Management Report: Opportunities for Improvements in FDIC's Shared Loss Estimation Process

What GAO Found

During our audit of the DIF’s 2011 and 2010 financial statements, we identified deficiencies in controls over FDIC’s process for deriving and reporting estimates of losses to the DIF from resolution transactions involving shared loss agreements. While these deficiencies, individually and collectively, did not constitute a material weakness in internal control over financial reporting, they nevertheless increased the risk of additional undetected errors or irregularities in the DIF’s financial statements. Thus, these control deficiencies collectively represented a significant deficiency in FDIC’s internal control over financial reporting for the DIF related to estimating losses from shared loss agreements.

Specifically, we found the following deficiencies in FDIC’s internal control over financial reporting for the DIF related to estimating losses from shared loss agreements:

• FDIC did not have adequate documentation for key aspects of the shared loss estimation process. This, in turn, did not allow for sufficient review and oversight of its loss estimation process for shared loss agreements. As a result, FDIC’s multiple reviews and approvals did not identify three programming errors that existed in the shared loss model that caused errors in the shared loss estimate and resulted in errors in the DIF’s draft financial statements.

• FDIC did not consistently implement its corporate software change management policies to its shared loss estimating process. This led to programming errors that went unidentified and resulted in inaccuracies in the DIF’s draft financial statements.

• FDIC’s internal controls were not designed or implemented to ensure that the source data used by the shared loss model were accurate. As a result, FDIC did not identify errors in the source information or errors in the shared loss model that resulted in errors in the DIF’s draft financial statements.

At the end of our description of each of these deficiencies, we provide our recommendations for strengthening FDIC’s related internal controls. These recommendations are intended to improve management’s oversight and controls and minimize the risk of misstatements in FDIC’s financial statements for the DIF.

We also found that FDIC addressed many of the control deficiencies related to open recommendations from our prior audits. As a result, FDIC has eight financial management-related recommendations that need to be addressed, including four new recommendations we are making in this report.

Why GAO Did This Study

In April 2012, we issued our report on the results of our audits of the financial statements of the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF) as of and for the years ending December 31, 2011, and 2010, and on the effectiveness of the Federal Deposit Insurance Corporation’s (FDIC) internal control over financial reporting as of December 31, 2011. We also reported our conclusions on FDIC’s compliance with selected provisions of laws and regulations. As part of that audit, we identified a significant deficiency in FDIC’s internal control over its shared loss estimation process for the DIF.

The purpose of this report is to present additional information on the control deficiencies we identified during our 2011 audit that comprised the significant deficiency, along with our four related recommended corrective actions to address them. In addition, we are providing an update on our assessment of the status of recommendations we made to address control deficiencies identified in previous audits that were open at the beginning of our 2011 financial statement audits. In a separate report, we provided details on additional information technology-related deficiencies also identified during our 2011 FDIC financial statement audits. These findings and related recommendations were issued in a separate report due to their sensitive nature.