In developing our business plan for fiscal year 2008, we conducted outreach meetings with FDIC Division Directors and their staffs to help shape our thinking on the issues and risks facing the FDIC. We then shared listings of our planned work with the Chairman and Vice Chairman of the FDIC and sought input from congressional stakeholders on our plans for the fiscal year. We appreciate the feedback from all involved in those initiatives. Our 2008 plan is a blueprint for our work throughout the year. To remain responsive to unforeseen issues or requests requiring our attention, however, we will modify this plan accordingly. During fiscal year 2008, I anticipate expanded investigative activity and results owing to an ongoing reorganization of our Office of Investigations, which will place Office of Investigations resources in several more of the FDIC’s regional offices. Our Office of Audits will address supervision, insurance, and consumer protection issues with more narrowly focused, risk-based objectives; continue to provide needed coverage of information security matters; and devote more

VISION

MISSION

STRATEGIC GOALS

Safety & Soundness

Insurance

Consumer Protection

Receivership Management

FDIC Resources Management

OIG Resources Management

FY 2008 PERFORMANCE GOALS

• Help ensure the effectiveness and efficiency of the FDIC’s supervision program
• Investigate and assist in prosecuting bank secrecy act violations, money laundering, terrorist financing, fraud, and other financial crimes in FDIC-insured institutions

• Evaluate corporate programs to identify and manage risks that can cause losses to the fund
• Evaluate selected aspects of implementation of deposit insurance reform

• Contribute to the effectiveness of the Corporation’s efforts to ensure compliance with consumer protections at FDIC-supervised institutions
• Conduct investigations of fraudulent representations of FDIC affiliation or insurance that negatively impact public confidence in the banking system

• Evaluate the FDIC’s plans and systems for managing bank resolutions
• Investigate crimes involved in or contributing to the failure of financial institutions or that lessen or otherwise affect recoveries by the Deposit Insurance Fund involving restitution or otherwise.

• Evaluate corporate efforts to manage human resources and operations efficiently, effectively, and economically
• Promote integrity in FDIC internal operations
• Promote alignment of IT with the FDIC’s business goals and objectives
• Promote IT security measures that ensure the confidentiality, integrity, and availability of corporate information
• Promote personnel and physical security
• Promote sound corporate governance and effective risk management and internal control efforts

• Effectively and efficiently manage OIG human, financial, IT, and physical resources
• Ensure quality and efficiency of OIG audits, evaluations, investigations and other projects and operations
• Encourage individual growth and strengthen human capital management and leadership through professional development and training
• Foster good client, stakeholder, & staff relationships
• Enhance OIG risk management activities

The following ongoing audit assignments will carry over to FY 2008:

• FDIC’s Assessment of Commercial Real Estate Concentration Risk
• The Division of Supervision and Consumer Protection’s (DSC) Examination Assessment of Interest Rate Risk
• FDIC’s Oversight of Subprime Credit Card Lending
• FDIC’s Implementation of the USA PATRIOT Act
• Examination Procedures for Assessing Controls to Protect Customer and Consumer Information at Multi-regional Data Processing Servicers
• Implementation of the FDIC’s Supervisory Guidance for Nontraditional Mortgage Products
• FDIC Laptop Computer Replacement

1. Material Loss Reviews

   The OIG of the respective primary federal regulator is required by the FDIC Improvement Act of 1991 (FDICIA) to perform a material loss review and report on failures of insured depository institutions resulting in losses to the deposit insurance fund which exceed the greater of $25 million or 2 percent of the institution’s assets. material loss reviews must be completed within 6 months from the time it is determined that a failure or payment of financial assistance will result in a material loss to the insurance fund.

   To maintain staff expertise and skills for material loss reviews, the IG may elect to conduct reviews of institutions losses that do not meet the materiality threshold established in the statute. These smaller losses may still identify potential improvements in the FDIC’s supervision program.

   The audit objectives, as required by FDICIA and incorporated into the FDI Act, section 38, are to determine (1) the causes for a material loss to a deposit insurance fund caused by an FDIC-supervised institution and (2) the adequacy of the FDIC’s supervision of the institution, including implementation of Prompt Corrective Action requirements.

   Benefits/Potential Outcomes: Improved supervision program for identifying and addressing unsafe and unsound banking practices to reduce or eliminate losses associated with institution failures.

2. CAMELS Ratings Process

   The Uniform Financial Institutions Rating System (UFIRS) was adopted by the Federal Financial Institutions Examination Council (FFIEC) on November 13, 1979. Under the UFIRS, each financial institution is assigned a composite rating by a federal or state banking agency based on an evaluation and rating of six essential components of an institution's financial condition and operations. These component factors address the adequacy of Capital, the quality of Assets, the capability of Management, the quality and level of Earnings, the adequacy of Liquidity, and the Sensitivity to market risk (otherwise known as CAMELS).

   The banking agencies assign composite and component ratings based on the results of periodic risk-management examinations. The composite rating generally bears a close relationship to the component ratings assigned. Assigned composite and component ratings are disclosed to the institution’s board of directors and senior management, but are not available to the public. The CAMELS are used as a supervisory tool for evaluating the soundness of financial institutions on a uniform basis and for identifying those institutions requiring special attention or concern.

   The audit objective is to determine the extent to which the FDIC has established controls to ensure uniformity in the CAMELS ratings process.

   Benefits/Potential Outcomes: Assurance that controls have been established and are functioning to ensure uniformity in the CAMELS ratings process

3. FDIC Policies and Procedures for Assessing Interest Rate Risk

   Interest rate risk is the exposure of a bank's earnings and capital to changes in interest rates. Interest rate fluctuations can affect earnings by changing net interest income and other interest-sensitive income and expense levels. Interest rate changes can also affect capital by changing the net present value of a bank's future cash flows, potentially impairing the net portfolio’s underlying value. Bank examiners’ assessment of interest rate risk is summarized in an assigned risk rating for the component known as sensitivity to market risk, which is the “S” part of the CAMELS rating system. The sensitivity to market risk component rates the degree to which changes in interest rates, foreign exchange rates, commodity prices, or equity prices can adversely affect a financial institution's earnings or economic capital. For most institutions, market risk primarily reflects exposures to changes in interest rates. Bank examiners assess the level of interest rate risk exposure in light of a bank's size, the nature and complexity of its activities, levels of capital and earnings, and most importantly, the effectiveness of the bank’s risk management processes. At the core of the interest rate risk examination process is a supervisory assessment of how well bank management identifies, measures, monitors, and controls market risk. Accepting interest rate risk is a normal part of banking and can be an important source of profitability and shareholder value. However, excessive interest rate risk can threaten banks' solvency.

   This is the second of two assignments on interest rate risk. The first assignment is focused on examiner compliance with policies and procedures addressing interest rate risk and the consideration of related off-site information. The second assignment will look at the appropriateness of these policies and procedures, with the assistance of an outside expert.

   The audit objective is to determine whether the FDIC has appropriate policies and procedures for assessing and addressing institutions’ sensitivity to interest rate changes, including sufficient data collection and risk metrics.

   Benefits/Potential Outcomes: Improved supervision program to identify, assess, and address interest rate risk.

4. The FDIC’s Process for Ensuring Financial Institutions Address Risks Associated with Nontraditional Mortgage Products

   The risks associated with loan terms and underwriting practices used for nontraditional mortgage products are outlined in interagency guidance issued in October 2006 and entitled, Interagency Guidance on Nontraditional Mortgage Product Risks. The federal financial institution regulatory agencies developed this guidance to assist financial institutions in managing the risks associated with the use of mortgage products that allow borrowers to defer payment of principal and, sometimes, interest. These products include “interest-only” mortgages and “payment option” adjustable-rate mortgages, that are at times combined with home equity lines of credit.

   The objective of this audit will be to assess examination coverage of loan terms and underwriting standards for nontraditional mortgage products at FDIC-supervised institutions.

   Benefits/Potential Outcomes: The audit may identify opportunities to strengthen the FDIC’s examination practices related to nontraditional mortgage products.

