysis, we determined that, in this particular instance, the financial statements were misstated by $12 million, which OFS and we deemed immaterial. As a result, OFS did not revise the financial statements, but did subsequently correct the related warrant records in its subsidiary ledger. Without effective implementation of procedures designed to reasonably ensure that warrant adjustments are properly recorded, OFS faces an increased risk of undetected material misstatements in the financial statements. Standards for Internal Control in the Federal Government provides that agencies should establish internal controls for all transactions and other significant events to provide reasonable assurance that financial transactions are recorded completely and accurately and that these transactions should be clearly documented and readily available for examination. It further provides that documentation should appear in management directives, administrative policies, or operating manuals. Recommendation for Executive Action: We recommend that the Assistant Secretary for Financial Stability direct the CFO to establish a mechanism for the effective implementation of the review process for recording warrant adjustments. * Accounting for Public-Private Investment Program Distributions. Under TARP's Public-Private Investment Program (PPIP), OFS made equity investments in and direct loans to nine Public-Private Investment Funds established by private-sector fund managers for the purpose of purchasing eligible assets.[Footnote 18] During fiscal year 2011, OFS received interest on loans, loan principal repayments, and equity distributions from the PPIFs. As part of our evaluation of OFS's receipts of PPIF equity distributions, we found that OFS had not established an accounting methodology and specific written procedures for recording PPIF equity distributions. OFS was recording all equity distributions from these PPIFs as investment income. We held discussions with OFS officials regarding OFS's accounting methodology for recording PPIF equity distributions entirely as investment income versus recording a portion of the PPIF equity distributions as net proceeds in excess of cost or as repayments of the equity investment outstanding, or both. Subsequent to our discussion, in September 2011, OFS adopted an accounting methodology for recording PPIF equity distributions to determine portions of the equity distributions that should be recorded as net proceeds in excess of cost or as repayments of the equity investment outstanding, or both. Accordingly, OFS made a correcting entry in the general ledger to record the applicable portions of PPIF equity distributions that were shown as investment income in the OFS draft financial statements as net proceeds in excess of cost or as repayments of the equity investment outstanding, or both. However, as of September 30, 2011, OFS lacked specific written procedures to determine that its recently adopted accounting methodology for recording PPIF equity distributions is properly implemented for any such future transactions. As previously noted above, Standards for Internal Control in the Federal Government provides that agencies should establish and document internal controls for all transactions and other significant events. Without clearly documented procedures to reasonably assure that PPIP distributions are properly recorded, OFS faces an increased risk of undetected misstatements in the financial statements. Recommendation for Executive Action: We recommend that the Assistant Secretary for Financial Stability direct the CFO to develop and implement written procedures to provide reasonable assurance that PPIF equity distributions are properly recorded in the general ledger in accordance with OFS's adopted accounting methodology. Other Control Deficiency--Key Patches on the Server Supporting OFS's Subsidiary Ledger: In addition to the significant deficiency, we identified an additional control deficiency that we consider not to be a material weakness or significant deficiency, but nevertheless warrants OFS management's attention and action. We identified a deficiency concerning OFS's controls over key patches on the server supporting OFS's subsidiary ledger. Specifically, Treasury did not have numerous key patches in place for the server supporting OFS's subsidiary ledger (the Core Information Transaction Flow [CITF] system).[Footnote 19] Patch management is a critical process to securing computing systems [Footnote 20] and data processed in those systems. National Institute of Standards and Technology Special Publication 800-53 provides that organizations should promptly install security-relevant software updates (such as patches). However, during our testing, we noted that Treasury did not apply key operating system and application patches on the server supporting OFS's subsidiary ledger in a timely manner. At the time of our testing, 36 "critical" or "important" (as defined by the vendor) patches had not been installed, and were over 90 days old. Missing patches provide paths for an attacker to compromise the integrity of the server and the processed data, increasing the risk that known