This is the accessible text file for GAO report number GAO-12-752R entitled 'Management Report: Opportunities for Improvements in FDIC's Shared Loss Estimation Process' which was released on July 19, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-12-752R: United States Government Accountability Office: Washington, DC 20548: July 19, 2012: The Honorable Steven O. App: Deputy to the Chairman and Chief Financial Officer: Federal Deposit Insurance Corporation: Subject: Management Report: Opportunities for Improvements in FDIC's Shared Loss Estimation Process: Dear Mr. App: In April 2012, we issued our report on the results of our audits of the financial statements of the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF) as of and for the years ending December 31, 2011, and 2010, and on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal control over financial reporting as of December 31, 2011. We also reported our conclusions on FDIC's compliance with selected provisions of laws and regulations.[Footnote 1] As part of that audit, we identified a significant deficiency[Footnote 2] in FDIC's internal control over its shared loss estimation process for the DIF. The purpose of this report is to present additional information on the control deficiencies we identified during our 2011 audit that comprised the significant deficiency, along with our four related recommended corrective actions to address them. In addition, we are providing an update on our assessment of the status of recommendations we made to address control deficiencies identified in previous audits that were open at the beginning of our 2011 financial statement audits (see summary in enclosure I). In a separate report,[Footnote 3] we provided details on additional information technology-related deficiencies also identified during our 2011 FDIC financial statement audits. These findings and related recommendations were issued in a separate report due to their sensitive nature. Results in Brief: During our audit of the DIF's 2011 and 2010 financial statements, we identified deficiencies in controls over FDIC's process for deriving and reporting estimates of losses to the DIF from resolution transactions involving shared loss agreements. While these deficiencies, individually and collectively, did not constitute a material weakness in internal control over financial reporting,they nevertheless increased the risk of additional undetected errors or irregularities in the DIF's financial statements.[Footnote 4] Thus, these control deficiencies collectively represented a significant deficiency in FDIC's internal control over financial reporting for the DIF related to estimating losses from shared loss agreements. Specifically, we found the following deficiencies in FDIC's internal control over financial reporting for the DIF related to estimating losses from shared loss agreements: * FDIC did not have adequate documentation for key aspects of the shared loss estimation process. This, in turn, did not allow for sufficient review and oversight of its loss estimation process for shared loss agreements. As a result, FDIC's multiple reviews and approvals did not identify three programming errors that existed in the shared loss model that caused errors in the shared loss estimate and resulted in errors in the DIF's draft financial statements. * FDIC did not consistently implement its corporate software change management policies to its shared loss estimating process. This led to programming errors that went unidentified and resulted in inaccuracies in the DIF's draft financial statements. * FDIC's internal controls were not designed or implemented to ensure that the source data used by the shared loss model were accurate. As a result, FDIC did not identify errors in the source information or errors in the shared loss model that resulted in errors in the DIF's draft financial statements. At the end of our description of each of these deficiencies, we provide our recommendations for strengthening FDIC's related internal controls. These recommendations are intended to improve management's oversight and controls and minimize the risk of misstatements in FDIC's financial statements for the DIF. We also found that FDIC addressed many of the control deficiencies related to open recommendations from our prior audits. As a result, FDIC has eight financial management-related recommendations that need to be addressed, including four new recommendations we are making in this report. We provided FDIC with a draft of this report and obtained its written comments. In its comments, FDIC concurred with all of our recommendations and described actions it has taken, has underway, or plans to take to address the control weaknesses described in this report. In addition, FDIC provided an update on actions it has taken or plans to take to address our prior open recommendations related to its processing of receivership disbursements, its review of asset valuations, and its documentation of the shared loss estimation process. At the end of our discussion of each of the deficiencies in this report, we have summarized