Management Report: Opportunities for Improvements in FDIC's Shared Loss Estimation Process
Highlights
What GAO Found
During our audit of the DIF's 2011 and 2010 financial statements, we identified deficiencies in controls over FDIC's process for deriving and reporting estimates of losses to the DIF from resolution transactions involving shared loss agreements. While these deficiencies, individually and collectively, did not constitute a material weakness in internal control over financial reporting, they nevertheless increased the risk of additional undetected errors or irregularities in the DIF's financial statements. Thus, these control deficiencies collectively represented a significant deficiency in FDIC's internal control over financial reporting for the DIF related to estimating losses from shared loss agreements.
Specifically, we found the following deficiencies in FDIC's internal control over financial reporting for the DIF related to estimating losses from shared loss agreements:
FDIC did not have adequate documentation for key aspects of the shared loss estimation process. This, in turn, did not allow for sufficient review and oversight of its loss estimation process for shared loss agreements. As a result, FDIC's multiple reviews and approvals did not identify three programming errors that existed in the shared loss model that caused errors in the shared loss estimate and resulted in errors in the DIF's draft financial statements.
FDIC did not consistently implement its corporate software change management policies to its shared loss estimating process. This led to programming errors that went unidentified and resulted in inaccuracies in the DIF's draft financial statements.
FDIC's internal controls were not designed or implemented to ensure that the source data used by the shared loss model were accurate. As a result, FDIC did not identify errors in the source information or errors in the shared loss model that resulted in errors in the DIF's draft financial statements.
At the end of our description of each of these deficiencies, we provide our recommendations for strengthening FDIC's related internal controls. These recommendations are intended to improve management's oversight and controls and minimize the risk of misstatements in FDIC's financial statements for the DIF.
We also found that FDIC addressed many of the control deficiencies related to open recommendations from our prior audits. As a result, FDIC has eight financial management-related recommendations that need to be addressed, including four new recommendations we are making in this report.
Why GAO Did This Study
In April 2012, we issued our report on the results of our audits of the financial statements of the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF) as of and for the years ending December 31, 2011, and 2010, and on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal control over financial reporting as of December 31, 2011. We also reported our conclusions on FDIC's compliance with selected provisions of laws and regulations. As part of that audit, we identified a significant deficiency in FDIC's internal control over its shared loss estimation process for the DIF.
The purpose of this report is to present additional information on the control deficiencies we identified during our 2011 audit that comprised the significant deficiency, along with our four related recommended corrective actions to address them. In addition, we are providing an update on our assessment of the status of recommendations we made to address control deficiencies identified in previous audits that were open at the beginning of our 2011 financial statement audits. In a separate report, we provided details on additional information technology-related deficiencies also identified during our 2011 FDIC financial statement audits. These findings and related recommendations were issued in a separate report due to their sensitive nature.
Recommendations
We recommend that the Deputy to the Chairman and Chief Financial Officer direct the appropriate FDIC officials to develop documentation specifying how the shared loss estimation model programs should perform calculations and how the calculations within the model's programs relate to the shared loss estimation methodology.
We recommend that the Deputy to the Chairman and Chief Financial Officer direct the appropriate FDIC officials to implement the corporation's change management policies to the shared loss model by taking the following actions:
develop, document, and implement a formal change management process for the shared loss model that is consistent with FDIC's corporate policies for software change management and
design and perform tests of the shared loss model to ensure that (1) the program logic and test results are consistent with the objectives of the programs and (2) all portions of the shared loss calculation are tested.
To enhance the reliability of estimates produced by the shared loss model, we recommend that the Deputy to the Chairman and Chief Financial Officer direct the appropriate FDIC officials to design and perform tests to verify data used in the shared loss model back to an original source.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Federal Deposit Insurance Corporation | The Deputy to the Chairman and Chief Financial Officer should direct the appropriate FDIC officials to develop documentation specifying how the shared loss estimation model programs should perform calculations and how the calculations within the model's programs relate to the shared loss estimation methodology. | Closed – Implemented. In response to our recommendation, FDIC developed a Business Requirements document to define terms, assumptions, and calculations that are relevant to the shared loss estimation methodology, and issued it in August 2012. |
Federal Deposit Insurance Corporation | The Deputy to the Chairman and Chief Financial Officer should direct the appropriate FDIC officials to implement the corporation's change management policies to the shared loss model by developing, documenting, and implementing a formal change management process for the shared loss model that is consistent with FDIC's corporate policies for software change management. | Closed – Implemented. In response to our recommendation, FDIC corrected its Change Management process for the shared loss model to be consistent with the corporate policy. |
Federal Deposit Insurance Corporation | The Deputy to the Chairman and Chief Financial Officer should direct the appropriate FDIC officials to implement the corporation's change management policies to the shared loss model by designing and performing tests of the shared loss model to ensure that (1) the program logic and test results are consistent with the objectives of the programs and (2) all portions of the shared loss calculation are tested. | Closed – Implemented. In response to our recommendation, FDIC employed a third-party contractor who performed an independent review, assessment, and validation of the model used to generate the shared loss estimate. In November 2012, the contractor tested the model and its coding language, verified the completeness and accuracy of the model documentation, reviewed general controls of the model, and tested the traceability of model inputs back to an original source. This additional testing by FDIC - and its contractor - helped ensure that the model and its input data were accurate and that the shared loss estimate was calculated correctly. This improved the reliability of shared loss financial information reported by FDIC. |
Federal Deposit Insurance Corporation | To enhance the reliability of estimates produced by the shared loss model, the Deputy to the Chairman and Chief Financial Officer should direct the appropriate FDIC officials to design and perform tests to verify data used in the shared loss model back to an original source. | Closed – Implemented. In response to our recommendation, FDIC employed a third-party contractor who performed an independent review, assessment, and validation of the model used to generate the shared loss estimate. In November 2012, the contractor tested the model and its coding language, verified the completeness and accuracy of the model documentation, reviewed general controls of the model, and tested the traceability of model inputs back to an original source. This additional testing by FDIC - and its contractor - helped ensure that the model and its input data were accurate and that the shared loss estimate was calculated correctly. This improved the reliability of shared loss financial information reported by FDIC. |