Financial Audit: Federal Deposit Insurance Corporation's Internal
Controls as of December 31, 1992 (Chapter Report, 02/04/94,
GAO/AIMD-94-35).
GAO discovered weaknesses in the Federal Deposit Insurance Corporation's
(FDIC) internal controls designed to (1) ensure consistent oversight of
contractors hired to service and liquidate failed bank assets, (2)
prevent or detect data errors in FDIC's asset management information
system and reconcile that asset information with FDIC's general ledger
system, and (3) promptly complete reconciliations of the loan system of
FDIC's main servicer of commercial and residential loans with the
agency's own systems. These weaknesses undermined FDIC's ability to
manage, liquidate, and report on the large volume of assets acquired
from failed financial institutions. These weaknesses also affected
FDIC's ability to accurately report transactions associated with the
Bank Insurance Fund's and the FSLIC Resolution Fund's resolution and
liquidation activities and increased the risk of misappropriation of
assets, possibly adding to the losses on receivership assets being
incurred by the funds. GAO also found that FDIC's controls over its
time and attendance reporting did not ensure that employees adhered to
agency policies and procedures, increasing the risk of inappropriate
payroll expenditures.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-94-35
TITLE: Financial Audit: Federal Deposit Insurance Corporation's
Internal Controls as of December 31, 1992
DATE: 02/04/94
SUBJECT: Internal controls
Accounting procedures
Financial statement audits
Savings and loan associations
Corporate audits
Reporting requirements
Financial records
Funds management
Federal agency accounting systems
Federal corporations
IDENTIFIER: Bank Insurance Fund
FDIC Financial Information System
FSLIC Resolution Fund
FDIC Liquidation Asset Management Information System
Savings Association Insurance Fund
BIF
SAIF
**************************************************************************
* This file contains an ASCII representation of the text of a GAO *
* report. Delineations within the text indicating chapter titles, *
* headings, and bullets are preserved. Major divisions and subdivisions *
* of the text, such as Chapters, Sections, and Appendixes, are *
* identified by double and single lines. The numbers on the right end *
* of these lines indicate the position of each of the subsections in the *
* document outline. These numbers do NOT correspond with the page *
* numbers of the printed product. *
* *
* No attempt has been made to display graphic images, although figure *
* captions are reproduced. Tables are included, but may not resemble *
* those in the printed version. *
* *
* A printed copy of this report may be obtained from the GAO Document *
* Distribution Facility by calling (202) 512-6000, by faxing your *
* request to (301) 258-4066, or by writing to P.O. Box 6015, *
* Gaithersburg, MD 20884-6015. We are unable to accept electronic orders *
* for printed documents at this time. *
**************************************************************************
Cover
================================================================ COVER
Report to the Acting Chairman
Federal Deposit Insurance Corporation
February 1994
FINANCIAL AUDIT - FEDERAL DEPOSIT
INSURANCE CORPORATION'S INTERNAL
CONTROLS AS OF DECEMBER 31, 1992
GAO/AIMD-94-35
FDIC Internal Controls
Abbreviations
=============================================================== ABBREV
ACF2 - access control software package
BIF - Bank Insurance Fund
BLP - bypass label processing
COMB - Contractor Oversight and Monitoring Branch
DAS - Division of Depositor and Asset Services
DOF - Division of Finance
EDP - electronic data processing
FDIC - Federal Deposit Insurance Corporation
FDICIA - Federal Deposit Insurance Corporation Improvement Act of
1991
FICO - Financing Corporation
FIRREA - Financial Institutions Reform, Recovery, and Enforcement
Act of 1989
FIS - Financial Information System
FRF - FSLIC Resolution Fund
FSLIC - Federal Savings and Loan Insurance Corporation
GCR - gross cash recovery
LAMIS - Liquidation Asset Management Information System
OREO - other real estate owned
RTC - Resolution Trust Corporation
SAIF - Savings Association Insurance Fund
Letter
=============================================================== LETTER
B-253861
February 4, 1994
Mr. Andrew C. Hove, Jr.
Acting Chairman, Board of Directors,
Federal Deposit Insurance Corporation
Dear Mr. Hove:
This report presents the detailed results of our review of the
Federal Deposit Insurance Corporation's (FDIC) system of internal
accounting controls as of December 31, 1992. Our review was
performed as part of our audits of the calendar year 1992 financial
statements of the Bank Insurance Fund, the Savings Association
Insurance Fund, and the Federal Savings and Loan Insurance
Corporation Resolution Fund, for which FDIC, as administrator of the
three funds, has responsibility. Our opinions on the financial
statements of the three funds and on FDIC's system of internal
accounting controls as of December 31, 1992, and our assessment of
FDIC's compliance with laws and regulations during calendar year 1992
were presented in a separate report issued on June 30, 1993. We
conducted our work pursuant to the provisions of section 17(d) of the
Federal Deposit Insurance Act, as amended (12 U.S.C. 1827 (d)).
This report contains recommendations to you. We would appreciate
receiving your written statement on actions taken on these
recommendations within 60 days of the date of this letter.
We are sending copies of this report to the Chairman of the Board of
Governors of the Federal Reserve System; the Comptroller of the
Currency; the Acting Director of the Office of Thrift Supervision;
the Chairmen and Ranking Minority Members of the Senate Committee on
Banking, Housing and Urban Affairs and the House Committee on
Banking, Finance and Urban Affairs; the Secretary of the Treasury;
the Director of the Office of Management and Budget; and other
interested parties.
Please call me at (202) 512-9406 if you or your staff have any
questions concerning the report. Other major contributors to this
report are listed in appendix II.
Sincerely yours,
Robert W. Gramling
Director, Corporate Financial Audits
EXECUTIVE SUMMARY
============================================================ Chapter 0
PURPOSE
---------------------------------------------------------- Chapter 0:1
This report presents findings from our review of the Federal Deposit
Insurance Corporation's (FDIC) system of internal accounting
controls, which we conducted as part of our audits of the 1992
financial statements of the Bank Insurance Fund (BIF), the Savings
Association Insurance Fund (SAIF), and the Federal Savings and Loan
Insurance Corporation (FSLIC) Resolution Fund (FRF).\1 The purpose of
our review was to assess the effectiveness of FDIC's system of
internal accounting controls as of year-end 1992 in providing
reasonable assurance that the assets of the three funds were
safeguarded against loss from unauthorized use or disposition; that
transactions related to the three funds were executed in accordance
with FDIC management's authority and in accordance with applicable
laws and regulations; and that transactions were properly recorded,
processed, and summarized to permit the preparation of the financial
statements of the three funds in accordance with generally accepted
accounting principles and to maintain accountability for the assets
of the three funds.
--------------------
\1 Financial Audit: Federal Deposit Insurance Corporation's 1992 and
1991 Financial Statements (GAO/AIMD-93-5, June 30, 1993).
BACKGROUND
---------------------------------------------------------- Chapter 0:2
FDIC was established by the Banking Act of 1933 to provide deposit
insurance to protect bank depositors. The act authorized FDIC to
promulgate and enforce rules and regulations relating to the
supervision of insured banks and to perform regulatory duties
consistent with its responsibilities as insurer. In response to the
rising number and cost of thrift failures in the 1980s and the
resulting insolvency of FSLIC, the former federal insurer of thrift
deposits, the Congress enacted the Financial Institutions Reform,
Recovery, and Enforcement Act of 1989 (FIRREA). The act abolished
FSLIC and designated FDIC sole federal insurer of all banks and
savings associations. FIRREA also created three funds--BIF, SAIF,
and FRF--to be administered by FDIC.
When a BIF-insured institution fails and is closed by its chartering
authority, FDIC is usually appointed receiver. In its receivership
capacity, FDIC may acquire some or all of the assets of the failed
institution and attempt to dispose of these assets to cover the cost
of paying insured depositors and other obligations of the failed
institution. Assets acquired on behalf of BIF through resolution
activity are managed and liquidated by both FDIC personnel and by
servicing entities under contract with FDIC. Failed thrift assets
that FRF acquired from FSLIC are also managed and liquidated in this
manner.
FIRREA requires FDIC to account separately for the three funds under
its control and to allocate personnel, administrative, and other
overhead expenses among BIF, SAIF, and FRF. FDIC allocates a
majority of these expenses based upon the percentage of time
employees report having worked on activities related to each fund, as
reflected in their time and attendance reports.
RESULTS IN BRIEF
---------------------------------------------------------- Chapter 0:3
GAO found weaknesses in FDIC's internal controls over (1) ensuring
consistent oversight of contractors engaged to service and liquidate
significant pools of receivership assets associated with failed
banks, (2) preventing or detecting errors in the data maintained in
FDIC's asset management information system and in ensuring that asset
information in the system reconciled with its general ledger system,
and (3) the timely completion of reconciliations between the loan
system of FDIC's primary servicer for performing commercial and
residential loans and FDIC's asset management information and general
ledger systems. These weaknesses adversely affected FDIC's ability
to manage, liquidate, and report on the large volume of assets
acquired from failed financial institutions.
These weaknesses also affected FDIC's ability to accurately report
transactions associated with BIF's and FRF's resolution and
liquidation activity, and increased the risk of misappropriation of
assets, possibly adding to the losses on receivership assets being
incurred by the funds. This is of particular concern because FDIC is
scheduled to assume responsibility for managing and disposing of the
receivership assets currently under the control of the Resolution
Trust Corporation (RTC) when RTC terminates its asset disposition
operations on December 31, 1995. Unless FDIC acts to correct these
internal control weaknesses, its ability to effectively manage and
liquidate the additional assets will be hindered.
GAO also found that FDIC's controls over its time and attendance
reporting were not effective in ensuring that personnel adhered to
the policies and procedures governing this activity. The weaknesses
in FDIC's time and attendance processing controls increased the risk
of inappropriate payroll expenditures. In addition, these weaknesses
exposed SAIF to significant misallocations of payroll and other
overhead expenses, further decreasing its available resources at a
time when the fund is not well-capitalized.
PRINCIPAL FINDINGS
---------------------------------------------------------- Chapter 0:4
WEAKNESSES IN ASSET SERVICER
OVERSIGHT EXPOSED BIF TO
LOSSES AND ERRORS IN
RECOVERY ESTIMATES
-------------------------------------------------------- Chapter 0:4.1
GAO found that (1) asset balances reported by servicers were not
always promptly or completely reconciled to related balances recorded
in FDIC's financial information system, (2) FDIC did not have
sufficient controls to ensure that servicers prepared complete and
accurate estimates of recoveries on receivership assets and that the
methodology used by servicers to estimate recoveries was consistent
with the methodology used by FDIC personnel on assets managed
internally, and (3) asset servicer internal audits, which FDIC relied
on, were not consistently conducted to ensure coverage of critical
areas of servicer operations, and significant findings from internal
audits of servicer pool operations were not always communicated to
the servicer's oversight committee in a timely manner.
These weaknesses hindered FDIC's ability to effectively safeguard
receivership assets and exposed BIF to errors in the process used by
FDIC to determine the Fund's estimated losses on bank resolution
activity.
WEAK CONTROLS OVER FDIC'S
ASSET MANAGEMENT INFORMATION
SYSTEM AFFECTED DATA
INTEGRITY
-------------------------------------------------------- Chapter 0:4.2
Controls to ensure the integrity of data in FDIC's asset management
information system were not working effectively throughout 1992. The
lack of consistent maintenance and updating of data files within the
system resulted in errors in system-generated information on
estimated recoveries and related data on the condition of assets
acquired from failed financial institutions and managed internally
for BIF and FRF by FDIC personnel. Significant differences in
receivership asset book values existed during 1992 between FDIC's
receivership general ledger control accounts and the subsidiary
records maintained on the asset management information system for
both BIF and FRF. These weaknesses affected the reliability of
system-generated information on asset recoveries, and could result in
future misstatements to both BIF's and FRF's financial statements.
These weaknesses also reduced FDIC's ability to adequately safeguard
receivership assets and could result in additional losses to BIF and
FRF.
LACK OF RECONCILIATIONS
EXPOSED FUNDS TO POTENTIAL
LOSSES AND REPORTING ERRORS
-------------------------------------------------------- Chapter 0:4.3
FDIC experienced significant delays during 1992 in reconciling
receivership asset balances between its financial information and
asset management information systems and the records of its primary
servicer of performing commercial and residential loans acquired from
failed financial institutions. As of March 1993, reconciliations of
receivership asset book values through November 1992 had not been
performed for approximately half of the $2.8 billion in assets
managed by this servicer. The lack of complete and up-to-date
monthly reconciliations between the servicer's and FDIC's records
weakened FDIC's ability to adequately safeguard these assets, and
exposed both BIF and FRF to additional losses and errors in financial
reporting.
WEAKNESSES IN TIME AND
ATTENDANCE PROCESSES COULD
AFFECT EXPENSE ALLOCATIONS
AMONG FUNDS
-------------------------------------------------------- Chapter 0:4.4
FDIC did not consistently adhere to its time and attendance reporting
policies and procedures in 1992. Also, certain responsibilities
within the time and attendance reporting process were not segregated
to provide additional assurance that errors or irregularities would
be detected and corrected in a timely manner. Further, given the
significance of employee and overhead costs required to administer
and manage the assets of the three funds, and the fact that these
expenses are material to SAIF, the improper allocation of employee
time and associated costs to SAIF could result in material
misstatements in SAIF's financial statements and could
inappropriately decrease the fund's limited resources.
OTHER WEAKNESSES INHIBITED
THE EFFECTIVENESS OF FDIC'S
INTERNAL CONTROLS
-------------------------------------------------------- Chapter 0:4.5
GAO identified other weaknesses in FDIC's internal controls which
affected its ability to ensure that internal control objectives were
achieved. These weaknesses included (1) lack of safeguards to
protect data files, computer programs, and computer hardware from
unauthorized access and modification, (2) ineffective controls to
ensure adequate safeguards over collections from the servicing and
liquidation of failed institution assets and proper recording of
these collections, and (3) ineffective controls to ensure that (a)
assessment income due SAIF was properly recorded in the fund's
financial records, (b) all exit fee income was recorded in SAIF's
financial records when financial institutions changed their insurance
coverage from SAIF to BIF, and (c) adjustments to the financial
statements of the three funds were properly authorized.
RECOMMENDATIONS
---------------------------------------------------------- Chapter 0:5
GAO is making a number of recommendations to FDIC to improve internal
controls over the (1) oversight of contracted asset servicing
entities, (2) integrity of data in FDIC's asset management
information system, (3) reconciliation process between FDIC and its
principal performing loan servicer, (4) information systems access,
(5) accounting for receivership collections, (6) recording of
assessment and exit fee income, and (7) adjustments to the three
funds' financial statements.
AGENCY COMMENTS
---------------------------------------------------------- Chapter 0:6
FDIC acknowledged that improvements are needed in its system of
internal controls relating to the liquidation of receivership assets
by outside servicing entities and stated that it was taking or
intended to take action to address many of these weaknesses. FDIC
has already taken actions designed to address weaknesses GAO
identified in its time and attendance processing controls.
FDIC also acknowledged that improvements are needed to enhance the
accuracy of data maintained in its asset management information
system, but stated that GAO had not demonstrated that the weaknesses
it identified have either resulted or could result in errors in
estimates of asset recoveries that are considered material to BIF's
and FRF's financial statements. FDIC also disagreed that delays in
completing reconciliations between its financial and asset management
information systems and the systems of its primary servicer of
performing commercial and residential loans exposed BIF and FRF to
additional losses. In several other cases, FDIC disagreed that
weaknesses existed or disagreed with GAO's assessment of the
significance of weaknesses.
GAO believes that the examples of inadequate support for estimates of
asset recoveries found in its review clearly demonstrate the
potential for material misstatements to BIF's and FRF's financial
statements. GAO also believes that current, routine reconciliations
between control accounts and subsidiary records, particularly when
the records reside with a servicing entity, are critical to ensuring
the integrity of reported information and the safeguarding of assets.
In addition, GAO believes that its review confirms the existence of
other internal control weaknesses which, if not corrected, will
continue to hinder FDIC's ability to ensure accurate financial
reporting and proper safeguarding of assets.
FDIC's comments are discussed and evaluated in chapters 2 and 3 and
are included in appendix I.
INTRODUCTION
============================================================ Chapter 1
As part of our audits\1 of the 1992 financial statements of the Bank
Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF),
and the Federal Savings and Loan Insurance Corporation (FSLIC)
Resolution Fund (FRF), we conducted an evaluation of the Federal
Deposit Insurance Corporation's (FDIC) internal accounting controls.
The purpose of this report is to present the results of this review,
along with recommendations to address weaknesses we identified in
FDIC's system of internal accounting controls.
--------------------
\1 Financial Audit: Federal Deposit Insurance Corporation's 1992 and
1991 Financial Statements (GAO/AIMD-93-5, June 30, 1993).
BACKGROUND
---------------------------------------------------------- Chapter 1:1
FDIC was established by the Banking Act of 1933 to provide deposit
insurance to protect bank depositors. The act authorized FDIC to
promulgate and enforce rules and regulations relating to the
supervision of insured banks and to perform regulatory duties
consistent with its responsibilities as insurer. In response to the
rising number and cost of thrift failures in the 1980s and the
resulting insolvency of FSLIC, the former federal insurer of thrift
deposits, the Congress enacted the Financial Institutions Reform,
Recovery, and Enforcement Act of 1989 (FIRREA). FIRREA abolished
FSLIC and designated FDIC sole federal insurer of all banks and
savings associations. FIRREA created (1) BIF, which insures deposits
of all BIF-insured commercial and savings banks, (2) SAIF, which
insures deposits of all SAIF-member institutions (principally
thrifts),\2 and (3) FRF, which is responsible for liquidating assets
and satisfying obligations associated with certain FSLIC resolution
actions. The act also designated FDIC the administrator of the three
funds.
FIRREA requires FDIC to account separately for the three funds under
its control and to allocate personnel, administrative, and other
overhead expenses among BIF, SAIF, and FRF. FDIC allocates a
majority of these expenses based upon the percentage of time
employees report having worked on activities related to each fund, as
reflected in their time and attendance reports. Consequently, the
controls designed to ensure the accuracy of these reports play a
major role in ensuring that such expenses are properly allocated.
--------------------
\2 FIRREA also established the Resolution Trust Corporation (RTC) to
resolve thrifts whose deposits had been insured by FSLIC and that
were placed into conservatorship or receivership from January 1,
1989, through August 8, 1992. The Resolution Trust Corporation
Refinancing, Restructuring, and Improvement Act of 1991 (Public Law
102-233, enacted on December 12, 1991) extended RTC's resolution
authority to thrifts placed into conservatorship or receivership
through September 30, 1993. More recently, the Resolution Trust
Corporation Completion Act (Public Law 103-204, enacted on December
17, 1993) further extended RTC's resolution authority to thrifts
placed into conservatorship or receivership through such date as is
determined by the Chairperson of the Thrift Depositor Protection
Oversight Board, but no earlier than January 1, 1995, and no later
than July 1, 1995. However, any thrift requiring resolution after
the expiration of RTC's resolution authority which had previously
been under RTC conservatorship or receivership may be transferred
back to RTC for resolution. Through the expiration of RTC's
resolution authority, SAIF is responsible for the resolution costs of
any federally insured thrift that was not previously insured by
FSLIC. Additionally, pursuant to section 5(d)(3) of the Federal
Deposit Insurance Act, banks can acquire deposits of thrift
institutions without changing insurance coverage for these acquired
deposits.
FDIC'S ASSET MANAGEMENT
PROCESS
-------------------------------------------------------- Chapter 1:1.1
When a federally insured depository institution is closed by its
chartering authority, FDIC is usually appointed receiver. FDIC
establishes a receivership for the failed institution and advances
the receivership funds to cover insured depositors and other
obligations of the failed institution. These advances become a
claim, or receivable, which FDIC has against the receivership's
assets. FDIC records the amounts advanced to receiverships as
receivables from bank resolutions for BIF and as receivables from
thrift resolutions (initiated by the now-defunct FSLIC) for FRF.
Amounts disbursed by FDIC to terminate receiverships, acquire
receivership assets, or purchase covered assets are recorded as
investments in corporate-owned assets for both funds. At December
31, 1992, BIF's and FRF's financial statements included $52.8 billion
and $14.5 billion, respectively, in receivables from resolutions and
investments in corporate-owned assets.
Funds used to repay amounts advanced are generated from FDIC's
management and liquidation of BIF's and FRF's inventories of failed
institution assets. Because the management and disposition of these
assets normally will not generate amounts equal to the advances to
resolve failed institutions or the book values of the corporate-owned
assets in BIF's and FRF's inventories of failed institution assets,
FDIC establishes an allowance for losses against the receivables and
corporate-owned assets. The allowance for losses, which equaled
$23.8 billion and $12.9 billion for BIF and FRF, respectively, at
December 31, 1992, represents the difference between amounts advanced
and the expected repayment, net of all estimated liquidation costs.
The expected repayment is based primarily on the estimated recovery
values of BIF's and FRF's inventories of failed institution assets.
FRF's inventory of failed institution assets has declined since the
Fund's creation in 1989. At December 31, 1989, FRF held failed
institution assets with a book value of $10.4 billion. At December
31, 1992, the book value of FRF's inventory of failed institution
assets had declined to $5.2 billion. In contrast, BIF's inventory of
failed bank assets has increased significantly in recent years as a
result of the high level of bank failures that have occurred since
the late 1980s. At December 31, 1989, BIF held assets from failed
banks with a book value of about $11.5 billion. By December 31,
1992, the book value of BIF's failed bank asset inventory had
increased to about $38.1 billion.
FDIC has traditionally managed and liquidated assets acquired from
resolution activity through the use of permanent and temporary
personnel in its Division of Depositor and Asset Services (DAS).\3
DAS uses the Liquidation Asset Management Information System (LAMIS)
to assist in managing the assets of failed institutions that are
primarily serviced internally by DAS personnel.\4 LAMIS serves as a
subsidiary system of BIF's and FRF's general ledger, which is
maintained by FDIC's Financial Information System (FIS). LAMIS
controls, accounts for, and reports upon the acquisition, management,
and ultimate disposition of assets acquired through resolution
activity. LAMIS also contains the estimates of recoveries
anticipated from the management and disposition of assets maintained
on the system. These estimates of recovery values, known as gross
cash recovery values, are used by FDIC's Division of Finance (DOF) in
developing the allowance for losses on BIF's and FRF's receivables
from resolution activity and investments in corporate-owned assets.
With the number and size of bank failures increasing in the latter
half of the 1980s and early 1990s, FDIC began contracting with
private-sector entities to service large pools of receivership and
corporate-owned assets from failed banks resolved by BIF. By
December 1992, FDIC had contracted with 10 outside servicing entities
to manage and dispose of the assets of 10 asset pools from various
failed banks. Seven of the pools are composed of assets from 26
receiverships, and their book value, as reflected in FIS, totaled
$11.6 billion, or approximately 30 percent of the total book value of
BIF's entire failed bank asset inventory at December 31, 1992. The
seven pools are referred to as "on-book" serviced asset pools. The
remaining three pools were purchased by the servicing entity with the
option to sell the assets back to FDIC at the end of their 5-year
servicing term. These three pools are referred to as "off-book"
serviced asset pools.
For both the on-book and off-book serviced asset pools, FDIC
reimburses the servicers for the costs of managing and liquidating
the pool assets and pays the servicers an incentive fee as defined
under each servicing agreement. For this purpose, FDIC provides
oversight to both the on-book and off-book serviced asset pools.
Proceeds from the management and disposition of the on-book assets
will be used to repay approximately $11.8 billion in amounts BIF
advanced to the 26 receiverships to satisfy insured depositors' and
other creditors' claims, and amounts paid by BIF to purchase assets
of failed institutions. Estimates of recoveries on the assets in the
on-book asset pools, like those developed for assets managed
internally and maintained on LAMIS, are a component used in
developing BIF's allowance for losses from resolution activity and
investments in corporate-owned assets.
DAS's Contractor Oversight and Monitoring Branch (COMB) is
responsible for overseeing the asset servicing agreements FDIC
established with the servicing entities. Specifically, COMB is
responsible for approving servicers' annual business plans,
operations and credit manuals, asset liquidation strategies, and
overall compliance with the asset servicing agreements between the
servicer and FDIC. COMB accomplishes these functions through (1)
oversight committees established for each servicing pool, (2) COMB
personnel on-site at each servicer, (3) visitation groups which visit
each servicer at least twice a year, and (4) servicer internal audit
departments. COMB is headquartered in Dallas, Texas, but reports
directly to the Director of DAS in Washington.
The subsidiary records of the receivership assets managed by
contracted asset servicers are maintained on each servicer's
information and accounting systems. Control totals for each general
ledger account are maintained by FDIC on FIS at a receivership level
at the FDIC consolidated offices where the failed institution's
assets would have been serviced had they been retained and managed
internally by FDIC personnel. However, the FIS general ledger
accounts are by major asset category or type, and are not specific to
individual assets of the receivership. Therefore, transactions
recorded by FDIC reflect monthly processing of activity and account
balances as reported in the aggregate by the servicers. FDIC does
not maintain a copy of the servicers' subsidiary records, nor does it
have the ability to access the servicers' information and accounting
systems. Consequently, the individual servicing entities maintain
the only subsidiary records and support for these receivership
assets.
--------------------
\3 This division was formerly called the Division of Liquidation. In
October 1993, FDIC renamed it the Division of Depositor and Asset
Services.
\4 LAMIS also maintains control totals for performing commercial
loans and mortgages serviced for FDIC by two third-party asset
servicing entities. These two servicing entities maintain detail
information on the loans and mortgages they service.
OBJECTIVES, SCOPE, AND
METHODOLOGY
---------------------------------------------------------- Chapter 1:2
The objectives of our review were to determine whether any material
weaknesses or reportable conditions existed in FDIC's system of
internal controls as of December 31, 1992.\5 The objectives of FDIC's
system of internal controls are to ensure that (1) assets of the
three funds administered by FDIC are safeguarded against loss from
unauthorized use or disposition, (2) transactions are executed in
accordance with FDIC management's authority and with relevant laws
and regulations, and (3) transactions are properly recorded,
processed, and summarized to permit the preparation of financial
statements of the three funds and to maintain accountability for fund
assets.
To assess whether these internal control objectives were met during
1992, we reviewed policies and procedures and tested accounts and
transactions related to the following significant transaction cycles:
troubled institutions,
assistance to closed institutions,
assistance to open institutions,
assessments,
expenses,
treasury, and
financial reporting.
For each of the transaction cycles listed above, we interviewed FDIC
officials; reviewed FDIC policy, procedure, and accounting manuals;
and documented our understanding of the transaction processes and
relevant internal controls. We then designed procedures to test the
relevant controls in each of the transaction cycles, including tests
for proper authorization, execution, accounting, and reporting of
transactions comprising the activity in each of the transaction
cycles.
We also assessed the adequacy of general controls over FDIC's
information systems. To make this assessment, we interviewed FDIC
officials on information systems configurations and general controls
established for these systems. In addition, we reviewed relevant
reports on information systems prepared by the FDIC's Office of
Inspector General and a report prepared by an independent contractor
hired by FDIC to conduct a review of security controls over FDIC's
systems hardware and software. We interviewed inspector general
personnel to discuss the scope of their work, the nature of their
findings, and the status of corrective action to implement their
report recommendations. We also reviewed the work of the inspector
general and contractor to determine the extent to which we could rely
on their respective report findings.
Due to the increasing significance of FDIC's asset management and
liquidation activities and FDIC's strategy to contract more of this
activity to third party servicers, we designed and performed
procedures to test the existence and effectiveness of oversight
controls over FDIC's contracted asset servicers. We also designed
and performed procedures to test controls over the completeness and
accuracy of information on in-house managed assets maintained on
LAMIS. In addition, we designed and performed procedures to test
relevant internal accounting controls at FDIC's consolidated
receivership offices that impact the completeness and accuracy of
asset management and liquidation activity reported on the financial
statements of the funds.
To assess the adequacy of controls over FDIC's contracted asset
servicers, we reviewed FDIC's reconciliations of the seven on-book
serviced asset pool balances for 1992 between the servicers' detail
records and the control accounts maintained on FIS. In the case of
performing commercial and residential loans serviced by one servicing
entity, we also reviewed reconciliations prepared during 1992 between
the servicer's detail records and information maintained on LAMIS.
We also reviewed FDIC's procedures for ensuring the completeness and
accuracy of servicer-prepared estimates of recoveries on serviced
assets. In addition, we reviewed recovery estimates for a judgmental
sample of 27 assets serviced by six of the seven on-book asset
servicers to assess the reasonableness of the methodologies used by
the servicers in developing these estimates and to compare these
methodologies with those used by FDIC personnel to estimate
recoveries on assets managed in-house. We also reviewed the scope,
timing, and frequency of servicer-performed internal audits of
servicing operations in 1992, and the nature of internal audit report
findings as contained in 215 servicer internal audit reports issued
in 1992, including the timing of communication of audit findings to
servicer oversight committees and the extent of follow-up procedures
performed as a result of significant audit findings.
To assess the adequacy of controls over the completeness and accuracy
of information on assets managed internally by FDIC personnel, we
selected samples of 562 assets from over 18,000 BIF and FRF assets
maintained on LAMIS whose estimates of recoveries are developed by
account officers. Our samples were selected on a statistically
random basis to provide reasonable assurance that the samples would
be representative of the population. Our sampling included assets at
all 17 consolidated field offices that existed during 1992. We
selected separate samples for BIF and FRF assets. Our sample sizes
were based on a 95 percent confidence level.\6
For the sampled assets, we reviewed the working files account
officers maintained to determine whether adequate documentation was
contained in the files to support the existence of the assets, FDIC's
ownership rights with respect to the assets, and the reasonableness
of the recovery estimates established for the assets. We also
reviewed asset certification reports to ensure appropriate account
officer and supervisory sign-off with respect to the adequacy of the
recovery estimates established for the assets. In addition, we
reviewed reconciliations between asset balances reported in LAMIS at
September 30, 1992, and December 31, 1992, and the applicable control
accounts maintained on FIS to assess the completeness and accuracy of
transactions reported in both subsidiary detail accounts and general
ledger control accounts.
To assess the adequacy of controls at FDIC's consolidated
receivership offices, we tested controls over the conversion of
failed institution assets and liabilities onto the FIS receivership
general ledger and onto LAMIS for a judgmental sample of 30 bank
failures out of a universe of 120 bank failures that occurred during
1992. We also tested controls for judgmental samples of 165
consolidated field office receipts and 322 check and wire
disbursements related to 11 of the consolidated field offices we
visited. We tested these receipts and disbursements for proper
authorization, accounting, and reporting on both the receivership
general ledger and LAMIS. In addition, we tested controls over
reconciliations of several significant receivership general ledger
accounts, including suspense accounts and cash accounts.
Specifically, we reviewed account reconciliations for completeness,
timeliness, and accuracy as well as evidence of supervisory approval.
To test the adequacy of FDIC's time and attendance processing
controls, we selected a judgmental sample of employee time cards and
reviewed them for required signatures and agreement with certain
payroll reports. In addition, we reviewed the time cards and related
payroll reports for conformance with FDIC's applicable policies and
procedures.
We performed our work from July 1992 through May 1993, in accordance
with generally accepted government auditing standards. Our work was
performed at FDIC's headquarters offices in Washington, D.C., and
Arlington, Virginia, and at the following FDIC field office
locations: Dallas, Houston, and San Antonio, Texas; Oklahoma City,
Oklahoma; Franklin and Brockton, Massachusetts; East Hartford,
Connecticut; Monmouth Junction, New Jersey; Irvine, San Jose, and
Encino, California; Denver, Colorado; Rosemont, Illinois; Shreveport,
Louisiana; Orlando, Florida; and Atlanta, Georgia.
We provided FDIC with all of our findings and conclusions, and with
our recommendations to correct the material weaknesses presented in
chapter 2, through briefings and correspondence. FDIC provided
written comments, which are presented and evaluated in chapters 2 and
3 and are included in appendix I.
--------------------
\5 Reportable conditions involve matters coming to the auditor's
attention relating to significant deficiencies in the design or
operation of internal controls that, in the auditor's judgment, could
adversely affect an entity's ability to (1) safeguard assets against
loss from unauthorized use or disposition, (2) ensure the execution
of transactions in accordance with management's authority and in
accordance with laws and regulations, and (3) properly record,
process, and summarize transactions to permit the preparation of
financial statements and to maintain accountability for assets. A
material weakness is a reportable condition in which the design or
operation of the internal controls does not reduce to a relatively
low level the risk that losses, noncompliance, or misstatements in
amounts that would be material in relation to the financial
statements may occur and not be detected within a timely period by
employees in the normal course of their assigned duties.
\6 The confidence level is a measure (usually expressed as a
percentage) of the degree of assurance that the estimate obtained
from a sample differs from the population parameter being estimated
by less than the measure of precision (sampling error). This means
that if you were to determine an estimate for 100 different random
samples of the same size from this population, in this case, 95 out
of 100 times the estimate would fall within the confidence interval.
In other words, the true value is between the lower and upper limits
of the confidence interval 95 percent of the time.
MATERIAL WEAKNESSES HAMPERED
FDIC'S ABILITY TO SAFEGUARD ASSETS
AND ENSURE ACCURATE REPORTING
============================================================ Chapter 2
This chapter discusses material weaknesses that existed in FDIC's
system of internal accounting controls during 1992 over its
management and liquidation of assets acquired from failed financial
institutions and over its time and attendance reporting processes,
along with actions needed by FDIC management to correct these
weaknesses. The weaknesses in FDIC's internal accounting controls
over failed institution assets adversely affected its ability to
safeguard these assets against loss from unauthorized use or
disposition and ensure that transactions were executed in accordance
with management's authority and were properly reported on the
financial statements to maintain accountability for assets. These
weaknesses increase the risk of additional losses to BIF and FRF in
resolving failed banks and thrifts.
Weaknesses in FDIC's internal accounting controls over its time and
attendance reporting process adversely affected its ability to ensure
that payroll and other related expenses were properly allocated among
BIF, SAIF, and FRF. Time and attendance reporting is the primary
means by which FDIC allocates payroll and other overhead expenses
among the funds it administers. Given the relative sizes of the
three funds FDIC administers,\1 only SAIF's financial statements are
likely to be materially affected by misallocation of expenses caused
by unreliable time and attendance reporting.
--------------------
\1 At December 31, 1992, SAIF's total assets equaled about $471
million. In comparison, at December 31, 1992, BIF's and FRF's total
assets equaled about $34.9 billion and $4.4 billion, respectively.
CONTROLS OVER ASSET SERVICERS
EXPOSED BIF TO LOSSES AND
ERRORS IN ASSET RECOVERY
ESTIMATES
---------------------------------------------------------- Chapter 2:1
Internal accounting controls over entities contracted to service and
liquidate significant pools of receivership assets from failed banks
resolved by BIF were not consistently implemented or were too limited
to effectively assist FDIC in overseeing these servicers. Several
serviced asset pools, with combined asset book values totaling $6.7
billion at December 31, 1992, had not been reconciled to the asset
balances recorded in FIS in a timely manner. Additionally, FDIC did
not have adequate procedures to ensure that the servicers prepared
complete and accurate gross cash recovery (GCR) estimates on pool
assets in liquidation. The methodologies the servicers used to
calculate GCRs were not consistent with those FDIC used on assets it
manages, which could create significant differences in GCR values
that would impact BIF's allowance for losses. Also, FDIC's audit
oversight of servicers did not ensure that audits of all asset pool
servicers included critical areas such as (1) inception asset pool
balances, (2) general ledger reconciliations, and (3) GCR
calculations. Finally, significant findings from internal audits of
servicer pool operations were not communicated to the servicers'
oversight committees in a timely manner. These weaknesses in
oversight of the asset servicers could result in errors which affect
BIF's estimated losses on bank resolution activity, and raise
concerns about FDIC's ability to ensure adequate safeguarding of
receivership assets. Additionally, the reconciliation problems FDIC
experienced with three of the seven serviced asset pools diminished
its ability to exercise the level of oversight necessary to prevent
BIF losses and to help ensure servicer accountability.
RECONCILIATIONS OF SERVICED
ASSET POOLS NOT COMPLETED
PROMPTLY
-------------------------------------------------------- Chapter 2:1.1
FDIC relies on contracted servicers to manage and dispose of assets
of failed institutions and to retain detailed support for
transactions related to the serviced pools. Thus, it is critical
that FDIC perform, or instruct the servicing entities to perform,
complete and timely reconciliations between the information on asset
pool balances contained in FIS and that found in servicers' records
to ensure the safeguarding of, and accountability for, the serviced
assets and to ensure accurate financial reporting. We found that
during 1992, neither FDIC nor the servicers had completed or
performed timely reconciliations for several of the on-book serviced
asset pools. Of the seven serviced asset pools, FDIC could not
provide timely or current reconciliations for two pools, and FDIC
excluded part of a third pool's balance from its reconciliation.
These three asset pools collectively held $6.7 billion in assets at
December 31, 1992, or 57 percent of the total book value of the seven
asset pools and 17 percent of the total book value of BIF's failed
bank asset inventory.
FDIC had not prepared a detailed reconciliation between FIS and the
servicer's reported balance for one asset pool since its inception in
August 1991. This asset pool had a reported balance of $1.3 billion
per FIS as of December 31, 1992. Additionally, FDIC's
reconciliations of another serviced asset pool, with a reported
balance of $4.0 billion per FIS as of December 31, 1992, were not
completed in a timely manner. At the end of our fieldwork, FDIC had
only completed the reconciliation for this asset pool through August
1992. The August 1992 reconciliation identified over 250 reconciling
items which netted to $93 million. Some of these reconciling items
had existed since the serviced asset pool's inception in July 1991.
Although FDIC did perform reconciliations for a third serviced asset
pool, they excluded $25.2 million in pool assets that were recorded
on FIS. Of this amount, $23.5 million in book value of loans had not
been recorded on the servicer's records of the asset pool. This pool
had a reported balance of $1.3 billion per FIS as of December 31,
1992.
Several factors prevented FDIC from reconciling the balances of these
asset pools between FIS and the servicers' records in a timely
manner. For example, one servicer did not provide sufficient
supporting documentation to DOF personnel to enable them to
adequately investigate and clear reconciling items in a timely
manner. According to DOF personnel, the timely reconciliation of
this servicer pool was further hampered by a 6-week time lag in
obtaining and providing to the servicer copies of the FIS monthly
general ledgers for those receiverships whose assets are included in
this asset pool. For another servicer, FDIC did not include all of
the necessary FIS accounts in the reconciliation because this asset
pool shared a general ledger on FIS with a related, but separate,
asset pool under the same receivership. Consequently, FDIC personnel
were uncertain as to which FIS balances applied to the asset pool.
FDIC was aware of these reconciliation deficiencies during 1992 and
assigned special task forces to resolve these conditions. We were
able to verify that during 1993, significant progress had been made
to complete the serviced asset pool reconciliations and resolve the
reconciling items.
SERVICER OVERSIGHT NOT
EFFECTIVE IN ENSURING
COMPLETE AND ACCURATE ASSET
RECOVERY ESTIMATES
-------------------------------------------------------- Chapter 2:1.2
During 1992, FDIC did not have adequate procedures in place to ensure
that GCR estimates reported semi-annually by the contracted asset
servicers to FDIC for use in estimating BIF's allowance for losses
were complete, accurate, and developed on a consistent basis. FDIC's
reviews of GCR estimates were limited in nature and scope, and
follow-up reviews of exceptions were not sufficient to ensure the
accuracy of the GCRs reported to DOF. Also, the methodologies the
servicers used to estimate GCRs on their serviced asset pools were
not consistent with the methodology FDIC used on internally managed
assets. Finally, the reporting periods for servicer-prepared GCRs
were not consistent among the servicers.
Because of the significance of GCR estimates to the reporting of
BIF's allowance for losses on its balances of receivables from
resolution activity and assets acquired from receiverships, it is
critical that such estimates be based on complete and current
information and be updated for changes in liquidation strategies. It
is also critical that the servicers prepare estimates for consistent
time periods and use consistent methodologies for similar assets.
FDIC requires that each asset servicer review the GCR calculations of
the 25 largest loan relationships\2 and the 25 largest other real
estate owned (OREO) relationships on a quarterly basis, and document
the results of this review on status reports prepared for each of
these assets. The status reports resulting from these reviews are
examined quarterly by the oversight committees for each servicer.
This quarterly review is supplemented by semiannual reviews performed
by the COMB visitation groups of the asset management and liquidation
strategies, including the GCR calculation, of assets sampled from the
servicers' loan and OREO portfolios.
However, we found that FDIC's review of the supportability and
accuracy of the GCR estimates was typically cursory in nature. For
most of the serviced asset pools, we found that the oversight
committees did not review the asset files which contain, among other
things, the underlying support for the estimates of cash recoveries,
nor did they review the actual GCR calculations. Furthermore, COMB's
visitation groups did not perform specific procedures to test the
accuracy of GCR estimates for OREO.
The visitation groups did perform some review procedures of GCR
estimates for loans. These procedures required the visitation groups
to review GCRs for loans to ensure they were consistent with the
liquidation strategy the servicers were following for the loans at
the time of the review. In conducting these reviews, the visitation
groups found numerous instances where GCRs were not consistent with
the current liquidation strategy. However, the review procedures did
not require the visitation groups to expand their reviews if
significant exceptions were found, nor did they require follow-up on
previously identified exceptions. Consequently, the visitation
groups did not expand their reviews when they found significant
exceptions in the GCRs for assets they reviewed, nor did they perform
specific follow-up procedures to ensure that GCRs were corrected in
time to prevent the exceptions from affecting FDIC's 1992 year-end
calculation of BIF's allowance for losses. In addition, the loans of
one serviced pool were not reviewed by the visitation groups during
1992, and only a small portion of another serviced pool's loans were
subject to GCR review in 1992. These pools held assets with reported
book values at December 31, 1992, of $1.3 billion and $1.4 billion,
respectively.
The lack of adequate reviews of the supporting documentation and
underlying assumptions used in servicer-prepared estimates of
recoveries precluded FDIC from having reasonable assurance that the
GCR values reported by the servicers and used in FDIC's calculation
of BIF's allowance for losses reflected realistic estimates of the
ultimate collectibility of the serviced assets. This weakness also
increased the risk that errors in these estimates would not be
identified or corrected in time to prevent a misstatement of the
total estimated recoveries on assets in liquidation.
We also identified significant inconsistencies between the
methodologies the servicers used to develop GCR estimates and the
criteria used by FDIC on assets managed internally in our review of a
sample of the quarterly status reports for the top 25 loan and OREO
relationships. For example, on performing loans, we found that the
servicers varied among themselves as to how interest was factored
into their GCR estimates, and none of the servicers followed the
criteria FDIC used on its internally managed assets. Some of the
servicers projected both the principal and interest through the
loan's maturity, while one servicer projected interest through the
term of the servicing agreement. In contrast, the GCRs for
performing loans managed by FDIC internally included the total
principal plus 4 quarters of interest. If the liquidation strategy
for a particular performing loan is to dispose of the asset quickly,
projecting future interest beyond the period in which the loan is
anticipated to be sold overstates the estimated recovery by the
amount of interest projected beyond the estimated disposition date.
Inconsistencies in the methodologies used to develop GCR estimates
significantly impact the reliability of the aggregate estimated
recovery on BIF's inventory of failed institution assets, and could
lead to significant errors in the reported recovery estimates.
We also found that FDIC did not require uniform cut-off dates for GCR
estimates. The cut-off dates for GCR estimates prepared by the
servicers and used in the calculation of BIF's year-end allowance for
losses varied among servicers, and varied with the cut-off date used
for internally managed assets. FDIC used a GCR cut-off date of
September 30, 1992. However, the cut-off date used by two of the
seven asset servicers differed. One of these servicers used a
cut-off date of June 30, 1992, and the second servicer used a cut-off
date of October 31, 1992. The lack of consistent cut-off periods for
GCRs could result in recovery estimates being included for assets
that have already been sold or liquidated and recovery estimates not
being included for any assets transferred to the servicers' pools
after the servicer's cut-off date.
The asset servicing agreements only require the servicers to
calculate GCR estimates semiannually. The servicers were not
required to update estimates of cash recovery values when the
liquidation strategy for a given asset was changed or when more
current information on the condition and outlook for the asset became
available. Consequently, the servicers' estimates of cash recovery
values may not reflect the impact of changes in liquidation
strategies or current market conditions. Also, the asset servicing
agreements provided guidance to servicers on the preparation of asset
recovery estimates that varied by agreement and was inconsistent with
the guidance in FDIC's Credit Manual. The asset servicing agreements
also contained GCR cut-off dates that were inconsistent with the
Credit Manual and inconsistent among the servicing entities.
--------------------
\2 Asset relationships refer to separate assets that are in some way
related, either through the same borrower or backed by the same
collateral.
EFFECTIVENESS OF SERVICERS'
INTERNAL AUDIT FUNCTION
LIMITED
-------------------------------------------------------- Chapter 2:1.3
The internal audit departments of both the on-book and off-book asset
servicers did not perform audit procedures on servicer functions
critical to effectively manage and account for the serviced asset
pools. Additionally, findings from internal audit reviews of
serviced asset pool operations were not always communicated to the
servicers' oversight committees in a timely manner. The absence of
audit coverage over these functions, and significant delays in
communicating audit findings to the oversight committees, prevented
FDIC from having assurance that receivership assets managed by the
servicing entities were adequately safeguarded and that transactions
relating to the serviced asset pools were properly reported by the
servicers and recorded in FDIC's general ledger.
The servicers' internal audit departments are a critical extension of
FDIC's asset servicer oversight function. Their audits are the
primary means by which FDIC, through COMB, obtains assurance that
servicer billings are valid and accurate, that collections are
remitted to FDIC completely and promptly, that balances reported to
FDIC reconcile to the servicers' systems, and that internal controls
over the servicers' operations related to its asset servicing
activities adequately safeguard pool assets. Consequently, the
internal audits must provide adequate coverage of servicer operations
critical to the effective management of the asset pools, and findings
from these audits must be communicated to FDIC in a timely manner to
ensure that any corrective action necessary to address findings or
control weaknesses is implemented as soon as possible.
We found that the timing and structure of audits conducted by the
servicers' internal audit departments varied significantly. Internal
audits of critical areas were not consistently conducted or were not
performed on a timely basis by all servicers' internal audit
departments. For most of the servicing entities, we found no
evidence that audits were performed to ensure coverage of critical
control areas such as opening, or inception, balances of asset pools;
general ledger reconciliation; and asset recovery estimates. While
most servicers' internal audit departments did conduct reviews of
controls over cash receipts and disbursement processes, we found two
instances where controls over the servicers' cash receipt process
were not reviewed and one instance where controls over the servicer's
cash disbursement process were not reviewed during 1992.
We also found that significant delays existed between the time some
of the servicing entities' internal auditors completed their reviews
and the time the findings from these reviews were communicated to the
servicers' oversight committees. During 1992, only two oversight
committees received audit reports within an average of 8 weeks of
completion of the auditors' fieldwork. Other oversight committees
received audit reports ranging from 10 to 24 weeks after completion
of the auditors' fieldwork. In one instance, we found that one audit
report was submitted to the oversight committee 13 months after
fieldwork was completed.
COMB's practice has been to allow the servicers' internal audit
departments to assess the risks associated with their respective
asset pool and structure the timing and scope of their audits
accordingly. Consequently, no standardization exists regarding the
frequency and structure of the internal audits to provide FDIC
assurance that certain critical aspects of servicers' operations are
subject to adequate and periodic review.
WEAK CONTROLS OVER LAMIS
CONTINUED TO RESULT IN DATA
INTEGRITY PROBLEMS
---------------------------------------------------------- Chapter 2:2
Controls to ensure the integrity of data provided by LAMIS for
estimating recoveries from the management and liquidation of
receivership assets were not working effectively. The lack of
consistent maintenance and updating of data files within the system
has resulted in significant errors in system-generated information on
estimated recoveries and related data on the condition of
receivership assets. These weaknesses, which were also identified
during our audits of the 1991 BIF and FRF financial statements,\3
resulted in misstatements in BIF's and FRF's December 31, 1992,
allowance for losses on receivables from bank and thrift resolutions
and investments in corporate-owned assets. Additionally, material
differences in receivership asset book values existed at December 31,
1992, between FDIC's general ledger control accounts on FIS and the
subsidiary records on LAMIS. Such differences reduced FDIC's ability
to adequately safeguard receivership assets because, by not
maintaining accurate and up-to-date records on its inventory of
failed institution assets, FDIC cannot maintain accountability for
these assets. These weaknesses in controls over LAMIS data integrity
could result in future misstatements in both BIF's and FRF's
financial statements if FDIC management does not take appropriate
corrective action.
At December 31, 1992, LAMIS, as the subsidiary system for BIF's and
FRF's inventory of failed institution assets, maintained detail
information on the condition and estimated recoveries for
approximately 270,000 BIF and FRF assets managed internally by DAS
account officers. GCR estimates for assets maintained on LAMIS are
either derived by formulas or calculated by account officers who
manage the assets. Assets with book values below $250,000, except
for judgments, claims, and restitutions, have GCR values derived by
formulas. The formulas will generate GCR values between 0 and 100
percent of an asset's book value depending on the asset type and its
performance status. At December 31, 1992, these assets had an
aggregate book value of about $4.3 billion and GCR value of about $2
billion.
For all assets with book values of $250,000 or more, and for all
judgments, claims, and restitutions, LAMIS assigns a GCR value equal
to 50 percent of the asset's book value when FDIC initially enters
the asset on the system. Account officers assigned to manage and
dispose of the assets later revise the GCR after developing their own
estimates of the recovery value of the assets. While those assets
whose GCRs are specifically determined by account officers make up a
relatively small percent of the total number of assets on LAMIS, they
comprise approximately 85 percent of the total estimated recovery
value for assets maintained on LAMIS. The reliability and
reasonableness of the GCRs maintained on LAMIS that are estimated by
the account officers depend on (1) account officers having current
and complete collateral appraisals and financial information on
borrowers or guarantors and (2) controls to ensure that account
officers make timely and accurate updates to GCR information in
LAMIS.
--------------------
\3 Financial Audit: Bank Insurance Fund's 1991 and 1990 Financial
Statements (GAO/AFMD-92-73, June 30, 1992) and Financial Audit:
FSLIC Resolution Fund's 1991 and 1990 Financial Statements
(GAO/AFMD-92-75, June 30, 1992).
RECOVERY ESTIMATES WERE NOT
ALWAYS SUPPORTED BY ASSET
FILES
-------------------------------------------------------- Chapter 2:2.1
Estimates of recoveries on assets in liquidation maintained on LAMIS
were not always supported by documentation in files maintained for
each asset by DAS account officers. In many cases, the documentation
in the files was outdated or incomplete. In others, more current
information on the asset's condition and potential for recovery was
not reflected in the GCR prepared by the account officer and recorded
in LAMIS. Additionally, procedures FDIC developed in June 1992
requiring account officers and their supervisors to certify the
completeness and accuracy of information for each asset maintained on
LAMIS were not implemented for all assets at FDIC's consolidated
receivership sites at the time of our reviews. For those offices
that had implemented the procedures, they did not consistently and
effectively ensure data integrity.
We found that GCR values estimated by account officers and recorded
in LAMIS were not accurate for 121 of 409 (30 percent) BIF assets and
for 59 of 153 (39 percent) FRF assets selected for review. We
discussed our findings with the appropriate account officers and they
generally agreed with our conclusions. Based on the results of our
review of the assets in our samples, we projected that the estimates
of asset recovery values used in developing BIF's and FRF's December
31, 1992, allowance for losses on their respective balances of
receivables from resolution activity and investments in
corporate-owned assets were overstated by about $310 million and $150
million, respectively.
There are several reasons for the significant number of errors in the
GCR values for the assets we reviewed. For 52 percent of the 180
cases with inaccurate GCRs, account officers had not promptly updated
the GCR values in LAMIS with current available information, such as
recent appraisals and settlement or sales agreements. Outdated
appraisals were used in 14 percent of the cases for which the primary
basis of the GCR estimate was the appraised value. In 23 percent of
the 180 cases, account officers did not follow the FDIC Credit Manual
procedures for estimating recovery values. In most of these cases,
the noncompliance was attributable to account officers not following
FDIC procedures regarding the exclusion of expenses and inclusion of
interest and operating income for OREO.
Other factors also contributed to the GCR exceptions. For example,
asset files did not contain adequate documentation, such as
borrowers' financial statements and asset appraisals, to justify the
account officer's basis for the GCR estimate. In addition, the asset
data sheets which are required for each asset did not always provide
enough information for an independent reviewer to determine how the
estimate was developed.
FDIC's Credit Manual requires that account officers update GCRs for
assets whenever more recent information becomes available or recent
events result in significant changes in the potential recovery for
the asset. FDIC also has procedures which call for the account
officers and their supervisors to review the completeness and
accuracy of GCRs semiannually. This review is to be supplemented by
a monthly review and certification of certain data contained in
LAMIS, including asset recovery estimates. The semiannual review,
which is required by the end of the second and fourth quarters of
each calendar year, is FDIC's primary control to ensure the
completeness and accuracy of GCRs. Although the semiannual reviews
had been performed for 93 percent of the assets sampled, these
reviews, as evidenced by the results of our work, were not effective
in ensuring the validity of the GCRs reported at September 30, 1992,
which were used in the year-end calculation of BIF's and FRF's
allowance for losses, because they did not coincide with the GCR
reporting date.
In response to recommendations in our 1991 audit report, FDIC issued
a directive to regional and consolidated offices in June 1992
requiring the review and certification of certain data elements in
LAMIS, including GCR values. Of the 562 assets we reviewed, we found
that the review had been performed for 402 assets. For 68 assets,
the reviews were not required because the assets were new or recently
transferred either from other consolidated offices or other
servicers. For the remaining 92 assets, the reviews were required,
but we were unable to substantiate that they were performed due to a
lack of documentation. Other than our review of the adequacy of the
GCR estimates, we did not verify the accuracy of the specific data
elements included in this review and certification. However, based
on the high percentage of inaccurate and outdated GCRs found in our
sample, this control was not effective throughout 1992.
UNRESOLVED DIFFERENCES
BETWEEN SYSTEM BALANCES
INCREASED RISK OF LOSS AND
REPORTING ERRORS
-------------------------------------------------------- Chapter 2:2.2
Material unresolved differences in the reported book values of
receivership assets existed between FDIC's general ledger control
accounts and the subsidiary records maintained on LAMIS as of
December 31, 1992, for both BIF and FRF. The lack of a uniform
system for tracking differences between the subsidiary records and
control accounts has exacerbated this problem. The inability to
adequately resolve these differences on a timely basis and consider
what impact, if any, they may have on the GCRs reported, reduces
FDIC's ability to adequately safeguard receivership assets through
the loss of accountability for these assets, and thus increases the
potential for additional losses to the funds. In addition, it could
result in misstating BIF's and FRF's estimates of recovery values on
their inventories of failed institution assets.
As discussed previously, FDIC maintains on LAMIS the book value and
the estimated GCR value for each individual asset of each
receivership managed internally by FDIC personnel. The book values
of all assets for each receivership are required by FDIC to be
reconciled on a daily basis to the respective receivership's general
ledger control account totals on FIS to ensure proper accountability
over the assets.
Despite FDIC's requirement that FIS and LAMIS be reconciled daily, we
found significant differences between the aggregate book values of
receivership assets reported by FIS and LAMIS for both BIF and FRF.
At December 31, 1992, the aggregate book value of receivership assets
maintained on LAMIS exceeded the amount recorded in the FIS general
ledger control accounts by $1.7 billion for BIF and by $291 million
for FRF. We found similar differences at September 30, 1992. At
that time, the aggregate book value of receivership assets maintained
on LAMIS for BIF was $2.5 billion less than the aggregate amount
recorded on FIS, while the aggregate book value of the LAMIS assets
exceeded the aggregate amount recorded on FIS by $484 million for
FRF.
One of the reasons for these persistent differences is that FDIC has
no uniform system for tracking the differences between FIS and LAMIS.