FDIC's related comments and our evaluation. We have also reprinted FDIC's written comments in their entirety in enclosure II. In addition to its written comments, FDIC provided technical comments, which we considered and have incorporated where appropriate. Scope and Methodology: As part of our financial statement audits of the two funds[Footnote 5] administered by FDIC, we determined whether FDIC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2011, as it relates to the two funds. We also tested compliance with selected provisions of laws and regulations that had a direct and material effect on the funds' financial statements. In conducting the audit, we examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessed the accounting principles used and significant estimates made by FDIC management, and obtained an understanding of FDIC and its operations. We also tested internal control over financial reporting. We did not evaluate all internal controls relevant to operating objectives, such as controls relevant to ensuring efficient operations. We limited our internal control testing to controls over financial reporting. We performed our audits of the DIF's and the FRF's 2011 and 2010 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audits provided a reasonable basis for our conclusions in this report. Further details on our audit methodology are presented in enclosure III. Documentation for the Shared Loss Model: During our 2011 financial audit, we found that FDIC lacked adequate documentation for key aspects of its shared loss estimation process for the DIF. Lacking such documentation, FDIC officials were unable to effectively review and verify the accuracy of the loss estimates associated with FDIC's shared loss agreements. As a result, FDIC's multiple reviews and approvals did not identify programming errors that existed within the shared loss model. This resulted in errors in the draft DIF financial statements that went undetected by FDIC. Since 2009, FDIC has used purchase and assumption agreements with accompanying shared loss agreements as the primary means of resolving failed financial institutions. Under such a purchase and assumption agreement, FDIC sells a failed institution to an acquirer with an agreement that FDIC, through the DIF, will share in losses the acquirer experiences in servicing and disposing of assets purchased and covered under these agreements. Typically, shared loss agreements are structured such that FDIC assumes 80 percent of any such losses. For financial reporting purposes, FDIC developed a process to calculate a lifetime loss estimate under these shared loss agreements. For 2011, the lifetime loss estimate was $42.8 billion (46 percent) of the total DIF allowance for losses related to the Receivables from resolutions, net line item on the DIF's balance sheet at December 31, 2011. As an integral part of this shared loss estimation process, FDIC developed a series of computerized programs that are commonly referred to as the shared loss model. We reported in 2009 and again in 2010 that FDIC did not have clear, comprehensive documentation over the shared loss estimation process to allow for an effective level of review. FDIC attempted to address this continuing deficiency by strengthening its internal controls over the entire process in 2011 through documenting flowcharts, data dictionaries, and high-level comprehensive descriptions of the process. However, FDIC did not document how the shared loss model should perform calculations or how the calculations relate to the estimation methodology. In December 2011, FDIC's internal review reported a similar lack of documentation.[Footnote 6] As a result, review of the model was problematic and ineffective. The documentation developed for the model did not clearly document, outside of the programs themselves, the calculations performed by the model to derive the estimates. As such, FDIC management or other reviewers were unable to identify the specific logic of the program to verify that it was accurately following management's intentions. This deficiency led to undetected errors in the calculation of the shared loss estimate that were reflected in the initial draft of the DIF's 2011 financial statements. Standards for Internal Control in the Federal Government states that internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals. [Footnote 7] Given that the shared loss estimate is a key element used in deriving the overall allowance for losses on the DIF's Receivables from resolutions, net financial statement line item, it is critical that FDIC design and implement effective controls and ensure that all steps in the shared loss model are fully documented to allow for appropriate review of key steps in the process. Recommendation: We recommend that you direct the appropriate FDIC officials to develop documentation specifying how the shared loss estimation model programs should perform calculations and how the calculations within the model's programs relate to the shared loss estimation methodology. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it is in the process of developing a document to define terms, assumptions, and calculations that are relevant to the shared loss estimation methodology. FDIC stated that it expects to have these actions fully implemented by August 31, 2012. We will review and evaluate FDIC's documentation of the shared loss model during our 2012 financial audit. Change Control and Testing the Shared Loss Model: During our 2011 financial audit, we found that FDIC did not consistently implement its corporate software change management policies to its shared loss model or data used in the shared loss estimating process. Although FDIC made progress in applying change management controls to those areas, it did not always (1) document change management procedures, (2) store all programs in the model in its software change management library, and (3) sufficiently test program changes. These deficiencies led to undetected programming errors resulting in inaccuracies in the initial year-end shared loss calculation. Although in most instances FDIC had documented and controlled changes to its major applications in accordance with its policies, it did not consistently implement its corporate software change management policies in controlling changes to the shared loss model. Specifically, FDIC did not document its procedures for managing changes to the model used to derive its shared loss estimates. In addition, although FDIC used a software change management library for access and version control for most of the programs in the model, it did not use the library to store a program that generated data for the year-end calculation. Finally, even though FDIC conducted two tests of the changes to the model, one test was not designed to compare the program logic and the test results to the objective of the program, and the other test did not include all portions of the shared loss calculation in its scope. These deficiencies occurred because FDIC's Division of Resolutions and Receivership's process for managing changes to the model did not include steps to systematically propose, coordinate, approve, track, and implement program changes in accordance with FDIC's established policies for software change management. Because of these deficiencies, FDIC did not detect certain programming errors either through its existing change management controls or through its testing of the model which resulted in undetected gross errors in the draft DIF financial statements' overall allowance for losses of $578 million and a $184 million net reduction in the loss estimate. The specific programming errors resulted in the following: * Double counting covered losses[Footnote 8] in the calculation of the liability estimate. The error affected the loss estimate for 40 different agreements and caused a $381 million overstatement to the overall allowance for losses: * Misallocating of assets[Footnote 9] across various asset categories. This error affected the loss estimate for 23 agreements and resulted in a $289,000 understatement to the overall allowance for losses. * Miscalculating true-up.[Footnote 10] The model erroneously interpreted blank fields as zero dollar items, which resulted in a miscalculation of the estimated value of the true-up payment. The result of the error was an understatement to the overall allowance for losses of $197 million. While FDIC subsequently corrected these errors in finalizing the DIF's 2011 financial statements, errors may continue to occur if changes to these programs are not consistently controlled, documented, and fully tested. Recommendations: We recommend that you direct the appropriate FDIC officials to implement the corporation's change management policies to the shared loss model by taking the following actions: * develop, document, and implement a formal change management process for the shared loss model that is consistent with FDIC's corporate policies for software change management and: * design and perform tests of the shared loss model to ensure that (1) the program logic and test results are consistent with the objectives of the programs and (2) all portions of the shared loss calculation are tested. In a separate report with limited distribution, we made an additional recommendation to store all programs that make up the shared loss model in a software change management library.[Footnote 11] FDIC Comments and Our Evaluation: FDIC agreed with our change management recommendation and stated that it has planned improvements that are consistent with the corporation's change management policies. Specifically, FDIC will implement a more complete change management process, including formal signoffs and testing checklists, and will upgrade documentation of the coding logic and business rules used in the estimation model. FDIC also agreed with our testing recommendation, stating that it will conduct more rigorous testing that covers all portions of the shared loss calculation. FDIC expects to have these actions fully implemented by November 30, 2012. We will evaluate the effectiveness of these new procedures during our 2012 financial audit. Source Data Used by the