FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

FDIC’s Corporate Investment Program

May 2009
Report No. AUD-09-013

FDIC OIG, Office of Audits
Federal Deposit
Insurance Corporation

Why We Did The Audit

The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit of the FDIC’s Corporate Investment Program. The results of this audit support the OIG’s commitment to FDIC management to conduct an independent audit of the Corporate Investment Program every 3 years.

The objective of the audit was to assess the FDIC’s controls for ensuring that the Deposit Insurance Fund (DIF) and the National Liquidation Fund (NLF) are managed consistent with the FDIC’s investment policies approved by the Corporation’s Board of Directors (Board). KPMG used the Government Accountability Office’s Standards for Internal Control in the Federal Government as the principal criteria for conducting the audit.

Background

The DIF portfolio includes corporate investments, while the NLF portfolio includes funds held by the FDIC in its receivership and corporate liquidator capacity. As of September 30, 2008, the market value of the DIF and NLF were $34.59 billion and $2.86 billion, respectively.

The management of the DIF and NLF is governed by two separate policies approved by the Board. Among other things, these policies define investment objectives for the funds, key roles and responsibilities, and reporting requirements to the Board. The Board delegated to the Deputy to the Chairman and Chief Financial Officer (CFO) the responsibility for managing the DIF and investing and accounting for the NLF. The Director, Division of Finance (DOF), under the general supervision of the CFO, is responsible for implementing the Corporation’s investment strategies and for managing the day-to-day financial transactions of the funds.

Audit Results

KPMG found that the FDIC had implemented a number of important controls designed to ensure that the DIF and NLF are managed consistent with the FDIC’s Board-approved investment policies. Of particular note, DOF had developed detailed procedures and guidelines to manage the day-to-day operations of the funds. Additionally, the FDIC had created an Investment Advisory Group to monitor the performance of the funds and advise the CFO on investment strategies pertaining to the funds. Further, the CFO and DOF officials reported regularly to the Board on the funds’ performance and were taking proactive measures to help ensure the viability of the funds in response to uncertainties in the banking industry. While these actions are positive, control improvements in the following areas of the Corporate Investment Program are warranted.

  • The FDIC’s Corporate Investment Policy and DOF’s detailed investment procedures and guidelines did not reflect current statutory definitions or investment management practices in some areas.
  • Although the FDIC has a strategy for responding to a liquidity contingency involving the DIF, the FDIC can enhance its response planning by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy under the various contingency scenarios that could occur.
  • Although DOF implemented a number of important controls over the purchase and sale of investment securities in the DIF and NLF, DOF’s investment procedures do not define a dual control over the authorization and execution of securities transactions wherein the authorization is documented in advance of the transaction by an individual other than the person responsible for executing the transaction.
  • Although DOF has taken steps to help ensure the integrity of its key computer-based financial models, it had not ensured periodic independent validations of the models to ensure they function as intended.

These control improvements will help ensure that the Corporation’s investment management processes are repeatable, consistent, and disciplined and that operational risk associated with staff departures is minimized. Such control improvements will also promote separation of duties and help mitigate the risk of errors. KPMG identified one additional potential control enhancement pertaining to interest rate risk management that the firm is reporting separately because the matter was not considered significant in the context of the audit results.

Recommendations
KPMG recommended that the CFO and Director, DOF:
  • update the Corporate Investment Policy and DOF’s detailed investment procedures and guidelines (where appropriate) and perform periodic program assessments to ensure controls operate as intended;
  • develop a comprehensive, written contingency funding plan for the DIF;
  • establish a system of dual control over securities transactions; and
  • periodically validate key computer-based financial models.

Management generally concurred with KPMG’s recommendations and plans to take responsive actions.




FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, Office of Audits, 3501 Fairfax Drive, Arlington, VA 22226-3500

DATE: May 14, 2009

MEMORANDUM TO: Steven O. App
Deputy to the Chairman and Chief Financial Officer

Bret D. Edwards, Director
Division of Finance

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits

SUBJECT: FDIC’s Corporate Investment Program
(Report No. AUD-09-013)
 

The subject final report is provided for your information and use. Please refer to the Executive Summary, included in the report, for the overall audit results.

Our evaluation of your response is incorporated into the body of the report. Your comments on a draft of this report were responsive to all five of the report’s recommendations, which are considered resolved. The recommendations will remain open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are responsive.

If you have questions concerning the report, please contact me at (703) 562-6350, or Mark F. Mulholland, Deputy Assistant Inspector General for Audits, at (703) 562-6316. We appreciate the courtesies extended to the audit staff.

Attachment

cc: Connie A. Brindle, DOF

James H. Angel, Jr., OERM




Table of Contents

Part I
  Report by KPMG
  FDIC’s Corporate Investment Program

Part II
  Corporation Comments and OIG Evaluation
  Corporation Comments
  Management Responses to Recommendations

Part I

Report by KPMG LLP

KPMG LLP
2001 M Street, NW
Washington, DC 20036

May 14, 2009

Honorable Jon T. Rymer
Inspector General
Federal Deposit Insurance Corporation
3501 Fairfax Drive
Arlington, VA 22226

Re: Transmittal of Results for the Audit of FDIC’s Corporate Investment Program (Report No. AUD-09-013)

Dear Mr. Rymer:

This letter is to acknowledge delivery of our final report representing the results of our performance audit of the FDIC’s Corporate Investment Program in accordance with Task Assignment Number 08-08 dated September 26, 2008. The objective of this performance audit was to assess the FDIC’s controls for ensuring that the Deposit Insurance Fund (DIF) and National Liquidation Fund (NLF) are managed consistent with the FDIC’s investment policies approved by the Board of Directors (the Board). As part of our work, we interviewed key officials with responsibility for managing and implementing the Corporate Investment Program, including the Deputy to the Chairman and Chief Financial Officer (CFO) and Division of Finance (DOF) officials. We also reviewed relevant FDIC policies, procedures, guidelines, plans, and reports pertaining to the Corporate Investment Program.

We conducted our performance audit in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

In summary, we found that the FDIC had implemented a number of important controls designed to ensure that the DIF and NLF are managed consistent with the FDIC’s Board-approved investment policies. Of particular note, DOF had developed detailed procedures and guidelines to manage the day-to-day operations of the funds. Additionally, the FDIC had created an Investment Advisory Group to monitor the performance of the funds and advise the CFO on investment strategies pertaining to the funds. Further, the CFO and DOF officials reported regularly to the Board on the funds’ performance and were taking proactive measures to help ensure the viability of the funds in response to uncertainties in the banking industry.

While these actions are positive, control improvements in some areas of the Corporate Investment Program are warranted. Specifically, the FDIC’s Corporate Investment Policy and DOF’s detailed procedures and guidelines did not reflect current investment management practices in some areas. In addition, although the FDIC had a strategy for responding to a liquidity contingency involving the DIF, the FDIC can enhance its response planning by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy under the various contingency scenarios that could occur. Further, the FDIC can enhance its investment management controls by implementing a system of dual control over the authorization and execution of securities transactions and conducting periodic independent validations of key computer-based financial models to ensure they function as intended. We identified one additional potential control enhancement pertaining to interest rate risk management that we are reporting to the Office of Inspector General (OIG) separately because we do not consider the matter to be significant in the context of our performance audit results.

We issued a draft of this report on February 25, 2009. We subsequently met with representatives of DOF and the OIG and obtained informal feedback on the draft report. Based on the informal feedback we received, we made certain changes that we deemed appropriate. On May 8, 2009, the CFO and Director, DOF, provided a formal written response to our draft report.

Our work did not include an assessment of the sufficiency of deposit insurance assessments or other funding sources to cover anticipated losses from insured depository institutions. KPMG cautions that projecting the results of our audit to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate. The information included in this report was obtained from the FDIC on or before February 25, 2009. We have no obligation to update our report or to revise the information contained therein to reflect events and transactions occurring subsequent to February 25, 2009.

KPMG policy requires that we obtain a management representation letter associated with the issuance of a performance audit report citing Generally Accepted Government Auditing Standards. We requested a management representation letter from the Director, DOF, on February 20, 2009 and received the signed representation letter on February 25, 2009.

Please contact Mark Twerdok at (412) 232-1599 if you have any questions or comments regarding this report.