5. FDIC Activities Addressing Liquidity Risks

   Liquidity represents the ability to fund assets and meet obligations as they become due. Liquidity is essential in all banks to compensate for expected and unexpected balance sheet fluctuations and provide funds for growth. Liquidity risk is the risk of not being able to obtain funds at a reasonable price within a reasonable time period to meet obligations as they become due. Because liquidity is critical to the ongoing viability of any bank, liquidity management is among the most important activities that a bank conducts. The formality and sophistication of liquidity management depends on the size and sophistication of the bank, as well as the nature and complexity of its activities. Regardless of the bank, good management information systems, strong analysis of funding requirements under alternative scenarios, diversification of funding sources, and contingency planning are crucial elements of strong liquidity management.

   Bank examiners’ assessment of liquidity is summarized in an assigned component risk rating, which is the “L” part of the CAMELS rating system. The liquidity component should be assigned in the context of other financial factors. Banks with very strong capital positions and earnings fundamentals are likely to be able to easily fund ongoing operations and have no difficulty raising liquidity for even unforeseen events. Conversely, banks with low levels of capital, weak earnings, or asset deterioration, may find financing to be more expensive or borrowing line maturities reduced. In evaluating the adequacy of a financial institution's liquidity position, consideration should be given to the current level and prospective sources of liquidity compared to funding needs, as well as to the adequacy of funds management practices relative to the institution's size, complexity, and risk profile. In general, funds management practices should ensure that an institution is able to maintain a level of liquidity sufficient to meet its financial obligations in a timely manner and to fulfill the legitimate banking needs of its community at a reasonable cost.

   In the last year, liquidity concerns have been a major factor for problem institutions and institutions engaged in nontraditional mortgage lending. A shortage of funds can freeze payments, cause depositor runs, and lead to sudden bankruptcies. In addition, the FDIC Improvement Act of 1991 placed limits on funding sources for institutions with deteriorating capital levels, including restrictions on the use of brokered deposits and Federal Reserve bank advances.

   The audit objective is to determine the extent to which the FDIC addresses institution liquidity risk through various regulatory and supervisory activities, including: (1) institution and examination policies, procedures, and guidance; (2) examiner training; and (3) risk management examinations.

   Benefits/Potential Outcomes: Improved supervision program to identify, assess, and address liquidity risks.

6. Investment Policies

   The Secretary of the Treasury requires the FDIC to invest its non-appropriated cash in U.S. Treasury obligations that are purchased or sold through the Bureau of Public Debt’s Government Account Series Program. As of December 31, 2006, the book value of investments in U.S. Treasury obligations, net, was $46.1 billion. The FDIC seeks to maximize its return on such investments, subject to liquidity considerations. The FDIC considers liquidity requirements and current and prospective market conditions, including U.S. Treasury yields, when developing quarterly investment strategies. In our audit of The FDIC’s Investment Policies (Report No. 05-025, dated July 14, 2005), we recommended, and the FDIC Chairman agreed, that the FDIC should retain outside experts to conduct periodic, independent reviews of the Corporation’s investment program. Such reviews should take place every 3 years and include consideration of the investment policies applicable to the National Liquidation Fund.

   The audit objective is to determine whether the FDIC’s Deposit Insurance Fund investments and its National Liquidation Fund investments are meeting their objectives related to return, volatility, and liquidity, while maintaining adequate controls over the investment process.

   Benefits/Potential Outcomes: The audit may identify opportunities to strengthen the FDIC’s investment management practices related to the Deposit Insurance Fund.

   Benefits/Potential Outcomes: The audit may identify opportunities to strengthen the FDIC’s investment management practices related to the Deposit Insurance Fund.

7. Off-site Monitoring for Insurance Risk

   The primary purpose of the Off-site Review Program is to ensure that institutions receive appropriate supervisory follow-up. The Off-site Review Program is designed to identify emerging supervisory concerns and potential problems so that supervisory strategies can be appropriately adjusted. Off-site Reviews are performed quarterly for each bank that appears on the Off-site Review List (ORL). Regional management is responsible for implementing procedures to ensure that Off-site Review findings are factored into examination schedules and other supervisory activities. The ORL is generated after Call Report data is updated each quarter. Banks are selected for review based on the following:

   • Statistical CAMELS Off-site Rating (SCOR)⁵ and SCOR-Lag.⁶ The ORL includes those 1- and 2-rated institutions identified by SCOR or SCOR-Lag as having a 35 percent or higher probability of a downgrade to 3 or worse. The bank must have filed four or more consecutive Call Reports or Thrift Financial Reports.
   • Growth Monitoring System (GMS)⁷. The ORL includes institutions with a composite rating of 1 or 2 and in the 98th or 99th GMS growth percentile. The bank must have filed five or more consecutive Call Reports or Thrift Financial Reports. The model excludes de novo institutions; however, the regions are encouraged to perform additional off-site activity for de novo and other high-growth institutions.
   • Manual Selection. The ORL includes institutions that were added for review by the Regions.

   Each institution on the ORL must have an Off-site Review. The Tracking Section within ViSION documents the reviewer’s findings and supervisory strategy. In particular, the reviews identify which of the following eight risk measures are applicable to the institution (a risk flag is assigned to an identified/applicable risk measure):

   • SCOR,
   • SCOR-Lag,
   • Real Estate Stress Test (REST),⁸
   • GMS,
   • Consistent Grower,
   • Quarterly Lending Alert,
   • Young Institutions, and
   • Multiflag.

   Based on the information available during the review, the reviewer assigns a level of risk as Low, Medium, or High. The reviewer must provide supporting comments for those institutions with a risk level of “Medium” or “High.” The reviewer must also designate the risk trend as Decreasing, Stable, or Increasing. In addition, the reviewers are required to document their actions during the review as well as their suggested follow-up actions. If the Off-site Review indicates that the institution poses a greater risk to the insurance fund than indicated by the composite rating, a rating change should be initiated.

   The audit objective is to determine whether DSC makes appropriate use of SCOR, GMS, and REST data for off-site monitoring purposes and takes appropriate action to follow up on significant concerns in a timely manner.

   Benefits/Potential Outcomes: Provide assurance that the FDIC is making effective use of Call Report data for off-site monitoring of insurance risks

8. The FDIC’s Receipt and Assessment of Savings Association Subsidiary Notices

   As the deposit insurer for approximately 8,600 financial institutions, the FDIC is responsible for monitoring the risks these institutions pose to the Deposit Insurance Fund. For about 5,200 of these institutions, the FDIC is the primary federal regulator and conducts periodic onsite risk management examinations to assess insurance risk in coordination with state supervisors. For the other 3,400 institutions, the FDIC monitors its insurance risk through its review of information and reports provided by the federal and state banking supervisors, analysis of quarterly Call Reports and other available off site data, and the review of applications and notices submitted by insured institutions.

   For over 800 federal and state chartered insured savings associations supervised by the Office of Thrift Supervision (OTS), section 18(m) of the FDI Act requires each of these savings associations to notify the FDIC and the OTS not less than 30 days prior to the establishment or acquisition of a subsidiary, or the start of any new activity through a subsidiary that the savings association controls. With respect to any subsidiary of an insured savings association, the FDIC and the OTS each has enforcement powers pursuant to sections 8 and 18 of the FDI Act.

   The audit objective is to determine whether there are controls in place to ensure that the FDIC (1) receives savings association subsidiary notices in a timely manner and (2) reviews these notices to assess possible risks posed to the Deposit Insurance Fund.

   Benefits/Potential Outcomes: Improved assessment and mitigation of risks posed to the Deposit Insurance Fund from activities conducted by savings association subsidiaries.

9. Collection of Deposit Insurance Assessments

   On February 8, 2006, the President signed the Federal Deposit Insurance Reform Act of 2005 (Reform Act) into law. The Federal Deposit Insurance Reform Conforming Amendments Act of 2005 which the President signed into law on February 15, 2006, contains necessary technical and conforming changes to implement deposit insurance reform, as well as a number of study and survey requirements. The FDIC’s Board of Directors has adopted the following final rules implementing the Reform Act: (1) Inflation Index; Certain Retirement Accounts and Employee Benefit Plan Accounts; (2) One-time Assessment Credit; (3) Assessment Dividends; (4) Operational Processes Governing the FDIC's Deposit Insurance Assessment System; (5) Risk-Based Assessment System; (6) Designated Reserve Ratio; (7) Official FDIC Sign and Advertising of the FDIC Membership; and (8) Proposed Guidelines on Adjustments to Large Institution Assessment Rates.