Shared Loss Model: During our 2011 financial statement audit, we found FDIC's controls were not designed or implemented to ensure that the source data used by its shared loss model were accurate. For example, when FDIC tested the model it did not include steps to verify either the model's input or results with original source documents. FDIC's data validation testing of the calculations focused on analytic testing rather than tracing transactions back to source documentation. Similarly, in its review of data integrity controls over one of the source databases for the model, FDIC concluded that tracing data back to its original source was not necessary to validate the data in the database. [Footnote 12] However, because our audit procedures were designed to trace back to original source data, we identified errors not only in the source information but also in the model itself that FDIC's testing did not identify. Subsequently, FDIC performed an additional validation of source data and identified potential errors in 45 receiverships. Errors in the source data from 4 receiverships resulted in undetected gross errors in the draft DIF financial statements' overall allowance for losses of $191 million and a $90 million net reduction in the loss estimate. Had FDIC traced the data used by the model back to the original source documentation, these errors could have been identified and corrected before the final shared loss liability was calculated. Standards for Internal Control in the Federal Government states that internal control activities are to help ensure that all activities are completely and accurately recorded. These standards also state that internal control should generally be designed to assure that ongoing review and monitoring occurs in the course of normal operations. [Footnote 13] Recommendation: To enhance the reliability of estimates produced by the shared loss model, we recommend that you direct the appropriate FDIC officials to design and perform tests to verify data used in the shared loss model back to an original source. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it will expand testing procedures to include verification of certain data points of the model back to the original source documentation. FDIC stated that it expects to have these actions fully implemented by October 31, 2012. We will evaluate the effectiveness of these new testing procedures during our 2012 financial audit. Status of GAO Recommendations from FDIC Financial Audits and Related Management Reports: FDIC has continued to work to address many of the control deficiencies related to open recommendations from our prior audits. At the beginning of our 2011 financial audit, we had 10 recommendations to improve FDIC's financial operations from prior year audits that remained open and therefore required corrective action by FDIC. [Footnote 14] In the course of performing our 2011 financial audits, we identified numerous actions FDIC took to address many of its previously identified control deficiencies. On the basis of FDIC's actions, which we were able to substantiate through our audit, we are closing 6 of our prior years' recommendations. Consequently, a total of 8 financial management--related recommendations need to be addressed--4 remaining from our prior years' audits and 4 new recommendations resulting from our 2011 financial audit. See enclosure I for more details on our assessment of the status of FDIC's actions to address our prior year recommendations. This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this report. This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2011 and 2010 financial statements. If you or members of your staff have any questions concerning this report, please contact Jim Dalkin at (202) 512-3133 or dalkinj@gao.gov or Greg Wilshusen at (202)-512-6244 or wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure IV. Sincerely yours, Signed by: James R. Dalkin: Director: Financial Management and Assurance: Signed by: Gregory C. Wilshusen: Director: Information Security Issues: Enclosures - 4: [End of section] Enclosure I: Status of Recommendations That Were Open at the Beginning of GAO's Audit of FDIC's 2011 Financial Statements: Audit area: Oversight of lockbox bank; 1. Oversight of lockbox bank: Revise procedures to obtain assurance-- through such means as SAS 70 reports, internal audit reports, and other monitoring processes--that internal controls over receivership receipts are in place and functioning properly at the Dallas lockbox facility. (GAO-09-943R, p. 8); FDIC action: The Federal Deposit Insurance Corporation's (FDIC) lockbox service provider does not engage for a SSAE 16 (formerly SAS 70) audit. To address this recommendation, FDIC conducted an internal control site visit of the lockbox facility and implemented check deposit tests to verify that the lockbox accurately deposited checks into FDIC's account. FDIC revised its policies and procedures to require quarterly testing of check deposit; Status as of April 2012: Closed. Audit area: Processing receivership disbursements and expenses; 2. Oversight of lockbox bank: Develop and implement written policies and procedures for assigning responsibility and detailing actions required to effectively review and approve payment vouchers, enter and verify payment vouchers in the accounts payable system, and generate receivership payments through checks, wires, or electronic fund transfers. (GAO-11-23R, p. 15); FDIC action: To address this recommendation, FDIC updated its policies and procedures to include assigning responsibility and giving guidance for approving payment vouchers and related activities; Status as of April 2012: Closed. 