Sincerely,

KPMG LLP











FDIC’s Corporate Investment Program

FINAL REPORT

Prepared for the
Federal Deposit Insurance Corporation
Office of Inspector General



May 14, 2009

KPMG LLP
2001 M Street, NW
Washington, DC 20036







Table of Contents

EXECUTIVE SUMMARY
BACKGROUND
CORPORATE INVESTMENT PROGRAM POLICIES, PROCEDURES, AND GUIDELINES
  Recommendations Related to Corporate Investment Program Policy, Procedures, and Guidelines and Associated Internal Reviews
CONTINGENCY RESPONSE PLANNING
  Recommendation Related to Contingency Response Planning
AUTHORIZATIONS TO PURCHASE AND SELL INVESTMENT SECURITIES
  Recommendation Related to the Authorizations and Execution of Investment Securities Transactions
VALIDATION OF COMPUTER-BASED FINANCIAL MODELS
  Recommendation Related to Performing Independent Validations of Computer-based Financial Models
FIGURE
  DIF and NLF Governance Framework
TABLE
  Key Corporate Investment Program Policies, Procedures, and Guidelines
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: GLOSSARY OF TERMS
APPENDIX III: ACRONYMS USED IN THE REPORT




EXECUTIVE SUMMARY

The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit of the FDIC’s Corporate Investment Program. Both the OIG and FDIC management recognize that periodic, independent audits of the Corporate Investment Program are necessary and useful for sound corporate governance. The results of this audit support the OIG’s commitment to FDIC management to conduct an independent audit of the Corporate Investment Program every 3 years.

The objective of this performance audit was to assess the FDIC’s controls for ensuring that the Deposit Insurance Fund (DIF) and National Liquidation Fund (NLF) are managed consistent with the FDIC’s investment policies approved by the Board of Directors (the Board). As part of our work, we interviewed key officials with responsibility for managing and implementing the Corporate Investment Program, including the Deputy to the Chairman and Chief Financial Officer (CFO) and Division of Finance (DOF) officials. We also reviewed relevant FDIC policies, procedures, guidelines, plans, and reports pertaining to the Corporate Investment Program. Our work did not include an assessment of the sufficiency of deposit insurance assessments or other funding sources to cover anticipated losses from insured depository institutions.

We used the Government Accountability Office’s (GAO) November 1999 publication Standards for Internal Control in the Federal Government as the primary criteria for conducting the audit. We chose these standards because they define an overall framework for establishing and maintaining effective internal control in federal agencies. In addition, FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, states that the GAO standards define the minimum acceptable level of quality for internal control and provide the basis against which internal controls should be evaluated at the FDIC. The GAO standards, which are intended to safeguard public resources and promote accountability, consist of the following five components:

  • Control Environment – The attitude toward internal control and control consciousness established and maintained by management and employees.
  • Risk Assessment – The assessment of risk from external and internal sources at both the entity and activity level.
  • Control Activities – The activities that help identify, prevent, or reduce risks that can impede the accomplishment of organizational objectives. Common control activities include documentation, approvals, authorizations, verifications, separation of duties, and reporting.
  • Information and Communications – The exchange of useful information among people and organizations to support decisions and coordinate activities. Information should be communicated to management and employees who need it, and in a form and timeframe that helps them carry out their responsibilities.
  • Monitoring – The review of an organization’s activities and transactions to assess the quality of performance over time and determine whether controls are effective.

We also used FDIC policies and procedures and various industry-recognized guidelines and practices as supplemental criteria in assessing the Corporate Investment Program. The Glossary in Appendix II contains definitions of the terms used in this report.

In summary, we found that the FDIC had implemented a number of important controls designed to ensure that the DIF and NLF are managed consistent with the FDIC’s Board-approved investment policies. Of particular note, DOF had developed detailed procedures and guidelines to manage the day-to-day operations of the funds. Additionally, the FDIC had created an Investment Advisory Group (IAG) to monitor the performance of the funds and advise the CFO on investment strategies pertaining to the funds. Further, the CFO and DOF officials reported regularly to the Board on the funds’ performance and were taking proactive measures to help ensure the viability of the funds in response to uncertainties in the banking industry.

While these actions are positive, control improvements in some areas of the Corporate Investment Program are warranted. Specifically, the FDIC’s Corporate Investment Policy and DOF’s detailed procedures and guidelines did not reflect current statutory definitions or current investment management practices in some areas. In addition, although the FDIC had a strategy for responding to a liquidity contingency involving the DIF, the FDIC can enhance its response planning by developing a comprehensive written contingency funding plan that describes how the Corporation will implement its strategy under the various contingency scenarios that could occur. Further, the FDIC can enhance its investment management controls by implementing a system of dual control over the authorization and execution of securities transactions and conducting periodic independent validations of key computer-based financial models to ensure they function as intended. We identified one additional potential control enhancement pertaining to interest rate risk management that we are reporting to the OIG separately because we do not consider the matter to be significant in the context of our performance audit results.

We issued a draft of this report on February 25, 2009. We subsequently met with DOF and OIG representatives and obtained informal feedback on the draft report. Based on the informal feedback we received, we made certain changes that we deemed appropriate. On May 8, 2009, the CFO and Director, DOF, provided a formal written response to our draft report.

We conducted this performance audit from September 2008 through January 2009 in accordance with Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards. KPMG was not engaged to, and did not render an opinion on, the FDIC’s internal controls over financial reporting or over financial management systems (for purposes of the Office of Management and Budget’s Circular No. A-127, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting the results of our audit to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

















BACKGROUND

The FDIC has statutory responsibility for managing funds in the DIF and NLF. Brief descriptions of the DIF and NLF follow.

The Deposit Insurance Fund

The DIF was established on March 31, 2006, following the merger of the former Bank Insurance Fund (BIF) and Savings Association Insurance Fund (SAIF). The primary purpose of the DIF is to insure the deposits and protect the depositors of FDIC-insured financial institutions and to resolve failed financial institutions in a manner that results in the least possible cost to the Corporation. In order to remain viable, the DIF must have adequate sources of liquidity to fund the Corporation’s operating costs and the resolution of failed financial institutions. The DIF is funded principally by deposit insurance assessments charged to insured financial institutions and interest earned on investments in U.S. Treasury obligations. Additional funding sources, if needed, include the Federal Financing Bank, U.S. Department of the Treasury (Treasury), Federal Home Loan Banks, and insured depository institutions. Ultimately, the full faith and credit of the U.S. Government stands behind the FDIC’s obligations.

Section 13(a) of the Federal Deposit Insurance (FDI) Act provides that funds held in the DIF that are not otherwise employed shall be invested in obligations of the United States or in obligations guaranteed as to principal and interest by the United States. Further, the Treasury Secretary requires the FDIC to invest its non-appropriated cash held in U.S. Treasury accounts in non-marketable U.S. Treasury securities. Such securities include: U.S. Treasury certificates; conventional Treasury bills, notes, and bonds; callable Treasury securities; Treasury Inflation Protected Securities (TIPS); and zero-coupon Treasury securities. The FDIC purchases and sells these securities through the Bureau of Public Debt’s (BPD) Government Account Series (GAS) program. Although the GAS program is not available to the general public, securities can be purchased and sold through the program at current market prices and without transaction costs to the Corporation. GAS program investments enjoy a high degree of transactional liquidity.

In early August 2008, the FDIC re-classified all of the investment securities in the DIF designated as held to maturity (HTM) to available-for-sale (AFS).[1] This change was based on the FDIC’s determination that it no longer had the positive intent and ability to hold securities classified as HTM until their maturity dates due to significant actual and potential outlays related to the resolution of failed institutions. A key result of this change is that the DIF will now be accounted for at fair value and, as a result, the reserve ratio will be more volatile to changes in interest rates. To illustrate this point, the value of securities classified as AFS typically decreases in a rising interest rate environment. In such an environment, a decline in the value of the DIF investment portfolio would result in a lower reserve ratio, which could impact the Board’s deposit insurance assessment decisions.[2]

As of September 30, 2008, the balance of the DIF was $34.59 billion, down from $52.41 billion at the end of 2007. This decrease was primarily due to outlays associated with the failure of insured financial institutions and an increase in the FDIC’s provision for insurance losses. The DIF reserve ratio as of September 30, 2008, was 0.76 percent, which is below the 1.15 percent minimum level mandated by the Federal Deposit Insurance Reform Act of 2005. On October 7, 2008, the Board approved a plan to restore the DIF reserve ratio to 1.15 percent within the next 5 years as required by statute. The Board subsequently extended the restoration plan horizon to 7 years based on “extraordinary circumstances.”