   According to FDIC’s Rules and Regulations, deposit insurance assessments are collected after each quarterly period being insured. The FDIC Board of Directors sets assessment rates for each risk category. The FDIC makes available to each insured depository institution, via the FDIC’s secure e-business Web site, FDICconnect, a quarterly certified statement invoice for each assessment period. The first invoices were made available in June 2007 and payment was required within 15 days. The quarterly certified statement invoice reflects the institution’s risk assignment to a risk category, assessment base, assessment computation, and assessment amount. Each institution is required to review the quarterly certified statement invoice and, if it agrees that the invoice is true, correct, and complete, make payment. The FDIC Rules and Regulations also provide procedures for institutions to use in the event there is disagreement with the invoice. Assessment revenue is estimated to grow from about $650 million in 2007 to over $2.4 billion in 2008. This increase in revenue, in part, recognizes the use of assessment credits provided to certain institutions. In 2007, assessment credits used are estimated to be about $3 billion but decline to $1.5 billion in 2008.

   The audit objective is to determine whether the FDIC has established and implemented effective controls to ensure compliance with the statutory and regulatory requirements related to invoicing and collection of deposit insurance assessments.

   Benefits/Potential Outcomes: Assurance that a sound internal control structure is in place for collection of deposit insurance assessments.

10. Consumer Credit Underwriting Practices in Community Banks

    Financial institutions must consider multiple sources of information in underwriting consumer credit, including sources of payment, credit bureau scores, and the value of collateral, if applicable. Few institutions have an automated underwriting system which is used exclusively to make the credit decision. Some level of human review is usually present to provide the flexibility needed to address individual circumstances. For community banks, in particular, much of this process is performed manually, which can lead to inconsistencies and errors in underwriting.

    Manual steps in the underwriting process may include verification of income, consideration of any guarantees, appraisals of collateral, and consideration of consumer credit history. Institutions typically establish a minimum cut-off score below which applicants are denied and a second cutoff score above which applicants are approved. However, there is usually a range, or "gray area," in between the two cut-off scores where credits are manually reviewed and credit decisions are judgmentally determined.

    To ensure these processes are reliable, bank management should have a system of controls in place that includes written policies and procedures, employee training, adequate levels of supervision, and periodic internal audit coverage.

    As a further precaution, institutions that rely on credit bureau scores as part of the credit underwriting process should sample and compare credit bureau reports to determine which credit bureau most effectively captures data for the market(s) in which the institution does business. For institutions that acquire credit from multiple regions, use of multiple scorecards may be appropriate, depending on apparent regional credit bureau strength. In some instances, it may be worthwhile for institutions to pull scores from each of the major credit bureaus and establish rules for selecting an average value. By tracking credit bureau scores over time and capturing performance data to differentiate which score seems to best indicate probable performance outcome, institutions can select the best score for any given market. Efforts to differentiate and select the best credit bureau score should be documented.

    The audit objective is to assess the FDIC’s approach to assessing consumer credit underwriting practices in community banks.

    Benefits/Potential Outcomes: Provide assurance that FDIC examiners are appropriately assessing credit underwriting practices for consumer lending.

11. FDIC Supervision of Financial Institution Compliance with the Real Estate Settlement Procedures Act

    The Real Estate Settlement Procedures Act of 1974 (RESPA) is applicable to all federally-related mortgage loans, except for certain types of loans which are exempted. Congress determined that significant reforms in the real estate settlement process were needed to ensure that consumers were (1) provided greater and timely information on the nature and costs of the settlement process and (2) protected from unnecessarily high settlement charges caused by certain abusive practices. RESPA requires lenders, mortgage brokers, or servicers of home loans to provide borrowers with pertinent and timely disclosures regarding the nature and costs of the real estate settlement process. RESPA also protects borrowers against certain abusive practices, such as kickbacks, and places limitations upon the use of escrow accounts and is applicable to all federally-related mortgage loans, including refinances secured by a first or subordinate lien on residential real property.

    Although overall authority for RESPA compliance and enforcement remains with the Department of Housing and Urban Development, the FDIC and other federal banking agencies examine financial institutions for compliance. Section 10(b) of the FDI Act provides the FDIC general authority to examine for RESPA compliance at FDIC-supervised financial institutions, and Section 8 provides general authority for enforcement. RESPA also provides specific authority to the FDIC to enforce compliance.

    A review of RESPA compliance is important because of the:

    • significant risk due to downturns in the residential real estate market, which could cause mortgage lenders to be more aggressive in their lending practices;
    • anticipation of large restructuring and refinancing of nontraditional real estate loans in the near future; and
    • need to determine whether financial institutions are providing adequate disclosure to make sure consumers understand the types of real estate loans they are obtaining.

    The objective of this audit will be to assess FDIC supervision of financial institution compliance with key provisions of RESPA, as amended.

    Benefits/Potential Outcomes: An assessment of (1) RESPA-related policies, procedures, and guidance for institutions and examinations; (2) examiner training on RESPA requirements; (3) examination planning and reporting; and (4) supervisory follow-up of RESPA deficiencies and violations.

12. FDIC Benefits Contracts

    The FDIC negotiated certain “non-federal” employee benefits with the National Treasury Employees Union (NTEU) as part of the 2006-2009 Compensation Agreement. FDIC Choice, the Corporation’s Flexible Cafeteria Benefits Plan, describes these benefits. The FDIC has established agreements with benefits service providers to support its employee benefits program including, but not limited to, agreements with Metropolitan Life Insurance Company (“MetLife”) for Dental and Life insurance, VSP for Vision, and MyEnroll.com for online information about FDIC Choice programs. The audit will focus on the reasonableness of costs paid to benefits service providers and the efficiency and effectiveness of services provided.

    The audit objective is to determine whether key FDIC service provider contracts provide for the efficient and effective delivery of benefit services to FDIC employees.

    Benefits/Potential Outcomes: The audit may result in potential costs savings and efficiencies in the administration of the FDIC’s benefits contracts.

13. Contract Oversight Management of Infrastructure Services Contract

    In early 2004, the FDIC entered into an Interagency Agreement with the General Services Administration (GSA) for IT support services. Under GSA's Federal Systems Integration Management Center (FEDSIM) Millennia contract, GSA issued the Infrastructure Services Contract to SRA International, Inc. (SRA) to provide IT goods and services for the FDIC. SRA participates as one of the Millennia contactors. The 5 year, performance-based Infrastructure Services Contract has an estimated value of more than $300 million over its life cycle. IT services and goods procured under the contract include program management, client and help desk support, data center operations and local area network administration, security operations and support, systems engineering and integrations, and IT equipment.

    The objectives of the audit will be to assess (1) the FDIC's contract oversight management of SRA and its subcontractors, including subcontractor selection and performance, and (2) support for payments made by the FDIC for IT goods and services provided by SRA and its subcontractors.

    Benefits/Potential Outcomes: We expect that the audit will identify opportunities for the FDIC to strengthen its contract oversight management practices related to SRA and its subcontractors. We also expect that the audit will provide the FDIC greater assurance that expenditures for IT services and goods are accurate, properly authorized, and supported with adequate documentation.

14. Supervisory Information on Insured Institutions

    The FDIC’s DSC has primary responsibility for conducting safety and soundness examinations of FDIC-supervised institutions to assess their overall financial condition, management practices and policies, and compliance with applicable laws and regulations, including consumer protection and fair lending laws. In addition, DSC is responsible for monitoring the condition of insured institutions supervised by other federal regulators, and may make rating changes, conduct special examinations, and take enforcement actions as needed. In fulfilling its responsibilities, DSC collects, maintains, and reports vast amounts of financial institution-related information. DSC has a number of information systems to support its business operations, which are used to monitor problem banks, develop regulatory policy, and conduct research and analysis on important banking issues. DSC also relies extensively on information technology to support its operations and manage its information.

    The objective of the assignment will be to identify areas of potential risk associated with DSC’s use of information technology to support its business operations.

    Benefits/Potential Outcomes: The assignment may identify opportunities for DSC to achieve efficiencies and reduce risk in its use of information technology to support its business operations.