3. Oversight of lockbox bank: Develop and implement written policies and procedures for reviewing receivership liabilities, including assigning responsibility and detailing actions required for performing oversight reviews and the frequency for performing such reviews. (GAO- 11-23R, p. 15); FDIC action: To address this recommendation, FDIC updated its policies and procedures. However, FDIC's updates did not assign responsibility for preparing the tracking of account 2000. We will evalutate FDIC's implementation of its new procedures during our 2012 financial audit; Status as of April 2012: In progress. 4. Oversight of lockbox bank: Develop and implement written policies and procedures for reviewing and canceling stale checks, including assigning specific responsibility, stating the frequency in which stale checks should be reviewed and canceled, and detailing the manner in which banks are to be notified to cancel stale checks. (GAO-11-23R, p. 16); FDIC action: To address this recommendation, FDIC updated its policies and procedures to include a policy that governs the frequency at which stale checks should be reviewed and canceled; Status as of April 2012: Closed. 5. Oversight of lockbox bank: Take steps to reinforce the policy that voucher approvers ensure the accuracy and validity of general ledger expense coding and hold preparers accountable for coding expenses correctly. (GAO-11-687R, p. 12); FDIC action: To address this recommendation, FDIC reinforced the policy that voucher approvers ensure the accuracy and validity of general ledger expense coding by sending an e-mail message reminding approvers to be diligent in reviewing the selection of expense general ledger accounts. FDIC also provided a job aid to facilitate selecting general ledger expense accounts and updated the general ledger expense account definitions for clarity. However, during our 2011 audit testing, we continued to find disbursements being applied to incorrect general ledger expense accounts. We will continue to monitor FDIC's actions during our 2012 financial audit; Status as of April 2012: In progress. Audit area: Review of asset valuations; 6. Oversight of lockbox bank: Establish a mechanism to better ensure FDIC officials comply with the SAVE methodology's review procedures for asset valuations, including correctly tracing the numbers used in the calculations back to the source documents and verifying that asset valuations are fully substantiated, logical, and reasonable. (GAO-11- 687R, p. 11); FDIC action: To address this recommendation, FDIC added to its SAVE Job Aid sections detailing instructions on how to verify calculations and actions, affirm that assumptions are correctly applied, and review supporting documents that are the sources for the calculations, actions, and assumptions. Additionally, most of the SAVE asset valuation preparers and reviewers completed training in 2011. However, we found that FDIC did not always comply with the SAVE procedures in the Job Aid. As a result, the preparers made errors in valuing the assets and the first and second-level reviewers did not identify numerous errors in the valuation of the assets using the SAVE methodology. We will continue to monitor FDIC's actions during our 2012 financial audit; In progress. Audit area: Recognition of systemic risk revenue; 7. Oversight of lockbox bank: Direct appropriate FDIC officials to document FDIC's analysis and conclusions regarding the amount of systemic risk revenue to recognize at December 2011. (GAO-11-687R, p. 14); FDIC action: FDIC documented its analysis of deferred revenue recognition in 2011, recognizing Deposit Insurance Fund (DIF) revenue of $2.6 billion for fees related to debt guarantees that had expired. In recognizing this revenue FDIC transferred funds from restricted systemic risk cash and investments to the DIF's cash and investments accounts; Status as of April 2012: Closed. Audit area: Procedures over financial reporting; 8. Oversight of lockbox bank: Direct appropriate staff to complete revisions to the Accounting Operations Branch procedures regarding the preparation and review of depreciation expenses and fringe benefits and leave allocations, to include providing sufficiently detailed steps staff and reviewers are to follow to perform their general ledger closing responsibilities completely and effectively. (GAO-11- 687R, p. 15); FDIC action: FDIC staff completed revisions to the Accounting Operations Branch procedures regarding the preparation and review of depreciation expenses and fringe