[1] Debt securities in the DIF investment portfolio may be classified as either AFS or HTM. Securities classified as AFS are accounted for at fair value, while securities classified as HTM are accounted for at amortized cost (i.e., the face value of the securities plus their unamortized premium or less their unamortized discount). To be classified as HTM, an entity must have the positive intent and ability to hold the security to its maturity.
[2] Pursuant to statute, if the DIF reserve ratio falls below 1.15 percent, or if the FDIC expects it to do so within 6 months, the FDIC must, within 90 days, establish and implement a plan to restore the DIF reserve ratio to 1.15 percent within 5 years absent “extraordinary circumstances.”

The National Liquidation Fund

The NLF consists of all funds held by the FDIC in its receivership and corporate liquidator capacities. Investments in the NLF may include Treasury securities, federally-sponsored agency securities, overnight and term interest-bearing deposits at a designated depository, repurchase agreements, and government institutional money market funds. Among other provisions and restrictions, the term of any investment in the NLF may not exceed 1 year. When not otherwise deployed, NLF funds are deposited at the Federal Home Loan Bank of New York (FHLB-NY), the NLF’s current designated depository. FHLB-NY also acts as custodian for the NLF’s other investment securities, principally, federally-sponsored agency discount notes. As the NLF’s designated depository, FHLB-NY provides a variety of banking services that facilitate the collection of receivership funds, payment of receivership expenses, and payment of receivership dividends. In addition, the FDIC uses FHLB-NY to pay depositors of failed financial institutions. The Division of Resolutions and Receiverships’ Dallas Field Office is responsible for managing the FDIC’s banking relationship with FHLB-NY. As of September 30, 2008, the market value of the NLF was $2.86 billion, up from $393 million at the end of 2007. This increase was primarily the result of increased resolution activity.

DIF and NLF Investment Governance

The DIF and NLF are governed by two principal policies approved by the Board: the Corporate Investment Policy and Liquidation Investment Policy (respectively). Among other things, these policies define investment objectives for the funds, key roles and responsibilities, and reporting requirements to the Board. Of particular note, the policies designate the CFO as having primary responsibility for managing the DIF and NLF. The policies require the CFO to report quarterly to the Board on the (1) status and recent investment experience of the funds, (2) current and prospective investment strategies of the funds, (3) principal reasons for significant changes in either the investment experience or strategies of the funds, and (4) actions taken that constitute exceptions to the policies. To assist the CFO in carrying out his responsibilities, the FDIC established the IAG consisting of the CFO; the Director, DOF; and three other members not directly involved in the DIF or NLF investment operations. Among other things, the IAG advises the CFO on fund investment strategies, reviews current and projected economic conditions, investment performance, and cash flow projections for the funds, and evaluates exceptions to the Corporate Investment Policy and Liquidation Investment Policy. The IAG convenes quarterly.

The Director, DOF, is responsible for implementing the funds’ investment strategies and for managing the day-to-day financial transactions of the funds, subject to the general supervision of the CFO. Within DOF, the Treasury Management Section (TMS) handles the day-to-day purchase, sale, accounting, and reporting of investment funds. TMS consists of two units, the Funding and Investments Unit (FIU) and Treasury Operations Unit (TOU). FIU is responsible for monitoring current market conditions, making investment decisions consistent with approved investment strategies, purchasing and selling investment securities, and reporting to management on the performance and risks associated with the funds. TOU is responsible for reviewing the long-term investment purchases and sales made by FIU and for recording transactions in the FDIC’s accounting systems. TOU is also responsible for the overnight investment of DIF funds. Both FIU and TOU have established detailed procedures and guidelines to implement their collective investment management responsibilities. The Figure, which follows, illustrates the investment governance framework for the DIF and NLF.



Figure: DIF and NLF Governance Framework [figure not reproduced]
Source: KPMG Analysis of Corporate Investment Program Documentation.

In addition, DOF staff use various software automation tools and industry information to support their investment management activities, including those listed below.

  • The Bloomberg Professional[3] system and other financial publications are used to obtain information on current and near-term economic and Treasury market conditions (such as yields, maturities, and other relevant information). Among other things, such information is used in formulating investment strategies for the DIF.
  • PORTIA®, a Thomson Reuters application, is used to track DIF and NLF investment transactions, calculate earnings, generate cash receipts for interest and maturity payments, generate reports, and track performance. Details on PORTIA® are provided later in the report under the section entitled, Validation of Computer-based Financial Models.
  • Microsoft Excel®-based spreadsheets are used to prepare and report financial information, such as cash flow projections for the funds, for senior management.
  • The results of Financial Risk Committee meetings and the Division of Resolutions and Receiverships’ Resolutions Report to the FDIC Chairman are used to determine near-term funding requirements and liquidity targets for the funds.

[3] Bloomberg Professional is a trademark and servicemark of Bloomberg Finance L.P., a Delaware limited partnership, or its subsidiaries.





CORPORATE INVESTMENT PROGRAM POLICIES, PROCEDURES, AND GUIDELINES


The Corporate Investment Policy and Liquidation Investment Policy provide a comprehensive framework for the management and oversight of the DIF and NLF investment portfolios, respectively. In addition, DOF has established detailed procedures and guidelines to implement the Corporate Investment Policy and Liquidation Investment Policy and to manage the day-to-day activities of the funds. However, the Corporate Investment Policy and DOF’s detailed procedures and guidelines do not reflect current statutory definitions pertaining to the DIF or current investment management practices in some areas. Up-to-date policies, procedures, and guidelines are an important internal control for ensuring that processes are repeatable, consistent, and disciplined and for reducing operational risk associated with changes in staff.

GAO’s Standards for Internal Control in the Federal Government state that policies and procedures are an integral part of an organization’s operations and a key control for ensuring that management’s directives are carried out. In addition, Circular 4010.3, FDIC Enterprise Risk Management System, requires divisions and offices to maintain current policies and procedures. The table below identifies key Corporate Investment Program policies, procedures, and guidelines and their status.

Table: Key Corporate Investment Program Policies, Procedures, and Guidelines

| Policies, Procedures, and Guidelines                   | Status | Last Updated  |
|--------------------------------------------------------|--------|---------------|
| Corporate Investment Policy                            | X      | December 2006 |
| Liquidation Investment Policy                          | ✓      | October 2007  |
| Corporate Liquidity Guidelines                         | X      | 2002          |
| Procedures for Corporate Investment Purchases          | X      | February 2004 |
| Procedures for Corporate Security Sales                | X      | March 2004    |
| Procedures for Investing the National Liquidation Fund | X      | January 2008  |
| Procedures for Corporate Cash Flow Modeling            | X      | March 2002    |

Legend:
✓ (check mark) - Policy, procedure, or guideline reflects current statutory definitions and investment practices.
X - Policy, procedure, or guideline does not reflect current statutory definitions and/or investment practices in one or more areas.

Source: KPMG analysis of the FDIC’s Corporate Investment Program Policies, Procedures, and Guidelines.

We noted the following areas of the FDIC’s Corporate Investment Program policies, procedures, and guidelines that needed to be updated:

  • Corporate Investment Policy. The policy requires the DIF to consist of both a primary and secondary reserve4 and defines specific investment objectives pertaining to each reserve. However, the secondary reserve has not had a balance since the FDIC reclassified all of the investment securities in the DIF to AFS in August 2008. Prior to the reclassification, approximately 66 percent of the DIF’s balance was in the secondary reserve. Because it is not known when the DIF will contain securities designated as HTM, the investment objectives of the primary and secondary reserves should be re-assessed. For example, the policy requires that the secondary reserve be managed to mitigate reinvestment risk by maintaining a laddered maturity distribution. Because the HTM portfolio has been reclassified to AFS, the policy no longer contains specific controls to manage reinvestment risk.
  • Corporate Liquidity Guidelines. The guidelines, which define the FDIC’s fund investment and borrowing strategies and address funding liquidity risk,5 were developed prior to deposit insurance reform legislation and do not address liquidity strategies pertaining to the DIF. For example, the guidelines define target liquidity levels and related assumptions pertaining to the former BIF and SAIF that do not apply to the DIF. In addition, the guidelines describe corporate borrowing authorities, strategies, and limitations that have been modified by recent legislation.
  • Procedures for Investing the NLF. The procedures define how the FDIC purchases, sells, accounts for, and monitors investment securities permitted by the Liquidation Investment Policy. However, the procedures do not reflect the change in the fund’s designated depository, from the FHLB-Chicago to FHLB-NY, that took place in July 2008.
  • Procedures for Corporate Investment Purchases, Corporate Security Sales, and Corporate Cash Flow Modeling. Because these procedures were developed prior to deposit insurance reform legislation, they define activities and describe computer files pertaining to the former BIF and SAIF that DOF no longer uses in administering the DIF. In addition, the procedures do not reflect DOF’s practice of performing periodic validations of third-party-provided market pricing used by PORTIA®.