15. Federal Information Security Management Act

    On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public Law 107-347). Title III of this act is the Federal Information Security Management Act of 2002 (FISMA). FISMA directs federal agencies, including the FDIC, to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluation to the Office of Management and Budget (OMB). FISMA states that the independent evaluation is to be performed by the agency Inspector General or an independent external auditor as determined by the Inspector General.

    The audit objective is to evaluate the effectiveness of the FDIC’s information security program and practices, including the FDIC's compliance with FISMA and related information security policies, procedures, standards, and guidelines.

    Benefits/Potential Outcomes: The audit may identify information systems vulnerabilities and opportunities for the FDIC to strengthen its information security program controls and practices.

16. Consolidated Appropriations Act, Section 522 Compliance

    Section 522 of the Consolidated Appropriations Act, 2005 (Division H, The Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005) requires, among other things, that agencies, including the FDIC, establish and implement comprehensive privacy and data protection procedures and have an independent third-party review performed of their privacy programs and practices. According to the Act, agency Inspectors General are to contract with an independent firm to conduct the review. The review is required to be conducted at least every 2 years.

    The audit objectives will be to (1) evaluate the agency’s use of information in identifiable form (i.e., personally identifiable information (PII)) and the FDIC’s privacy and data protection procedures and (2) recommend strategies and specific steps to improve privacy and data protection management practices.

    Benefits/Potential Outcomes: Enhanced protection of the Corporation’s PII and strengthened privacy and data protection management practices.

17. General Ledger Accounting Processes

    The General Ledger was implemented on May 2, 2005 as the central component of the New Financial Environment (NFE). A module within PeopleSoft’s Financials software, version 8.4, the general ledger, provides accounting, reporting, and decision making information for FDIC business managers. All financial transactions post, either individually or in summary, to the general ledger, regardless of the origin of the transaction. Key general ledger processes include (a) general ledger editing and posting; (b) allocations, accruals, and month-end/year-end closings; and (c) general ledger analysis and reconciliation. Although the GAO reviews internal controls related to the general ledger as part of its annual audit of the FDIC’s financial statements, GAO’s work is not designed to assess all aspects related to the efficient and effective operation of the general ledger. Accordingly, we plan to assess whether the general ledger provides the FDIC the ability to meet its current and future financial management needs in an efficient and effective manner. The audit will also assess whether key user and system documentation is up-to-date and whether general ledger reporting meets user information needs.

    The audit objective is to evaluate whether the NFE general ledger allows the FDIC to satisfy its accounting needs in an efficient and effective manner.

    Benefits/Potential Outcomes: The audit may identify potential system or process enhancements that could (a) reduce time and effort spent on accounting tasks (such as through reduced manual processes or improved reporting), (b) strengthen data integrity and management controls, and (c) improve financial management reporting.

18. Financial Reporting Through the Government-wide Financial Report System

    Pursuant to the Government Management Reform Act of 1994, GAO conducts an annual audit of the Consolidated Financial Statements of the U.S. government. In conducting the audit, GAO relies upon financial information reported by government agencies (including the FDIC) to the U.S. Treasury Department via the Government-wide Financial Report System (GFRS). GAO has requested that the OIG attest to the accuracy of financial information reported by the FDIC through the GFRS as of September 30, 2007. This assignment will involve verifying whether the FDIC’s financial data submissions in the U.S. Treasury’s Closing Package are current, accurate, and complete. The audit work will be conducted in accordance with generally accepted government auditing standards, which incorporate financial audit and attestation standards established by the American Institute of Certified Public Accountants. These standards provide guidance for performing and reporting the results of our verification procedures.

    The audit objective is to verify and attest to the financial information reported by the FDIC to the U.S. Treasury Department via the GFRS as of September 30, 2007.

    Benefits/Potential Outcomes: By performing this work, GAO can reduce the level of effort expended on the FDIC’s annual financial statement audit. The audit will provide outside parties assurances regarding the integrity of key financial information reported by the FDIC.

19. Purchase Card Program

    The FDIC implemented a procurement credit card program to provide a simplified method for procuring low-dollar-value goods or services (i.e., $5,000 or less) and reducing the administrative timeframes generally associated with these types of procurements. Cardholders and approving officials manage their credit card statements (including verification, approval, and invoice reconciliation) on-line through the New Financial Environment. The Procurement Credit Card Program is administered by the Division of Administration’s (DOA) Acquisition Services Branch. The GAO has identified control weaknesses in the General Services Administration’s Government-wide Procurement Card Program. In addition, a recent DOA internal review identified deficiencies in the FDIC’s Procurement Credit Card Program.

    The audit objective is to evaluate the controls over the FDIC’s procurement card program, including whether the proper delegated authority exists for use of credit cards and whether cards are issued and used in accordance with policy.

    Benefits/Potential Outcomes: The audit will provide assurance regarding whether disbursements through the Procurement Credit Card Program comply with FDIC policies and procedures and are properly monitored, justified, and approved. The effectiveness of such controls are key to mitigating the risk of fraudulent, improper, or abusive charges.

20. International Travel

    The FDIC defines international travel as travel to destinations outside the United States and its territories (i.e., Puerto Rico, Guam, American Samoa, the U.S. Virgin Islands, Johnston Atoll, Midway Islands, Northern Mariana Islands, and Wake Island). The FDIC expects employees traveling internationally on official business to exercise the same prudent care in incurring reimbursable expenses as though traveling on personal business. In addition, international travel requires that the Chairman or the Chairman’s designee pre-approve the travel and authorize a specific travel authorization. The FDIC’s General Travel Regulations (GTR), Volume I, outlines the provisions that apply to individuals on official travel for the FDIC. The category of travel and reimbursement is determined by the length of time at the temporary duty assignment. The regulations also address travel that has other special characteristics, such as foreign travel, invitational travel, Board member travel, first-class travel, and business class travel. Since 2002, the OIG has completed 3 travel-related reviews:

    • Controls over Board Members’ Travel (October 3, 2002 – Report No. 03-003)
    • The FDIC’s Management of Travel Costs (September 2005 – Report No. 05-036)
    • Inside Board Member and Executive Manager Travel (June 2005 – Report No. 05-024)

    The audit objective will be to determine whether (a) the FDIC has established international travel policies that are consistent with FFIEC agencies and (b) international travel is authorized, approved, and paid in accordance with the FDIC’s GTR.

    Benefits/Potential Outcomes: The audit may identify opportunities to strengthen the FDIC’s monitoring and controls over international travel.

The following ongoing audit assignments will carry over to FY 2008:

• FDIC’s Assessment of Commercial Real Estate Concentration Risk
• DSC’s Examination Assessment of Interest Rate Risk
• FDIC’s Oversight of Subprime Credit Card Lending
• FDIC’s Implementation of the USA PATRIOT Act
• Examination Procedures for Assessing Controls to Protect Customer and Consumer Information at Multi-regional Data Processing Servicers
• Implementation of the FDIC’s Supervisory Guidance for Nontraditional Mortgage Products
• FDIC Laptop Computer Replacement

• FDIC’s Transit Subsidy Program
• Contract Rationalization
• FDIC’s Internal Risk Management Program
• FDIC’s Telework Program
• FDIC’s Claims Administration System

1. FDIC Consumer Response Center

   The objective is to evaluate to what extent the FDIC uses Consumer Response Center (CRC) trend and activity report information in developing supervisory policy and carrying out its examination process. In July 2002, the FDIC centralized its consumer affairs function by expanding the mandate of its Credit Card Center, in Kansas City, by renaming it the CRC. The FDIC’s CRC is responsible for (1) investigating all types of consumer complaints about FDIC supervised institutions and (2) responding to consumer inquiries about consumer laws and regulations and banking practices. Potential areas of focus may include:

   • the reporting capability and data integrity of the specialized tracking and reporting system,
   • any other summary reporting and trend analysis performed by the CRC,
   • the distribution of the CRC reports and analysis, and
   • how the CRC information is used by the FDIC in developing policy and conducting examinations.

   Benefits/Potential Outcomes: Verify that the CRC is compiling and providing to appropriate FDIC divisions and offices summary and trend information that is used to ensure effective examination policies and processes.

