This is the accessible text file for GAO report number GAO-11-23R entitled 'Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures' which was released on December 1, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-11-23R: United States Government Accountability Office: Washington, DC 20548: November 30, 2010: The Honorable Steven 0. App: Deputy to the Chairman and Chief Financial Officer: Federal Deposit Insurance Corporation: Subject: Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures: Dear Mr. App: In June 2010, we issued our report on the results of our audit of the financial statements of the Deposit Insurance Fund (DIF) and the FSLIC Resolution Fund (FRF) as of, and for the years ending December 31, 2009, and 2008, and on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal control over financial reporting as of December 31, 2009. We also reported our conclusions on FDIC's compliance with selected provisions of laws and regulations. [Footnote 1] During our 2009 financial audit, we identified several control deficiencies[Footnote 2] over FDIC's process for deriving and reporting estimates of losses to the DIF from financial institution resolution transactions involving loss-sharing agreements. These deficiencies led to misstatements in the draft DIF financial statements, which were ultimately corrected through adjustments to achieve fair presentation in the final financial statements. Although the net adjustments were not material to the DIF's financial statements, the nature of the control deficiencies we identified were such that a reasonable possibility existed that a material misstatement of the DIF's financial statements would not be prevented, or detected and corrected on a timely basis. Thus, these control deficiencies collectively represented a material weakness[Footnote 3] in FDIC's internal control over financial reporting related to estimated losses from loss-sharing agreements. During our 2009 financial audit, we also identified control deficiencies with respect to FDIC's information-systems security that increased the risk of unauthorized modification and disclosure of financial and other sensitive information, and disruption of critical operations. These control deficiencies, which collectively represented a significant deficiency,[Footnote 4] reduced FDIC's ability to ensure that authorized users only had the access needed to perform their assigned duties and that its systems were sufficiently protected from unauthorized access. We are issuing a separate report on the issues affecting FDIC's information systems identified during our 2009 audit, along with associated recommendations.[Footnote 5] The purpose of this report is to discuss in more detail the control deficiencies that collectively represented the material weakness in FDIC's internal control over financial reporting related to its loss- share estimation process and to discuss other internal control issues identified during our 2009 audit for which we did not have previous recommendations. Although not all of these issues were discussed in our report on the results of our 2009 financial statement audit, they all warrant FDIC management's attention and correction. This report provides 14 recommendations to address the internal control issues we identified during our 2009 audit. This report also provides the status of recommendations from prior audits we made to address previously identified internal control issues (enclosure III). Results in Brief: We identified three deficiencies in FDIC's internal control related to its process for estimating losses associated with resolutions involving loss-sharing agreements during our 2009 financial audit, which, collectively, represented a material weakness in internal control over financial reporting. These deficiencies consisted of the following: * FDIC lacked controls in place to ensure its staff consistently applied its methodology for deriving loss rates and for preventing, or detecting and correcting, errors in calculating initial and updated loss estimates for loss-sharing agreements. As a result, more than 25 percent of FDIC's 2009 estimates contained errors. * FDIC lacked policies and procedures requiring documentation to (1) support the basis for assumptions contained in the complex spreadsheets used to calculate 2009 loss-share loss estimates, and (2) demonstrate management's review and approval of those assumptions. This increased the risk that critical assumptions may not provide accurate estimates of losses. * FDIC's review process over its calculation of the corporate-level allowance for loss for the Receivables from Resolutions, net line item reported on the DIF's balance sheet was not effective in preventing, or detecting and correcting, errors in the calculation. As a result, we identified multiple errors or omissions that were not timely identified and corrected. In addition, we identified seven other deficiencies in FDIC's internal control that individually or in the aggregate did not constitute material weaknesses or significant deficiencies, but which nonetheless require FDIC management's attention and correction. These additional control deficiencies included the following: * FDIC lacked written policies and procedures for documenting the review and approval of payments made on loss-sharing agreements for much of 2009. As a result, evidence of review to ensure that documentation accompanying payment requests from acquiring institutions was accurate and adequately supported the payments was inconsistent or missing. * FDIC did not always complete reconciliations of its receivership general ledger to the receivership operating bank account statements within reasonable time frames. As a result, FDIC did not always timely identify and resolve errors and omissions during the year in its receivership general ledger records related to its receivership disbursements. * FDIC did not resolve unreconciled differences between the DIF's cash accounts and the records of the Federal Home Loan Bank (FHLB) of New York in a timely manner. As a result, two general ledger cash accounts for the DIF had incorrect balances as of December 31, 2009. * FDIC's written policies and procedures did not assign specific responsibility for processing and administering receivership disbursements and managing related liabilities. This increased the risk of inconsistency and error in processing receivership disbursements, and reduced FDIC's ability to effectively manage the associated liabilities. * FDIC's controls over its process for estimating potential losses to the DIF under the Debt Guarantee Program (DGP) were not fully effective in identifying and correcting errors. As a result, we identified an error in a computer-based formula used to estimate a reasonably possible loss amount for debt that FDIC guaranteed under the DGP. * FDIC's procedures to monitor losses associated with the year end contingent liabilities for the DIF under the Transaction Account Guarantee (TAG) program were not consistent with its procedures for assuring the reasonableness of the year end contingent liabilities for anticipated failure of insured institutions. Because both estimates are affected by similar events, the effect of such events on both estimates should be evaluated on a consistent basis. * FDIC misclassified a property and equipment adjustment to the Accounts Payable and Other Liabilities line item on the DIF's statement of cash flows. This resulted in errors in DIF's statement of cash flows that needed to be corrected prior to issuance of the financial statements. At the end of our discussion of each of these issues in the following sections, we make recommendations for strengthening FDIC's internal controls or accounting procedures. These recommendations are intended to improve management's oversight and controls, minimize the risk of misstatements in DIF's and FRF's financial statements, and decrease the risk of theft or misappropriation of assets. Enclosure III provides the status as of June 14, 2010, of four recommendations related to previously identified control deficiencies that were open at the beginning of our audit of FDIC's 2009 financial statements. These recommendations addressed issues relating to FDIC's operating expenses, receivership operations, and net receivables from resolution activities. Two of the four recommendations remained open at the end of the 2009 audit. We provided FDIC with a draft of this report and obtained its written comments. In its comments, FDIC concurred with 10 of our 14 recommendations and described actions it had taken, underway, or planned to take to address the control weaknesses described in this report. For the remaining recommendations, FDIC disagreed with one recommendation and partially agreed with three. FDIC disagreed with our finding and recommendation related to monitoring losses associated with the Transaction Account Guarantee (TAG) program, stating its belief that it has a sound methodology in place for monitoring such losses. Additionally, FDIC partially agreed with our 3 recommendations associated with our finding related to receivership disbursement policies and procedures, stating its belief that it has procedures or practices in place to address this activity. In both cases, we do not concur with FDIC's views on these matters and, as we discuss in further detail at the end of each section of the report, we continue to believe that additional corrective actions are needed in each of these areas. At the end of our discussion of each of the issues in this report, we have summarized FDIC's related comments and our evaluation. We have also reprinted FDIC's written comments in their entirety in enclosure I. In addition to its written comments, FDIC provided technical comments, which we considered and have incorporated where appropriate. Scope and Methodology: As part of our audit of the two funds administered by FDIC, we determined whether FDIC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2009. We also tested compliance with selected provisions of laws and regulations that had a direct and material effect on the financial statements. In conducting the audit, we examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessed the accounting principles used and significant estimates made by FDIC management, and obtained an