This is the accessible text file for GAO report number GAO-03-543 entitled 'Financial Audit: Federal Deposit Insurance Corporation Funds' 2002 and 2001 Financial Statements' which was released on March 28, 2003.

Report to the Congress:

March 2003:

Financial Audit:

Federal Deposit Insurance Corporation Funds’ 2002 and 2001 Financial Statements:

GAO-03-543:

GAO Highlights:

Highlights of GAO-03-543, a report to the President of the Senate and the Speaker of the House of Representatives

Why GAO Did This Study:

Created in 1933 to insure bank deposits and promote sound banking practices, the Federal Deposit Insurance Corporation (FDIC) plays an important role in maintaining public confidence in the nation’s financial system. In 1989, legislation to reform the federal deposit insurance system created three funds to be administered by FDIC: the Bank Insurance Fund and the Savings Association Insurance Fund, which protect bank and savings deposits, and the FSLIC Resolution Fund, created to close out the business of the former Federal Savings and Loan Insurance Corporation.

GAO is responsible for obtaining reasonable assurance about whether FDIC’s financial statements for the funds are presented fairly, whether it maintains effective internal controls, and whether FDIC has complied with selected laws and regulations.

What GAO Found:

In GAO’s opinion, FDIC fairly presented the 2002 and 2001 financial statements for the three funds it administers—the Bank Insurance Fund, the Savings Association Insurance Fund, and the FSLIC Resolution Fund. GAO also found that, although certain controls should be improved, FDIC had effective control over financial reporting and compliance. GAO did not find reportable instances of noncompliance with the laws and regulations it tested.

Although FDIC made progress in response to previous reports, GAO found weaknesses in control over information systems. Newly identified and continuing weaknesses impaired FDIC’s ability to ensure the reliability, confidentiality, and availability of financial data. For example, information system controls did not adequately ensure that users had only the access needed to perform their assigned duties, that FDIC’s network was secure from unauthorized access, or that unusual or suspicious access would be identified. At the time of the audit, FDIC had made progress in implementing a corporatewide security management program, including establishing a central security staff to provide guidance and oversight in enhancing its security awareness program, and in its continuing efforts to develop and update security policy.

What GAO Recommends:

Because of the sensitive nature of the weaknesses in control over information systems, GAO will report the details, along with recommendations for corrective actions, in a separate report to FDIC management.

www.gao.gov/cgi-bin/getrpt?GAO-03-543.

To view the full report, including the scope and methodology, click on the link above. For more information, contact Jeanette Franzel at (202) 512-9406 or franzelj@gao.gov.
Letter:
Auditor’s Report:
Opinion on BIF’s Financial Statements:
Opinion on SAIF’s Financial Statements:
Opinion on FRF’s Financial Statements:
Opinion on Internal Control:
Compliance with Laws and Regulations:
Objectives, Scope, and Methodology:
Reportable Condition:
BIF’s Reserve Ratio:
FDIC Comments and Our Evaluation:

Bank Insurance Fund’s Financial Statements:
Statements of Financial Position:
Statements of Income and Fund Balance:
Statements of Cash Flows:
Notes to the Financial Statements:

Savings Association Insurance Fund’s Financial Statements:
Statements of Financial Position:
Statements of Income and Fund Balance:
Statements of Cash Flows:
Notes to the Financial Statements:

FSLIC Resolution Fund’s Financial Statements:
Statements of Financial Position:
Statements of Income and Accumulated Deficit:
Statements of Cash Flows:
Notes to the Financial Statements:

Appendixes:
Appendix I: Comments from the Federal Deposit Insurance Corporation:
Appendix II: GAO Contacts and Staff Acknowledgments:

Abbreviations:

BIF: Bank Insurance Fund
CFO: Chief Financial Officer
FDIC: Federal Deposit Insurance Corporation
FDICIA: Federal Deposit Insurance Corporation Improvement Act of 1991
FMFIA: Federal Managers’ Financial Integrity Act of 1982
FRF: FSLIC Resolution Fund
FSLIC: Federal Savings and Loan Insurance Corporation
SAIF: Savings Association Insurance Fund

This is a work of the U.S. Government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. It may contain copyrighted graphics, images or other materials. Permission from the copyright holder may be necessary should you wish to reproduce copyrighted materials separately from GAO’s product.
Letter

March 28, 2003:

The President of the Senate
The Speaker of the House of Representatives:

This report presents our opinions on whether the financial statements of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF) are presented fairly for the years ended December 31, 2002 and 2001. These financial statements are the responsibility of the Federal Deposit Insurance Corporation (FDIC), the administrator of the three funds. This report also presents (1) our opinion on the effectiveness of FDIC’s internal control as of December 31, 2002, (2) our evaluation of FDIC’s compliance with laws and regulations during 2002, and (3) weaknesses in information system controls detected during our 2002 audits. In addition, it discusses BIF’s reserve ratio of its fund balance to total insured deposits.