benefits and leave allocations. The revisions include detailed steps that allow staff and reviewers to perform their general ledger closing responsibilities completely and effectively; Status as of April 2012: Closed. Audit area: Documentation of shared loss estimation process; 9. Oversight of lockbox bank: Direct the appropriate FDIC officials to develop comprehensive shared loss process documentation to include detailing the shared loss estimation process steps to be followed from the inception of the agreement to the reporting on the financial statements, including details regarding assumptions, databases, computer programs, and any other related materials used to estimate losses resulting from shared loss agreements. (GAO-11-687R, p. 6); FDIC action: FDIC made progress in addressing this recommendation by attempting to strengthen its internal controls over the entire process in 2011. FDIC documented flow charts, developed multiple data dictionaries, and created high-level comprehensive descriptions of the process. However, FDIC continued to lack documentation in critical areas of the process such as the methodology and calculation of true- up recovery amounts, which are used to decrease current loss estimate amounts FDIC anticipates recovering when a shared loss agreement ends. We will continue to monitor progress in this area as part of our 2012 financial audit; Status as of April 2012: In progress. Audit area: Reviews of allowance for loss estimation process; 10. Oversight of lockbox bank: Direct the appropriate FDIC officials to consider and adopt, as appropriate, additional cost-effective automated tools and procedures for DOF officials to enhance the review and monitoring activities related to the LLR templates to gain additional assurance that the underlying data and calculations are complete and accurate. (GAO-11-687R, p. 9); FDIC action: To make the process more automated and less prone to error, FDIC's Division of Finance (DOF) changed its process for generating the Loan Loss Reserve (LLR) templates used to perform the overall allowance for loss calculation. FDIC implemented the use of a software program to upload files and automatically run programmed mathematical calculations, which helps to ensure the consistency and accuracy of the estimates produced by the LLR templates. We tested the effectiveness of the program and found it to be producing a reliable overall allowance for loss estimate; Status as of April 2012: Closed. Source: GAO and FDIC: [End of table] [End of section] Enclosure II: Comments from the Federal Deposit Insurance Corporation: FDIC: Federal Deposit Insurance Corporation: Deputy to the Chairman and CFO: 550 17th Street NW: Washington, D.C. 20429-9990: July 12, 2012: Mr. James R. Dalkin: Director, Financial Management and Assurance: U.S. Government Accountability Office: Washington, D.C. 20548: Mr. Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: Washington, D.C. 20548: Dear Mr. Dalkin and Mr. Wilshusen: Thank you for providing the U.S. Government Accountability Office's (GAO) draft report entitled: Management Report: Opportunities for Improvements in FDIC's Shared Loss Estimation Process (GAO-12-752R). We welcome the opportunity to review and comment on the draft report. We note that the report contains new recommendations for improvement, and we appreciate GAO's acknowledgment of the corrective actions that FDIC implemented to address the previously reported internal control issues. FDIC is committed to strengthening its internal control environment and making improvements, where applicable, to processes and procedures. We continue to maintain a proactive approach in addressing issues that could adversely impact controls over financial reporting. Our specific response to the GAO findings and recommendations are included in the attachment to this letter. We look forward to continuing our positive working relationship with the GAO during the 2012 financial statement audit. I have every confidence that with the continued dedication of staff, we will further enhance internal controls and accounting procedures. Any questions or comments on these matters should be directed to James H. Angel, Jr., Deputy Director, Corporate Management Control Branch, at (703) 562-6456. Sincerely, Signed by: Steven 0. App: Deputy to the Chairman and Chief Financial Officer: Attachment: cc: Craig R. Jarvill: Bret D. Edwards: Stephen A. Quick: James H. Angel, Jr: Audit Committee: [End of letter] FDIC Responses To The 2011 GAO Management Report: Documentation for the Shared Loss Model: Recommendation 1: GAO recommended that FDIC direct the appropriate officials to develop documentation specifying how the shared loss estimation model programs should perform calculations, and how the calculations within the model's programs relate to the shared loss estimation methodology. Management Response: We concur with the recommendation. Division of Finance (DOF) and Division of Resolutions and Receiverships (DRR) personnel are currently developing a business logic requirements document for the shared-loss liability estimation process. This document