Summary

GAO is required to annually audit the financial statements of the three funds administered by the Federal Deposit Insurance Corporation (FDIC): the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC (Federal Savings and Loan Insurance Corporation) Resolution Fund (FRF). GAO is responsible for obtaining reasonable assurance about whether FDIC's financial statements for BIF, SAIF, and FRF are presented fairly in all material respects, in conformity with U.S. generally accepted accounting principles, and whether FDIC maintains effective internal controls and FDIC has complied with selected laws and regulations. Created in 1933 to insure bank deposits and promote sound banking practices, FDIC plays an important role in maintaining public confidence in the nation's financial system. In 1989, legislation to reform the federal deposit insurance system created three funds to be administered by FDIC: BIF and SAIF, which protect bank and savings deposits, and FRF, which was created to close out the business of the former Federal Savings and Loan Insurance Corporation. GAO was asked by the Chairwoman of the House Subcommittee on Oversight and Investigations, Committee on Financial Services, to discuss the results of its February 13, 2004, report, Financial Audit: Federal Deposit Insurance Corporation Funds' 2003 and 2002 Financial Statements (GAO-04-429).

In reporting on the results of the 2003 and 2002 audits, GAO issued unqualified, or "clean," opinions on the three funds administered by the Federal Deposit Insurance Corporation (FDIC)--the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). This means that the funds' financial statements presented fairly, in all material respects, their financial position as of December 31, 2003 and 2002. FDIC also maintained, in all material respects, effective control over financial reporting (including safeguarding of assets) and compliance with laws and regulations. GAO identified one reportable internal control weakness in the area of information system security controls, which although not considered material, is nevertheless considered a significant deficiency in the design or operation of controls. GAO has reported weaknesses in FDIC's information systems security for a number of years. Although GAO continued to consider information security weaknesses to be a reportable condition for 2003, we also found that FDIC has made significant progress in correcting the computer security weaknesses we previously identified. FDIC took action to address current and prior-year weaknesses, including completing action on all of the 22 weaknesses that remained open from GAO's 2001 audit and 28 of the 29 weaknesses from our 2002 audit. However, GAO's work in 2003 identified 22 additional security weaknesses in FDIC's information systems. FDIC has made substantial progress in more fully implementing a computer security management program. However, it only recently established a program to test and evaluate its computer control environment and this program does not yet include all key areas. A mature, comprehensive, ongoing program of tests and evaluations of control would enable FDIC to better identify and correct information system security problems such as those found in our review. FDIC has reported that banks and savings institutions it insures have experienced record earnings during 2003. The financial condition of BIF and SAIF are also showing positive trends. The fund balances, or net worth, for both BIF and SAIF increased during fiscal year 2003. And, the current level of estimated losses from probable failures of insured institutions is low relative to the estimated liabilities that FDIC has recorded over the last 10 years. It is important to remember that GAO's opinions on FDIC's financial statements and its overall positive report on internal controls reflect a point in time. This also holds true for the positive financial trends that FDIC and insured financial institutions are currently experiencing. FDIC must continually monitor its business environment, assess the related risks, and adapt its internal operations as well as its insurance and supervision and monitoring functions to manage risk and maximize the value of its overall mission. FDIC is taking action to improve its risk monitoring and operations in several areas, including financial risk management, future financial management and information needs, and information technology security and processes.