This is the accessible text file for GAO report number GAO-08-863R entitled 'Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures' which was released on July 11, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-08-863R: July 11, 2008: The Honorable Steven O. App: Deputy to the Chairman and Chief Financial Officer: Federal Deposit Insurance Corporation: The Honorable John F. Bovenzi: Deputy to the Chairman and Chief Operating Officer: Federal Deposit Insurance Corporation: Subject: Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures: In February 2008, we issued our opinions on the calendar year 2007 financial statements of the Deposit Insurance Fund (DIF) and the FSLIC Resolution Fund (FRF). We also issued our opinion on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2007, and our evaluation of FDIC's compliance with provisions of selected laws and regulations for the two funds for the year ended December 31, 2007.[Footnote 1] The purpose of this report is to present issues identified during our audits of the 2007 financial statements regarding certain internal controls and accounting procedures and to recommend actions to address these issues. Although these issues were not material in relation to the financial statements, we believe that they warrant management's attention. We are making five recommendations for strengthening FDIC's internal controls and accounting procedures. We conducted our audits in accordance with U.S. generally accepted government auditing standards. Results in Brief: During our audits of the 2007 financial statements, we identified internal control issues that affected FDIC's accounting for the funds it administers. Although we do not consider them to be material weaknesses or significant deficiencies,[Footnote 2] we believe that they warrant management's attention and action. Specifically, we found the following: * FDIC did not properly account for checks received in its Dallas mailroom. FDIC also lacked adequate procedures and controls to safeguard transported checks for deposit, increasing the risk of theft, loss, or misappropriation of these assets. * FDIC's process for approving payment transactions in its accounting system did not always timely prevent or detect errors in recording these transactions, increasing the risk that operating expenses may be incorrectly classified and presented in DIF's financial statements. At the end of our discussion of each of these issues in the following sections, we make recommendations for strengthening FDIC's internal controls or accounting procedures. These recommendations are intended to bring FDIC into conformance with Standards for Internal Control in the Federal Government, which federal agencies are required to follow, [Footnote 3] and minimize the risk of future misstatements in the DIF and FRF financial statements. In its comments, FDIC agreed with our recommendations and described actions it has taken or plans to take to address the control weaknesses described in this report. At the end of our discussion of each of the issues in this report, we have summarized FDIC's related comments and our evaluation. Scope and Methodology: As part of our audits of the 2007 and 2006 financial statements of the two funds administered by FDIC, we evaluated FDIC's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those intended to ensure proper authorization, execution, accounting, and reporting of transactions. We requested comments on a draft of this report from the FDIC Deputy to the Chairman and Chief Financial Officer and the Deputy to the Chairman and Chief Operating Officer. We received written comments from FDIC and have reprinted the comments in their entirety in enclosure 1. Further details on our scope and methodology are included in our report on the results of our audits of the 2007 and 2006 financial statements and are discussed in enclosure II. Receivership Receipts (Mailroom and Cashier Controls): During our testing of FDIC's internal controls in the mailroom and cashier operations of its Dallas field office, we identified deficiencies in controls over checks received that increased the risk of theft, loss, or misappropriation of receipts. The mailroom of the Dallas field office is responsible for opening mail, including checks for loan repayments from debtors of failed financial institutions. FDIC's Cashiers Unit in the Dallas field office uses a courier service to transport these checks daily to a lockbox administered by JPMorgan Chase Bank, N.A. (JPMorgan). However, not all checks are sent to the Dallas mailroom. Instead, some checks are sent directly to the lockbox. The lockbox is emptied several times a day and the checks are deposited in an FDIC account at JPMorgan. Each day, JPMorgan forwards to FDIC online image copies of the checks deposited that day and all supporting documentation received with the checks. For calendar year 2007, the mailroom of the Dallas field office directly processed 1,361 checks totaling approximately $21.7 million, while the lockbox operation processed 1,779 checks totaling approximately $2.5 million. Whether checks are received in the mailroom or lockbox, the Cashiers Unit is responsible for accounting for all receivership receipts. In our tests of controls at FDIC's Dallas field office mailroom and of Cashiers Unit operations, we found the following control deficiencies: * The mailroom