4 According to the policy, the primary reserve represents the fund’s principal source of liquidity. The primary reserve consists of overnight investments, investment securities designated as AFS, and investment securities designated as HTM with remaining maturities of 3 months or less. The fund’s secondary reserve, which represents a secondary source of funds, consists of investment securities designated as HTM that are not included in the primary reserve.

DOF officials advised us that the Corporate Investment Policy and Liquidation Investment Policy are typically updated and approved by the Board on a 3-year cycle, or when the membership of the Board changes.6 Updates to DOF’s detailed procedures and guidelines occur on a periodic basis. However, the introduction of legislation pertaining to the DIF, together with the high visibility of the DIF to the public and the Congress, warrants more frequent reviews and updates of the Corporate Investment Program policies, procedures, and guidelines. In the financial services industry, investment policies are typically reviewed at least annually. Once the Corporate Investment Policy and DOF’s procedures and guidelines are updated, it would be prudent for DOF to conduct periodic independent internal assessments of the effectiveness of the program’s controls, including assessing whether the program’s policies, procedures, and guidelines are current, accurate, and complete. DOF officials told us that an internal assessment of the Corporate Investment Program was last conducted in December 2006. Such reviews would promote sound governance and further the internal control and monitoring principles defined in Circular 4010.3.

Recommendations

We recommend that the CFO:
  1. Update the Corporate Investment Policy and DOF’s detailed investment procedures and guidelines and, where appropriate, obtain Board review and approval. As part of this effort, define the frequency with which the Corporate Investment Program policies will be reviewed for possible updates.

5 Funding liquidity risk refers to cash-flow estimations and individual positions.
6 For example, the current Corporate Investment Policy was approved by the Board in December 2006; the policy had been previously reviewed and approved by the Board in November 2003. The Liquidation Investment Policy was approved by the Board in October 2007; the policy had been previously reviewed and approved by the Board in November 2004.

We recommend that the Director, DOF:

  1. Conduct periodic independent internal assessments of the Corporate Investment Program, including its policies, procedures, and guidelines, to ensure such controls are operating as intended.

CONTINGENCY RESPONSE PLANNING

The FDIC has taken a number of proactive steps to prepare for a potential liquidity contingency involving the DIF in which the FDIC would need to borrow funds from outside sources to meet the fund’s liquidity needs. Such steps include executing a formal borrowing agreement with the Federal Financing Bank, recommending to the Congress that the Corporation’s statutory line of credit with the Treasury be increased to ensure the continued viability of the fund, and developing a strategy for borrowing funds from outside sources (components of which are defined in the Large Bank Resolution Strategy and Action Plan and various other briefing materials).

Although not mandated by statute or regulation, the FDIC can further enhance its contingency response planning for the DIF by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside sources under the various contingency scenarios that could occur. Such a plan would represent a proactive risk response planning control for reducing operational risk, including risk associated with the unavailability of key individuals during a contingency. A comprehensive contingency funding plan would also promote transparency and communication throughout the Corporation regarding potential funding contingencies associated with current and emerging business programs. The contingency funding plan should be reviewed and approved by the Board which, by statute, has responsibility for managing the Corporation, and thus has the ultimate responsibility for authorizing outside borrowing decisions on behalf of the Corporation.

The DIF is funded principally by deposit insurance assessments charged to insured financial institutions and interest earned on investments in U.S. Treasury obligations. To ensure the DIF maintains adequate liquidity, the CFO and DOF officials regularly monitor projected sources and uses of funds and purchase or sell investment securities as needed. In addition, the Board may, under certain circumstances and consistent with its statutory authority, raise deposit insurance premiums and impose special assessments on insured financial institutions when additional funds are needed to replenish the DIF. However, circumstances can occur in which these funding sources would not be sufficient to meet the immediate liquidity needs of the DIF. To ensure the DIF remains liquid during such contingencies, the FDIC may use its statutory authority to borrow funds from the Federal Financing Bank, Treasury, Federal Home Loan Banks, and insured depository institutions (collectively referred to herein as outside sources).

We spoke with the CFO and DOF officials regarding how the FDIC would obtain funds from outside sources in response to a liquidity contingency involving the DIF. These officials described a strategy wherein the FDIC would first borrow up to $100 billion (on an as-needed basis and subject to statutory limitations) from the Federal Financing Bank pursuant to a Note Purchase Agreement (NPA), dated December 15, 2006 (as amended), between the FDIC and the Federal Financing Bank. The NPA defines the terms and conditions in which the Federal Financing Bank will purchase notes from the FDIC and the FDIC will request and repay advances. The current NPA is set to expire on September 30, 2009. The Board has authorized the CFO, with the concurrence of the General Counsel, to execute, renew, maintain, and make future minor modifications to the NPA and to execute and deliver future advance promissory notes. The Board has also authorized the CFO, or designee, subject to the conditions of the NPA, to request and repay advances up to, but not exceeding, $100 billion.7 Should the FDIC require funding in excess of the NPA, the FDIC would then borrow from the Treasury. DOF officials informed us that although the FDIC has statutory authority to borrow from the Federal Home Loan Banks and insured depository institutions, it is unlikely such borrowing sources would be used.8

To its credit, the FDIC has developed the Large Bank Resolution Strategy and Action Plan, which defines, among other things, activities for obtaining cash and other funding assistance to operate a receivership and fund a bridge bank. While the Large Bank Resolution Strategy and Action Plan addresses key aspects of a contingency funding plan, it was developed prior to the current financial crisis and its focus is on one principal contingency—a large institution failure. The FDIC can strengthen its contingency response planning for the DIF by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside sources under multiple contingencies. FDIC Financial Institution Letter (FIL) 84-2008, Liquidity Risk Management, dated August 26, 2008, recommends that FDIC-supervised institutions develop formal contingency funding plans that address the various contingency scenarios that can occur and the factors that might influence funding options. While we recognize that the FDIC’s liquidity risk profile differs from the institutions it supervises, FIL 84-2008 identifies elements of a contingency funding plan that, if tailored to the unique business needs of the FDIC, would benefit the Corporation’s liquidity response planning efforts. The following points summarize key elements of a contingency funding plan as defined in FIL 84-2008 and how these elements could apply to the FDIC.

  • Roles and Responsibilities. Clearly defined responsibilities and lines of decision-making are critical for ensuring that all personnel understand their role during a liquidity contingency. While the FDIC has defined roles and responsibilities in its NPA, the Large Bank Resolution Strategy and Action Plan, and various other briefing materials, integrating these roles and responsibilities into a comprehensive, written plan would mitigate operational risk associated with the unavailability of key individuals during a contingency. Additionally, such a plan would promote awareness among division and office personnel who might become involved with a funding contingency.
  • Potential Liquidity Contingencies. Clearly defined thresholds or measures for determining when a potential liquidity contingency has occurred or is about to occur are important components of successful contingency response planning. While the NPA prohibits the FDIC from obtaining advances under certain circumstances,9 recent FDIC program initiatives, such as loss sharing agreements with financial institutions and the Temporary Liquidity Guarantee Program (TLGP), have introduced new liquidity risk and potential contingency funding scenarios for the DIF.
  • Monitoring. Monitoring includes techniques for identifying potential liquidity contingencies and reporting on actions taken in response to such contingencies (e.g., reporting to the Congress, outside agencies, and the public on the FDIC’s borrowing and repayment activities).
  • Potential Funding Restrictions. Planning for circumstances that could trigger restrictions on contingent funding sources, such as the MOL, is a prudent business practice.
  • Adequacy of Contingent Funding Sources. It is a prudent business practice to identify potential contingency funding sources, conditions and limitations on their use, and criteria for determining which sources will be used to address various contingencies. For example, a comprehensive contingency funding plan would reflect the FDIC’s prior determination that certain funding sources permitted by statute are not as cost-effective as others, or that certain sources would not be viable under certain circumstances.