2. Contingency Contracts

   The objective is to evaluate the viability of DRR’s resolution contingency contract approach. A contingency contract is a contract vehicle put in place without an immediate need for the defined goods or services, but with justification supporting an expectation of a future need. DRR has prequalified vendors for seven contingency contracts that may be awarded quickly in the event of an increase in resolution activity or a large non-systemic bank failure. These contracts involve the following services:

   • Payroll,
   • Credit card consulting,
   • Developing loss sharing assistance agreements,
   • Receivership assistance,
   • Destruction of computers,
   • Call Center, and
   • Imaging and indexing documents.

   This assignment will address how DRR ensures that contingency contractors (1) maintain on a continuing basis the requisite technical skills and experience and (2) will be immediately available to assist the FDIC if there is an increase in resolution activity or a large non-systemic bank failure.

   Benefits/Potential Outcomes: (1) Provide assurance that DRR’s contingency contracting approach enables the Corporation to have immediate access to the contractor support it needs to efficiently and effectively resolve failed banks and manage receiverships and/or (2) identify opportunities for DRR to improve its approach.

3. Addressing Obstacles Related to Closing a Large Bank

   The objective is to evaluate the FDIC’s planning and preparation for identifying and addressing obstacles and logistics related to closing a large bank. The DRR closing manual provides general guidance for handling a bank failure and is not intended to address every situation that may arise, as the financial world and banking services are constantly changing. DRR has indicated that a large non-systemic bank failure can be approached in the same manner as a small bank failure, except that more personnel and/or contractor expertise and support will be needed, and more extensive forward planning will be required. DRR has completed a confidential study on a plan for closing a very large, non-systemic bank. In addition, the Corporate University sponsored a Strategic Readiness Simulation on May 10-11, 2007 with the following as one of its objectives: simulate and stress the FDIC’s decision-making processes, strategies, and planning for a large bank failure. The Chairman, Vice Chairman and their staffs participated in this simulation along with FDIC Senior Executives from multiple divisions within the FDIC.

   Benefits/Potential Outcomes: (1) Identify gaps in DRR’s plans to address obstacles/logistics related to closing a large bank and (2) suggest opportunities to improve DRR’s planning efforts for a large bank failure.

4. Performance-Based Acquisitions

   The objectives are to (1) identify FDIC contracts that have had performance-based aspects and (2) determine the extent to which the FDIC’s performance-based contracts are consistent with FDIC and applicable government-wide guidance. Performance-Based Acquisition - formerly Performance-Based Contracting - is a technique for structuring all aspects of an acquisition around the purpose and outcome desired as opposed to the process by which the work is to be performed. In 2001, the Office of Management and Budget (OMB) established annual goals for agencies to award a certain percentage of contracts over $25,000 as performance based acquisitions (45 percent of procurement actions over $25,000 in 2007). An Interagency-Industry Partnership in Performance came up with a guide geared to the greater acquisition community (especially program offices) breaking down performance-based service acquisition into seven simple steps.

   • Establish an integrated solution team
   • Describe the problem that needs solving
   • Examine private-sector and public-sector solutions
   • Develop a performance work statement or statement of objectives
   • Decide how to measure and manage performance
   • Select the right contractor
   • Manage performance

   Benefits/Potential Outcomes: (1) Identify the extent to which the FDIC has implemented the performance-based contracting in its acquisition of services and (2) identify opportunities to improve award and management of performance-based acquisitions.

5. Corporate Employee Program

   The objective is to assess FDIC’s efforts to implement the Corporate Employee Program (CEP), including: (1) status on number of corporate employees and level of program completion, (2) whether the CEP has stated measurements for gauging program effectiveness, (3) participant and management views on the benefits and success of the CEP. The CEP is an initiative at the FDIC to provide opportunities for employees at all levels to identify, develop, and apply skills in multiple corporate functions through various training opportunities and cross-divisional work assignments. This initiative was developed at the FDIC to respond to the growing consolidation and complexity within the financial services industry. The program eventually will encompass FDIC business and support lines to create a workforce that possesses a common corporate perspective, with training and experience in multiple corporate functions, and capable of responding rapidly to shifting priorities and changes in workload.

   Benefits/Potential Outcomes: (1) Confirmation that the CEP is working as intended and (2) Constructive ideas for refining and further improving the CEP program.

6. Energy Efficiency of FDIC Datacenters and IT Equipment

   The objective is to evaluate the Corporation’s efforts to conserve energy in its operation of data centers and IT equipment. Datacenters are consuming an increasing amount of electricity to process, store, and manipulate the exploding amount of digital data. Datacenters and servers in the United States accounted for 1.5 percent of all electrical consumption in 2006, double the consumption in 2000, according to an Environmental Protection Agency (EPA) report. No information exists for the number of federal datacenters and servers, but the EPA estimates that the federal government accounts for 10 percent of the national consumption of electricity by all datacenters and servers. EPA also reported that the federal government, working with the private sector, should develop a standard method to measure and report how much electricity datacenters consume and install cost-effective equipment that leads to reduced energy consumption. In addition, Sun Microsystems recently unveiled a suite of programs and services that will help information technology managers construct more energy-efficient datacenters and implement state-of-the art power-saving technologies.

   Benefits/Potential Outcomes: : (1) Increase energy efficiency of FDIC datacenters and IT equipment and (2) correspondingly reduce the expenses for energy consumption.

7. Management of Commercial off-the-Shelf Applications

   The objective is to identify best practices in other federal agencies and the private sector for managing Commercial off-the-Shelf (COTS) software. COTS software is released to users as pre-configured by the vendor in its “shrink-wrapped’ form. DIT usually modifies only the installation scripts or configuration items to ensure network compatibility. However, DIT modifies some COTS applications to suit user needs prior to release to the production environment.

   COTS or component-based development is generally considered to be a lower risk strategy than in-house development. COTS software provides a simple and rapid mechanism for increasing system functionality and capability. However, systems with a lot of COTS components can have problems with versioning, both with the versioning of the COTS and with the underlying operating system. For example, different customer-vendor evolution cycles may result in uncertainty about how often COTS components in a system may have to be replaced and the extent of the impact of such a change on the rest of the system. This makes it difficult to plan and predict costs over the life cycle of a system. Further, upgrading to a new version of COTS software poses other risks, such as:

   • Hidden incompatibilities may cause unforeseen side effects in the system, necessitating a complete system update.
   • Changes in the quality attributes of a new version of COTS software (e.g., performance, security, safety, reliability etc.) may be incompatible with the user requirements and may adversely affect the operational capabilities of the system.

   Finally, when you have multiple interrelated COTS packages, as the packages are updated, interfaces from one COTS package might interfere with other COTS interfaces and system and hardware requirements might conflict.

   Benefits/Potential Outcomes: As requested by FDIC management, we will identify best practices in other federal agencies and the private sector for managing information technology in a COTS software environment. In doing so, we hope to provide the FDIC with methods for increasing the efficiency of its use and maintenance of COTS software.

8. Data Conversion Related to NFE Migration to UNIX

   The objective is to evaluate whether the FDIC has proper controls in place to ensure an efficient and effective transfer of data when the New Financial Environment (NFE) software is upgraded and migrated to a UNIX environment.

   NFE is a system developed for the Division of Finance (DOF) using Peoplesoft 8.4 software. NFE was placed on the FDIC’s mainframe to operate. The Division of Information Technology (DIT) recently decided to migrate this software to a UNIX environment to make NFE more efficient. At the same time, DIT plans to upgrade the NFE software from Peoplesoft version 8.4 to version 9.0. An effective data conversion process is important to maintaining data integrity and quality after the NFE software is upgraded and moved to the UNIX environment. To that end, this review is intended to assist the FDIC in developing and implementing a successful data conversion strategy. Areas covered could include:

   • Understanding source data,
   • Defining target data specifications,
   • Defining and measuring target data quality,
   • Choosing and mapping correct sources for target data elements,
   • Ensuring data quality throughout the conversion process.

   Benefits/Potential Outcomes: An efficient, quality-focused approach to data conversion during the NFE upgrade and migration.

9. Physical Security – Guard Services

   The objective is to evaluate to what extent DOA has balanced security needs and cost efficiency in administering guard services. The current guard services contract was competitively awarded in June 2004 for the Headquarters locations (Washington, D.C. and Arlington, VA) and expires May 31, 2009. In January 2006, Regional and Area Office guard services were consolidated under the Headquarters contract to improve efficiency and operational uniformity. On July 9, 2007, DOA requested and received FDIC Board approval to award a competitive contract for nationwide guard services. DOA expects to award the new contract in November 2007. The estimated expense for these services is $75 million over 7 years, based on historical expenditures, and incorporates an annual labor escalation of 3 percent as presented below:

   • Base Period (3 years): $30M
   • Option Period 1 (2 years): $22M
   • Option Period 2 (2 years): $23M

   Benefits/Potential Outcomes: (1) Provide assurance that the FDIC has reasonably balanced protecting FDIC employees, property, and the general public with achieving efficiencies. (2) Identify opportunities for reducing costs of guard services while maintaining an adequate level of protection.

10. Integrity of Information Technology Procurements and Governance

    The Chairman has requested an evaluation addressing various controls and issues associated with ensuring the integrity of information technology (IT) procurements from pre-award through contract administration, to include the:

    • Decision to contract versus perform functions in-house
    • Procedures and controls for maintaining separation between FDIC employees and contractors (personal service contracts)
    • Process for contracting decisions, including extent to which there is third-party review
    • Confidentiality and security of procurement sensitive information
    • Controls to prevent improper financial relationships between FDIC officials and contractors, such as:
      • Background investigations
      • Ethics disclosure requirements
      • Confidentiality and non-disclosure agreements
    • Degree to which former FDIC employees work on FDIC contracts:
      • How decisions to rehire former employees are made,
      • Post employment restrictions that apply.

    All of the areas of interest to the Chairman will be evaluated against FDIC policies and procedures, government-wide rules and regulations, and best practices. This key effort will require several evaluation teams and multiple products.

    Benefits/Potential Outcomes: This key effort will provide the Chairman with information and recommendations that will enable her to have greater assurance that information technology procurements are carried out and monitored with verifiable integrity through proper and transparent governance processes.

11. Budget Execution

    The objective is to evaluate the budget execution and budget reporting process, including controls over reallocations of funds between budget categories. The Corporation’s senior leadership establishes high-level budgetary and planning guidance. DOF coordinates with divisions and offices in the development of proposed budgets in accordance with this guidance. After the Corporation’s annual Corporate Operating Budget and related performance plans are approved by the Board, individual divisions and offices are primarily responsible for budget execution. DOF is responsible for monitoring and providing reports to the senior leadership of the Corporation on the Divisions’ and Offices’ performance of these responsibilities. Our evaluation will focus on DOF’s responsibility for budget execution and the Chief Financial Officer’s authority to reallocate funds between budget categories. We have completed earlier evaluations on the Corporate Planning Cycle and the establishment of Corporate Performance Measures.

    Benefits/Potential Outcomes: (1) Improvements in the process for monitoring and reporting of the execution of Corporation’s Operating Budget and (2) validation that controls over budget execution are appropriate.

The following ongoing evaluation assignments will carry over to FY 2008:

• FDIC’s Transit Subsidy Program
• Contract Rationalization
• FDIC’s Internal Risk Management Program
• FDIC’s Telework Program
• FDIC’s Claims Administration System

1. Continue to respond to and investigate allegations of fraud and other financial crimes affecting FDIC-insured institutions, referred to the OIG by the FDIC, U.S. Attorneys’ Offices, and other law enforcement agencies, or identified through review and analysis of Suspicious Activity Report filings

   Objective/Description: The investigative objective is to help ensure that offenders that harm or threaten to harm the nation’s banks are criminally prosecuted, support FDIC in facilitating successful parallel enforcement proceedings banning offenders from banking, and deter others from carrying out similar crimes.

   Benefits/Potential Outcomes: Given the serious limitations on law enforcement resources devoted to combating financial institution fraud, OI focuses its limited resources and unique expertise to investigate complex and significant financial institution fraud that otherwise will go unaddressed. In doing so, OI helps the FDIC ensure that proven offenders are removed from the banking industry, limiting their ability to cause further harm to FDIC-insured institutions; contributes to government-wide efforts to enforce Title 18 to punish and deter criminal activity; and obtains forfeiture, restitution or other forms of recovery for losses sustained by the FDIC and other victims of these crimes.

2. Continue to develop and provide training to the FDIC, FFIEC, and industry officials related to financial and electronic crimes that can threaten FDIC institutions

   Objective/Description: As the only law enforcement arm within the FDIC, OI agents have unique training and expertise in conducting criminal investigations of financial institution fraud and electronic crimes. By sharing this expertise, and “lessons learned” from OIG investigations, the OIG can help educate the FDIC, other law enforcement organizations, financial regulators, industry officials, and the public regarding red flags, trends, and other indicia of financial institution fraud and identity theft.

   Benefits/Potential Outcomes: Heightened awareness of the various signs of fraud, methods to prevent fraud, and strategies to help combat fraud and prosecute offenders. Training presentations by OIG agents also broaden understanding/appreciation of the OIG’s mission and accomplishments.

3. Maintain and continue to refine the OIG’s Suspicious Activity Report (SAR) Database to better enable OI to identify and prioritize financial institution fraud cases of significance to the FDIC

   Objective/Description: OI has developed unique software systems to more effectively and efficiently review Financial Crimes Enforcement Network’s SAR database. OI will continue to maintain and update the SAR database, accessible to OI agents and examiners designated by the Division of Supervision and Consumer Protection (DSC). OI will continue to refine this tool based on agent/examiner feedback and will continue to make the tool available to the FDIC for the agency’s use in its regulatory and enforcement missions.

   Benefits/Potential Outcomes: Increased ability and efficiency in reviewing and analyzing SAR data in order to identify potential fraud and significant trends, and to support current and future investigations and FDIC enforcement programs and operations.

4. Continue to coordinate and communicate regularly with DSC and the Legal Division regarding financial institution fraud cases

   Objective/Description: OI will continue to notify DSC when initiating investigations into fraud at open financial institutions and will continue to issue quarterly reports to keep FDIC officials abreast of the status of these cases. OI will continue to meet regularly with DSC headquarters staff to discuss investigative and/or enforcement cases of mutual interest or concern, coordination issues, and fraud trends/developments potentially impacting the industry. Additionally, OI will continue to participate on a regular basis with DSC/Legal regional staff to review and discuss SARs that may warrant investigative/regulatory attention.

   Benefits/Potential Outcomes: Effective coordination and communication leads to a greater mutual understanding of particular law enforcement or regulatory/enforcement concerns associated with specific cases or types of cases. Participation in regular meetings helps OI identify cases of importance to the FDIC. Through these meetings, OI can provide a law enforcement perspective to DSC and the Legal Division in their assessment of pertinent SARs, while developing potential matters for criminal investigation consonant with OI’s mission and responsibilities.

5. Participate in law enforcement/regulatory task forces and working groups to identify cases warranting FDIC OIG attention, and identify trends and concerns relating to fraud affecting the industry and the banking public

   Objective/Description: OI will continue to be an active participant in the National Bank Fraud Working Group and its sub-groups, including the Mortgage Fraud Working Group and Cyberfraud Working Group, where information relating to financial institution fraud, of concern to both financial institution regulators and law enforcement, is shared and strategies for combating fraud are discussed. OI will also continue to participate in regional SAR Review Teams, and other law enforcement/regulatory working groups and task forces that have been established across the country to address emerging areas of financial institution fraud.

   Benefits/Potential Outcomes: Identification of cases warranting OI attention. Improved coordination with other law enforcement and regulatory agencies, leading to more efficient and timely exchanges of information of benefit to this community and possibly to the development of more effective investigation strategies that maximize limited resources available within multiple agencies.

6. Continue to work with DSC, IT and the Legal Division to identify phishing, pharming, and other schemes that prey on the public for purposes of fraud, identity theft or to disrupt computer operations (malicious attacks)

   Objective/Description: Further develop our activities in detecting, investigating, and deterring theft of identities and fraud schemes involving misrepresentations of FDIC insurance or affiliation.

   Benefits/Potential Outcomes: Enforcement of Title 18 in order to punish and deter related criminal activity and to obtain recoveries on behalf of victims, protect consumers, and support government-wide efforts to defend financial e-markets against concerted criminal efforts that would undermine critical business activity.

