Management Report: Continued Improvements Needed in FDIC's Internal Control over Contract Documentation and Payment-Review Processes
Fast Facts
The Federal Deposit Insurance Corporation helps maintain stability and public confidence in the nation's financial system.
During our 2021-2022 financial statement audit of the two funds that the FDIC administers (the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation Resolution Fund), we continued to identify issues—what auditors call a "significant deficiency." These issues related to how the FDIC ensures that its payments to contractors are correct and contracts are sufficiently documented.
In this report to FDIC's management, we made four new recommendations to address these issues.
Highlights
What GAO Found
During the audits of the 2022 and 2021 financial statements of the two funds that the Federal Deposit Insurance Corporation (FDIC) administers—the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF)—GAO continued to identify deficiencies in FDIC’s controls over contract documentation and payment-review processes that collectively represent a significant deficiency in FDIC’s internal control over financial reporting that merits attention by those charged with FDIC governance.
GAO communicated to FDIC management detailed information regarding these control deficiencies and made four new recommendations to address them. For three prior open recommendations GAO found that FDIC implemented corrective actions during 2022 to resolve one of these recommendations. As a result, GAO closed this recommendation. Therefore, FDIC currently has six open GAO financial audit recommendations intended to improve FDIC’s internal controls over financial reporting, as well as to bring FDIC into conformance with its own policies and Standards for Internal Control in the Federal Government.
Why GAO Did This Study
The purpose of this report is to present (1) the internal control deficiencies identified during GAO's audit testing of FDIC's 2022 nonpayroll operating expenses and (2) the status of FDIC's corrective actions to address GAO's recommendations related to internal control deficiencies identified in prior-year reports that were open as of December 31, 2021. GAO intends this report for FDIC management use.
Recommendations
GAO is making four recommendations to help FDIC improve internal controls over financial reporting by designing new or updating its existing policies and procedures. In commenting on a draft of this report, FDIC acknowledged GAO’s findings and described planned actions to address its recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Federal Deposit Insurance Corporation | The Deputy Director of the Acquisition Services Branch of the Division of Administration should design and implement a policy that (1) requires all oversight managers and contracting officers from all divisions to routinely take mandatory training in order to review and enhance their awareness of the existing policies and procedures for contract documentation and payment-review processes and (2) includes an established process for routinely tracking the completion of such training. (Recommendation 1) |
In its written comments, FDIC acknowledged our findings and provided planned corrective actions. In 2023, FDIC updated its mandatory oversight managers refresher training to enhance oversight manager awareness of existing policies and procedures for contract documentation and payment-review processes. Also in 2023, the Deputy Director established a Quality Assurance/Internal Control Program that routinely (1) tests and monitors oversight managers' and contracting officers' implementation of policies and procedures, and (2) communicates results and findings through routine reports and annual training, all of which helps ensure oversight managers and contracting officers enhance their awareness of existing policies and procedures for contract documentation and payment-review processes. As a result, we determined that FDIC has taken sufficient corrective actions to close this recommendation, as implemented.
|
| Federal Deposit Insurance Corporation | The Chief Risk Officer should design and implement procedures for tracking and communicating to management the status of corrective actions (e.g., for considerations, observations, or takeaways) for contract monitoring reviews and testing that the Office of Risk Management and Internal Controls performs until FDIC fully implements corrective actions. (Recommendation 2) |
In its written comments on our draft report, FDIC acknowledged our findings and provided planned corrective actions. In 2023, FDIC implemented the use of the Audit Reports Tracking System to track, monitor, and periodically communicate to management the status of audit reports, recommendations, and corrective actions resulting from the Office of Risk Management and Internal Controls' contract monitoring reviews and testing. As a result, we determined that FDIC has taken sufficient corrective actions to close this recommendation, as implemented.
|
| Federal Deposit Insurance Corporation | The Deputy Director of the Acquisition Services Branch of the Division of Administration should update FDIC's existing policies and procedures to prohibit contracting officers and oversight managers from using hard drives to store and maintain contract documentation, in order to mitigate the risk of losing documentation and making improper payments. (Recommendation 3) |
In its written comments on our draft report, FDIC acknowledged our findings and provided planned corrective actions. In 2023, FDIC replaced existing policies with "Directive 3700.16 - Acquisition Program and the Acquisition Procedures and Guidance Manual," which clarified that final contract documentation must be stored and maintained in the official contract file repository. FDIC also consolidated all related job aids to one combined internal site. Further, FDIC implemented new periodic review procedures to ensure contract documentation is stored in the official contract file repository. As a result, we determined that FDIC has taken sufficient corrective actions to close this recommendation, as implemented.
|
| Federal Deposit Insurance Corporation | The Deputy Director of the Acquisition Services Branch of the Division of Administration should update FDIC's existing policies and procedures to define acceptable time frames for uploading contract documentation to a centralized location in order to reasonably assure that contracting officers and oversight managers properly document and support contracts in a timely manner. (Recommendation 4) |
In its written comments on our draft report, FDIC acknowledged our findings and provided planned corrective actions. FDIC determined the timeframes cited in the policy were acceptable and appropriate, and in 2023, FDIC established a Quality Assurance and Internal Control Program, which implements periodic review procedures that ensure contract documentation is properly and timely stored in the official contract file repository. As a result, we determined that FDIC has taken sufficient corrective actions to close this recommendation, as implemented.
|