7 In September 2008, the Board authorized the CFO to execute and deliver, or cause to be delivered, an amendment to the NPA, on such appropriate terms and conditions as are satisfactory to the CFO and the General Counsel, in order to increase the funding limit to an amount not to exceed $100 billion.
8 According to section 14 of the FDI Act, the FDIC may borrow $30 billion from the Treasury, except to the extent of any borrowing from insured depository institutions. In any case, the total of FDIC’s obligations is subject to the maximum obligation limitation (MOL) set forth in section 15(c) of the FDI Act; see the Glossary for further information. In addition, the Emergency Economic Stabilization Act of 2008 permits the FDIC to obtain loans in connection with the increase of the deposit insurance coverage effected by that Act; such loans are excluded from the $30 billion limitation and the MOL.
9 For example, advances are conditioned on: (1) the DIF holding $500 million or less in cash and investments in U.S. Treasury obligations at the time any advance is made and (2) that any advance will not cause the DIF to exceed the statutory limitation on its maximum amount of outstanding obligations as defined in Section 15(c) of the FDI Act. These conditions are consistent with provisions of Section 14(b) of the FDI Act, which permits the Federal Financing Bank to set terms and conditions for FDIC borrowings.

Many of the above concepts are also referenced in the Basel Committee on Banking Supervision’s September 2008 publication Principles for Sound Liquidity Risk Management and Supervision. For example, the Basel publication states that financial institutions should maintain formal contingency funding plans that contain clearly defined strategies for addressing liquidity shortfalls in emergency situations. The publication also states that contingency funding plans should outline policies for managing a range of contingencies, establish clear lines of responsibility, define clear invocation and escalation procedures, and be regularly updated to ensure that the plans remain operationally robust.

The FDIC has not needed to draw on outside funding sources since 1991.10 However, the deteriorating economic and industry conditions of the past year underscore the importance of proactive contingency response planning to cover unexpected developments in the financial services industry. A liquidity contingency involving the DIF would likely attract significant public and congressional attention. Accordingly, it would be prudent for the FDIC to develop a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside sources under the various contingency scenarios that could occur. Such a plan would represent an important control for mitigating the risk associated with the unavailability of key individuals during an actual liquidity contingency and for promoting transparency and communication throughout the Corporation. In addition, a contingency funding plan could aid in assessing the impact of new corporate programs, such as the TLGP and loss sharing agreements. The CFO and DOF officials should provide the contingency funding plan to the FDIC’s Board which, by statute, has responsibility for managing the Corporation, and thus has the ultimate responsibility for authorizing outside borrowing decisions on behalf of the Corporation.

Recommendation

We recommend that the Director, DOF:
  1. Strengthen the FDIC’s contingency response planning for the DIF by developing a written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside agency sources for the various contingencies that may occur. The completed contingency funding plan should be provided to the Board for review and approval.

10 The former BIF borrowed funds from the Federal Financing Bank in 1991 for working capital, which the FDIC fully repaid with interest by 1993.

AUTHORIZATIONS TO PURCHASE AND SELL INVESTMENT SECURITIES

DOF implemented a number of important controls over the purchase and sale of investment securities in the DIF and NLF. Such controls include preparing trade tickets to document the rationale and details pertaining to securities transactions, documenting trade confirmations, and performing regular reconciliations to help ensure securities transactions were properly recorded. However, DOF’s investment procedures do not define a dual control over the authorization and execution of securities transactions wherein the authorization is documented in advance of the transaction by an individual other than the person responsible for executing the transaction. Management authorizations to purchase and sell investment securities are based on consensus discussions. While our work did not identify any instances of inappropriate securities transactions, establishing a dual control over the authorization and execution of securities transactions would promote appropriate separation of duties in the FDIC’s investment activities and mitigate the risk of intentional or unintentional errors.

The purchase and sale of DIF and NLF investment securities is principally handled by FIU. Although the number of investment transactions that FIU processes per month varies, the size of the transactions during the period October 1, 2007 through September 30, 2008 ranged from approximately $5 million to $1.4 billion. DOF employs similar processes for executing securities transactions for the DIF and NLF. To illustrate these processes, the following summarizes how an investment security is purchased or sold in the DIF.

As a matter of practice, FIU’s team leader or a senior financial analyst (collectively referred to herein as the FIU) selects specific securities for purchase or sale after taking into consideration various factors, including, but not limited to:

  • constraints contained in the Corporate Investment Policy,
  • constraints contained in the quarterly investment strategy approved by the IAG,
  • current and expected macroeconomic conditions,
  • the relationship between the yield on Treasury securities for different maturities (also referred to as Treasury yields), and
  • the FDIC’s projected funding needs.

After considering these factors, FIU, in consultation with the TMS manager, tentatively identifies specific securities and dollar amounts for purchase or sale and prepares a preliminary trade ticket. FIU forwards the preliminary trade ticket to TOU, which enters the information into PORTIA®. After obtaining current pricing information on the securities under consideration, FIU, in consultation with the TMS manager, decides which securities will be purchased or sold. FIU then executes the securities purchase or sale using BPD’s FedInvest Web site and prepares a final trade ticket to document the transaction.11 FIU forwards the final trade ticket and a transaction confirmation generated by FedInvest to TOU to ensure the transaction is properly recorded in PORTIA®. TOU also enters the transaction information into the FDIC’s New Financial Environment (the FDIC’s principal financial system) and performs daily and monthly reconciliations to help ensure that the FDIC’s accounting records are current, accurate, and complete and consistent with BPD’s records.

Establishing a system of dual control wherein the authorization to execute a security transaction is documented in advance by an individual other than a person responsible for executing the transaction is a recognized control practice in the financial services industry. Such a control helps ensure appropriate separation of duties in operations and mitigates the risk of errors. Trading policies for financial services firms typically identify specific individuals or positions with the delegated authority to authorize and execute securities transactions. Such delegations are generally based on the relative size and complexity of the transaction. For example, significant dollar-value transactions typically require a higher-level management authorization than smaller dollar transactions. Such control practices are also consistent with GAO’s Standards for Internal Control in the Federal Government.

11 The final trade ticket includes such information as the security’s type, par amount, coupon rate, maturity date, call date (if applicable), Committee on Uniform Security Identification Procedures (CUSIP®) identifier, quoted price, and corresponding yield.

Recommendation

We recommend that the Director, DOF:

  1. Establish a system of dual control over the authorization and execution of securities transactions wherein the authorization is documented in advance of the transaction by an individual other than the person responsible for executing the transaction.

VALIDATION OF COMPUTER-BASED FINANCIAL MODELS

DOF relies extensively on PORTIA® and certain Microsoft Excel®-based spreadsheets to monitor and report on the performance of investment securities in the DIF and to support the Corporation’s strategic and tactical investment management decisions. Although DOF has taken steps to help ensure the integrity of these computer-based financial models, periodic independent validations had not been performed on them to ensure they function as intended. Periodic independent validation of computer-based financial models is a recognized practice in the financial services industry for ensuring the reliability of the information that the models produce.

PORTIA® is the principal computer-based financial model DOF uses to manage overnight funds and investment securities. PORTIA® uses built-in financial algorithms and securities pricing information from a third-party service provider12 to calculate the maturity, yield, value, and modified duration of investment securities. DOF uses PORTIA® to generate reports on the performance of investment securities in the DIF and to support key strategic and day-to-day investment management decisions. DOF also uses Excel®-based spreadsheets, some of which may be considered key, to support its investment management activities and to brief senior FDIC management. For example, DOF uses an Excel®-based spreadsheet to generate the Projected Monthly Cash Flow for the DIF. The spreadsheet uses mathematical formulas to determine whether anticipated cash receipts and disbursements will result in a cash flow surplus or deficit for the DIF. Such information is used to manage the DIF’s daily cash positions and support overnight and long-term investment management decisions.

DOF has taken steps to help ensure the integrity of PORTIA® and the Excel®-based spreadsheets it uses to monitor and report on the performance of investment securities. For example, DOF maintains these models on an access-restricted network shared drive that is regularly backed up. Additionally, DOF reviews data contained in the models to help ensure the accuracy of the data processed. While such steps are positive, DOF has not established a procedure to have periodic independent validations performed of PORTIA® and its key Excel®-based spreadsheets to help ensure the models function as intended.




12 Each business day, TOU uploads the CUSIP®s of investment securities in the DIF to the Web site of a third-party service provider. The service provider updates the market prices for each security and notifies TOU, by e-mail, when the updates are complete. TOU then downloads the updated market prices from the service provider’s Web site and imports the data into PORTIA®.