understanding of FDIC and its operations. We also tested internal control over financial reporting. We did not evaluate all internal controls relevant to operating objectives, such as controls relevant to ensuring efficient operations. We limited our internal control testing to controls over financial reporting. We performed our audit of the DIF's and the FRF's 2009 and 2008 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report. Further details on our audit methodology are presented in enclosure II. Control Deficiencies Constituting a Material Weakness over Loss-Share Estimates: During our 2009 financial audit, we identified three deficiencies in internal controls over FDIC's process for calculating and reporting estimates of losses to the DIF from loss-sharing agreements. These three internal control deficiencies, which collectively represented a material weakness in FDIC's internal control over financial reporting as of December 31, 2009, consisted of a lack of (1) controls to ensure the consistent and accurate application of its methodology for calculating loss-share loss estimation rates, (2) documented managerial review and approval of assumptions contained in complex spreadsheets used to estimate losses under loss-sharing agreements, and (3) effective controls to prevent or timely detect and correct errors in the calculation of the allowance for loss for the Receivables from Resolutions, net line item reported on the DIF's balance sheet. Calculation of Estimated Loss-Share Loss Rates: During our 2009 financial audit, we found that FDIC did not have controls in place to ensure that staff consistently applied its methodology for deriving the loss rates applied to failed-institution asset book values, or for preventing, or detecting and correcting, errors in calculating initial loss estimates for loss-sharing agreements. FDIC's review and monitoring controls over its loss-share loss estimation process were not effective in preventing or detecting and correcting the inconsistent application of its methodology and computational errors related to the development of estimated losses under loss-sharing agreements. As a result, more than 25 percent of FDIC's 2009 estimates contained errors. Beginning in 2008 and continuing in 2009, FDIC used whole bank purchase and assumption agreements with accompanying loss-sharing agreements as the primary means of resolving failed financial institutions.[Footnote 6] Under such an agreement, FDIC sells a failed institution to an acquirer with an agreement that FDIC, through the DIF, will share in any losses the acquirer experiences in servicing and disposing of a failed institution's assets purchased and covered under the loss-sharing agreement.[Footnote 7] Typically, these agreements were structured such that FDIC assumed 80 percent of any such losses.[Footnote 8] Ninety of the 140 resolutions of failed institutions were structured with such loss-sharing agreements in 2009, compared to 3 such agreements entered into for 25 failed institutions resolved in 2008. For financial reporting purposes, FDIC reflected an estimate of the losses that will likely be incurred on these agreements on the DIF's 2009 financial statements. The cumulative estimates of losses from loss-sharing agreements are reflected in the line item Receivables from Resolutions, net on the DIF's balance sheet, as a component of the $60 billion allowance for losses established against this line item at December 31, 2009. [Footnote 9] To estimate the reported potential losses under a loss-sharing agreement, FDIC applied a loss-rate factor to the recorded book value of assets included under the agreement. To determine this loss-rate factor, FDIC contracted with financial advisors to review the asset portfolio of the failed institution and instructed them to derive both a high and a low estimated loss rate for multiple types of assets. FDIC then combined the types of assets into two large asset pools and calculated a midpoint loss rate for each. The midpoint loss rates were applied to the book values of the asset pools to estimate the overall losses under the agreement at its initiation FDIC updated these loss estimates based on revised asset book values close to the end of calendar year 2009 for year-end financial reporting purposes. Although FDIC had issued guidance on the methodology to be followed in preparing the loss rate calculations in February 2009, we found that FDIC personnel applied the methodology inconsistently when developing the midpoint loss rates from the contractors' high and low rates. Additionally, our testing of FDIC's initial calculations of loss-share loss estimates identified significant errors in the calculations. In total, over 25 percent of the 93 individual loss-share loss estimates for 2009 contained errors with an absolute value of $386 million. While many of the individual errors were not large, some were significant. For example, one error resulted in an estimate of loss for an institution that was twice the amount it should have been if FDIC's methodology were properly applied. Despite the large percentage of estimates with errors and the relatively high dollar effect of these errors, they were not detected by FDIC's Division of Resolutions and Receiverships (DRR) in the normal course of preparing the initial loss-share-related loss estimates nor when updating the loss estimates for year-end reporting. This occurred because DRR had not established procedures detailing specific steps required to effectively review and monitor the development and updating of these estimates. The Standards for Internal Control in the Federal Government[Footnote 10] provide that control activities are to help ensure that all transactions are completely and accurately recorded. These standards also state that internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. By not ensuring that adequate supervisory or independent review or monitoring was performed on initial loss calculations, FDIC increased the risk that undetected errors and inaccurate data result in significant over- or understatement of such loss estimates on the DIF's financial statements. In response to our concerns, in May 2010, DRR issued revised policies and procedures regarding the calculation of the midpoint loss rates under loss-sharing agreements, including requiring documentation of review of the loss calculation on the face of midpoint loss rate calculation documents. FDIC informed us that it has also issued revised procedures that require a comprehensive review and monitoring process over the calculation of initial losses for failed institutions.[Footnote 11] We plan to review the implementation and effectiveness of the new policies and procedures during our 2010 audit. Recommendation: We recommend that you direct the appropriate FDIC officials to establish a mechanism for monitoring implementation of newly issued policies and procedures within DRR regarding the review process for calculation of initial loss-share loss estimates to verify compliance by DRR personnel. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it has developed new policies and procedures requiring multiple reviews intended to ensure that all necessary steps were performed, including the calculation of the loss estimates and the accuracy of the bank data entered into the cost models. We will evaluate the effectiveness of these new review procedures during our 2010 financial audit. Management Review of Loss-Share Loss Estimation Assumptions: During our 2009 financial audit, we found FDIC lacked documentation both to support assumptions contained in the complex spreadsheets it used to calculate its 2009 receivership-by-receivership loss-share loss estimates and to demonstrate management's review and approval of those assumptions. This increased the risk that critical assumptions may not be fully approved by management and may not provide accurate loss estimates. FDIC uses a spreadsheet-based worksheet to calculate an estimate of the amount of the loss on the portfolio of assets under a loss-sharing agreement that FDIC will have to pay, or FDIC's loss-share portion of the total estimated loss. Inputs to the loss-share worksheet include the failed institution's asset book values and the FDIC-calculated midpoint loss rates for specific asset categories (single-family mortgage loans and commercial real-estate loans). However, FDIC did not have documented policies and procedures in place detailing specific steps to be followed in developing, documenting, using, maintaining, and revising the worksheet, nor the basis of assumptions included in the worksheet calculations. As a matter of practice, FDIC analysts used the loss-share worksheet to multiply the book value of assets held by a particular failed institution by the midpoint loss rate factors calculated by FDIC for that institution. The worksheet then applied a series of built-in assumptions to derive the estimated loss to the DIF, such as the pace at which various types of assets (loans) will be sold and the distribution of losses over the term of the loss-sharing agreement. These built-in assumptions can significantly affect the resulting loss estimate calculation. A loss-share worksheet was prepared separately for each failed institution and calculated the initial estimated loss- share-related loss to the DIF at the time a troubled institution failed. FDIC updated the initial estimate for year-end reporting. We found that the bases for the underlying assumptions contained in the loss-share worksheet were not documented, nor was there evidence that they had been reviewed or approved by management. FDIC officials told us that the assumptions were developed by one analyst within DRR, in conjunction with informal consultations with FDIC financial experts. However, these consultations were not documented. According to this analyst, major changes to the loss-share worksheet were discussed in DRR. However, FDIC did not have documented procedures requiring management's review and approval of the worksheet and its underlying assumptions. The Standards for Internal Control in the Federal Government provide that internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals. Because the assumptions underlying the loss-share loss estimation process can significantly affect the estimated losses under