Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: March 27, 2003

TO: Fred S. Selby, Director, Division of Finance; Mitchell L. Glassman, Director, Division of Resolutions and Receiverships; and Arleas Upton Kea, Director, Division of Administration

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Internal Control Over Receivership Receipts (Audit Report Number 03-024)

This report presents the results of our audit of the Federal Deposit Insurance Corporation’s (FDIC) internal control over receivership receipts. The objective of the audit was to determine whether the FDIC has effectively implemented selected internal controls to safeguard recoveries from the liquidation of failed insured depository institution assets. (Note: Insured depository institutions include banks and savings institutions.) Our work was conducted to assist the U.S. General Accounting Office (GAO) with its audit of the Bank Insurance Fund (BIF), Savings Association Insurance Fund (SAIF), and Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund (FRF) financial statements for the years ended December 31, 2002 and 2001. (Note: The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) created the BIF, SAIF, and FRF. The BIF and SAIF are insurance funds responsible for protecting insured bank and thrift depositors from loss due to institution failures. The FRF is a resolution fund from which funds are used to wind up the affairs of the former Federal Savings and Loan Insurance Corporation and liquidate the assets and liabilities transferred from the former Resolution Trust Corporation.) Additional details on the audit objective, scope, and methodology, including the specific controls tested, are included in Appendix I.

A receivership is a temporary entity that is established when the primary federal or state regulatory authority closes an insured depository institution and appoints the FDIC as receiver to manage the business affairs of the failed institution. The receivership receipts process encompasses those activities associated with receiving and controlling monetary items from all sources until they are deposited in the correct account or forwarded to the proper recipient. This process also includes preparing journal entries to record receipts and related transactions in the FDIC Financial Information Management System (FIMS). Policies and procedures applicable to the receipt process are described in the FDIC’s Field Financial Operations (FFO) Accounting Manual.

The FDIC’s Division of Resolutions and Receiverships (DRR), Field Operations Group, Accounting Operations (AO), located in Dallas, Texas, has overall responsibility for processing and accounting for all receivership receipts. The majority of the receipts received are wired and deposited directly into the receiverships’ bank depository account. The remaining receipts are generally sent either to the FDIC mailroom or to a lockbox maintained by Bank One. (Note: The lockbox in this instance is a unique United States Postal Service address used specifically to identify customer remittances.) An outside contractor provides mailroom services at the FDIC Dallas, Texas location. The mailroom is responsible for opening the mail, identifying which envelopes contain check receipts, recording the checks received, and forwarding the checks to AO for further processing. The FDIC also contracted with Bank One for lockbox services. Bank One is required to collect, open, and process all receipts received through the lockbox and deposit them directly into the receiverships’ bank depository account.

AO processes receipts for the BIF, the SAIF, and the FRF. These receipts generally consist of loan payments from debtors of failed financial institutions. The group also processes receipts for prior Resolution Trust Corporation receiverships, and these receipts generally consist of remittances for loan payments from contracted asset servicers. (Note: The RTC existed from August 1989 through December 1995 and was established by Congress as a temporary federal agency to clean up the savings and loan crisis after the Federal Savings and Loan Insurance Corporation was abolished. An asset servicer is a contractor acting on behalf of the FDIC in the administration and servicing of assets, such as loans. The servicer’s functions include collecting and recording payments from borrowers; negotiating, compromising, and restructuring loans; and reporting to the FDIC.) During the period January 1, 2002 through December 31, 2002, the FDIC recorded over $3.6 billion in receivership receipts transactions.

The FDIC effectively implemented the selected internal controls to safeguard recoveries from the liquidation of failed insured depository institution assets. We identified the following controls that were in place and operating:

• The FDIC receives image copies of checks deposited through the lockbox and also receives a confirmation of funds wired to the receiverships’ bank account.
  
  
• Control totals are established for checks received in the FDIC mailroom, the lockbox, and wires received. (Note: A control total can include an individual listing of the receipts and the total dollar amount of the receipts.)
  
  
• The total checks deposited, wires received, items placed on hold, and checks released to third parties are reconciled to the total receipts processed in the FDIC’s receipts processing system. The total receipts processed are further reconciled to the FDIC’s FIMS general ledger. (Note: A general ledger is a collection of all asset, liability, equity, revenue, and expense accounts.)
  
  
• The bank statements are reconciled to the FDIC general ledger within 30 calendar days of the period covered by the bank statement.
  
  
• FDIC management reviews aging reports to identify receipts that have not been applied to the proper account. (Note: Aging reports identify the elapsed time that an item has been held in suspense and not charged to an appropriate asset or income account.)
  
  
• Journal entries are reviewed and approved to record and apply receipts received.

However, we noted the following deficiencies in controls related to receivership receipts processing.

• Contractor mailroom employees did not follow FFO Accounting Manual procedures that require opening mail under dual control. Dual control in this instance means that two employees open and record mail receipts. Dual control provides reasonable assurance that checks received are handled appropriately to prevent unauthorized access and use.
  
  
• The mailroom employees did not promptly establish a record of receipts in accordance with the FFO Accounting Manual. The contractor personnel held receipts overnight before recording them, rather than promptly recording and processing them as required by the manual. Prompt recording of receipts prevents loss of accountability due to error or fraud.
  
  
• The AO group responsible for the cashiering function processes receipts in an unrestricted area. All FDIC employees as well as contractor employees have access to the area where receipts are processed. (Note: The cashier function is responsible for assuming and retaining control of monetary items from the time of receipt until proper disposition. This process also includes controlling monetary payments that cannot be deposited due to restrictive endorsements, cannot be identified to a liquidation, or belong to a non-FDIC entity.) The FFO Accounting Manual requires that access to the area be limited to personnel designated by Division of Finance (DOF) management and that cipher locks and fireproof file cabinets be utilized to protect receipts.
  
  
• AO did not perform an annual site visit in calendar year 2002 to observe the operations of the contractor performing lockbox services for the FDIC. Such observations are important to ensuring that internal control is operating as intended. The FDIC represented that site visits of lockbox operations were performed in prior years, but DRR did not observe the operations for calendar year 2002.
  
  
• The FDIC FFO Accounting Manual has not been updated to reflect the current organization structure and responsibilities resulting from the reorganization of DOF and DRR. An up-to- date manual helps ensure that receipts are handled in accordance with established policies and procedures.

We provided the results of our audit, including the deficiencies, to the GAO for its consideration in evaluating the Corporation’s internal control over financial reporting and compliance with laws and regulations. Accordingly, we are not making recommendations to address the deficiencies, and the GAO will determine whether they are either individually or in the aggregate material weaknesses or reportable conditions that warrant further reporting in the reports on the FDIC’s financial statements. (Note: The American Institute of Certified Public Accountants standards define a material weakness as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. A reportable condition is a matter coming to the auditor’s attention that in his (or her) judgment, should be communicated to the audit committee because the matter represents significant deficiencies in the design or operation of the internal control that could adversely affect the FDIC’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.)

Our report does not include recommendations for corrective actions. However, we provided our draft report to the Director, Division of Finance, Director, Division of Resolutions and Receiverships, and the Director, Division of Administration. The Division of Finance and the Division of Resolutions and Receiverships responded that they had no comments.

On March 24, 2003, the Division of Administration responded via email that it would not be providing a formal written response to the draft report since the report contains no findings or recommendations. The Division of Administration further stated that two internal control concerns were presented to DOA by the OIG as "Matters for Further Consideration (MFC)" in an email dated February 5, 2003. (Note: The Matters for Further Consideration form is used to document the request for further information from the FDIC regarding discrepancies and potential internal control weaknesses found during the audit.) As stated in DOA’s response to the MFC, DOA staff members in Dallas have taken necessary corrective actions to address the issues at hand. Specifically, according to DOA, the corrective actions already taken are as follows:

• Upon implementation of the mailroom contract, dual control procedures were discussed with the contractors by the FDIC employees. In January 2003, the FDIC Oversight Manager met with the contractor’s Project Manager and alternate, instructing them thoroughly on the dual control process. The importance of each step in the dual control process was emphasized to all contract employees. Additionally, the Oversight Manager has been instructed to spend time each day in the mailroom overseeing the dual control process and to prepare a report on the result of his observations. Frequent oversight by the Oversight Manager and Technical Monitors will ensure the dual control process is strictly adhered to.
  
  
• The contractor has been instructed on procedures for logging cash items/receipts immediately upon receipt. All receipts are now entered onto a log and copied immediately, within dual control guidelines. If the cut-off time for DOF processing has elapsed, the recorded items are placed in a safe until the next morning.

While the corrective actions taken by DOA address several of the deficiencies noted in our report, we did not review them as part of our audit and cannot conclude on their effectiveness.

The objective of the audit was to determine whether the FDIC has implemented effective internal control to safeguard recoveries from the liquidation of failed insured depository institution assets. Our work was not intended to express, and we do not express, opinions on the fair presentation of the balances for corporate receivables for 2002 or 2001, or related internal control over financial reporting and compliance with laws and regulations. Such opinions, if expressed, are the responsibility of the GAO as the principal auditor for the FDIC’s corporate financial statements.

To achieve our objective, we followed the process outlined in the GAO/President’s Council on Integrity and Efficiency Financial Audit Manual. Specifically, we:

• Observed the mailroom processing procedures in Dallas, Texas. The OIG auditor was accompanied by an employee of the outside contractor and FDIC management during the observation.
  
  
• Made inquiries to DRR and DOA personnel regarding the processing of receivership receipts.
  
  
• Verified that receipts charged to cash suspense were monitored by FDIC management. (Note: Cash suspense is a general ledger account used to record and accommodate timing differences between the receipt of cash collections and their posting to the appropriate asset or income accounts.)
  
  
• Conducted tests to determine whether the FDIC was reconciling the bank statements for the depository bank accounts to the FIMS general ledger.
  
  
• Selected and evaluated a statistical attribute sample of 45 receivership receipts transactions recorded in FIMS during the period of January 1, 2002 through December 31, 2002. (Note: An attribute sample is a sample designed to determine what percentage or proportion of a population has the characteristic an auditor is interested in.) Transactions between the FDIC and receiverships were excluded from the sample.

We relied on computer processed data to complete our audit; therefore, we tested the reliability of data by comparing the data in FIMS to source documentation. We found no instances of non-compliance with significant provisions of applicable laws and regulations as they relate to the processing of receivership receipts. The applicable laws identified were: the FDI Act Sections 11(a) (4) (A) and 11A(a)(1), codified to 12 U.S.C. sections 1821 and 1821a, which require the FDIC to separately maintain and not commingle the BIF, SAIF, and FRF. There are no performance measures with which the FDIC must comply regarding the processing of receivership receipts. Therefore, we did not perform testing related to performance objectives. We performed fieldwork at the FDIC's Regional Office in Dallas, Texas. We conducted the audit from November 2002 through February 2003 in accordance with generally accepted government auditing standards.