7. Monitor proposed legislation to strengthen FDIC enforcement authority with regard to individuals that make false representations regarding FDIC affiliation/insurance and coordinate with the FDIC to implement processes for mutual referral of such allegations for criminal/administrative action

   Objective/Description: : Assist the FDIC in obtaining new authority to conduct enforcement actions against individuals who misuse the FDIC’s name or products to further fraudulent or other criminal activity.

   Benefits/Potential Outcomes: Defend the integrity of the FDIC’s name and franchise and protect consumers against crimes harming them through the misuse of FDIC’s name or products.

8. Continue to provide a team of OI agents, to include computer forensic agents, to participate in the event of any bank closing where fraud is suspected and aggressively pursue criminal investigations of any fraud that contributed to an institution failure

   Objective/Description: Through effective coordination and proper training, maintain the capability and expertise to assemble and send teams of agents who are prepared to respond on short notice in the event of a bank closing.

   Benefits/Potential Outcomes: Early collection and preservation of evidence and information needed to support a criminal prosecution; effective sharing of information with the FDIC to help support resultant civil/regulatory actions.

9. Pursue with DRR/DSC integration in a training module of one or more presentations on OI investigative processes/concerns in the context of bank closings

   Objective/Description: Develop better access to real-time information for planning in the event of a closing and familiarizing potential closing team members with the responsibilities of the OIG in the event of a financial institution failure.

   Benefits/Potential Outcomes: More effective participation in closings, better understanding of the institution to enable more targeted investigative efforts at the moment of a closing, more efficient exchanges of information with the FDIC in its efforts to minimize the cost of closings to the DIF.

10. Establish more systematic process for coordination with DSC, DRR and the Legal Division in the agency’s preparation for potential closings

    Objective/Description: Develop more effective procedures for access to information and resolve access to information issues between the agency and the OIG before having to do so in the environment of a closing.

    Benefits/Potential Outcomes: Clearer lines of communication with the agency in the closing environment; better methods of identifying and preserving evidence, taking into account the business needs of the agency and the needs of a criminal investigation; more effective planning for the use of scarce resources (e.g., closing team assets and OI resources, including electronic crimes group assets) in the context of closings.

11. Continue to conduct investigations referred by the Legal Division and DRR of suspected criminal concealment of assets by individuals owing restitution to the FDIC

    Objective/Description: Work with the Legal Division, DRR, and U.S. Attorneys’ Offices, to identify, investigate and successfully prosecute individuals who criminally conceal assets from the FDIC to avoid payment of court-ordered restitution. The goal is to help the FDIC in recovery of funds it is owed and to hold criminal offenders accountable.

    Benefits/Potential Outcomes: Imposition of criminal penalties against these “repeat offenders”; deterring others from committing similar offenses; recovery of funds for the FDIC.

12. Continue to respond to and investigate allegations of crimes and serious misconduct or ethical violations involving FDIC employees and contractors

    Objective/Description: Address allegations of corruption or serious misconduct involving financial or significant reputational risk to the FDIC.

    Benefits/Potential Outcomes: Ensuring that the FDIC is perceived as honest and an actor with integrity by the public and the industry in furtherance of the agency’s responsibility to maintain confidence and trust in the nation’s banking system.

13. Continue to operate and manage the OIG Hotline, referring to the FDIC any management issues or trends warranting attention

    Objective/Description: Provide an independent mechanism for reporting allegations of misconduct or corruption to the OIG.

    Benefits/Potential Outcomes: Receipt of allegations that may result in investigations in support of the FDIC’s and the OIG’s mission.

14. Continue to coordinate with DIT and DOA with respect to instances of potential computer intrusion and abuse

    Objective/Description: Cooperate with the FDIC in ensuring that the agency’s computing environment is secure.

    Benefits/Potential Outcomes: Contribute to a functioning network that fully supports the activities of the agency under any circumstances.

15. Implement a reorganization designed to more effectively and efficiently carry out OI’s work in jurisdictions covered by FDIC’s six regional offices

    Objective/Description: Align the OI field structure with that of the FDIC, particularly DSC.

    Benefits/Potential Outcomes: Improved coordination with FDIC field offices and the development of cases that benefit the public, the industry and the FDIC in all of the FDIC’s regions. Improved efficiencies in addressing a geographically dispersed workload.

16. Continue to conduct internal reviews of OI regional offices for compliance with OI policies and PCIE standards

    Objective/Description: Ensure OI operations are conducted in compliance with all OI policies and procedures as well as standards applicable to Federal OIG Offices of Investigation and OIGs generally.

    Benefits/Potential Outcomes: Preparation for peer reviews, enhancement of the OIG’s efficiency and credibility as the preeminent law enforcement organization in the country in our areas of expertise.

17. Support PCIE efforts to enhance and maintain high quality investigative training for the OIG community

    Objective/Description: Participate in the Inspector General Criminal Investigator Academy (IGCIA) by providing instructional/facilitator support to the various IGCIA training programs in 2008. Continue to participate on the IGCIA’s Curriculum Review Committee by systematically reviewing the Academy’s basic training programs and recommending appropriate changes to the Assistant Inspectors General for Investigations and the Investigations Committee of the PCIE. Provide technical support and expertise in IGCIA’s efforts to become accredited.

    Benefits/Potential Outcomes: Increased relevance of training to FDIC OIG agents, enhanced standing of the FDIC OI within the IG community, and enhancement of the IGCIA.

1. Review Management of Corporate Credit Card and Recommend Approach of Usage

   The objective of this key effort is to review the OIG’s current management of the FDIC e-procurement card usage, and recommend an approach that will be most efficient to the OIG operations.

   Benefits/Potential Outcomes:

   • Continuous facilitation of purchases in a timely and efficient manner.
   • Agreed-upon program for more inclusive approach.
2. Strengthen Succession Planning

   The FDIC defines succession planning as an ongoing strategically-aligned process of systematically identifying, assessing, and developing internal talent and identifying and assessing external measures to ensure leadership continuity for all key positions in an organization. The objectives of this key effort are to: (1) determine the extent to which the OIG’s succession planning program identifies and addresses OIG key competencies and future critical office staffing and leadership needs; and (2) identify opportunities for strengthening and improving the program. We will also evaluate whether our succession planning initiatives and efforts are consistent with the seven key principles for effective succession management identified by GAO, the Office of Personnel Management, the Corporate Leadership Council, and the National Academy of Public Administration.

   Benefits/Potential Outcomes:

   • Assurance of leadership continuity and organizational stability.
   • Identification of gaps in mission critical skills, competencies, and knowledge.
   • More effective training and leadership development programs.
   • Enhanced managerial and executive talent level and skills.
   • Retention of valued staff.
3. Document IG-Specific Personnel, Financial, and Information Technology Processes

   The objective of this key effort is to establish an official resource center for the documentation of the processes of the major operations in the Office of Management. This will involve creating handbooks for each specific operation including personnel, financial, and information technology and other mandatory functions that identify the requirements, procedures, guidelines, and examples of each function.

   Benefits/Potential Outcomes:

   • Efficient transition when an employee leaves the OIG. New staff will be able to continue with the assignments in an orderly fashion.
   • During the absence of an employee, another staff member will be able to fill in more easily.
   • Identification of possibilities to streamline current OM processes.
4. Strengthen the OIG’s Records Management Program

   The objective of this key effort is to update and strengthen the OIG’s records management program. In coordination with other OIG offices, we will assess overall compliance with the FDIC’s Records Management Program. We will also assess our program’s effectiveness in assuring the timely and complete inventorying, archiving, and retrieval of records consistent with OIG requirements for document access and in consideration of office space constraints. Finally, we will evaluate the retention practices for certain documents that support decisions and business practices (such as budget worksheets) to determine whether such records are subject to retention policy. Priority will be given to Office of Counsel records management, including developing protocol that reflects recent changes in the Federal Rules of Civil Procedure governing the discovery of electronically stored information (E-Discovery initiative).