The provisions of section 17(d) of the Federal Deposit Insurance Act, as amended (12 U.S.C. 1827(d)), require GAO to conduct an annual audit of BIF, SAIF, and FRF in accordance with U.S. generally accepted government auditing standards.

We are sending copies of this report to the Chairman and Ranking Minority Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Minority Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO’s Web site at http://www.gao.gov.

David M. Walker
Comptroller General of the United States:

Signed by David M. Walker

Auditor’s Report

To the Board of Directors
The Federal Deposit Insurance Corporation:

We have audited the statements of financial position as of December 31, 2002 and 2001, for the three funds administered by the Federal Deposit Insurance Corporation (FDIC), the related statements of income and fund balance (accumulated deficit), and the statements of cash flows for the years then ended. In our audits of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF), we found:

* the financial statements of each fund are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles;
* although certain internal controls should be improved, FDIC had effective internal control over financial reporting (including safeguarding of assets) and compliance with laws and regulations; and
* no reportable noncompliance with the laws and regulations that we tested.

The following sections discuss our conclusions in more detail. They also present information on (1) the scope of our audits, (2) a reportable condition[Footnote 1] related to information system control weaknesses, (3) BIF’s reserve ratio, and (4) our evaluation of FDIC management’s comments on a draft of this report.

Opinion on BIF’s Financial Statements:

The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, BIF’s financial position as of December 31, 2002 and 2001, and the results of its operations and its cash flows for the years then ended.

Opinion on SAIF’s Financial Statements:

The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, SAIF’s financial position as of December 31, 2002 and 2001, and the results of its operations and its cash flows for the years then ended.
Opinion on FRF’s Financial Statements:

The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, FRF’s financial position as of December 31, 2002 and 2001, and the results of its operations and its cash flows for the years then ended.

Opinion on Internal Control:

Although certain internal controls should be improved, FDIC management maintained, in all material respects, effective internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2002, that provided reasonable but not absolute assurance that misstatements, losses, or noncompliance material in relation to FDIC’s financial statements would be prevented or detected on a timely basis. Our opinion is based on criteria established under 31 U.S.C. 3512 (c), (d) [Federal Managers’ Financial Integrity Act (FMFIA)].

Our work identified weaknesses in FDIC’s information system controls, which we describe as a reportable condition in a later section of this report. The reportable condition in information system controls, although not considered material, represents a significant deficiency in the design or operation of internal control that could adversely affect FDIC’s ability to meet its internal control objectives. Although the weaknesses did not materially affect the 2002 financial statements, misstatements may nevertheless occur in other FDIC-reported financial information as a result of the internal control weaknesses.

Compliance with Laws and Regulations:

Our tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance that would be reportable under U.S. generally accepted government auditing standards. However, the objective of our audits was not to provide an opinion on overall compliance with selected laws and regulations. Accordingly, we do not express such an opinion.
Objectives, Scope, and Methodology:

FDIC management is responsible for (1) preparing the annual financial statements in conformity with U.S. generally accepted accounting principles, (2) establishing, maintaining, and assessing internal control to provide reasonable assurance that the broad control objectives of FMFIA are met, and (3) complying with selected laws and regulations.

We are responsible for obtaining reasonable assurance about whether (1) the financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, and (2) management maintained effective internal control, the objectives of which are:

* financial reporting--transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and
* compliance with laws and regulations--transactions are executed in accordance with laws and regulations that could have a direct and material effect on the financial statements.

We are also responsible for testing compliance with selected provisions of laws and regulations that have a direct and material effect on the financial statements.
In order to fulfill these responsibilities, we:

* examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
* assessed the accounting principles used and significant estimates made by management;
* evaluated the overall presentation of the financial statements;
* obtained an understanding of internal control related to financial reporting (including safeguarding assets) and compliance with laws and regulations;
* tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control;
* considered FDIC’s process for evaluating and reporting on internal control based on criteria established by FMFIA; and
* tested compliance with selected provisions of the Federal Deposit Insurance Act, as amended, and the Chief Financial Officers Act of 1990.

We did not evaluate all internal controls relevant to operating objectives as broadly defined by FMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting and compliance. Because of inherent limitations in internal control, misstatements due to error or fraud, losses, or noncompliance may nevertheless occur and not be detected. We also caution that projecting our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with controls may deteriorate.