The Office of the Comptroller of the Currency (OCC) has published guidance for the national banks it supervises on the importance of conducting periodic independent validations of computer-based financial models (Bulletin 2000-16 regarding model validation).13 According to the bulletin, periodic independent validation of computer-based financial models is a leading practice for mitigating the risk of relying on erroneous information. The bulletin identifies three generic procedures that apply to any model validation: (1) an independent review of the model’s logical and conceptual soundness, (2) a comparison of the model against other models, and (3) a comparison of the model’s predictions against subsequent real-world events. Depending on the circumstances, any or all three of these generic procedures apply when validating a model’s input (i.e., assumptions and data), processing (i.e., mathematical computations and formulas), and reporting components. The OCC Bulletin also describes a common misconception that validations are not necessary for vendor models because the models have already “met the market test.” The bulletin states that validations of vendor models often identify material processing errors, illustrating that validation principles should be applied regardless of whether a model is purchased from a vendor or developed in house.

A key concept contained in the OCC bulletin is that the depth and frequency of model validation procedures should be consistent with the level of risk being managed and the complexity of the model being validated. With respect to the Excel®-based spreadsheets used by DOF, such models have relatively simple code that can be inexpensively checked to ensure that mathematical computations and code are correct. Although PORTIA® contains more complex mathematical algorithms, the integrity of the model’s computations, such as its modified duration computations, could be checked against an independent source, such as the Bloomberg Professional14 system, to help ensure computations are reliable. Because of its organizational independence, DOF’s Administration and Internal Controls Section could conduct validations of PORTIA® and DOF’s key Excel®-based spreadsheets as part of the internal assessments recommended earlier in this report.

Recommendation

We recommend that the Director, DOF:

  1. Establish a procedure to perform periodic independent validations of PORTIA® and key Excel®-based spreadsheets used in the Corporate Investment Program.








13 In the winter 2005 publication of the FDIC’s Supervisory Insights, OCC Bulletin 2000-16 is identified as the primary source for formal regulatory guidance on financial model governance.
14 Bloomberg Professional is a trademark and servicemark of Bloomberg Finance L.P., a Delaware limited partnership, or its subsidiaries.

Appendix I
OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this performance audit was to assess the FDIC’s controls for ensuring that the DIF and NLF are managed consistent with the FDIC’s investment policies approved by the Board. We conducted this performance audit from September 2008 through January 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Scope and Methodology

To accomplish our objective, we:

  • Interviewed key FDIC officials with responsibility for managing and implementing the Corporate Investment Program, including the CFO; Director, DOF; Deputy Director and Treasurer, DOF; Manager, TMS; and TOU and FIU personnel. We also interviewed FDIC personnel in the Division of Insurance and Research to gain an understanding of the manner in which information from the Financial Risk Committee flows to FIU. In addition, we met with GAO officials working on the annual audit of the FDIC’s funds financial statements to obtain an understanding of the work they perform.
  • Reviewed relevant FDIC policies, procedures, guidelines, and plans, including, but not limited to the:
    • Corporate Investment Policy
    • Liquidation Investment Policy
    • TMS FIU procedures
    • Corporate Liquidity Guidelines
    • DOF TMS Management Control Plan
    • GAO’s financial statement audit process summary memoranda on the Corporate Investment Process and Cash and Cash Equivalents
    • Treasury Operating Circular, Responsibilities Relating to Government Investment Accounts and Investment in Government Account Series (GAS) Treasury Securities
  • Examined relevant FDIC reports summarizing the FDIC’s investment activities. Such reports included, but were not limited to, quarterly CFO Reports to the Board and Monthly Investment Status Reports for the DIF and NLF portfolios.
  • Observed the October 22, 2008 IAG meeting.
  • Identified and documented the FDIC’s governance structure for managing the DIF and NLF.
  • Performed detailed analyses of the FDIC’s investment processes, including policy reporting requirements, investment trade execution, investment trade compliance, cash flow modeling, and cash reconciliations.

Our work did not include an assessment of the sufficiency of deposit insurance assessments or other funding sources to cover anticipated losses from insured depository institutions.



Internal Control

We assessed the Corporation’s internal controls and practices pertaining to investment activities in the DIF and NLF for consistency with relevant portions of the criteria listed below. These criteria, or portions thereof, may not be legally binding on the FDIC. However, we considered them during the audit because they define prudent business practices.

  • GAO’s Standards for Internal Control in the Federal Government, dated November 1999
  • Treasury Operating Circular, entitled Responsibilities Relating to Government Investment Accounts and Investment in Government Account Series (GAS) Treasury Securities, dated October 1, 2008
  • The Board of Governors of the Federal Reserve System’s Trading and Capital-Markets Activities Manual, dated April 2003
  • Basel Committee on Banking Supervision’s Principles for Sound Liquidity Risk Management and Supervision, dated September 2008
  • FIL-84-2008, Liquidity Risk Management, dated August 26, 2008
  • OCC Bulletin 2000-16 regarding model validation, dated May 2000
  • Buy Side Risk Managers Forum and Capital Market Risk Advisors’ Risk Principles for Asset Managers, dated February 25, 2008
  • Federal Housing Finance Board Office of Supervision Advisory Bulletin (06-02), Model Documentation and Validation, dated March 20, 2006
  • The Financial Services Roundtable, Guiding Principles in Risk Management For U.S. Commercial Banks, dated June 1999
  • Institute of International Finance, Principles of Liquidity Risk Management, dated March 2007
  • Senior Supervisors Group, Observations on Risk Management Practices during the Recent Market Turbulence, dated March 6, 2008
  • Committee of European Banking Supervisors’ Second Part Of CEBS’S Technical Advice to the European Commission on Liquidity Risk Management, dated June 17, 2008

Reliance on Computer-processed Information

Our audit objective did not require that we separately assess the reliability of computer-processed data to support our findings, conclusions, and recommendations. Additionally, in performing this performance audit, we did not consider it necessary to evaluate the effectiveness of information system controls in order to obtain sufficient, appropriate evidence.

Performance Measurement

The FDIC’s 2008 Annual Performance Plan did not contain performance goals directly related to our audit objective. However, DOF had developed a Balanced Scorecard containing performance measurement information for both the DIF and NLF. Among other things, the Balanced Scorecard measured the total return of the DIF investment portfolio against the Merrill Lynch 1-10 Year U.S. Treasury Index and the total return of the NLF investment portfolio against the average yield of the generic 3-month U.S. Treasury bill. We considered information contained in DOF’s Balanced Scorecard in planning and conducting our audit work.



Compliance with Laws and Regulations

We determined that the following statutory provisions were relevant to our audit objective.

The FDI Act:
  • Sections 11(a) and (d), Deposit Insurance, Powers and Duties of Corporation as Conservator or Receiver
  • Section 13(a), Investment of Corporation’s Funds
  • Section 14, Borrowing Authority
  • Section 15(c), Limitation on Borrowing
Emergency Economic Stabilization Act of 2008:
  • Section 136(a)(3), Borrowing Limits Temporarily Lifted

We found no instances of noncompliance with these statutory provisions. In addition, we assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.

Prior Coverage

We considered the FDIC OIG’s July 2005 report, entitled The FDIC’s Investment Policies (Report No. 05-025), in planning and conducting our work. The objective of this prior audit was to determine whether the FDIC’s investment strategy and portfolio management procedures provide the highest possible investment returns for the FDIC, taking into consideration the applicable legal and regulatory framework established for investments by the BIF, SAIF, and Federal Savings and Loan Insurance Corporation Resolution Fund. The report contained five recommendations, all of which were resolved and closed prior to the start of our work.

























Appendix II
GLOSSARY OF TERMS

Available-for-Sale (AFS)
Debt and equity securities not classified as either HTM securities or trading securities are classified as AFS securities and reported at fair value, with unrealized gains and losses excluded from earnings and reported in a separate component of shareholders’ equity (see definition for Financial Accounting Standard 115 below). In the case of the DIF’s financial statements, these gains and losses are shown as a separate line item in arriving at comprehensive income. In addition, the DIF does not have any investment securities classified as trading securities.

Bureau of Public Debt (BPD)
BPD is an agency within the Treasury that borrows funds needed to operate the federal government through the issuance of such securities as U.S. Savings Bonds, Treasury Bills, and Treasury Notes. The BPD pays interest on these borrowings and when the borrowings mature, BPD redeems the securities.

Committee on Uniform Security Identification Procedures (CUSIP®)
CUSIP® typically refers to both the Committee on Uniform Security Identification Procedures and the 9-character alphanumeric security identifiers that the committee distributes for all North American securities for the purposes of facilitating clearing and settlement of trades. The CUSIP® distribution system is owned by the American Bankers Association and is operated by Standard & Poor’s. The CUSIP® Service Bureau acts as the National Numbering Association for North America, and the CUSIP® serves as the National Securities Identification Number for products issued from both the United States and Canada.