vulnerabilities could be exploited. Recommendation for Executive Action: We recommend that the Assistant Secretary for Financial Stability establish procedures for coordinating with the Treasury Chief Information Officer to ensure the timely installation of patches to the CITF. Agency Comments: In commenting on a draft of this report, the Assistant Secretary for Financial Stability stated that OFS concurred with the recommendations in our draft report. The Assistant Secretary also stated that OFS began taking actions related to these recommendations in December 2011 following the release of our audit report and expects to have implemented corrective actions for all recommendations by September 30, 2012. We plan to follow up to determine the status of corrective actions taken for these matters during our fiscal year 2012 audit. This report is intended for use by OFS management. We are sending copies of this report to interested congressional committees and members, the Secretary of the Treasury, Inspector General of the Department of the Treasury, Deputy Special Inspector General for TARP, Financial Stability Oversight Board, Acting Director of the Office of Management and Budget, and others. In addition, this report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by OFS management and staff during our audits of OFS's fiscal years 2011 and 2010 financial statements for TARP. If you have questions about this report, please contact me at (202) 512-3406 or engelg@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Sincerely yours, Signed by: Gary T. Engel: Director: Financial Management and Assurance: Enclosures - 2: [End of section] Enclosure I: Status of Open Recommendations from Our Prior Year Management Report: Our fiscal year 2011 audit included a review of the status of the Office of Financial Stability’s (OFS) corrective actions to address the open recommendations from our April 2011 management report. [Footnote 21] Table 1 summarizes the open recommendations included in that report, including the status of the recommendations according to OFS, as well as our own assessment as of November 4, 2011. In all instances, we agreed with OFS’s assessment of the status of the recommendation. In summary, 10 of the 13 recommendations have been closed, and 3 remain open. We will continue to monitor OFS’s progress in addressing the open recommendations as part of our fiscal year 2012 financial statement audit. GAO-10-743R (TARP Fiscal Year 2009 Management Report): Count: 1; Number: 09-1; Recommendation: Establish a mechanism for the effective implementation of the review and approval process for preparing the year-end financial statements and related disclosures, including management discussion and analysis, for TARP; Status of recommendation, Per OFS: Open. Draft fiscal year 2011 year- end financial statements, notes, and Management Discussion and Analysis (MD&A) were provided to GAO early in OFS’s Agency Financial Report production process at the request of the auditors. OFS has a robust process to identify incorrect amounts and inconsistent disclosures in the draft financial statements, notes, and MD&A. OFS plans to develop a master template of financial statement, footnote, and MD&A information to separate the data gathering from the assembly of the Agency Financial Report. Also, OFS will consider utilizing contractors for referencing the financial statements, footnotes, and MD&A; Status of recommendation, Per GAO: Open. While OFS improved its review and approval process for preparing its financial statements, notes, and MD&A for TARP, we identified incorrect amounts and inconsistent disclosures in OFS’s draft fiscal year 2011 financial statements, notes, and MD&A that were not detected by OFS. During our fiscal year 2012 audit of OFS’s financial statements for TARP, we will consider and assess any changes OFS makes to its policies and procedures in fiscal year 2012. Count: 2; Number: 09-6; Recommendation: Update OFS’s asset valuation procedures to include specific requirements for documenting the basis of economic and financial model assumption values derived from informed opinion consistent with FASAB Technical Release 6; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 3; Number: 09-12; Recommendation: Develop and implement written procedures to document the rationale for established thresholds used in determining whether to investigate differences between the asset manager valuations and OFS’s internally developed asset valuations; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 4; Number: 09-18; Recommendation: Develop, document, and implement a mechanism to track the location of executed agreements; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. GAO-11-434R (TARP Fiscal Year 2010 Management Report): Count: 5; Number: 10-1; Recommendation: Establish a mechanism for ensuring that OFS personnel follow prescribed policies and procedures for (1) documenting execution of its A-123 process and thereby ensuring consistency among its A-123 documentation, existing policies and procedures, and actual practices executed by OFS personnel; and (2) performing testing on the operating effectiveness of OFS’s key