contractor staff did not follow procedures to adequately account for checks upon receipt and prior to storing the checks in a safe. Specifically, we found that the check log prepared upon extraction of receipts from the envelopes was not reconciled to the total number of checks and the total dollar value of checks received, and the check log was not initialed and dated by the preparer. Additionally, mailroom staff did not reconcile the e-mail confirmation received from the Cashiers Unit noting checks forwarded to JPMorgan for deposit to the check log that was manually completed by the mailroom staff. * The Cashiers Unit did not have procedures and controls to safeguard checks transported via courier from FDIC's Dallas field office to the JPMorgan lockbox. Specifically, we found that there were no procedures in place requiring the Cashiers Unit staff who handed the daily checks to the contract courier to obtain information on the identity of the courier or confirm the courier's authorization to pick up and deliver the checks. Additionally, the Cashiers Unit staff were not required to obtain a receipt from the courier documenting that the checks were provided to the courier. Finally, there were no procedures requiring the courier to be bonded. A bonded courier would indemnify FDIC for monetary losses related to the transported checks. Standards for Internal Control in the Federal Government requires agencies to establish accounting and physical control to record, secure, and safeguard vulnerable assets. Examples include accountability and security for, and limited access to, assets such as cash, securities, inventories, and equipment that might be vulnerable to risk of loss or unauthorized use. Also, these internal control standards require internal control procedures to be documented in operating manuals. The deficiencies we identified in the mailroom were due to the fact that the Mail Center Standard Operating Procedures Manual has not been revised to incorporate past changes in procedures as well as those necessitated by the Dallas field office's move to a new location in October 2007, resulting in reconciliation and other procedures not being performed. FDIC officials stated that going forward, a computer will be placed at the mail-opening table so that information from checks received can be entered directly into an electronic spreadsheet and reconciled, thus eliminating the need for a manual logbook. They also explained that the e-mail received from the Cashiers Unit confirming check numbers and amounts will be reconciled to the spreadsheet. FDIC officials also informed us that for depositing checks with JPMorgan, FDIC is working with JPMorgan on implementing remote electronic deposits. As such, any checks received in the mailroom will be converted to electronic images and electronically sent to JPMorgan for deposit. Safeguarding controls are critical in preventing the theft of checks. The lack of effective safeguarding controls increases the risk of theft, loss, or misappropriation of assets. Recommendations: To improve accounting and safeguards for receipts in the Dallas field office mailroom and cashier operations, we recommend that you: * ensure that mailroom contractor staff follow procedures for entering information from checks received into an electronic spreadsheet and perform necessary reconciliations; * review the Mail Center Standard Operating Procedures Manual and make necessary revisions to reflect current procedures and controls over mailroom check processing; * establish procedures to require remote electronic deposits and thus eliminate the need for a courier service and the risks associated with using a courier; and: * until such time as FDIC implements a remote electronic deposit process, require Cashiers Unit staff to verify the identity of the courier, obtain a receipt for the checks, and ensure that the courier is bonded. FDIC Comments and Our Evaluation: FDIC agreed with our recommendations. In response to our findings related to accounting for checks received in its Dallas field office mailroom, FDIC cited corrective actions completed by April 30, 2008, that address the issues we identified. As to the review and revision of the Mail Center Standard Operating Procedures Manual, FDIC stated that the completion date will be December 31, 2008. With respect to our findings related to the risks of using a courier, FDIC responded that it expects to begin using a Remote Capture service by July 30, 2008, which will eliminate the need for a courier. In the interim, FDIC commented that it has implemented procedures requiring Cashiers Unit staff to verify the identity of the courier and obtain receipts for checks. FDIC also commented that the courier is bonded. We will evaluate the effectiveness of FDIC's actions during our 2008 financial audit. Operating Expense Coding: During our testing of operating expense transactions, we identified an invoice related to an expense transaction that was incorrectly coded. After we brought this error to the attention of the responsible FDIC oversight manager, she identified a second invoice that was incorrectly coded. These two invoice payments were made through the Intra- government Payments and Collections (IPAC) process. The oversight manager has the primary responsibility for approving expense payments, but the Division of Finance (DOF) also has the responsibility