will enhance clarity and understanding by better defining the terms, assumptions, and calculations that are relevant to the shared loss estimation methodology. Estimated Completion Date: August 31, 2012. Change Control and Testing the Shared Loss Model: Recommendation 2: GAO recommended that FDIC direct the appropriate officials to implement the corporation's change management policies to the shared loss model by taking the following actions: * develop, document, and implement a formal change management process for the shared loss model that is consistent with FDIC's corporate policies for software change management; and; * design and perform tests of the shared loss model to ensure that: (1) the program logic and test results are consistent with the objectives of the programs; and (2) all portions of the shared loss calculation are tested. Management Response: We concur with the recommendation that the change management process and testing related to the shared loss model require improvements. Our planned improvements, which are consistent with the corporation's change management policies, include: * a more complete change management process that includes formal signoffs and testing checklists; * upgraded documentation of the coding logic used in the estimation model; * documentation of the business rules that the estimation process is designed to capture; * verification that the coding logic appropriately captures the business rules; and; * more rigorous testing that covers all portions of the shared loss calculation. Estimated Completion Date: November 30, 2012. Source Data Used by the Shared Loss Model: Recommendation 3: To enhance the reliability of estimates produced by the shared loss model, GAO recommended that FDIC direct the appropriate officials to design and perform tests to verify data used in the shared loss model back to an original source. Management Response: We concur with the recommendation. As part of the process improvements noted above, our testing will include verification of certain data inputs back to the original source. Estimated Completion Date: October 31, 2012. Status of Prior Years' Audit Recommendations: Recommendation: Develop and implement written policies and procedures for reviewing receivership liabilities, including assigning responsibility and detailing actions required for performing oversight reviews and the frequency for performing such reviews. Management Response: We concur with this recommendation and had addressed this identified concern within our procedures when the Receivership Accounting Manual was published in 2011. This manual contains various sections dealing with managing and accounting for receivership liabilities. Management will enhance the procedures to include explanations that further clarify GAO concerns on capturing/documenting balances from applicable systems, comparing sources, identifying/resolving differences, monitoring completions, and status reporting. Estimated Completion Date: September 30, 2012. Recommendation: Take steps to reinforce the policy that voucher approvers ensure the accuracy and validity of general ledger expense coding and hold preparers accountable for coding expenses correctly. Management Response: As noted in the 'FDIC Action' portion of this recommendation, during 2011 we did take certain steps to reinforce the policy that voucher approvers ensure accuracy and validity of general ledger expense account encoding. These reinforcing actions did not take place until late 2011 and early 2012 and, as a result, had little impact toward improving expense account coding accuracy for 2011. We agree that accuracy in receivership income and expense coding is important and during 2011 and early 2012 we implemented the following: * Issued communications in December 2011 that stressed the accountability of approvers when selecting general ledger (GL) accounts. * Provided a "Job Aid" for approver use in explaining GL account selection. * Provided training to 197 Payment Voucher approvers and Oversight Managers. * Reviewed and revised expense account definitions to consolidate or enhance clarity as appropriate. * Implemented a process on December 1, 2011 where the GL account number is reviewed for reasonableness on all payments made via a wire transfer and for all payment vouchers in excess of $50,000. Errors noted will be bought to the attention of the approver and their management. DRR estimates that this should result in a review of 80 percent of the dollar amount of the targeted disbursement requests. DRR will continue to review activity in this area and take steps necessary to ensure that expense coding improvements are realized. Review of Asset Valuations: Recommendation: Establish a mechanism to better ensure FDIC officials comply with the SAVE methodology's review procedures for asset valuations, including correctly tracing the numbers used in the calculations back to the source documents and verifying that asset valuations are fully substantiated, logical, and reasonable. Management Response: We concur with the recommendation. For the 2012 Asset Loss Review