   Benefits/Potential Outcomes:

   • Enhanced and updated program and policy that provides for a records management process that is consistent with the corporate program, OIG needs, and our organizational structure.
   • A revised OIG records disposition schedule that addresses OIG access needs and statutory requirements.
   • Identification of OIG records eligible for off-site storage or destruction.
   • Improved protection of records from inappropriate and unauthorized access.
   • Increased ability to respond to civil and criminal discovery under the new rules.
5. Strengthen the OIG’s Information Security Management (ISM) Program, Including Shared Folder Initiative

   The main focus of the OIG's Information Security Program is to ensure the protection of the OIG's information resources and the uninterrupted continuation of OIG operations. The objective of this key effort is to ensure that the OIG’s information security program is consistent with the Corporation’s policy, and to protect sensitive information from loss, misuse, and unauthorized access or modification. Additionally, we will perform a comprehensive review of all OIG shared network folders to include usage level, continued need, data content, access rights, and access control monitoring procedures.

   Benefits/Potential Outcomes:

   • Compliance with FDIC’s policy on protecting sensitive information (FDIC Circular 1360.9)
   • Enhanced protection and security of OIG sensitive information and employee privacy.
   • Reduced risk of loss, misuse, or unauthorized access to or modification of OIG sensitive information which could adversely impact the OIG in carrying out its mission.
   • Improved consistency and standardization in OIG’s use of network shared folders.
6. Explore opportunities to leverage the capabilities of ECU and Audit computer labs, staffs, equipment, and those currently possessed by IT staff in the Office of Management

   The OIG currently staffs both an audit and investigative IT lab. These labs are maintained at considerable cost, and associated training costs for OA and OI staff are also significant. Additionally, the Office of Management includes staff charged with addressing the OIG’s internal IT needs. Perhaps there are ways to better leverage the resources of all OIG groups involved in IT in the interest of the OIG as a whole and the many, varied activities that the OIG undertakes.

   Benefits/Potential Outcomes:

   • Better understanding of various roles/responsibilities/capabilities of OIG IT staff in our component offices.
   • More effective use/leveraging of the OIG’s IT staff and related resources to accomplish OIG goals.

7. Evaluations—Procedures Review and Update

   The OE became a separate component of the OIG during FY 2007. As such, it is not currently involved in OA-related activities designed to change and make more efficient processes, procedures, and reporting. The Evaluations group will develop and update policies and procedures to guide its work. Such an effort will be undertaken in line with the PCIE’s Quality Standards for Inspections.

   Benefits/Potential Outcomes:

   • More efficient, effective means for conducting assignments and reporting results.
   • Adherence to quality standards.
8. Administer Expert Services Contract

   The objective of this key effort is to administer a multi-year contract with a qualified firm to evaluate the FDIC’s compliance with FISMA and Section 522 of the Consolidation Appropriations Act and to conduct other audits and evaluations, as needed. The contract will also require the firm to provide technical expertise and assistance on an as needed basis in support of OIG audits and evaluations. The estimated value of the contract for FY 2008 is $1.1 million. It is anticipated the contract will have a 5-year performance period (one base year with four option years.)

   Benefits/Potential Outcomes:

   • Enhanced expertise on OIG audits and evaluations.
   • Ability to address more complex and technical FDIC risks, issues, and challenges.
   • More efficient and higher quality audits and evaluations.
9. Secure Communications with Department of Justice Project

   The OIG will participate in multi-agency efforts to research and pursue methodologies to enhance the security of sensitive law enforcement communications between agencies. We anticipate coordinating closely with others in the IG and law enforcement communities, and with the FDIC’s Division of Information Technology as we pursue this initiative.

   Benefits/Potential Outcomes:

   • Assurance that the OIG’s communications with law enforcement partners throughout the government are properly secure.
10. Quality control reviews of OA, OE, and OI offices for compliance with OA, OE and OI policies and PCIE standards

    OIG component offices will continue to conduct quality control reviews, with the objective of ensuring that audit, evaluation, and investigative operations are conducted in compliance with OIG policies and procedures as well as standards applicable to federal OIGs.

    Benefits/Potential Outcomes: Preparation for peer reviews, quality OIG products and processes.

11. Mentoring Program

    Continue the OIG’s mentoring program, in conjunction with the corporate program and explore ways of enriching the OIG’s program.

    Benefits/Potential Outcomes:

    • Enhanced mentorees’ professional growth and development and understanding of the OIG.
    • Opportunities for more experienced OIG staff to share/pass along workplace experiences and knowledge.
12. Support of Banking School Enrollments and Pursuit of Professional Certifications and Advanced Degrees

    The OIG will continue to encourage and support staff seeking to advance professionally by pursuing training opportunities. Of note, the OIG will continue to select staff to attend graduate programs at banking schools, a practice begun in 2007.

    Benefits/Potential Outcomes: Enhanced knowledge and increased expertise.

13. Employee Advisory Group

    Continue practice of convening an EAG comprised of non-managerial staff from OIG headquarters and field office locations. The group will meet quarterly with the IG.

    Benefits/Potential Outcomes:

    • Provide a voice to non-managerial OIG employees.
    • Enhance employee morale.
    • Bring issues of employee concern to the IG’s attention.
    • Promote communication among headquarters and field sites/staff.
14. Support of Corporate Diversity Efforts

    Continue OIG practice of informing OIG staff of corporate diversity events, participating in such events, and contributing to the FDIC’s annual report of Diversity activities.

    Benefits/Potential Outcomes:

    • Heightened awareness of diversity in the workplace.
    • Enhanced working relationships with FDIC colleagues and other stakeholders.
15. Support of IG Community

    The FDIC OIG will be an active participant and supporter of the efforts of the IG community. OIG staff will make a number of contributions by participating in meetings, trainings, forums, cross-cutting initiatives, data calls, and special projects.

    Benefits/Potential Outcomes:

    • Opportunity to serve and support the IG community at large.
    • Opportunity to share best practices with others.
    • Opportunity to learn from experiences of other OIGs.
    • Opportunity to engage others in the FDIC OIG on special projects, with learning opportunities.
16. Congressional Outreach

    Continue the OIG’s practice of monitoring congressional interest in FDIC business lines and coordinating with FDIC counterparts on congressional issues. Emphasize increased communications with congressional clients to keep them fully and currently informed about OIG work and issues relating to FDIC programs and operations.

    Benefits/Potential Outcomes:

    • Increased awareness as to the financial regulatory issues that the Congress oversees.
    • Opportunity to add value to OIG work by contributing congressional perspective.
    • Increased congressional interest in OIG products.
    • Increased interaction and dialogue with congressional staff

17. Establish a More Comprehensive Enterprise Risk Management Program

    The objective of this key effort is to establish a more comprehensive OIG Enterprise Risk Management Program. This will be done in a number of ways. First, we will address management controls and activities within our strategic framework and across the organization boundaries. The enhanced program will place greater emphasis on the processes and controls over key deliverables that must be timely and accurate in order to carry out the OIG mission. This aspect of the key effort has been developed, in part, as a result of major revisions to the management control review process that were initiated by OERM.

    Benefits/Potential Outcomes:

    • Establishment of an OIG Enterprise Risk Management Program for identifying and evaluating management controls and activities within our strategic framework.
    • Enhanced justification and support for the OIG’s annual assurance statement on management controls
    • Increased management awareness of its ongoing responsibilities for monitoring and evaluating controls.
    • A clearer understanding of the risks that could impact the OIG and how these risks may be managed.

    Second, we will continue to develop a more risk-based approach to planning processes by more fully incorporate risk management, “events-based” thinking as a prism in determining areas on which the OIG should focus audit/evaluation/investigative attention.

    Benefits/Potential Outcomes:

    • Greater assurance that OIG resources are focused on doing the right work.
    • Better ability to prioritize OIG work and schedule efforts and timeframes in a way that makes better sense.

    Third, we plan to hold quarterly meetings to assess progress on our execution of the OIG Business Plan and to discuss related budgetary implications. Such an approach will be helpful in keeping OIG activities and spending on track. With a more systematic process, we can better monitor performance results, spending, milestones, and projects that are ahead of or behind schedule.

    Benefits/Potential Outcomes:

    • Opportunity for Executive management team to assess/discuss progress of OIG key efforts more frequently.
    • More real-time means of keeping projects and OIG spending on track.
    • Opportunity to better integrate budget and performance.