loss- sharing agreements, it is critical that FDIC management has reviewed and is in agreement with the underlying assumptions used in deriving these estimates. Lack of specific procedures to follow in developing the loss estimate worksheet, including adequate documentation, review, and approval of assumptions, greatly increased the risk that FDIC's estimate of losses and a significant estimate on the DIF's financial statements could be misstated due to inaccurate or incomplete assumptions. Recommendations: We recommend that you direct the appropriate FDIC officials to: * develop specific procedures for developing the loss-share worksheet, to include documenting the assumptions made in the loss-share worksheet and the rationale behind existing assumptions; and; * develop policies and procedures to provide for and document periodic management review and approval of the loss-share worksheet, to include assumptions, and any changes in assumptions over time, used in preparing the worksheet. FDIC Comments and Our Evaluation: FDIC agreed with our recommendations and stated that it has established the Closed Bank Financial Risk Committee to review and approve the assumptions, including changes in assumptions, contained in the loss-share worksheet. FDIC also stated that written management approval is now required before any changes to the loss-share worksheet can be placed into operation. We will evaluate the effectiveness of FDIC's actions during our 2010 financial audit. Calculation of the Receivables from Resolutions Allowance for Loss: During our 2009 financial audit, we found that FDIC's controls over the calculation of the corporate-level allowance for loss for the Receivables from Resolutions, net line item reported on the DIF's balance sheet were not effective in preventing, or detecting and correcting, errors and omissions for year-end reporting. As a result, we identified numerous errors and omissions in FDIC's calculation of the DIF's allowance for loss that were not detected or corrected through FDIC's own review and monitoring processes. When an FDIC-insured financial institution fails, the institution is placed into a receivership administered by FDIC. As part of this process, FDIC, through the DIF, closes the institution on behalf of the chartering entity. This also includes paying off or transferring insured deposits and selling some or all of the failed institution to an acquiring institution. The amount of funds FDIC disburses to resolve the failed institution represents a claim, or receivable, the DIF has against the failed institution's receivership. The amounts FDIC disburses on behalf of the DIF to pay off insured depositors or to pay an acquiring institution to assume responsibility for some or all of the failed institution's liabilities represents a claim, or receivable, the DIF has against the failed institution's receivership, which is also operated by FDIC. Subsequent to the closing and initial disbursement of funds, FDIC, through the DIF, may periodically advance additional funds to the failed-institution receivership to cover operating costs while the assets and liabilities of the receivership are sold or otherwise disposed. These subsequent advances add to the DIF's claim, or receivable, against the receivership. Proceeds from the servicing, sale, or disposition of the failed-institution receivership's assets are used to pay off, or reduce the DIF's outstanding receivable. For financial reporting purposes, FDIC must periodically estimate what portion of the outstanding balance of the DIF's receivable from resolutions is collectible. This estimate is primarily based on the amounts FDIC expects the DIF will recover through the servicing, sale, and disposition of the receivership's assets. The difference between the outstanding receivable balance and the amount FDIC estimates will ultimately be collected represents the allowance for losses on the receivable included in the DIF's financial statements. To calculate the allowance for losses against amounts owed to the DIF by a receivership, FDIC's Division of Finance (DOF) utilizes a spreadsheet-based worksheet, which it refers to as the Loan Loss Reserve (LLR) template. The LLR template provides a structure for capturing the data needed to determine the allowance for loss amount by individual receivership, which FDIC then aggregates to arrive at the total corporate-level allowance for loss. The LLR template calculations consider receiverships' cash, estimated asset recoveries from the sale of loans and other assets of the failed institution, and administrative liabilities, including estimated losses under loss- sharing agreements, to determine the receiverships' ability to pay amounts due to FDIC. For 2009, FDIC completed LLR templates for each of its 179 active DIF receiverships. FDIC's reliance on a primarily manual process for the calculation of the allowance for loss necessitates that each template undergo a detailed review to ensure its accuracy. However, we identified errors and omissions in the calculations on the LLR templates, including errors related to loss-share information, which affected FDIC's initial allowance-for-loss estimate for 2009 and which FDIC's review procedures failed to detect and correct. These errors included using incorrect recovery rates, incorrect spreadsheet formulas, and outdated information. We also found FDIC inadvertently omitted the values of some assets when preparing some of the LLR templates, which caused the estimated recoveries for those institutions to be incorrect. After we apprised FDIC of these errors, it reviewed all of the LLR templates used in this process to identify and correct errors and inconsistencies. In total, 32 of the 179 LLR templates (nearly 18 percent) used in the calculation of the DIF's initial year-end allowance for loss contained errors. These errors totaled $243 million on an absolute-value basis. When FDIC corrected these additional errors, it resulted in a net decrease to the Receivables from Resolutions, net line item on the DIF's financial statements totaling about $115 million.[Footnote 12] While FDIC had desk procedures calling for independent reviews of the LLR templates, the procedures did not include specific instructions on how the reviews should be conducted or what information should be verified. This, coupled with an increased workload due to the significant number of financial institution failures in 2009, contributed to the errors we identified going undetected by FDIC. The Standards for Internal Control in the Federal Government provide that control activities are to help ensure that all activities are completely and accurately recorded. These standards also state that internal control should generally be designed to assure that ongoing review and monitoring occurs in the course of normal operations. By not performing adequate review of the LLR templates, FDIC increased the risk that inaccurate or incomplete data were used in the year-end calculations for the overall allowance for loss, the most significant estimate on the DIF's financial statements. Recommendation: We recommend that you direct the appropriate FDIC officials to establish and document detailed procedures for Division of Finance (DOF) officials to follow in reviewing the LLR template calculations to ensure they are complete and accurate, including data requiring verification. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that the DOF has developed and implemented additional procedures to enhance the quality- assurance reviews of the LLR templates and the verification of data input. We will evaluate the effectiveness of these additional procedures during our 2010 financial audit. Review of Loss-Share Payment Certificates: During our 2009 financial audit, we found that for much of the year FDIC lacked written policies and procedures for carrying out and documenting the review and approval of payments made on loss-sharing agreements. As a result, evidence of review to ensure that documentation accompanying payment requests from acquiring institutions was accurate and adequately supported was inconsistent or missing. Under FDIC's loss-sharing agreements, an acquiring institution can apply for payment as a result of losses incurred through the sale, foreclosure, loan modification, or write-down of loans in accordance with the terms of the agreement. FDIC pays on loss-share agreements based on claims submitted by acquiring institutions for losses related to single-family or commercial real-estate loans transferred under the loss-share agreement. Claims for single-family real estate may be made when the loan is modified or when the asset is sold, enters into foreclosure, or is written off. For commercial real-estate loans, acquiring institutions may also request payment for losses related to decreases in market value. To make a claim for payment, the acquiring institution submits a payment certificate and supporting documentation to FDIC, including such information as the loan number and loan history. A loss-share specialist in one of FDIC's field offices reviews the payment certificate for mathematical accuracy and reasonableness and prepares and submits a payment voucher to DRR in Washington, D.C. Once DRR in Washington approves the payment, DRR's accounts payable division in Dallas pays the acquiring institution. In 2009, FDIC disbursed about $892 million in loss-share payments to acquiring institutions. In testing FDIC's payments on loss-sharing agreements, we found that, prior to September 2009, FDIC had no written policies and procedures in place requiring management to document its review and approval of loss-share payment certificates. Because FDIC lacked such review and approval policies and procedures for much of 2009, evidence regarding performance of review was inconsistent or inadequate. For example, in our sample of payment transactions, we identified handwritten checkmarks indicating the payment certificates and supporting documentation were reviewed, but no evidence, such as a signature, that the payment certificate was approved. The Standards for Internal Control in the Federal Government provide that agencies establish internal controls and that all transactions and other significant events be clearly documented, the documentation be readily available for examination, and all documentation and records be properly managed and maintained. Further, these standards provide that ongoing monitoring occurs in the course of normal operations. The lack of evidence of review of the payment certificates increased the risk that reviews may not be complete and claims for payment may not be adequately supported. FDIC updated the written policies and procedures it put in place in September 2009 and issued new policies and procedures regarding its review of loss-share payment certificates and supporting documents. FDIC's new detailed procedures, issued in March 2010, require checklists to be completed and attested to by assigned reviewers of the payment certificates and supporting documentation in the field prior to submission to DRR headquarters in Washington for certificate payment approval. FDIC also added an approval date and signature line to the face of the certificate to evidence management review. If properly implemented and monitored, these procedures should improve FDIC's oversight of its loss-share payment process. We plan to review the implementation and effectiveness of the new policies and procedures during our 2010 financial audit. Recommendation: We recommend that you direct the appropriate FDIC officials to establish a mechanism to monitor the implementation of the newly issued policies and procedures pertaining to the documentation of review and approval of loss-share payment certificates. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that the Division of Resolutions and Receiverships (DRR) now performs a second-level review to confirm that the appropriate documentation for the loss-share payment and applicable checklists have been completed, and that the second-level reviewer signs as approver. We will evaluate the effectiveness of FDIC's new second-level review process during our 2010 financial audit. Receivership Bank Reconciliations: During our 2009 financial audit, we found that FDIC did not always complete reconciliations of its receivership general ledger to the receivership operating bank account statements within reasonable time frames. As a result, FDIC did not always timely identify and resolve errors and omissions during the year in its receivership general ledger records related to its receivership disbursements. Effectively reconciling the general ledger to the bank statements requires the comparison of each transaction recorded on the bank statement to items recorded in the general ledger. Such reconciliations for an operating bank account should ensure that all transactions reported on the bank statement are valid and recorded in the general ledger for the same amount, and that any differences between the bank statement and accounting records (referred to as reconciling items) are resolved. Reconciling items may be due to timing differences or errors in either the accounting records or the bank statement. Errors include transactions recorded for the incorrect amount or transactions not recorded in either the accounting or the bank records. In reviewing FDIC's receivership bank reconciliations, we found that four of the six (66 percent) bank reconciliations for April 2009 through September 2009 were not completed within 30 days of the last day covered by the bank statement.[Footnote 13] For example, FDIC's April 2009 receivership bank reconciliation was not completed for over 5 months, and the reconciliation for May 2009 was not completed for over 4 months. Because it did not timely reconcile the receivership disbursement bank account with its receivership general ledger, FDIC did not identify and correct numerous omissions and errors related to disbursement activity for months after they were made and recorded. For example, we found that five disbursements totaling $53,097 were not recorded correctly on the general ledger for more than 180 days after the disbursement was made. One such disbursement for $46,400, issued on December 8, 2008, was erroneously recorded in the general ledger for $46,000. This $400 difference was not corrected until September 2009—nearly 9 months later. Another was a disbursement related to FDIC corporate-level expenses[Footnote 14] that was incorrectly paid from the receivership bank account. It took FDIC months to identify and correct the mistake because the bank account reconciliations were not prepared timely. Although four of the six 2009 reconciliations we tested were not completed within 30 days, all four reconciliations were completed by the end of the year. FDIC officials told us that the dramatic increase in bank failures in 2009 led to substantial increases in the volume of receivership transactions that significantly increased the workload of DRR, [Footnote 15] and that this contributed to some bank reconciliations not being prepared until several months after the last day covered by the bank statement. FDIC management did not timely monitor the status of bank reconciliations and variances between the general ledger and bank statements. The Standards for Internal Control in the Federal Government provide that internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. This includes regular management and supervisory activities, as well as comparisons, reconciliations, and accurate and timely recording of transactions and events. Adequate monitoring of internal controls ensures that reconciliations are created monthly and reconciling items are resolved timely. Performing monthly reconciliations and timely clearing reconciling items reduces the risk of accounting records being inaccurate and allows management the opportunity to identify and address any irregular activity that could indicate fraud or abuse. The lack of timely preparation of receivership bank reconciliations and the resulting delay in clearing reconciling items for receivership operations led to FDIC's receivership cash account being overstated on the receivership general ledger at month end for each month we reviewed. In addition, the lack of timely preparation of such reconciliations and the timely research and correction of reconciling items increased the risk of misstatements to the Receivables from Resolutions, net line item on the DIF's financial statements, and increased the risk that theft or loss of assets could occur and not be detected in a timely manner. Recommendation: We recommend that you direct the appropriate FDIC officials to establish a monitoring process to ensure that reconciliations between the receivership general ledger and the receivership operating bank account are timely prepared and differences arising from these reconciliations are timely identified, researched, and resolved. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that the Division of Resolutions and Receiverships (DRR) has established a written reporting process that provides for a weekly status of accounting activities, including the completion status of reconciliations. FDIC stated that this new process will provide the monitoring necessary to ensure the required recommendations are completed timely, including the timely resolution of differences arising from the reconciliation process. We will evaluate the effectiveness of this new process during our 2010 financial audit. Cash Reconciliations: During our 2009 financial audit, we found that FDIC did not resolve unreconciled differences between the DIF's cash accounts and the records of the Federal Home Loan Bank (FHLB) of New York in a timely manner. As a result, two DIF general ledger cash accounts had incorrect account balances as of December 31, 2009. FDIC maintains an account at the New York FHLB to fund claim payments resulting from financial institution failures. FDIC has two general ledger accounts to record activity related to the account at the FHLB. The first, account 1020 (Payout Account), represents funds that FDIC deposited in the FHLB for payment of claims arising from financial institution failures. FDIC initially funds the account at resolution by estimating the amount it will need to pay the insured depositors of the failed institution. If subsequent claims arise in excess of the amount in the account, FDIC provides additional funding. The second cash account, account 1042 (Outstanding Payments—Payout Account), represents the amount of checks drawn by FDIC on the FHLB of New York payout account 1020 that have been issued but not cleared through the bank. In essence, the balance in this account represents disbursements made that are in transit. The combined balance of the two accounts is the remaining cash available. The activity for both accounts is recorded on the receivership general ledger. On a monthly basis, FDIC's DRR reports the general ledger balances for accounts 1020 and 1042 to the DOF to be included in the cash balance on the DIF's corporate general ledger. As part of our audit, we obtained the reconciliations prepared by FDIC for these two accounts for 2009. Our review of these reconciliations resulted in our determining that the balances in these accounts as of December 31, 2009 were not correct. The amounts recorded in accounts 1020 and 1042 as of December 31, 2009 were $60 million and a credit balance of $107 million, respectively. After we informed FDIC's management of errors in the accounts, FDIC revised these account balances for 1020 and 1042 to $2 million and a credit balance of $49 million, respectively. Because the net difference between these two accounts in this case was the same, there was no effect on the DIF's financial statements. FDIC procedures require that reconciliations be prepared monthly, quarterly, or annually. We found that while FDIC prepared reconciliations of these accounts and these reconciliations identified differences, it did not timely research and resolve the reconciling items identified by the reconciliations. For example, the December 31, 2009, reconciliation for account 1020 had an unreconciled item dating back to January 2009, while the December 31, 2009, reconciliation for account 1042 had unreconciled items dating back to April 2009. As a result, the recorded balances for accounts 1020 and 1042 in the DIF's corporate general ledger at December 31, 2009, were incorrect. According to FDIC, there was an extenuating event that prevented the timely reconciliation of these two accounts. During the latter part of 2009, the processor for FDIC's disbursement bank could not electronically read the checks. This forced FDIC to clear the checks manually. Additionally, an increase in the number of payout transactions resulted in an increased volume of disbursed checks, further delaying the clearing process. The Standards for Internal Control in the Federal Government provide that agencies are to ensure the accurate and timely recording of transactions and events. Further, the standards provide that ongoing monitoring should occur in the course of normal operations. The untimely research and resolution of reconciling differences increased the risk of FDIC misstating the year-end cash and cash equivalent [Footnote 16] balance on the DIF's financial statements. Recommendation: We recommend that you direct appropriate FDIC officials to establish a process to monitor the corporation's adherence to its procedures to complete reconciliations of the DIF's cash account balances, to timely resolve any unreconciled differences, and to identify and address any obstacles that would preclude the completion of such reconciliations. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. FDIC stated that both the DRR, which prepares the reconciliations, and the DOF, which reviews the reconciliations, have taken steps to enhance their monitoring process and that dedicated resources have been assigned to prepare the cash accounts reconciliations within 30 days. We will evaluate the effectiveness of FDIC's actions to enhance its cash reconciliation monitoring process during our 2010 financial audit. Receivership Disbursement Policies and Procedures: During our 2009 financial audit, we found that FDIC's written policies and procedures did not assign specific responsibility for processing and administering receivership disbursements and managing related liabilities. FDIC is responsible for managing and disposing of the assets and resolving the liabilities of failed institutions that are under FDIC's receivership control. In this capacity, FDIC is to act on behalf of the receivership to liquidate the assets and settle claims in accordance with all applicable laws and regulations. The assets and liabilities held by receiverships are required to be accounted for separately from the FDIC corporate asset and liability accounts of the DIF and the FRF. Accordingly, income and expenses attributable to receivership entities are to be accounted for as separate transactions of those entities Expenses incurred by FDIC on behalf of the receiverships are to be charged to the relevant receivership. As such, it is essential that disbursements are made and recorded promptly and accurately so that receivership funds are properly managed and expenses are promptly paid. FDIC has some procedures covering the processing of receivership disbursements. However, we did not find written policies and procedures that require and assign responsibility for reviewing and approving payment vouchers, entering and verifying payment vouchers in the accounts payable system, and generating payments using check, wire, or electronic funds transfers (EFT). We also found that FDIC did not have written policies and procedures regarding actions required to effectively manage receivership liabilities. The increase in the number of receiverships and the volume of transactions associated with those receiverships increases the risk that liabilities may not be paid promptly or accurately accounted for, or both, and exacerbates the need for detailed and clear procedures. In July 2009, FDIC assigned a contractor to begin to monitor receivership liabilities. However, FDIC did not have written guidance on actions required to effectively manage these liabilities. As a result, the contractor used its own judgment when reviewing receivership liabilities. FDIC also did not have written policies and procedures for reviewing and canceling checks that were not cashed within 6 months of issuance (stale checks).[Footnote 17] FDIC must notify the bank for it to cancel a stale check. However, FDIC did not have procedures for specifying when, how, or who is responsible for reviewing and notifying the bank to cancel stale checks. We found that as of December 7, 2009, FDIC had 30 stale checks totaling approximately $68,500. FDIC officials acknowledged that it did not have documented policies and procedures regarding stale checks. Routinely canceling stale checks would assist FDIC in determining whether any receivership expenses had not been paid and enable it to better manage receivership funds. The Standards for Internal Control in the Federal Government provide that internal controls be clearly documented. Further, these standards provide that ongoing monitoring occurs in the course of normal operations. Adequate monitoring of internal controls ensures that policies and procedures are created and timely updated. FDIC acknowledged that it did not have written policies and procedures covering the receivership disbursement process and management of associated liabilities. Without such written policies and procedures, there is an increased risk of inconsistency and error in processing receivership disbursements and ineffectively managing associated liabilities. Recommendations: We recommend that you direct the appropriate FDIC officials to develop and implement written policies and procedures that prescribe specific actions required for: * assigning responsibility and detailing actions required to effectively review and approve payment vouchers, enter and verify payment vouchers in the accounts payable system, and generate receivership payments whether through check, wire, or EFT; * reviewing receivership liabilities, including assigning responsibility and detailing actions required for performing oversight reviews and the frequency for performing such reviews; and; * reviewing and canceling stale checks, including assigning specific responsibility, stating the frequency in which stale checks should be reviewed and canceled, and detailing the manner in which banks are to be notified to cancel stale checks. FDIC Comments and Our Evaluation: FDIC agreed on the importance of having well-written procedures to guide the work being performed and stated that it is in the process of updating its Accounts Payable Manual to provide a single source for accounts payable procedures, with a target completion date of December 31, 2010. However, it disagreed with some of the specifics of our finding and our related recommendations, and stated that procedures existed to guide its payment voucher activity. As discussed in our draft report, we acknowledge that FDIC had some procedures covering the processing of receivership disbursements. We did not, however, find written procedures that assigned responsibility and detailed actions required to (1) effectively approve payment vouchers and process vouchers through actual payment; (2) perform oversight reviews including the frequency for such reviews; and (3) review and cancel stale checks. Consequently, we continue to believe that FDIC needs to develop written procedures covering these critical aspects of its receivership disbursement process. We are encouraged that FDIC, in its response, stated that it has expanded its procedures to specifically address voiding stale-dated checks. We will evaluate the effectiveness of its updated procedures during our 2010 financial audit and, as necessary, in future audits. Estimating Debt Guarantee Program Loss Exposure: During our 2009 financial audit, we found that FDIC's controls over its process for estimating potential losses to the DIF under the Debt Guarantee Program (DGP) were not fully effective in identifying and correcting errors. As a result, we identified an error in a computer- based formula used to estimate a reasonably possible loss amount [Footnote 18] for debt that FDIC guaranteed under the DGP. The DGP was established in October 2008 to facilitate lending by financial institutions in the face of severely constrained credit conditions resulting from the financial crisis. The DGP guarantees newly-issued senior unsecured debt up to prescribed limits issued by insured depository institutions and certain holding companies. FDIC collects fees from institutions participating in the DGP. Because FDIC, through the DIF, is providing a guarantee under the DGP, accounting standards require that FDIC estimate the possible future losses related to the guarantee for its year-end reporting for the DIF. To determine this estimated potential future loss, FDIC developed a computer program to estimate a reasonably possible loss amount for the outstanding DGP debt. However, we identified an error in one of the program's formulas used to estimate this amount. In following up on this error with FDIC officials, we found that while it was FDIC's practice to have a supervisor review the formulas, neither the staff person who created the program nor the immediate supervisor who reviewed the program's formulas identified the error we found. Additionally, we found that FDIC had no specific written procedures in place requiring periodic review of such programs, how such reviews should be conducted, or documentation evidencing the review. The Standards for Internal Control in the Federal Government provide that agencies establish internal controls and that such controls be clearly documented. The error we identified did not result in a change to the reasonably possible loss amount disclosed in the notes to DIF's financial statements because both the amount initially calculated by the program, and the adjusted amount after the program's formula was corrected, rounded to $2.5 billion. However, similar undetected errors in the future could affect the estimated amount reported. Recommendation: We recommend that you direct appropriate FDIC personnel to establish written procedures to provide for the periodic review of the computer program used in the DGP loss estimation process, how such reviews should be conducted, and documentation evidencing the review. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it is currently developing written procedures, to be implemented by November 30, 2010, to provide for the periodic review of the computer program used in the DGP loss estimation process. We will evaluate the effectiveness of FDIC's implementation of these new procedures during our 2010 financial audit. Transaction Account Guarantee Program Loss Monitoring: During our 2009 financial audit, we found that FDIC's procedures to monitor losses associated with the year end estimated contingent liabilities for the DIF under the Transaction Account Guarantee (TAG) program[Footnote 19] were not consistent with its procedures for assuring the reasonableness of the year end contingent liabilities for anticipated failure of insured institutions. The results of these procedures determine if any adjustments to the TAG contingent liability are needed prior to the issuance of DIF's audited financial statements. The current TAG was established under the Temporary Liquidity Guarantee Program in October 2008 in an effort to counter the systemwide crisis in the nation's financial sector, and provides unlimited coverage for non-interest-bearing transaction accounts held by insured depository institutions on all deposit amounts exceeding the fully insured limit (generally $250,000).[Footnote 20] In accordance with U.S. generally accepted accounting principles, FDIC records a contingent liability on the DIF's financial statements for any DIF-insured institutions that are likely to fail when the liability is probable and reasonably estimable. FDIC derives this contingent liability by applying expected failure rates and loss rates to institutions based on supervisory ratings, balance sheet characteristics, and projected capital levels. For those institutions identified as probable failures at year end that also participate in the TAG program, a separate contingent liability is recorded for the amount of TAG deposits over the regular $250,000 deposit insurance. The contingent liability for the TAG program was $1.3 billion at December 31, 2009. Subsequent to year-end and just prior to the issuance of the financial statements, FDIC evaluates the adequacy of the DIF's contingent liability for anticipated failures by comparing the expected losses at the time of failure for those institutions that fail prior to the issuance of the financial statements with the estimated losses for those same institutions that are included in the December 31 year-end contingent liability. FDIC will then adjust the year-end contingent liability if deemed necessary. However, for determining any needed subsequent adjustment to the TAG contingent liability at December 31, FDIC's procedures were not consistent with those for determining the subsequent adjustment to the contingent liability for anticipated failures. Specifically, we found that FDIC's most recent comparison of expected TAG losses associated with institutions that failed in 2010 to the total TAG contingent liability recorded as of December 31, 2009, was based on estimated aggregate losses, rather than a comparison of losses at failure to the amount recorded in the December 31, 2009, contingent liability on an institution-by-institution basis. In conducting our own analysis of the estimated TAG losses at time of failure for the 82 institutions that failed in 2010 through the audit's completion date of June 14, 2010, we found that the expected losses at failure were $43 million lower than the recorded contingent liability as of December 31, 2009. While the amount was not material to the DIF's 2009 financial statements, accounting standards (ASC 855- 10-25-1) provide that an entity should recognize in the financial statements the effects of all subsequent events that provide additional evidence about conditions that existed as of the balance sheet date, including the estimates inherent in the process of preparing financial statements. To FDIC's credit, it reviewed and evaluated the effect of subsequent events on both the contingent liability for anticipated failures and the contingent liability for the TAG. However, because both estimates are affected by similar events, the effect of such events on both estimates should be evaluated on a consistent basis. In this case, an institution-by- institution analysis, such as that done for the year-end contingent liability for anticipated failures, would be a more precise measure of the effect of subsequent events than an aggregate analysis. Consistency in applying accounting methods enhances the utility of the financial statements to users by facilitating analysis and understanding of comparative accounting data. Recommendation: We recommend that you direct the appropriate FDIC personnel to revise procedures to review and analyze the effect of institution failures that occur subsequent to year-end, but prior to the issuance of the DIF's financial statements, on the year-end contingent liabilities for TAG in a manner consistent with that performed for the contingent liability for anticipated failures. FDIC Comments and Our Evaluation: FDIC disagreed with our finding and our related recommendation and stated its belief that it has a sound and effective methodology in place to monitor the reasonableness of estimated losses reported under the TAG program. FDIC further stated that the fact that its validation method was not institution-specific did not, in its view, negate the effectiveness of the method used, nor did it equate to an increased risk of misstating DIF's estimated contingent liability under the TAG. As discussed in our draft report, we believe that conducting an institution-by-institution analysis would provide a more precise measure of the effect of subsequent events on the year-end estimated liability than an aggregate analysis. Additionally, as we point out in our draft report, such an approach would be consistent with FDIC's current methodology for assuring the reasonableness of the year-end contingent liabilities for anticipated failures of insured institutions. Additionally, the institutions constituting DIF's contingent liability for TAG losses are a subset of the institutions constituting DIF's contingent liability for anticipated failures of insured institutions, further evidencing the need for consistency in evaluating subsequent events on both estimates on an institution-by- institution basis. Finally, since both estimates are affected by similar events, the effect of such events should be evaluated on a consistent basis. Cash Flows Statement Preparation Process: During our 2009 financial audit, we found that FDIC misclassified a property and equipment adjustment to the Accounts Payable and Other Liabilities line item on the DIF's statement of cash flows. This resulted in errors in DIF's statement of cash flows that needed to be corrected prior to issuance of the financial statements. Specifically, we found that the statement of cash flows did not correctly reflect: * the amount of the change in the Accounts Payable and Other Liabilities financial statement line item as part of the reconciliation of the change to the net cash provided/used by operating activities, and; * the amount of property and buildings purchased by FDIC as part of the cash used by investing activities. The statement of cash flows, using the indirect method (which FDIC uses) should show how changes in balance sheet accounts affect cash and cash equivalents, and identifies operating and investing activities. Cash used by the entity to purchase property and equipment and other capital expenditures is to be presented in the investing activities section of the statement of cash flows. Additionally, the Standards for Internal Control in the Federal Government requires internal control procedures to ensure the accurate and timely recording of transactions and events. The errors we identified occurred because FDIC's process for the preparation of the DIF's statement of cash flows inappropriately excluded capital cash entries from the change in the Accounts Payable and Other Liabilities line item within the operating activities section of the statement of cash flows. Further, FDIC's process did not provide for including these excluded capital entries in the Purchase of Property and Equipment line item. After we brought this issue to FDIC's attention, it corrected the errors in DIF's final statement of cash flows. However, because of deficiencies in its process for the preparation of the statement of cash flows, FDIC lacked assurance that cash provided and used in operating and investing activities was accurately reflected in the DIF's financial statements. Recommendation: We recommend that you direct appropriate staff to revise FDIC's process used to prepare the statement of cash flows to (1) include capital cash entries in determining the change in the Accounts Payable and Other Liabilities line item, and (2) include capital cash entries in the Purchase of Property and Equipment line item. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it is working to modify its process for preparing the cash flow statement to ensure that amounts reported for changes in the Accounts Payable and Other Liabilities and Purchase of Property and Equipment line items are properly reflected in the statement of cash flows. FDIC stated that the estimated completion date for this modification is November 30, 2010. We will evaluate the effectiveness of FDIC's corrective actions during our 2010 financial audit. This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this report. This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2009 and 2008 financial statements. Please contact me at (202) 512-3406 or sebastians@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure IV. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures - 4: [End of section] Enclosure I: Comments from the Federal Deposit Insurance Corporation: FDIC: Federal Deposit Insurance Corporation: Deputy to the Chairman and CFOP: 550 17th Street NW: Washington, D.C. 20429-9990: November 3, 2010: Mr. Steven Sebastian: Director, Financial Management and Assurance: U.S. Government Accountability Office: Washington, D.C. 20548: Dear Mr. Sebastian: Thank you for providing the U.S. Government Accountability Office's (GAO) draft report titled, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures (GAO-11-23R). We appreciate GAO's comments as well as the opportunity to provide our responses thereon. The FDIC has continued to build on the foundation of new and expanded controls put into place last year and is confident that the combination of the maturity of those control activities and the greater experience level of our employees has resulted in a better control environment within the FDIC. We recognize some findings address more serious challenges to the effectiveness of our control environment, and we have continued our focus on improving these issues throughout this year. With respect to the more routine findings and recommendations in the 2009 draft report, we view them as opportunities for improvement. Our specific responses to all findings and recommendations are included in the attachment to this letter. We look forward to receiving the final 2009 report and continuing our positive working relationship with the GAO during the remainder of the 2010 audit and beyond. Please direct any questions or comments on these matters to James H. Angel, Jr., Director, Office of Enterprise Risk Management, at (703) 562-6456. Sincerely, Signed by: Steven O. App: Deputy to the Chairman and Chief Financial Officer: Attachment: cc: Bret Edwards: Mitchell Glassman: Arleas Upton Kea: James H. Angel, Jr. Audit Committee: [End of letter] Attachment 1: FDIC Responses To 2009 GAO Management Report: Control Deficiencies Comprising a Material Weakness Over Loss-Share Estimates: Calculation of Estimated Loss-Share Loss Rates: Recommendation 1: We recommend that you direct the appropriate FDIC officials to establish a mechanism for monitoring implementation of newly issued policies and procedures within DRR regarding the review process for calculation of initial loss-share loss estimates to verify compliance by DRR personnel. Management Response: The FDIC agrees with the recommendation. During 2010, the FDIC developed new policies and procedures for estimating the loss-share costs and implemented a new review process to ensure the accuracy of the loss estimates. Staff developed a standardized Least Cost Test (LCT) Package that improves the efficiency and accuracy of the review process. The LCT Package consists of documents that are cross referenced to the least cost analysis, such as, the institution's general ledger, asset valuation review, and the LCT backup template. The LCT backup template is used to arrive at the necessary inputs for the loss-share model, such as cumulative loss estimates for loans and other real estate. A peer review is conducted using the Qualified Reviewer Checklist (QRC). This review is designed to ensure that the analysts performed all the necessary steps in calculating the loss estimates and that the bank data was accurately entered into the least cost test models. After the peer review has been completed, a second level review is performed by the Manager, Franchise Marketing. Evidence of this review is documented in the LCT backup template and by signing the Bid Approval memo as the Reviewer. In August 2010, subsequent to the approval, staff began using the new procedures for completing the least cost analysis and performing the new review process. In addition, during 2010, the Manager, Franchise Marketing, formed an independent team to review the LCT process and Loss-Share Worksheets for the first three quarters of 2010 and plans to perform a similar review of the fourth quarter. Furthermore, DRR Internal Review performed a review of the cumulative loss estimate and the preparation of the least cost test for the first two quarters of 2010 and plans to perform a similar review for the remaining two quarters. Management Review of Loss-Share Loss Estimation Assumptions: Recommendations 2 and 3: We recommend that you direct the appropriate FDIC officials to: * Develop specific procedures for developing the loss-share worksheet, to include documenting the assumptions made in the loss-share worksheet and the rationale behind existing assumptions, and; * Develop policies and procedures to provide for and document periodic management review and approval of the loss-share worksheet, to include assumptions, and any changes in assumptions over time, used in preparing the worksheet. Management Response: The FDIC agrees with the recommendation. During 2010, the FDIC established the Closed Bank Financial Risk Committee (CB FRC). One of the responsibilities of this Committee is to review and approve assumptions in the Least Cost Test, including the loss-share worksheet. Staff has provided the CB FRC with memos that describe and support the assumptions in the loss-share worksheet. The CB FRC has (1) met and discussed all material assumptions related to the loss-share worksheet; (2) directed staff to make adjustments to the calculations as appropriate; (3) approved the current methodology and a regular review schedule going forward; and (4) directed staff to research certain assumptions that may result in future changes to assumptions. Written management approval is now required before any changes to the loss-share worksheet are placed into production. Calculation of the Receivables from Resolutions Allowance for Loss: Recommendation 4: We recommend that you direct the appropriate FDIC officials to establish and document detailed procedures for Division of Finance officials to follow in reviewing the LI,R template calculations to ensure they are complete and accurate, including data requiring verification. Management Response: The FDIC agrees with the recommendation. In 2010, DOF developed and implemented additional procedures that have enhanced the quality assurance reviews of the LLR templates and the verification of its data input. Review of Loss-Share Payment Certificates: Recommendation 5: We recommend that you direct the appropriate FDIC officials to establish a mechanism to monitor the implementation of the newly issued policies and procedures pertaining to the documentation of review and approval of loss-share payment certificates. Management Response: The FDIC agrees with the recommendation. DRR's Risk Sharing Asset Management Unit in Washington, DC performs a second level review of the Data Reporting Package (Payment Voucher, Certificate and Supporting Schedules, Task Order Oversight Manager Checklist, and Compliance Monitoring Contractor Checklist). The second level review includes confirming that the appropriate documentation for the payment and applicable checklists have been completed. After determining the payment documents are appropriate, the second level reviewer signs as the approver. In addition, DRR Internal Review was in process of performing a comprehensive review of the loss share payment process at the time the GAO draft report was received. Receivership Bank Reconciliations: Recommendation 6: We recommend that you direct the appropriate FDIC officials to establish a monitoring process to ensure that reconciliations between the receivership general ledger and the receivership operating bank account are timely prepared and differences arising from these reconciliations are timely identified, researched, and resolved. Management Response: FDIC agrees with the recommendation. Although DRR completed all 2009 reconciliations before December 31, some were not completed timely. During 2010, DRR established a written reporting process that provides the weekly status of accounting activities, including the completion status of reconciliations. The weekly reports are reviewed by the Assistant Director and Deputy Director, Receivership Operations. The process initiated in 2010 will provide the monitoring necessary to ensure the required reconciliations are completed timely, including resolving any difference arising from the reconciliations. Cash Reconciliations: Recommendation 7: We recommend that you direct appropriate FDIC officials to establish a process to monitor the Corporation's adherence to its procedures to complete reconciliations of the DIF's cash account balances, to timely resolve any unreconciled differences, and to identify and address any obstacles which would preclude the completion of such reconciliations. Management Response: FDIC agrees with the recommendation. Reconciliations are prepared monthly by DRR and forwarded to DOF for review and approval. Both divisions have taken steps to enhance their current monitoring process of reconciliations. DRR has dedicated resources assigned to prepare the reconciliations within 30 days of month end and clear all variances. A comprehensive review was performed by DRR Internal Review of the cash reconciliations in 2010 to ensure the accounts are reconciled every 30 days; outstanding items are researched and cleared timely; variances are documented and there is a formal review process in place. DOF has enhanced its reconciliation process by providing senior management with monthly status reports on reconciliations which include statistics on total reconciliations received, unreconciled items, reconciling items over two months old and un-submitted reconciliations. Receivership Disbursement Policies and Procedures: Recommendations 8, 9, and 10: We recommend that you direct the appropriate FDIC officials to develop and implement written policies and procedures that prescribe specific actions required for: * Assigning responsibility and detailing actions required to effectively review and approve payment vouchers, enter and verify payment vouchers in the accounts payable system, and generate receivership payments whether through check, wire or EFT. * Reviewing receivership liabilities, including assigning responsibility and detailing actions required for performing oversight reviews and the frequency for performing such reviews. * Reviewing and canceling stale checks, including assigning specific responsibility, the frequency in which stale checks should be reviewed and canceled, and the manner in which banks are to be notified to cancel stale checks. Management Response: While the FDIC disagrees with some of the specifics of this finding and recommendation, we agree with the importance of having good written procedures to guide work being performed. As we have previously indicated to GAO, procedures did exist to guide payment voucher activity. While we did not have written procedures guiding the account reconciliations for the general liability account, DRR did at least monthly monitor aged invoices and payment vouchers to ensure timely resolution of potential payment issues. Finally, FDIC had policies governing stale-dated checks. While our written procedures did need to be updated to reflect current processes, we