cycle, some of our improvements include, * discontinuing the computer based training course and expanding the two-day classroom instruction to three days; * expanding the Reviewer Checklist that was developed last year to require, among other steps, the Reviewer to trace all numbers back to source and/or supporting documents; and; * adding a step in the In-House Other Receivership Assets Job Aid for Roles and Responsibilities that the First Level Reviewer will verify supporting documents. Estimated Completion Date: August 31, 2012. Documentation of Shared Loss Estimation Process: Recommendation: Direct the appropriate FDIC officials to develop comprehensive shared loss process documentation to include detailing the shared loss estimation process steps to be followed from the inception of the agreement to the reporting on the financial statements, including details regarding assumptions, databases, computer programs, and any other related materials used to estimate losses resulting from shared loss agreements. Management Response: We concur with the recommendation. We have begun work on business requirements documentation and a Process Manual that will be part of the documentation detailing the shared loss estimation process. In addition, we have made significant enhancements to the coding documentation. Estimated Completion Date: November 30, 2012. [End of section] Enclosure III: Details on Audit Scope and Methodology: To fulfill our responsibilities as auditor of the financial statements of the two funds administered by the Federal Deposit Insurance Corporation (FDIC), we did the following: * Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. * Assessed the accounting principles used and significant estimates made by FDIC management. * Evaluated the overall presentation of the financial statements. * Obtained an understanding of FDIC and its operations, including its internal control related to financial reporting and compliance with certain laws and regulations. * Assessed the risk that a material misstatement exists in the financial statements. * Tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of FDIC's internal control based on the assessed risk. * Considered FDIC's process for evaluating and reporting on internal control based on criteria established under the Federal Managers' Financial Integrity Act (FMFIA). * Tested compliance with certain laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended. * Performed such other procedures as we considered necessary in the circumstances. [End of section] Enclosure IV: GAO Contact and Staff Acknowledgments: GAO Contact: James R. Dalkin, (202) 512-3133 or dalkinj@gao.gov: Gregory C. Wilshusen (202) 512-6244 or wilhuseng@gao.gov: Staff Acknowledgments: The following individuals made key contributions to this report: William J. Cordrey, Assistant Director; Nicholas H. Marinos, Assistant Director; Gloria Cano; Gary Chupka; Dennis Clarke; William Cook; Jody Ecie; David Hayes; Brian P. Koning; Marc Oestreicher; Krzysztof Pasternak; Leticia Pena, Daniel Swartz; Shaunyce Wallace; and Gregory Ziombra. [End of section] Footnotes: [1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2011 and 2010 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-12-416] (Washington, D.C.: Apr. 19, 2012). [2] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. [3] GAO, Information Security: Opportunities Exist for the Federal Deposit Insurance Corporation to Improve Controls, [hyperlink, http://www.gao.gov/products/GAO-12-609SU] (Washington, D.C.: June 14, 2012). [4] A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis. [5] FDIC is also the manager of the Orderly Liquidation Fund established under title II of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 210(n), 124 Stat. 1376, 1506 (July 21, 2010). That fund, established as a separate fund in the U.S. Treasury, is unfunded and conducted no transactions during the years covered by our audit. Thus, FDIC did not prepare financial statements for the fund. [6] FDIC Division of Resolutions and Receiverships, SAS Program Methodology Review (Washington, D.C.: Dec. 22, 2011). [7] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1999). [8] Covered losses are a key component used in the shared loss model to calculate FDIC's estimated liability. [9] Asset balances are a key component used in the shared loss model to calculate the estimated liability. [10] True-up is a term used by FDIC to reflect a payment to FDIC from the acquiring institution to be made at the termination of the shared loss agreement if covered losses have not equaled estimates. [11] [hyperlink, http://www.gao.gov/products/GAO-12-609SU]. [12] FDIC Division of Resolutions and Receiverships, General Controls Review of the Loss Share Database (Washington, D.C.: Dec. 8, 2011). [13] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [14] This does not include information systems security recommendations reported separately and with limited distribution due to their sensitive nature. [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E-mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.