internal controls in accordance with its A-123-related policies and procedures; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 6; Number: 10-2; Recommendation: Establish a mechanism for ensuring (1) that only those individuals specifically designated in OFS’s policies and procedures to review and approve period-end reconciliations conduct such procedures and (2) effective review of period-end reconciliations by the designated official; Status of recommendation, Per OFS: Open. In addition to period-end reconciliation review and approval procedures, OFS has multiple compensating processes to ensure that material errors are discovered and corrected in a timely manner. Therefore, OFS plans to update its policies and procedures to broaden the population of acceptable technical and responsibility reviewers and to clarify certain expectations about what each review will accomplish; Status of recommendation, Per GAO: Open. During fiscal year 2011, we found that OFS established a mechanism to ensure that only those individuals specifically designated in OFS’s policies and procedures to review and approve period-end reconciliations conduct such procedures. However, we continued to identify errors in certain reconciliations that were undetected during the review. During our fiscal year 2012 audit of OFS’s financial statements for TARP, we will consider and assess any changes OFS makes to its policies and procedures in fiscal year 2012. Count: 7; Number: 10-3; Recommendation: Establish a mechanism for ensuring effective reviews of documentation attached to journal entries, including ensuring such reviews assess whether the supporting documentation is sufficient and consistent with the journal entry before such entries are recorded in the general ledger; Status of recommendation, Per OFS: Open. In addition to journal entry review and approval procedures, OFS has multiple compensating processes to ensure that material errors are discovered and corrected in a timely manner. Therefore, OFS plans to update its policies and procedures to broaden the population of acceptable technical and responsibility reviewers and to clarify certain expectations about what journal voucher review will accomplish; Status of recommendation, Per GAO: Open. During fiscal year 2011, we continued to identify ineffective implementation of OFS’s policies and procedures related to the review and approval of journal entries. During our fiscal year 2012 audit of OFS’s financial statements for TARP, we will consider and assess any changes OFS makes to its policies and procedures in fiscal year 2012. Count: 8; Number: 10-4; Recommendation: Establish a mechanism for ensuring that changes to the assumptions used in the economic and financial models, and to data used in the models, are properly documented in accordance with OFS policies and procedures; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 9; Number: 10-5; Recommendation: Establish a mechanism for ensuring that the economic and financial models are accurately updated to reflect any changes made to the data and/or assumptions used in the models in accordance with OFS policies and procedures; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 10; Number: 10-6; Recommendation: Establish a mechanism for ensuring that changes in OFS’s Automotive Industry Financing Program valuation methodology, including the rationale for the changes, are documented in accordance with OFS policies and procedures; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 11; Number: 10-7; Recommendation: Establish a mechanism for ensuring that asset valuations for certain direct loan and equity investment programs only reflect amounts outstanding as of fiscal year end in accordance with the Statement of Federal Financial Accounting Standards No. 2; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 12; Number: 10-8; Recommendation: Establish a mechanism for ensuring that any housing program issues discussed at the OFS Compliance Committee meetings, which could have a financial statement impact, are sufficiently communicated to all applicable officials in OFS within 2 days as specified in the Home Affordable Modification Program Compliance Committee charter; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Count: 13; Number: 10-9; Recommendation: Verify that the accrual calculated by IR2, the housing program system that is maintained by a third-party administrator, appropriately accounts for mortgages which have reached their maximum incentive payment amounts; Status of recommendation, Per OFS: Closed; Status of recommendation, Per GAO: Closed. Source: GAO and OFS. [End of table] [End of enclosure] Enclosure II: Comments from the Office of Financial Stability: Department of The Treasury: Assistant Secretary: Washington, D.C. 20220: February 6, 2012: Ms. Lynda E. Downing: Assistant Director, Financial Management and Assurance: U.S. Government Accountability Office: Dear Ms. Downing: We have received a copy of your draft report entitled Management Report: Improvements Are Needed in Internal Control Over Financial Reporting for the Troubled Asset Relief Program (GAO-12-415R). We are pleased that you noted in your draft