Designated Reserve Ratio (DRR)
Under the Federal Deposit Insurance Reform Act of 2005, the FDIC must, by regulation, set the DRR for the DIF within a range of 1.15 percent to 1.50 percent. The DRR is defined as the DIF’s net worth to the value of the aggregate estimated deposits insured by the fund.

Duration
In finance, the duration of a financial asset measures the sensitivity of the asset’s price to interest rate movements, expressed as a number of years. Duration is useful primarily as a measure of the sensitivity of a bond’s market price to interest rate (i.e., yield) movements. It is approximately equal to the percentage change in price for a given change in yield. For example, for small interest rate changes, the duration is the approximate percentage by which the value of the bond will fall for a 1 percent per annum increase in market interest rates. So a 15-year bond with a duration of 7 would fall approximately 7 percent in value if interest rates increased by 1 percent per annum. In this respect, duration is the elasticity of a bond’s price in relation to interest rates.

Financial Accounting Standard (FAS) 115
FAS 115 addresses the accounting and reporting for investments in equity securities that have readily determinable fair values and for all investments in debt securities. Those investments are to be classified in three categories and accounted for as follows:

  • Debt securities that the enterprise has the positive intent and ability to hold to maturity are classified as HTM securities and reported at amortized cost.
  • Debt and equity securities that are bought and held principally for the purpose of selling them in the near term are classified as trading securities and reported at fair value, with unrealized gains and losses included in earnings.
  • Debt and equity securities not classified as either HTM securities or trading securities are classified as AFS securities and reported at fair value, with unrealized gains and losses excluded from earnings and reported in a separate component of shareholders’ equity (see definition for AFS above for additional clarification).

Federal Financing Bank (FFB)
The FFB is a government corporation, created by the Congress in 1973, under the general supervision of the Treasury Secretary. The FFB was established to (among other things) centralize and reduce the cost of federal borrowing, as well as federally-assisted borrowing from the public. The FFB has statutory authority to purchase any obligation issued, sold, or guaranteed by a federal agency to ensure that fully guaranteed obligations are financed efficiently.

Government Account Series (GAS) Program
On a daily basis, BPD offers special-issue, non-marketable Treasury securities that are direct obligations of the United States and are offered exclusively in book-entry form. Although the GAS program is not available to the general public, securities can be purchased and sold through the program at current market prices. The Treasury Secretary has restricted federal agencies with investment authority, including the FDIC, to buying and selling such securities through the GAS program.

Held-to-Maturity (HTM)
Debt securities that the holder has the positive intent and ability to hold to maturity. HTM securities are reported at amortized cost (see FAS 115).

Interest Rate Risk
Interest rate risk is the potential that changes in interest rates may adversely affect the value of a financial instrument or portfolio or the condition of the institution as a whole. In general, the values of longer-term instruments are more sensitive to interest rate changes than the values of shorter-term instruments. Interest rate risk is commonly measured by a bond’s duration.

Liquidity
Liquidity is the ability to fund increases in assets and meet obligations when they come due.

Liquidity Risk
Liquidity risk is the risk that an organization will not be able to meet its obligations when they come due. Relevant liquidity risk concepts include:

  • Market Liquidity Risk, which refers to the inability of an organization to sell its assets at or near market value.
  • Funding Liquidity Risk, which refers to cash flow estimation or mismatch risk for both assets and liabilities.
  • Contingency Planning (including stress testing), which refers to how, in the absence of market funding liquidity, an organization can continue to meet its obligations, particularly under periods of stress.


Liquidity Risk Management
Liquidity risk management involves the processes, controls, and infrastructure for mitigating liquidity risk.

Maximum Obligation Limitation (MOL)
The MOL refers to the provisions of Section 15(c) of the FDI Act that limit the DIF’s ability to incur obligations other than deposit insurance guarantees. The MOL is the sum of: (a) DIF’s cash and investments in Treasury securities valued at market value; (b) DIF’s other assets valued at 90 percent of estimated market value; and (c) the $30 billion line of credit with Treasury pursuant to Section 14(a) of the FDI Act. “Obligations” include guarantees issued by the FDIC, amounts borrowed under section 14 of the FDI Act, and obligations for which the FDIC has a direct or contingent liability to pay.

Reserve Ratio
The reserve ratio is a numeric figure reflecting the DIF balance divided by the DIF’s estimated insured deposits. The reserve ratio is a key measure used by the FDIC in assessing the adequacy of the fund’s balance and in formulating deposit insurance assessment policy.




























Appendix III
ACRONYMS USED IN THE REPORT
AFS Available-for-Sale
BIF Bank Insurance Fund
BPD Bureau of Public Debt
CFO Chief Financial Officer
CUSIP® Committee on Uniform Security Identification Procedures
DIF Deposit Insurance Fund
DOF Division of Finance
FDI Federal Deposit Insurance
FFB Federal Financing Bank
FHLB-Chicago Federal Home Loan Bank of Chicago
FHLB-NY Federal Home Loan Bank of New York
FIL Financial Institution Letter
FIU Funding and Investments Unit
GAO Government Accountability Office
GAS Government Account Series
HTM Held-to-Maturity
IAG Investment Advisory Group
KPMG KPMG LLP
MOL Maximum Obligation Limitation
NLF National Liquidation Fund
NPA Note Purchase Agreement
OCC Office of the Comptroller of the Currency
OIG Office of the Inspector General
SAIF Savings Association Insurance Fund
TIPS Treasury Inflation Protected Securities
TLGP Temporary Liquidity Guarantee Program
TMS Treasury Management Section
TOU Treasury Operations Unit












Part II

Corporation Comments and OIG Evaluation























CORPORATION COMMENTS AND OIG EVALUATION

On May 8, 2009, the CFO and Director, DOF, provided a written response to a draft of this report. Management’s response is presented in its entirety beginning on the next page. Management generally concurred with KPMG’s findings and recommendations.

In response to recommendation 1, the CFO plans to update the Corporate Investment Policy (where appropriate) and present it to the Board for review and approval by October 31, 2009. When updating the policy, the CFO will discuss with the Board its preference with respect to the appropriate interval between investment policy updates and incorporate the Board’s preferences for making such updates into the policy. In addition, the CFO plans to update DOF’s detailed investment procedures and guidelines (where appropriate) by December 31, 2009. The CFO will periodically bring these updated procedures and guidelines, as appropriate, to the IAG for review and approval.

In response to recommendation 2, the Director, DOF, plans to conduct independent internal reviews of the Corporate Investment Program every 18 months, or more frequently if conditions warrant. DOF will conduct the first of these reviews in the second half of 2009. In response to recommendation 3, the CFO and Director, DOF, will strengthen the FDIC’s contingency funding plans by incorporating appropriate language regarding FDIC’s contingency funding authorities and strategies into the Corporate Investment Policy and present it to the Board for approval in the fourth quarter of 2009.

In response to recommendation 4, the Director, DOF, will amend existing procedures for purchasing and selling Treasury securities to require an original approval signature of an authorized DOF staff member on the trade ticket. In addition, the individual who approves the purchase and sale of a security will not be the same individual who subsequently executes the transaction. DOF plans to implement this new control for all securities transactions occurring after June 30, 2009. In response to recommendation 5, DOF will verify key computations within PORTIA® (such as its modified duration computations) whenever the software is upgraded. Such verifications will be performed as part of the periodic internal reviews described in DOF’s response to recommendation 2. In addition, DOF will ensure that formulas contained in key Excel®-based spreadsheets that DOF has developed for regular analysis and reporting on investments are periodically verified as a part of the division’s periodic internal reviews.

A summary of management’s response to the recommendations is on page II-6. DOF’s planned actions are responsive to KPMG’s recommendations. The recommendations are resolved, but will remain open until we determine that the agreed-to corrective actions have been completed and are responsive.









CORPORATION COMMENTS


FDIC, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington D.C. 20429-9990, Deputy to the Chairman and Chief Financial Officer
May 8, 2009
MEMORANDUM TO: Jon T. Rymer
Inspector General
Office of Inspector General

FROM: Steven O. App [Electronically produced version; original signed by Steven O. App]
Deputy to the Chairman and
Chief Financial Officer

Bret D. Edwards [Electronically produced version; original signed by Bret D. Edwards]
Director
Division of Finance

SUBJECT: Management Response to OIG Audit No. 2008-050: FDIC’s Corporate Investment Program
 

We would like to thank you, your staff, and the staff of KPMG for the hard work and diligence in conducting this audit of FDIC’s Investment Program. We are pleased that you agree FDIC management has implemented a number of important controls designed to ensure that both the Deposit Insurance Fund (DIF) and the National Liquidation Fund (NLF) are managed consistent with FDIC Board-approved policies. Further, we appreciate your highlighting in your findings that FDIC management regularly reports to the Board on the funds’ performance and that it is taking proactive steps to ensure the funds’ viability in the difficult financial environment in which we now find ourselves.