to accurately and timely record the transactions. When IPAC payments are involved, DOF staff are required to prepare the payment voucher and forward it to the responsible oversight manager for review and approval. The two errors resulted from (1) DOF staff entering incorrect account codes on payment vouchers for recording the transactions in the accounting system and (2) the oversight manager responsible for approving the payments not detecting the coding error and erroneously approving the voucher. These errors resulted in the wrong expense account being charged, but in each case did not affect the operating expense line item on DIF's income statement since the affected accounts were both expense accounts. Internal control standards require agencies to implement procedures to ensure the accurate and timely recording of transactions and events. In addition, these standards require that qualified and continuous supervision be provided to ensure that internal control objectives are achieved. Lack of supervision and effective implementation of procedures increases the risk that expenses may be incorrectly classified, which could affect the accurate presentation of operating expenses in DIF's financial statements. Recommendation: To minimize the risk of charging expenses to the wrong account, we recommend that you issue written notification to all individuals involved with processing IPAC transactions reminding them of their responsibility to properly review and accurately record these transactions. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. FDIC stated that by June 25, 2008, it issued e-mails to the disbursement staff and the oversight managers reminding them of their responsibility to properly review and accurately record transactions to minimize the risk of charging expenses to the wrong account. We will evaluate the effectiveness of FDIC's actions during our 2008 financial audit. This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this report. This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2007 and 2006 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are Gary Chupka, Assistant Director; Gloria Cano; Nina Crocker; Wing Kwong; Gloria Proa; and Gregory Ziombra. Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures: Enclosure 1: Comments from the Federal Deposit Insurance Corporation: FDIC: Federal Deposit Insurance Corporation: Deputy to the Chairman and CFO: 550 17th Street NW: Washington, DC. 20429-9990: June 30, 2008: Mr. Steven J. Sebastian: Director, Financial Management and Assurance: U.S. Government Accountability Office: Washington, DC 20548: Dear Mr. Sebastian: Thank you for providing the U.S. Government Accountability Office's (GAO) draft report titled, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures (GAO- 08-863R) for review and comment. The report discusses the matters that were identified during the audits of the Federal Deposit Insurance Corporation's (FDIC) 2007 financial statements regarding internal controls and accounting procedures and the recommendations for strengthening them. Although GAO believes that these matters warrant management's attention, we are pleased that GAO acknowledged that they are not material in relation to the financial statements and does not consider them to be material weaknesses or significant deficiencies. We appreciate GAO's work on the 2007 audits and recognize the benefit of the recommendations that were made. FDIC has already completed actions to address some of the recommendations and will be implementing the remaining recommendations. Our detailed management responses are provided in Attachment 1. FDIC remains committed to improving its financial operations and maintaining effective internal control. We appreciate your support of these efforts and look forward to continuing the productive collaboration during the course of this year's audit. If you have any questions relating to our responses, please contact James H. Angel, Jr., Director, Office of Enterprise Risk Management, at 703-562-6456. Sincerely, Signed by: Steven O. App: Deputy to the Chairman and Chief Financial Officer: Attachment: cc: John Bovenzi: Bret Edwards: Arleas Upton Kea: Mitchell Glassman: James H. Angel, Jr. Audit Committee: Attachment 1: FDIC Responses To 2007 GAO Management Report: Receivership Receipts (Mailroom and Cashier Controls): GAO found that FDIC did not properly account for checks in its Dallas mailroom. FDIC also lacked adequate procedures and controls to safeguard transported checks for deposit, increasing the risk of theft, loss, or misappropriation of these assets. Recommendation 1: GAO recommended that FDIC ensure that mailroom contractor staff follow procedures for entering information from checks received into an electronic spreadsheet and perform necessary reconciliations. Management Response: FDIC concurs with the recommendation. However, it should be noted that the mailroom staff maintained two logs for recording checks. The first log was a manual log book with the date preprinted on the top of the page. The second log was created in an electronic spreadsheet that was initialed by both parties. As the manual log was not initialed, GAO deemed the staff was not properly recording these checks even though the electronic spreadsheet was initialed by the mailroom staff. To avoid this confusion, the Division of Administration, as was stated