report that the Office of Financial Stability (OFS) received unqualified opinions on both the OFS' FY 2011 financial statements and internal controls over financial reporting and GAO identified no instances of noncompliance with selected provisions of laws and regulations. We have reviewed the detailed recommendations that you have provided regarding the one significant deficiency you identified during your FY 2011 audit and regarding other less significant control deficiencies. We concur with your draft recommendations. Through coordination with your staff and our understanding of the Matters for Further Consideration that we responded to during the FY 2011 audit, we began taking actions on the recommendations in December 2011 immediately after your final report was released. We have made improvements to our processes and procedures. We expect to implement the majority of other necessary changes by June 30, 2012 and any remaining changes by September 30, 2012. Sincerely, Signed by: Timothy G. Massad: Assistant Secretary: Office of Financial Stability: [End of enclosure] Footnotes: [1] Pub. L. No. 110-343, Div. A, 122 Stat. 3765 (Oct. 3, 2008), codified in part, as amended, at 12 U.S.C. §§ 5201-5261. [2] Section 116(b) of EESA, 12 U.S.C. § 5226(b), requires that the Department of the Treasury (Treasury) annually prepare and submit to Congress and the public audited fiscal year financial statements for TARP that are prepared in accordance with generally accepted accounting principles. Section 116(b) further requires that GAO audit TARP's financial statements annually in accordance with generally accepted auditing standards. [3] Section 101 of EESA, 12 U.S.C. § 5211, established OFS within Treasury to implement TARP. [4] GAO, Financial Audit: Office of Financial Stability (Troubled Asset Relief Program) Fiscal Years 2011 and 2010 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-12-169] (Washington, D.C.: Nov. 10, 2011). [5] A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. [6] GAO, Management Report: Improvements Are Needed in Internal Control Over Financial Reporting for the Troubled Asset Relief Program, [hyperlink, http://www.gao.gov/products/GAO-11-434R] (Washington, D.C.: Apr. 18, 2011). [7] Section 116(a) of EESA, 12 U.S.C. § 5226(a), requires GAO to report at least every 60 days on TARP activities and performance. Products and recommendations related to GAO's oversight of TARP are available on GAO's website at [hyperlink, http://www.gao.gov]. [8] Patches are additional pieces of code that have been developed to address specific problems or flaws in existing software. Vulnerabilities are flaws that can be exploited, enabling unauthorized access to information technology systems or enabling users to have access to greater privileges than authorized. [9] A server represents a computer running administrative software that controls access to all or part of the network and its resources, such as disk drives or printers. A computer acting as a server makes resources available to computers acting as workstations on the network. [10] [hyperlink, http://www.gao.gov/products/GAO-11-434R]. [11] [hyperlink, http://www.gao.gov/products/GAO-12-169]. [12] GAO, Financial Audit: Office of Financial Stability (Troubled Asset Relief Program) Fiscal Years 2010 and 2009 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-11-174] (Washington, D.C.: Nov. 15, 2010). [13] OMB Circular No. A-136, Financial Reporting Requirements (Revised September 2010), establishes a central point of reference for federal financial reporting guidance for executive-branch agencies required to submit audited financial statements. [14] GAO, Management Report: Improvements Are Needed in Internal Control Over Financial Reporting for the Troubled Asset Relief Program, [hyperlink, http://www.gao.gov/products/GAO-10-743R] (Washington, D.C.: June 30, 2010). [15] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act). [16] A warrant is an option to buy shares of common stock or preferred stock at a predetermined price (i.e., exercise price) on or before a specified date. [17] A warrant adjustment is a change to the exercise price, the number of shares underlying the warrant, or both because of various events such as stock splits and stock dividends. [18] Eligible assets are the legacy Residential Mortgage-Backed Securities and Commercial Mortgage-Backed Securities issued prior to January 1, 2009, that were originally rated AAA or an equivalent rating by two or more nationally recognized statistical rating organizations (without external credit enhancement) and secured directly by the actual mortgage loans, leases, or other assets. [19] The server that supports CITF is maintained by Treasury. [20] See GAO, Information Security: Continued Action Needed to Improve Software Patch Management, [hyperlink, http://www.gao.gov/products/GAO-04-706] (Washington, D.C.: June 2, 2004). [21] GAO, Management Report: Improvements Are Needed in Internal Control Over Financial Reporting for the Troubled Asset Relief Program, [hyperlink, http://www.gao.gov/products/GAO-11-434R] (Washington, D.C.: Apr. 18, 2011). [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.