We did not test compliance with all laws and regulations applicable to FDIC. We limited our tests of compliance to those deemed applicable to the financial statements for the year ended December 31, 2002. We caution that noncompliance may occur and not be detected by these tests and that such testing may not be sufficient for other purposes.

We performed our work in accordance with U.S. generally accepted government auditing standards.
FDIC management provided comments on a draft of this report. They are discussed and evaluated in a later section of this report and are reprinted in appendix I.

Reportable Condition:

In connection with the funds’ financial statement audits, we reviewed FDIC’s information system controls. Effective information system controls are essential to safeguarding financial data, protecting computer application programs, providing for the integrity of system software, and ensuring the continued computer operations in case of unexpected interruption. These controls include the corporatewide security management program, access controls, system software, application development and change control, segregation of duties, and service continuity controls.

During 2002, FDIC made progress in improving information system controls. Of the 41 prior year recommendations that we made, FDIC had completed action on 18 and partially completed or had action plans to address those remaining. During our current review, FDIC also corrected several newly identified weaknesses.

Nevertheless, continuing and newly identified vulnerabilities involving information system controls continue to impair FDIC’s ability to ensure the reliability, confidentiality, and availability of financial data. For example, FDIC did not have information system controls to adequately ensure that (1) users had only the access needed to perform their assigned duties, (2) its network was secured from unauthorized access, and (3) comprehensive programs were in place to routinely oversee and monitor access to its computer data to identify unusual or suspicious access. The effect of these weaknesses increases the risk of unauthorized disclosure of critical FDIC financial and sensitive personnel and bank examination information, disruption of critical financial operations, and loss of assets.
As we have previously reported, the primary reason for FDIC’s information system control weaknesses is that it has not fully developed and implemented a comprehensive corporatewide security management program. An effective program would include assessing risks, establishing a central security function, establishing policies and related controls, raising awareness of prevailing risks and mitigating controls, and regularly evaluating the effectiveness of established controls. During the past year, FDIC has made progress in implementing such a program, including establishing a central security staff to provide guidance and oversight, enhancing its security awareness program, and continuing efforts to develop and update security policy. However, FDIC has not yet fully established a risk assessment process and the recently implemented program to assess the effectiveness of controls does not address all critical evaluation areas. A complete risk assessment process would assist management in making decisions on necessary controls. Similarly, an ongoing comprehensive program of tests and evaluations of the effectiveness of established controls would enable FDIC to identify and correct information security weaknesses, such as those reported in this review. We determined that other management controls mitigated the effect of the information system control weaknesses on the preparation of the funds’ financial statements. Because of their sensitive nature, the details surrounding these weaknesses are being reported separately to FDIC management, along with our recommendations for corrective actions. 
BIF’s Reserve Ratio:

The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) requires FDIC to maintain BIF fund balance at a designated reserve ratio of at least 1.25 percent of estimated insured deposits.[Footnote 2] Under FDIC’s required risk-based assessment system, as long as BIF’s reserve ratio is at or above the designated reserve ratio, FDIC cannot charge premiums to institutions that are well-capitalized and highly rated by supervisors. Currently, over 90 percent of the industry does not pay for deposit insurance.

In 1991, BIF’s reserve ratio was significantly below the designated reserve ratio and did not reach the designated reserve ratio of 1.25 percent of estimated insured deposits until May 1995.[Footnote 3] During the years ended December 31, 1995 through 2000, BIF’s reserve ratio ranged from 1.30 to 1.38. As of December 31, 2001, and September 30, 2002, BIF’s ratio decreased to 1.26 and 1.25, respectively. At its November 12, 2002, meeting, the FDIC Board of Directors voted to maintain the existing BIF assessment rate schedule for the first semiannual assessment period of 2003 based on the board’s determination that the reserve ratio would likely remain at or near 1.25 during the first half of 2003. Most of BIF’s income comes from the interest earned on investments with the U.S. Treasury.

FDIC describes the recent legislative initiatives to reform the federal deposit insurance system in note 1 of the financial statements for BIF and SAIF.

FDIC Comments and Our Evaluation:

In commenting on a draft of this report, FDIC’s Chief Financial Officer (CFO) was pleased to receive unqualified opinions on BIF’s, SAIF’s, and FRF’s 2002 and 2001 financial statements. FDIC’s CFO also acknowledged the information system weaknesses we identified and plans to continue efforts to strengthen its information system program and to incorporate our recommendations into its security plans for 2003.
We plan to evaluate the effectiveness of the corrective actions as part of our 2003 audit.