in its response to GAO in April 2008, eliminated the manual log book and is maintaining the electronic spreadsheet only. The mailroom staff enters all checks into the electronic spreadsheet and the spreadsheet is initialed by one employee, verified by another, and dated. The email confirmation received from the Cashiers Unit, along with a copy of the check log, is filed daily. The email confirmation is visually reconciled with the daily electronic spreadsheet. The completion date was April 30, 2008, and FDIC considers the recommendation implemented. Recommendation 2: GAO recommended that FDIC review the Mail Center Standard Operating Procedures Manual and make necessary revisions to reflect current procedures and controls over mailroom check processing. Management Response: FDIC concurs with the recommendation. The Division of Administration is currently reviewing the Mail Center Operations Manual. It should be noted that interim guidance was issued in 2006 and in 2007 to all mailroom staff clarifying the opening of mail and the processing of checks. The current review and revision of the Mail Center Operations Manual will incorporate the interim guidance. The completion date is December 31, 2008. Recommendation 3: GAO recommended that FDIC establish procedures to require remote electronic deposits and thus eliminate the need for a courier service and the risks associated with using a courier. Management Response: FDIC concurs with the recommendation. FDIC has begun the process of implementing a Remote Capture service through JP Morgan Chase, which will eliminate the need for the courier service. Remote Capture will convert all checks received directly by FDIC to electronic files and cause a daily deposit for the total amount of the checks into FDIC's primary account. Equipment, system requirements, pricing, and maintenance have been agreed upon. FDIC expects to begin using Remote Capture service by July 30, 2008, once the file format and its compatibility for upload into FDIC's cashier module is finalized. Recommendation 4: GAO recommended that FDIC require the Cashiers Unit staff to verify the identity of the courier, obtain a receipt for the checks, and ensure that the courier is bonded until such time as FDIC implements a remote electronic deposit process. Management Response: FDIC concurs with the recommendation. As stated in the response to recommendation 3, FDIC expects to begin using Remote Capture service by July 30, 2008, which will eliminate the need for a courier. In the interim, FDIC has implemented procedures requiring the Cashiers Unit staff to verify the identity of the courier and obtain receipts for checks. FDIC has confirmed that the courier is bonded. Operating Expense Coding: GAO found that FDIC's process for approving payment transactions in its accounting system did not always timely prevent or detect errors in recording these transactions, increasing the risk that operating expenses may be incorrectly classified and presented in the financial statements. Recommendation 5: GAO recommended that FDIC issue written notification to all individuals involved with processing Intragovernment Payments and Collections (IPAC) transactions reminding them of their responsibility to properly review and accurately record these transactions to minimize the risk of charging expenses to the wrong account. Management Response: FDIC concurs with the recommendation. As stated in GAO's finding, the coding errors on two IPAC transactions were the result of human error. The coding from an earlier similar transaction was incorrectly recorded on these transactions and the coding error was not detected in the review and approval process by either the disbursement staff or the Oversight Manager. The Division of Finance issued emails to the disbursement staff and the Oversight Managers reminding them of their responsibility to properly review and accurately record transactions to minimize the risk of charging expenses to the wrong account. The completion date was June 25, 2008. [End of enclosure] Enclosure 2: Details on Audit Scope and Methodology: To fulfill our responsibilities as auditor of the financial statements of the two funds administered by FDIC, we did the following: * examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements; * assessed the accounting principles used and significant estimates made by management; * evaluated the overall presentation of the financial statements; * obtained an understanding of internal controls related to financial reporting (including safeguarding assets) and compliance with selected laws and regulations; * tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control; * considered FDIC's process for evaluating and reporting on internal control based on criteria established by 31 U.S.C. ยง 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act); and: * tested compliance with applicable laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, and the Chief Financial Officers Act of 1990. [End of enclosure] Footnotes: [1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2007 and 2006 Financial Statements, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-08-416] (Washington, D.C.: Feb. 11, 2008). [2] A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. [3] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1999). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: