Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: June 14, 2002

TO: Fred S. Selby, Director, Division of Finance, and Arleas Upton Kea, Director, Division of Administration

FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits

SUBJECT: Review of the FDIC’s Strategy for Managing Improper Payments (Audit Report No. 02-022)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed a review of the FDIC’s strategy for managing improper payments. We conducted the review based on a June 26, 2001, letter from the Chairman and Ranking Minority Member, Committee on Governmental Affairs, United States Senate (Committee). In this letter, the Committee requested that the 24 major federal agencies review an exposure draft of the U.S. General Accounting Office’s (GAO) executive guide entitled Strategies to Manage Improper Payments (GAO-02-69G, issued October 2001). The agencies’ reviews were to focus on evaluating the adequacy of each agency’s internal controls and implementation of those strategies that are appropriate for each agency.

Although the FDIC was not included in the request to the departments and agencies addressed in the Committee’s letter, we conducted this review to assess what steps the FDIC has taken to control improper payments and determine what additional measures should be taken. The objective of this review was to assess the FDIC’s strategy for managing such payments. Additional details on the review objectives, scope, and methodology are included in Appendix I.

BACKGROUND

The Congress created the FDIC under the Banking Act of 1933 to maintain stability and public confidence in the nation’s banking system. The intent was to provide a federal government guarantee of deposits in U.S. depository institutions so that customer funds would be safe and available to customers in the event of a financial institution failure. As required by current law, the FDIC maintains separate insurance funds for banks and savings associations and a resolution fund. (Note: The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) created the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). It also designated the FDIC as the administrator of these funds. These three funds are maintained separately to carry out their respective mandates. The BIF and the SAIF are insurance funds responsible for protecting insured bank and thrift depositors from loss due to institution failures. The FRF is a resolution fund responsible for winding up the affairs of the former Federal Savings and Loan Insurance Corporation and liquidating the assets and liabilities transferred from the former Resolution Trust Corporation.) When an institution fails, the FDIC fulfills its role by paying insured depositors directly or arranging for the assumption of the deposits by another financial institution. After an institution has failed, the FDIC liquidates the failed institution’s assets to replenish the insurance fund.

During the period January 1, 2000 through December 31, 2001, the FDIC disbursed over $4.6 billion in its corporate capacity for program and administrative operations. About 57.8 percent of the disbursements were for failed financial institution resolutions. The remaining disbursements were primarily for the FDIC’s internal operations. These amounts include salaries and benefits (28.9 percent), payments to contractors for corporate activities (8.7 percent), and disbursements for other expenses such as employee travel and assets acquired from failed institutions (4.6 percent). The following chart shows the composition of the disbursements.

Figure 1: FDIC Disbursements from January 1, 2000 through December 31, 2001

[This figure appears in the non-508-compliant version of this report.]

Text description of Figure 1: Failed Financial Institution Resolutions were 57.8 percent of the total FDIC Disbursements from January 1, 2000 through December 31, 2001. Salaries/Benefits were 28.9 percent, Contractor Services were 8.7 percent, and Other was 4.6 percent of the FDIC Disbursements from January 1, 2000 through December 31, 2001.

Source for figure 1: FDIC General Ledger

In order to assist federal agencies in developing strategies for managing improper payments, GAO prepared an executive guide, Strategies to Manage Improper Payments. In developing the guide, the GAO identified private and public sector organizations, studied these organizations’ financial management practices, and obtained information on actions these organizations took and considered effective in reducing improper payments.

According to the GAO guide, improper payments can include inadvertent errors, such as duplicate payments and miscalculations, payments for unsupported or inadequately supported claims, payments for services not rendered, and fraud and abuse by program participants and/or federal employees. The guide notes that the basic or root causes of these improper payments can typically be traced to a lack of or a breakdown in internal controls. The guide further highlights the actions taken by the study participants to reduce improper payments and categorized these actions into the five general components of internal control: control environment, risk assessment, control activities, information and communications, and monitoring. Each component is described as follows:

• Control Environment – creating a culture of accountability by establishing a positive and supportive attitude toward improvement and the achievement of established program outcomes.
• Risk assessment – performing comprehensive reviews and analyses of program operations to determine if risks exist and the nature and extent of the risks identified.
• Control activities – taking actions to address identified risk areas and help ensure that management’s decisions and plans are carried out and program objectives met.
• Information and communications – using and sharing relevant, reliable, and timely financial and non-financial information in managing improper payment-related activities.
• Monitoring – tracking improvement initiatives over time and identifying additional actions needed to further improve program efficiency and effectiveness.

The Senate Committee on Governmental Affairs asked specific questions related to each of these components of internal control, and using their questions and GAO’s guide, we evaluated the adequacy of the FDIC’s actions for managing improper payments in the five general components of internal control. Our general assessment of the FDIC’s efforts is presented in this report, and we summarize the responses to the specific questions and our overall review results in the Results of Review section of this report.

RESULTS OF REVIEW

The FDIC has implemented an adequate control environment and has responsive action ongoing to address the other four components of internal control over the payment process. Although the FDIC has not established a plan that specifically addresses improper payments, the FDIC has established effective strategies to control payments and mitigate the risk of improper payments.

The GAO, with the assistance of the OIG, audits the FDIC’s annual financial statements of the BIF, SAIF, and the FRF. On May 21, 2002, GAO issued its audit report on the FDIC funds’ 2001 and 2000 financial statements. The GAO concluded that although certain internal controls should be improved, FDIC management maintained, in all material respects, effective internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2001, that provided reasonable assurance that misstatements, losses, or noncompliance that were material in relation to the FDIC funds’ financial statements would be prevented or detected on a timely basis. (Note: GAO identified weaknesses in FDIC’s information system controls that it considered as a reportable condition. Also, GAO tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance that would be reportable under U.S. generally accepted government auditing standards. However, the objective of the financial statement audits was not to provide an opinion on overall compliance with laws and regulations.)

The Corporation recognizes the need to properly control payments and, for the most part, has taken appropriate actions to do so. During our review, the Corporation began to identify the level of improper payments and in the Statement of Internal Accounting and Administrative Controls section of the 2001 Chief Financial Officers Act Report, the Corporation plans to report the amount of improper payments made to contractors. For the period January 1, 2000 through November 15, 2001, the Corporation identified contractor-related improper payments totaling $4.4 million (less than 1 percent of total payments made to contractors). Also, the Corporation plans to take collection actions depending on the nature and magnitude of such payments. Our assessment of the FDIC’s efforts related to the Committee’s specific questions is shown in the following table.

Table: FDIC OIG’s Assessment of FDIC’s Efforts to Manage the Risk of Improper Payments

OIG’S EVALUATION OF THE FDIC’s INTERNAL CONTROL COMPONENTS

As a part of this review, we evaluated the FDIC’s internal control components with a focus on determining what strategies suggested by GAO may be appropriate for the FDIC. Presented below are the questions asked by the Committee and details of our analysis for each internal control component related to managing the risk of improper payments.

Control Environment

What does your agency plan to do to create a culture of accountability that provides a positive and supportive attitude toward improvement and the achievement of established program outcomes?

The FDIC’s Audit Committee along with the Chief Financial Officer and the Chief Operating Officer set the "tone at the top" for a culture of accountability that provides a positive and supportive attitude toward improvement and the achievement of program outcomes. The Audit Committee fulfills oversight responsibilities for the Board of Directors with respect to financial reporting, internal controls, and compliance with laws and regulations and assesses the sufficiency of the FDIC internal control structure. In addition to the Audit Committee, FDIC seeks overall to foster a positive environment toward internal control and conscientious management. As evidence of the FDIC’s commitment to strong internal control, the Corporation has established the Office of Internal Control Management (OICM) to administer the corporate internal control program. This office works in partnership with all FDIC divisions and offices to help them evaluate, monitor, and manage their risks. OICM also works closely with the FDIC’s Office of Inspector General and the GAO in coordinating audit activities and tracking the status of corrective actions resulting from audit findings. OICM periodically gives presentations and workshops, provides risk management training, and issues guidance in the form of directives, manuals, and memoranda to enhance awareness of internal control throughout the Corporation.

As further evidence of a positive control environment, the GAO has issued unqualified opinions on the financial statements of the BIF, SAIF, and the FRF. The unqualified opinion rendered on the 2001 financial statements marks the tenth consecutive year for this achievement. In addition, the GAO has not identified any material internal control weaknesses or instances of non-compliance with laws and regulations for the last 8 years.

Also, 31 U.S.C. 3512(d), originally enacted as Section 2 of the Federal Managers’ Financial Integrity Act of 1982, requires executive agencies to evaluate internal control systems and report to Congress the results of the evaluation, along with material weaknesses and plans for corrective actions. The agency reports the results of its evaluation in the form of a Statement of Internal Accounting and Administrative Controls (SIAAC). Though not considered an executive agency for purposes of FMFIA, the FDIC includes its SIAAC in the annual Chief Financial Officers Act report. Accordingly, the FDIC conducts an annual, corporate-wide process that requires managers to evaluate and certify (through their division/office directors) as to the adequacy of their systems of internal control to identify and correct control weaknesses and other significant vulnerabilities. The FDIC plans to discuss the amount of and goals for reducing improper payments in its 2001 SIAAC. The OIG conducts a limited review of this evaluation and reporting process and issues a memorandum to the Chairman on the results of the review. Since the internal control program became fully established in 1993, the OIG has reported that the evaluation and reporting process has provided a reasonable basis for management’s conclusion regarding its systems of internal control, as stated annually in a SIAAC. However, as an additional aspect of each of our annual reviews, the OIG makes observations of problems or areas needing improvement in the process to OICM as program administrator, and we provide corresponding suggestions for program improvements.

Finally, the OIG contributes to the positive control environment at the FDIC in other ways. The OIG continues to fulfill its mission of promoting economy, efficiency, and effectiveness in FDIC programs and operations and protecting against fraud, waste, and abuse. From the period January 1, 2000 through September 30, 2001, the OIG identified questioned costs and funds put to better use totaling $6.2 million related to contractor payments. (Note: The Inspector General Act of 1978, as amended, defines the term "questioned cost" as a cost that is questioned by the Office because of a) an alleged violation of a law, regulation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; b) a finding that, at the time of audit such cost is not supported by adequate documentation; or c) a finding that the expenditure of funds for the intended purpose is unnecessary or unreasonable. Also, the amount of funds put to better use represents the amount of funds to be used more efficiently rather than amounts that may need to be eventually recovered.) A portion of this amount is also reflected in the $4.4 million reported by FDIC management in the 2001 SIAAC.

To what extent are improper payments in your agency the result of agency error, the need for improved oversight and monitoring, inadequate eligibility controls, fraud, or other causes? What is the amount of improper payments your agency has made in the last two fiscal years? If you do not know yet the nature and extent of your agency’s improper payments, what is your agency doing to find out?

The second component of internal control is "risk assessment," and the GAO guide suggests that agencies undertake this process to determine the nature and extent of the problem. The FDIC has responsive action in process for the risk assessment component. During our review, the FDIC determined the extent and cause of improper payments made to contractors. These improper payments primarily resulted from the need to improve contractor oversight. However, according to the Corporation, the amount, $4.4 million over a 22-month period, was not considered significant because it represented less than 1 percent of total contractor payments. In addition, the Corporation believes that the amount of such payments in other programs and operations is not significant due to the adequacy of internal control and the lack of significant amounts of improper payments identified in internal control reviews and audits conducted by the OIG and GAO.

We reviewed the FDIC’s risk assessments related to its disbursement processes. FDIC accountability unit managers prepare these assessments. As part of its mission to resolve failed institutions, the FDIC disburses funds to cover its obligation to insured depositors, and these disbursements can be substantial. For example, in 2001, the FDIC disbursed over $1 billion to resolve one failed institution. The FDIC recognizes the risks associated with these payments, and accountability unit managers document the risk assessment in their Management Control Plans (MCP). Concerning resolution disbursements, the MCP includes all the factors suggested by GAO’s Internal Control Management and Evaluation Tool (GAO-01-1008G, issued August 2001). (Note: GAO’s Internal Control Management and Evaluation Tool suggests that the following factors be included in a risk assessment: establishment of objectives, identification of risks, analysis of the risks identified, and management of risks (deciding what internal control activities are required to mitigate those risks).)

GAO’s Internal Control Management and Evaluation Tool also suggests that an agency consider any risks resulting from its interactions with other federal entities. The National Finance Center (NFC) is responsible for processing the FDIC’s payroll, the second largest area of disbursements for the FDIC. Since 1997, the NFC has received adverse or qualified opinions on its internal controls. The FDIC has evaluated the results of audits related to NFC’s internal control and has established additional control activities to mitigate the risks resulting from the processing of its payroll. These controls are discussed below in the control activities section of the report.

Also, the OIG has conducted billing reviews of FDIC contractors that resulted in questioned costs and funds put to better use totaling approximately $6.2 million. Due in part to such findings, the FDIC organized a Contract Oversight Management Committee consisting of management officials from each division that does major contracting at the FDIC and developed a project plan to improve contractor oversight. The project plan includes several action items that the Committee believes will help reduce the number of findings related to contractor oversight. The OIG is continuing to perform periodic audits of the oversight and monitoring function to ensure that process improvements are effective in mitigating the risks of improper payments.

In addition, other audits by the OIG and internal reviews by corporate management either did not identify improper payments or the amount identified was minimal. As mentioned earlier, the GAO conducted audits of the FDIC’s financial statements and management’s assertion on the effectiveness of internal control. These audits did not identify instances of improper payments.

Control Activities

What efforts are underway at your agency to design and implement a plan for significantly reducing the amount of and the potential for making improper payments?

According to the GAO guide, once an organization has identified its risks, management should design control activities to address the risks. Rather than developing a single plan related to improper payments, the FDIC is strengthening a variety of payment-related controls. The FDIC has responsive action in process for the control activities component of the model. For instance, in its 2001 SIAAC, the FDIC plans to report $4.4 million of improper payments due to improvements needed in contractor oversight. Although the Corporation does not consider this level to be significant, the FDIC has developed plans to strengthen contractor oversight controls. Specifically, the Contract Oversight Management Committee developed a project plan that defines solutions for improving contract oversight at the FDIC. While the plan does not specifically address improper payments, the actions taken should serve to further reduce the risk of improper payments within the FDIC’s programs and operations. The action plan includes the following key initiatives: (1) Host a best practices conference, (2) Restructure the contractor oversight training program, (3) Implement tools for contractor oversight manager training, (4) Review ethical issues in contracts, (5) Review contract structure, and (6) Automate contractor oversight. In addition to this project plan, the FDIC has implemented other payment controls, including oversight managers’ and contracting officers’ prepayment reviews, post payment reviews, and internal control reviews.

The FDIC has internal control activities to reduce the risk of improper payments in other areas and has taken action to implement additional activities to further reduce the risk of future improper payments. For example, in order to mitigate the risk of improper payments during the resolution of failed institutions, the FDIC established control activities such as separation of duties, authorization of the transaction by appropriate personnel, proper classification and prompt recording of transactions, and complete and accurate documentation of the transaction. These control activities were reviewed during the audits of the FDIC’s financial statements and were found to be effective. No improper payments or weaknesses were identified during the audits.

Also, as previously mentioned, the NFC is responsible for processing salary and benefit payments for FDIC employees. To address the NFC’s processing control weaknesses, the FDIC has taken several actions to mitigate the risk of improper payments resulting from the processing of its payroll. Initially, the FDIC established a task force to address the risks presented by the NFC. The task force identified existing control activities within the FDIC that mitigate the risks of errors occurring during payroll processing and also proposed new control activities. The new controls implemented by the FDIC include confirming gross payroll between the FDIC and the NFC and reconciling total employee counts and hours. In addition to these control activities, the FDIC established internal payroll reviews within each office or division and reviews differences between amounts submitted and amounts processed by the NFC. These controls are evaluated during the annual financial statement audit conducted by the GAO and were found to be effective and operating as intended.

In voluntary compliance with the Federal Financial Management Improvement Act (FFMIA) and the government-wide Joint Financial Management Improvement Program (JFMIP), the FDIC also initiated the New Financial Environment (NFE) project in calendar year 2000 to review FDIC business processes and recommend a financial environment that can best serve and support the FDIC in the future. The FDIC’s current financial system was implemented in 1986 and has been periodically upgraded to maintain and increase its functionality. The FDIC also has many other systems in its overall financial environment to perform activities that its main system does not perform. This arrangement requires many interfaces and reconciliations between the systems. The NFE project team has recommended an integrated system solution to further enhance the FDIC’s ability to meet current and future financial management and financial information needs. This integrated financial system should serve to decrease the FDIC’s potential for making improper payments and reduce the risk of other errors occurring in processing its financial data.

Information and Communications

How does this plan address security and privacy concerns related to information needed to carry out the plan? What is your assessment of your agency’s plans to address these issues, the goals it expects to achieve, and the timetable for completing these actions?

The FDIC has responsive actions in process regarding the information and communications internal control component. For instance, the Government Information Security Reform Act (GISRA) provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations. (Note: Under GISRA, the FDIC is required to provide the results of an annual review of its information security program and practices. To assist agencies in implementing this practice, OMB directed the agencies to address 14 questions. Also under GISRA, the OIG is responsible for evaluating the FDIC’s security program and practices; in doing so, the OIG responded to the same questions as the FDIC. The results of the OIG’s evaluation are reported in its report entitled Independent Evaluation of the FDIC’s Information Security Program Required by the Government Information Security Reform Act (Audit Report No. 01-022, dated September 20, 2001).) Office of Management and Budget Circular A-130, Appendix III, requires agencies to implement and maintain a program to ensure adequate security is provided for all information collected, processed, transmitted, stored, or disseminated through general support systems and major applications. The OIG noted in its GISRA report that the FDIC had established the management controls needed to provide reasonable assurance that its risk management program provided adequate security. However, the FDIC had only partially implemented these controls. Once these controls are fully implemented, we believe that the FDIC will have more reasonable assurance that it is effectively securing and protecting information from loss, misuse, unauthorized access, or modification. We will continue to monitor FDIC actions to ensure that its plan is effective at addressing the security and privacy concerns and that the plan is implemented in a timely manner. Our 2002 GISRA review will assess the FDIC’s progress in implementing information security controls.

Monitoring

How will your agency track and report on its progress? Does it, or will it, establish agency-specific goals or measures for reducing improper payments? Will your agency provide its estimates of improper payments in its annual financial statements or in some other transparent way?

The FDIC has responsive action in process for the monitoring component of internal control, which suggests that agencies track their improvements over time. Notwithstanding the fact that there is a low risk of improper payments in the FDIC’s programs and operations, OICM continues to ensure that the FDIC operates in an environment that is conducive to strong internal controls. In doing so, OICM conducts independent internal control reviews (ICRs) on issues of corporate significance to assess whether internal accounting and administrative control procedures or functions are operating as intended and are accomplishing the control objectives. OICM also administers the corporate audit and review tracking system – the Internal Risks Information System (IRIS). IRIS is used to monitor corrective actions taken on audit recommendations. OICM uses IRIS as a tool to help ensure that problems identified by audits and other reviews are resolved in a timely manner.

GAO also suggests that agencies establish specific goals and measures for reducing improper payments. In the SIAAC section of its annual Chief Financial Officers Act report, the FDIC plans to include performance goals and measures that specifically address reducing improper payments. The FDIC plans to report improper payments of less than one percent of payments made to contractors and will strive toward a zero percent goal. In addition, the FDIC’s 2001 Annual Performance Plan included a performance measure to enhance the FDIC’s contractor oversight program in accordance with the FDIC Contract Oversight Management Committee’s project plan. By accomplishing the action items in the project plan, the FDIC believes that it will ultimately further reduce its improper payments. Our review of the SIAAC will help ensure these actions are completed.

Additionally, the FDIC’s Division of Finance (DOF) monitors improper payments through its reviews of expense reports and comparisons of actual budget results with planned results associated with resource workloads. Details of a current year’s expenditures are compared to the prior year’s expenditures as well as the next year’s budget in order to determine the reasonableness and relationships between expense amounts. If significant variances are identified, these amounts are analyzed to determine whether the cause of such variance is appropriate. In addition, DOF produces an accounts payable suspect report to identify duplicate payments and suspicious amounts. This report is produced daily and is reviewed by accounts payable staff prior to checks being released.

SUMMARY

The FDIC will shortly complete its calendar year 2001 Chief Financial Officers Act report. Together with the agency evaluation required under GISRA, these activities will provide a means to measure progress in strengthening controls and reducing vulnerability to improper payments. The OIG has initiated a contract audit program that will include examination of contractor billings and that provides regular coverage of disbursements related to receiverships. Together with the annual financial statement audits by GAO, the corporate internal control program, and senior level commitment to a sound internal control structure, the FDIC is on track to having an effective strategy to manage improper payments.

CORPORATION COMMENTS AND OIG EVALUATION

Our report does not include recommendations for corrective actions. However, we provided our draft report to the Director of DOF and the Director of the Division of Administration. These divisions responded that they had no comments.

Objective

The objective of the review was to assess the FDIC’s strategy for managing improper payments. Specifically, we determined whether the Corporation has assessed the risk of improper payments; the extent to which the Corporation has considered the benefits of implementing strategies to reduce improper payments; and the effectiveness of internal control activities within the Corporation related to improper payments, including the establishment of appropriate goals and measures.

Scope and Methodology

To accomplish our objective, we interviewed key representatives from selected divisions and offices who were in positions to establish policy or those responsible for identifying and taking actions to reduce improper payments. The divisions included the Divisions of Administration (DOA), Finance (DOF), Resolutions and Receiverships (DRR), Information Resources Management (DIRM), Legal Division, and the Office of Internal Control Management (OICM). We did not conduct evaluations in offices or divisions that had a minimal impact on the payments process.

In conducting our review, we obtained the 96 management control plans (MCPs) and reviewed the reasonableness of the risk assessments prepared by the FDIC’s accountability unit managers for calendar year 2001. We focused particularly on those units that had the greatest impact on improper payments, such as contract oversight management, contract administration, and disbursements. We also reviewed the FDIC’s 2001 Annual Performance Plan to determine whether the FDIC had established performance goals and measures related to improper payments.

Our evaluation included a review of relevant FDIC policies and procedures; the U.S. General Accounting Office’s (GAO’s) Executive Guide: Strategies to Manage Improper Payments (GAO-02-69G), issued October 2001; GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), issued November 1999; and other OIG and GAO audit reports and internal control management tools related to improper payments and disbursement controls.

Our work was designed to address questions posed by the Chairman and Ranking Minority Member, Committee on Governmental Affairs, United States Senate. We examined management control designed to prevent improper payments and reviewed MCPs and the FDIC performance plan. We also relied on earlier work, including the work performed by the GAO during its financial statement audits, on which we assisted. The review was conducted from the period August 2001 through May 2002 in accordance with generally accepted government auditing standards.