David M. Walker
Comptroller General of the United States:

Signed by David M. Walker

February 27, 2003:

[End of section]

Bank Insurance Fund’s Financial Statements: [See PDF for image]

Statements of Financial Position: [See PDF for image]
Statements of Income and Fund Balance: [See PDF for image]
Statements of Cash Flows: [See PDF for image]
Notes to the Financial Statements: [See PDF for image]

[End of section]

Savings Association Insurance Fund’s Financial Statements:

Statements of Financial Position: [See PDF for image]
Statements of Income and Fund Balance: [See PDF for image]
Statements of Cash Flows: [See PDF for image]
Notes to the Financial Statements: [See PDF for image]

[End of section]

FSLIC Resolution Fund’s Financial Statements:

Statements of Financial Position: [See PDF for image]
Statements of Income and Accumulated Deficit: [See PDF for image]
Statements of Cash Flows: [See PDF for image]
Notes to the Financial Statements: [See PDF for image]

[End of section]

Appendixes:

Appendix I: Comments from the Federal Deposit Insurance Corporation:

Federal Deposit Insurance Corporation:
550 17th St. NW Washington DC, 20429
Deputy to the Chairman & Chief Financial Officer:

March 21, 2003:

Mr. David M. Walker:
Comptroller General of the United States
U. S. General Accounting Office:
441 G Street, NW Washington, D.C. 20548:

Re: FDIC Management Response on the GAO 2002 Financial Statements Audit Report:

Dear Mr. Walker:

Thank you for the opportunity to comment on the U. S. General Accounting Office’s (GAO) draft audit report titled, Financial Audit: Federal Deposit Insurance Corporation Funds’ 2002 and 2001 Financial Statements, GAO-03-543.
The report presents GAO’s opinions on the calendar year 2002 financial statements of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund (FRF). The report also presents GAO’s opinion on the effectiveness of FDIC’s internal controls as of December 31, 2002 and GAO’s evaluation of FDIC’s compliance with laws and regulations.

We are pleased to accept GAO’s unqualified opinions on the BIF, SAIF, and FRF financial statements and to note that there were no material weaknesses identified during the 2002 audits. The GAO reported that: the funds’ financial statements were presented fairly and in conformity with U. S. generally accepted accounting principles; FDIC had effective internal control over financial reporting (including safeguarding of assets) and compliance with laws and regulations; and there were no instances of noncompliance with selected provisions of laws and regulations.

GAO identified the need to improve internal control over FDIC’s information systems (IS) and issued a reportable condition. Although GAO identified weaknesses in FDIC’s IS controls, the audit team noted that significant improvements had been made over the last eighteen months, and that the weaknesses did not materially affect the 2002 financial statements.

We agree with GAO’s assessment of both the status and the progress made in addressing IS general control weaknesses. During 2002, FDIC’s accomplishments included completion of the first IS controls self assessment, implementation of the Information Security Manager (ISM) program, and development of an information security tactical plan to support FDIC’s information security strategic plan. The FDIC will continue efforts to strengthen its IS program and to incorporate GAO’s recommendations into its security plans for 2003.

If you have any questions or concerns, please let me know.

Sincerely,

Steven O. App:
Deputy to the Chairman and Chief Financial Officer:

[End of section]

Appendix II: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Jeanette M. Franzel, (202) 512-9471
Gregory A. Maio, (202) 512-8172:

Acknowledgments:

In addition to those named above, the following staff made key contributions to this report: Ronald A. Bergman, Gary P. Chupka, John C. Craig, Anh Dang, Kristen A. Kociolek, Wing Y. Lam, Gloria Medina, Timothy J. Murray, Stacey L. Volis, and Gregory J. Ziombra.

The following staff from the FDIC Office of Inspector General also contributed to this report: Arlene S. Boateng, R. William Harrington, Paul S. Johnston, Marilyn R. Kraus, John S. Leevy, Duane H. Rosenberg, Titus S. Simmons, Ross E. Simms, Charles E. Thompson, and Leon R. Wellons.

(194127)

FOOTNOTES

[1] Reportable conditions involve matters coming to the auditor’s attention that, in the auditor’s judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control and could adversely affect FDIC’s ability to meet the control objectives described in this report.

[2] Section 302 of FDICIA amended section 7(b) of the Federal Deposit Insurance Act. FDICIA requirements are the same for both BIF and SAIF. SAIF reached the designated reserve ratio in 1996, and as of September 30, 2002, SAIF’s reserve ratio was 1.38 percent.

[3] If the reserve ratio falls below 1.25 percent of estimated insured deposits, FDICIA requires the FDIC Board of Directors to set semiannual assessment rates for BIF members that are sufficient to increase the reserve ratio to the designated reserve ratio not later than 1 year after such rates are set, or in accordance with a recapitalization schedule of 15 years or less.