Your report made five recommendations to management to strengthen controls surrounding the investment program. We address each one separately below:

Recommendation #1: That the CFO update the Corporate Investment Policy and DOF’s detailed investment procedures and guidelines and, where appropriate, obtain FDIC Board of Directors (Board) review and approval. As part of this effort, define the frequency with which the Corporate Investment Program policies will be reviewed for possible updates.

Management Response:

We concur with the recommendation as noted below.

The Corporate Investment Policy was last presented to the Board for its review and approval in October 2006. As discussed in the audit report, the CFO and DOF periodically update the FDIC’s two investment program policy statements—the Corporate Investment Policy and the Liquidation Investment Policy—and present them to the Board for review and approval. While not formally delineated in these two policies, we have generally adhered to a three-year cycle to update the policies and bring them back to the Board for approval. Given the relatively static nature of the parameters governing both of these programs, we believe that performing these reviews and updates every three years is sufficient. Consistent with that practice, we will be updating the Corporate Investment Policy in late 2009 and plan to update the Liquidation Investment Policy in the latter half of 2010. As we are updating these policies, we will discuss with the Board directly its preferences with respect to the appropriate interval between investment policy updates and will incorporate those update parameters explicitly in the policies themselves.

We should note that we keep the Board fully apprised with respect to any material developments regarding both the Corporate and liquidation investment programs. This is generally accomplished quarterly through the quarterly consolidated CFO report to the Board. Major investment program-related developments are continuously communicated to senior management on a more frequent basis through various formal and informal means.

Regarding the procedures/guidelines for investing the Corporate and liquidation investment portfolios, we concur with the recommendation that DOF should periodically review and update these internal procedures/guidelines. Although we believe that the existing procedures/guidelines are generally sound, we agree that some aspects of the written procedures need to be updated to reflect current practices and terminology. DOF staff has begun updating the investment procedures and should complete that task no later than year-end 2009. We will bring these procedures and guidelines, as appropriate, to the Investment Advisory Group (which is comprised of some of the most senior executives in the Corporation) for review and approval as we periodically update them.

Recommendation #2: That the Director, DOF conduct periodic independent internal assessments of the Corporate Investment program, including its policies, procedures, and guidelines, to ensure such controls are operating as intended.

Management Response:

We concur with the recommendation. To implement this recommendation, we plan to conduct independent internal “middle office” reviews every eighteen months going forward (or more frequently if conditions warrant) and will conduct the first of these periodic independent internal reviews of our investment programs in the second half of 2009. Such internal reviews will be performed by the Division of Finance Internal Controls Section and will primarily review investment activities for compliance with approved investment policies and strategies, as well as perform independent testing of performance reporting. We note that such internal reviews will supplement the audit procedures conducted as part of the annual financial statement audits performed by the General Accountability Office (GAO), as well as the performance audits that are conducted by the Office of Inspector General every three years.



Recommendation #3: That the Director, DOF strengthen the FDIC’s contingency response planning for the DIF by developing a written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside agency sources for the various contingencies that may occur. The completed contingency funding plan should be provided to the Board for review and approval.

Management Response:

We agree with the OIG, especially in this time of financial instability, that it is important to ensure that the FDIC is fully prepared to timely fund its deposit insurance and other obligations. The FDIC has worked (and will continue to work) closely with its counterparts at the U.S. Treasury to ensure that as a team, we are ready to procure all the financial resources FDIC needs to fund its obligations as they come due. Hence, we concur with the spirit of the OIG’s recommendation that FDIC should be fully prepared to access the resources necessary to fund DIF obligations as they come due. We also appreciate that the audit states the FDIC has taken a number of proactive steps to prepare for a potential liquidity contingency and that it acknowledges the unique nature of the FDIC’s liquidity risk profile. To address the audit’s recommendation to strengthen the FDIC’s contingency funding plans, DOF staff will incorporate appropriate language regarding FDIC’s contingency funding authorities and strategies into the Corporate Investment Policy that it plans on presenting to the Board for its approval in the fourth quarter 2009.

Recommendation #4: That the Director, DOF establish a system of dual control over the authorization and execution of securities transactions wherein the authorization is documented in advance of the transaction by an individual other than the person responsible for executing the transaction.

Management Response:

We concur with the recommendation. While we already have a number of well functioning and effective controls over the process by which we purchase and sell investment securities, we agree they would be strengthened by implementing this recommendation. Hence, DOF’s existing procedures and segregations of duties for purchasing and selling GAS market-based U.S. Treasury securities will be amended by requiring original approval signatures of an authorized DOF staff member on trade tickets and subsequent transaction execution by a different DOF staff member for all transactions occurring after June 30, 2009.





Recommendation #5: That the Director, DOF establish a procedure to perform periodic independent validations of PORTIA® and key Excel®-based spreadsheets used in the Corporate Investment Program.

Management Response:

We agree with the OIG that it is vitally important to ensure any computer-based tools and models utilized for investment management and reporting purposes are accurate and otherwise sound, notably the PORTIA® and the key Excel®-based spreadsheets used by DOF staff. Accordingly, we concur with this specific recommendation, except in one minor respect, as more fully discussed below.

In managing this program, DOF staff relies extensively on the PORTIA® system, a well-tested, proven computer-based application that is used widely across the investment industry. More specifically, Thomson Reuters’ PORTIA® portfolio management and tracking software is a vendor-provided application (commercial off-the-shelf) used for tracking and accounting for DIF’s investment portfolio of U.S. Treasury notes, bonds, inflation-indexed securities, and overnight certificates. Thomson Reuters is an internationally recognized corporation that provides financial data services to entities worldwide. The FDIC originally acquired PORTIA® in early 2001 and in November 2008 we upgraded to the most recent version of the application. On an ongoing basis, we see little benefit to the FDIC in independently verifying or testing the calculations within PORTIA® as we believe it is subjected to those tests daily by its thousands of users across the globe. However, to the extent that DOF acquires a PORTIA® upgrade, we agree with the OIG that verification of the system’s key computations (such as modified duration computations) may be warranted. Thus, we will ensure such verifications are performed, when appropriate, as part of the periodic internal reviews going forward (as discussed in Recommendation #2 above). Additionally, we reconcile our Corporate investment accounts daily with the U.S. Treasury’s Bureau of Public Debt (BPD), and this serves as an additional check that the PORTIA® software is doing an adequate job of tracking our investments for us.

To the extent we consistently utilize key MS-Excel® spreadsheets that we have built for our own use to perform analysis or report on investments, we agree with the OIG that periodic verification of the formulas contained in those key spreadsheets is warranted. We will ensure such verifications are performed as a part of the periodic internal reviews to be conducted going forward (as discussed in Recommendation #2 above).





MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents management’s responses to the recommendations in KPMG’s report and the status of the recommendations as of the date of report issuance.

| Rec. No. | Corrective Action: Taken or Planned | Expected Completion Date | Monetary Benefits | Resolved (a): Yes or No | Open or Closed (b) |
|---|---|---|---|---|---|
| 1 | The CFO will update the Corporate Investment Policy, as appropriate, and present it to the Board for approval in late 2009. In addition, DOF will periodically update procedures and guidelines for investing the Corporate and liquidation investment portfolios to reflect current practices and terminology and present them, as appropriate, to the IAG for review and approval. | December 31, 2009 | $0 | Yes | Open |
| 2 | DOF plans to conduct internal reviews every 18 months, or more frequently if conditions warrant, and will conduct the first of these reviews in the second half of 2009. | December 31, 2009 | $0 | Yes | Open |
| 3 | DOF will incorporate appropriate language regarding the FDIC’s contingency funding authorities and strategies into the Corporate Investment Policy. | October 31, 2009 | $0 | Yes | Open |
| 4 | DOF will amend existing procedures for securities transactions by requiring an original approval signature of an authorized DOF staff member on trade tickets and subsequent transaction execution by a different DOF staff member. | June 30, 2009 | $0 | Yes | Open |
| 5 | DOF will ensure that verifications are performed, as appropriate, of PORTIA® and key Excel®-based spreadsheets as part of DOF’s periodic internal reviews described under Recommendation 2. | December 31, 2009 | $0 | Yes | Open |

(a) Resolved –
(1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.








II-6






Last updated 6/4/2009