were performing reviews of cancel-check activities. As of July 2010, we expanded our procedures to specifically address voiding stale-dated checks. DRR is updating its Accounts Payable Manual to provide a single source for all accounts payable policies and procedures. This update is targeted to be complete by December 31, 2010. Estimating Debt Guarantee Program Loss Exposure: Recommendation 11: We recommend that you direct appropriate FDIC personnel to establish written procedures to provide for the periodic review of the computer program used in the DGP loss estimation process, how such reviews should be conducted, and documentation evidencing the review. Management Response: FDIC agrees with the recommendation. We are currently developing written procedures to provide for the periodic review of the computer program used in the DGP loss estimation process. The procedures will be implemented by November 30, 2010. Transaction Account Guarantee Program Loss Monitoring: Recommendation 12: We recommend that you direct the appropriate FDIC personnel to revise procedures to review and analyze the impact of institution failures that occur subsequent to year-end, but prior to the issuance of the DIF's financial statements, on the year-end contingent liabilities for TAG in a manner consistent with that performed for the contingent liability for anticipated failures. Management Response: FDIC disagrees with this finding because we believe we did have a sound methodology in place to monitor the reasonableness of estimated losses reported under the Transaction Account Guarantee (TAG) Program. The fact that the FDIC validation method was not institution specific does not, in our view, negate the effectiveness of the method used, nor does it equate to an increased risk of misstating the DIF's estimated contingent liability under the TAG. Cash Flows Statement Preparation Process: Recommendations 13 and 14: We recommend that you direct appropriate staff to revise FDIC's process used to prepare the statement of cash flows to (1) include capital cash entries in determining the change in the Accounts Payable and Other Liabilities line item, and (2) include capital cash entries in the Purchase of Property and Equipment line item. Management Response: FDIC agrees with the recommendation. We are currently in the process of modifying this process for preparing the cash flow statement. This modification will ensure that amounts reported for changes in the accounts payable and other liabilities and purchase of property and equipment line items are properly reflected in the statement of cash flows. The modification estimated completion date is November 30, 2010. [End of Enclosure I] Enclosure II: Details on Audit Scope and Methodology: To fulfill our responsibilities as auditor of the financial statements of the two funds administered by the Federal Deposit Insurance Corporation (FDIC), we did the following: * Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. * Assessed the accounting principles used and significant estimates made by FDIC management. * Evaluated the overall presentation of the financial statements. * Obtained an understanding of FDIC and its operations, including its internal control related to financial reporting (including safeguarding assets) and compliance with laws and regulations. * Assessed the risk that a material misstatement exists. * Tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of FDIC's internal control based on the assessed risk. * Considered FDIC's process for evaluating and reporting on internal control based on criteria established by the Federal Managers' Financial Integrity Act of 1982. * Tested compliance with certain laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, and the Federal Deposit Insurance Reform Act of 2005. * Performed such other procedures as we considered necessary in the circumstances. [End of Enclosure II] Enclosure III: Status of Recommendations That Were Open at the Beginning of GAO's Audit of FDIC's 2009 Financial Statements: Audit area: Operating Expenses; 1. Document and implement the procedures to be followed for entering data into the fund distribution schedule. Year initially reported: 2008; Status of corrective action as of June 14, 2010: Completed. Audit area: Oversight of Lockbox Bank; 2. Revise procedures to obtain assurance—through such means as SAS 70 reports, internal audit reports, and other monitoring processes—that internal controls over receivership receipts are in place and functioning properly at the Dallas lockbox facility. Year initially reported: 2008; Status of corrective action as of June 14, 2010: In Progress. Audit area: Processing Receivership Receipts; 3. Document and implement a policy regarding a time frame, such as the current target of 90 days, by which receivership receipts are to be applied to the appropriate receivership accounts. Year initially reported: 2008; Status of corrective action as of June 14, 2010: In Progress. Audit area: Net Receivables; 4. Document procedural guidance for estimating failed financial institution receivership asset recoveries to derive the allowance for losses of the DIF's receivable from resolutions, disseminate the guidance to appropriate staff, and effectively implement the guidance. Year initially reported: 2008; Status of corrective action as of June 14, 2010: Completed. [End of Enclosure III] Enclosure IV: GAO Contact and Staff Acknowledgments: GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov. Staff Acknowledgments: The following individuals made key contributions to this report: Gary Chupka, Assistant Director; William Cordrey, Assistant Director; Roshni Agarwal; Teressa Broadie-Gardner; Gloria Cano; Dennis Clarke; John Craig; Jody Ecie; Caitlyn Kwong; Marc Oestreicher; Angel Sharma; and Gregory Ziombra. [End of Enclosure IV] Footnotes: [1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2009 and 2008 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-10-705] (Washington, D.C.: June 24, 2010). [2] A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. [3] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. [4] A significant deficiency is a control deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. [5] GAO, Information Security: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-11-29] (Washington, D.C.: forthcoming). [6] FDIC has used three basic methods to resolve failed financial institutions: purchase and assumption transactions, insured deposit transfers, and deposit payoffs. Of the three, purchase and assumption transactions are the most common. A purchase and assumption is a resolution transaction in which a financially sound institution purchases some or all of the assets of a failed bank or thrift and may assume some or all of the liabilities, including all insured deposits. [7] Losses covered under the loss-sharing agreements include losses incurred through the sale, foreclosure, loan modification, or write- down of loans in accordance with the terms of the loss-sharing agreement. [8] During 2009, FDIC's loss-sharing agreements generally provided that if losses experienced by the acquirer reached a stated threshold amount, FDIC would begin paying 95 percent of the remaining losses the acquiring institution experienced on the acquired assets. [9] The allowance for losses represents the difference between the amount owed to the DIF by a receivership for payment of insured deposits and other resolution expenses and the amount expected to be repaid from the servicing and liquidation of the receivership's assets (such as from sale of loans and other assets of the failed institution). [10] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [11] Per FDIC's corrective action plan, this review process encompasses the use of review checklists for peer review, documentation of managerial review and approval, and analysis reviews conducted by an independent team. [12] Our audit opinion report [hyperlink, http://www.gao.gov/products/GA0-10-705] identified only those LLR errors related to loss-share loss estimates, stating that 13 of the 93 spreadsheets for institutions with loss-sharing agreements (14 percent) used in the calculation of DIF's year-end allowance for loss contained errors. These errors totaled $225 million on an absolute- value basis. When FDIC corrected these additional errors, it resulted in an increase to the loss-share cost estimates and a net decrease to the Receivables from Resolutions, net line item on the DIF's financial statements totaling about $132 million. [13] We used 30 days as a benchmark to measure the timeliness of reconciliations since the bank provides its statements of activity each month. [14] Corporate-level expenses are FDIC expenses not related to a receivership. FDIC pays its corporate expenses from a separate bank account in order to account for those expenses separately from the receivership expenses. [15] DRR is the division responsible for disbursing funds to pay receivership expenses and for preparing receivership bank account reconciliations and resolving reconciling items identified as a result of these reconciliations. [16] Cash equivalents are short-term, highly liquid investments consisting of overnight investments with the U.S. Treasury. [17] Receivership disbursement checks are valid for cashing for only 6 months. Stale checks are those checks that have not been cashed within 6 months of issuance and, therefore, are no longer valid. [18] Accounting standards (ASC-450-20-20) define a reasonably possible loss amount as the chance of the future event or events occurring as more than remote but less than likely. If a loss has been designated as reasonably possible, the amount must be disclosed in the notes to the financial statements (ASC-450-20-50-3). [19] The contingent liability for TAG is recorded in the Contingent Liabilities for Systemic Risk line item and constitutes most of the line item balance. [20] The Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub.L. No. 111-203, was enacted on July 21, 2010. Under section 343 of the act, the current TAG program, set to expire on December 31, 2010, will be replaced on that date with expanded deposit insurance coverage for transaction accounts through December 31, 2012, that is mandatory for all institutions. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: