Summary

On March 4, 2004, GAO testified before the Subcommittee on Oversight and Investigations, House Committee on Financial Services, at a hearing on oversight of the Federal Deposit Insurance Corporation (FDIC) and discussed the results of our 2003 and 2002 audits of FDIC's financial statements. This letter responds to subsequent questions that the Chairwoman asked GAO to answer for the record.

FDIC has been responsive to addressing information security weaknesses GAO has previously reported. If fully and effectively implemented, FDIC's corrective actions should address each of the security deficiencies identified. A key reason for FDIC's continuing weaknesses in information system security controls is that it has not yet fully implemented all elements of a comprehensive security management program. While FDIC has done much to establish a complete security management program, its review, testing, and evaluation program does not yet address all key areas. FDIC management currently has a plan in place to establish a comprehensive security management program that includes a complete review, testing, and evaluation program. GAO has a two-pronged approach for keeping pace with the constantly changing environment in which we conduct our audits. First, we update our own audit methodology, the Financial Audit Manual. Second, during the audit process we monitor and review FDIC's actions to adapt and improve its operations to a changing environment. FDIC is currently in the process of changing the methodology it uses to estimate potential failure and loss rates of insured financial institutions and of developing new financial systems to enhance its ability to meet financial management and information needs.