The lack of a uniform management tracking system gives rise to
inconsistencies in how the reconciliation process is performed by
each office. At the consolidated offices we visited, we noted
inconsistencies in how differences between FIS and LAMIS receivership
asset book values were reported. One office did not have a system
which specifically tracked or aged differences between FIS and LAMIS.
Another two offices tracked differences only after they were 30 days
old, but did not age the differences. By not including all
differences in reconciliation reports, the magnitude of all
differences between FIS and LAMIS could not be assessed. Finally,
two other offices did not age differences as of September 30, 1992,
but did prepare aging reports on differences between FIS and LAMIS by
December 31, 1992.
Most of the FIS/LAMIS reconciliation reports prepared by the
consolidated offices simply identified the amount of the differences,
with some including a brief description of how each individual
difference occurred, and the identity of the party responsible for
its resolution. However, none of the reports summarized the amount
of differences by their cause and none tracked the disposition of the
differences by correcting entries needed to FIS and LAMIS.
LACK OF AUTOMATED
RECONCILIATIONS EXPOSED FUNDS
TO POTENTIAL LOSSES AND
FINANCIAL REPORTING ERRORS
---------------------------------------------------------- Chapter 2:3
FDIC experienced significant delays during 1992 in reconciling asset
balances between FIS and its primary contracted servicer for
performing commercial and residential loans acquired from failed
financial institutions. As of the completion of our fieldwork,
approximately half of the total $2.8 billion in book value of assets
serviced by this contractor had not been reconciled through November
1992. As reconciliations become more delinquent, the ability to
successfully resolve reconciling items may become more difficult.
The lack of reconciliations of these serviced assets and timely
follow-up of differences between the servicer's and FDIC's records
adversely affected FDIC's ability to adequately safeguard these
assets and exposed both BIF and FRF to additional losses and errors
in financial reporting.
FDIC has contracted with an outside entity to service the performing
commercial and residential loans of approximately 500 BIF and FRF
receiverships. Control totals are maintained on FIS and LAMIS for
the assets serviced by this entity in aggregate at the receivership
level. This servicer estimates GCR values for the assets it services
and provides these estimates to DAS, along with asset book values.
DAS then uses the GCR information it receives from the servicer to
update recovery values on LAMIS. Reconciliations are to be performed
monthly, by receivership, between the asset book values on the
servicer's records and the control totals for the asset book values
in LAMIS and in the general ledger control account totals on FIS.
We found that the reconciliations of asset book values between the
servicer's records and the control totals in LAMIS, and in the
general ledger control account totals on FIS, were significantly
behind. As of March 1993, reconciliations of receivership asset book
values through November 1992 had not been performed between FIS,
LAMIS, and the servicer's loan system for 85 receiverships. The
aggregate book value of assets associated with these receiverships
was approximately $1.3 billion, or 46 percent of the total $2.8
billion pool. Of these 85 receiverships, 71, with aggregate book
values of $734 million (27 percent), had not been reconciled since
June 1992.
The primary reason these reconciliations were not completed in a
timely manner is that the reconciliation process is manual and thus
extremely labor intensive. FDIC's and the servicer's systems are not
electronically linked to allow for automated reconciliations.
Consequently, FDIC must manually reconcile each receivership's
balances and investigate and resolve the differences.
WEAKNESSES IN TIME AND
ATTENDANCE PROCESSES COULD
AFFECT EXPENSE ALLOCATIONS
AMONG FUNDS
---------------------------------------------------------- Chapter 2:4
FDIC was not consistently adhering to its policies and procedures
over its time and attendance reporting process. We first reported
this condition in our report on the results of our 1991 audit of
SAIF's financial statements.\4 In addition, certain responsibilities
within the time and attendance reporting process were not segregated
to provide assurance that errors can be detected and corrected in a
timely manner. FDIC's time and attendance reporting is its primary
means for allocating payroll and other overhead expenses among the
three funds it administers. Given the relative sizes of the three
funds, improper allocation of employee time and associated costs are
more likely to result in material misstatements of SAIF's financial
statements and could inappropriately decrease the fund's limited
resources. SAIF's fund balance at December 31, 1992, was $279
million, making its ratio of reserves to insured deposits negligible.
In our 1991 audit, we selected a statistically valid random sample of
time cards and reviewed them for required signatures and agreement
with various payroll reports. We also reviewed the time cards and
related payroll reports for conformance with FDIC's "Time and
Attendance Reporting Directive." Our 1991 audit disclosed numerous
instances in which (1) time cards and related payroll reports were
missing required supervisor and/or timekeeper signatures, (2)
timekeepers made changes to time card data without required approval
from the employee or the employee's supervisor, (3) payroll reports
were not reconciled to the time cards as required in order to verify
that the data on the time cards were properly recorded in the system,
and (4) employees were not provided a copy of their processed time
card data as required, which would allow them to review the accuracy
of their attendance data.
For our 1992 audit, we judgmentally selected a sample of employee
time cards to determine if the conditions we identified during our
1991 audit still existed at December 31, 1992. We found similar
conditions to those identified in 1991, indicating that there were
still significant weaknesses regarding the completion and review of
employees' time cards and related payroll reports. Our work in 1992
further disclosed a number of instances in which (1) time cards were
missing required employee signatures, (2) payroll reports did not
agree with the time card data with regard to fund charged, hours
worked, or leave balances, and (3) the fund to be charged was omitted
from the time card, requiring the timekeeper to judgmentally
determine what fund or activity the employee should have charged.
FDIC's Office of Inspector General conducted a review of internal
controls over FDIC's time and attendance reporting between March 1992
and December 1992. This review identified many of the same problems
we identified in our audit, as well as additional concerns. The
inspector general found that employees did not always have a
reasonable basis to charge their time to a particular fund. This was
mainly because employees were not required to formally track and
document what fund or activity they spent their time on in a given
day. As a result, employees estimated their time usage when
completing their time cards, often resulting in unreasonable payroll
charges to a particular fund and an insupportable basis for
determining percentages to use in allocating other overhead expenses
among the funds.
The inspector general also found instances in which the fund charged
on the time card was not accurately recorded in the general ledger
and instances in which the timekeeper incorrectly changed the fund
code that an employee specified on his or her time card. These two
conditions resulted from the lack of reconciliations between payroll
reports and time cards and the lack of segregation of duties between
the timekeeper and the data entry functions, both of which were not
addressed by existing FDIC policy. As a result, payroll expenses
were not always charged to the proper fund.
In our report on the results of our audit of SAIF's 1991 financial
statements, we recommended that FDIC enforce the policies and
procedures documented in FDIC's "Time and Attendance Reporting
Directive" to ensure that employees' time charges are valid and that
payroll expenses are charged to the correct fund. In our briefings
with FDIC officials during our 1992 audits and in correspondence, we
reiterated the need for FDIC to take corrective action in response to
this recommendation. In addition, we recommended that FDIC revise
its directive to separate the timekeeping, data input, and
reconciliation functions to help ensure that data entry errors or
irregularities are detected.
In response to our recommendations, FDIC has taken steps to address
the conditions noted during our 1991 and 1992 audits. In July 1993,
FDIC issued a revised "Time and Attendance Reporting Directive" which
specifically requires the separation of the timekeeping, data input,
and reconciliation functions over time and attendance reporting
activity. FDIC issued further guidance in August, September, and
October 1993 regarding the importance of charging time to the proper
fund; situations warranting the use of the common services fund code
to record time charges; and the review of biweekly time and
attendance reports. These procedures and guidance, if adhered to,
should reduce the likelihood of significant misallocations of payroll
and other overhead expenses among the three funds.
--------------------
\4 Financial Audit: Savings Association Insurance Fund's 1991 and
1990 Financial Statements (GAO/AFMD-92-72, June 30, 1992).
CONCLUSIONS
---------------------------------------------------------- Chapter 2:5
The internal accounting control weaknesses in FDIC's asset management
activities adversely affected FDIC's ability to manage, liquidate,
and report on the large volume of failed institution assets for which
it was responsible. These weaknesses affected FDIC's ability to
accurately report transactions associated with BIF's and FRF's
resolution and liquidation activity and increased the risk of
misappropriation of assets, possibly adding to the losses on
receivership assets being incurred by BIF and FRF. This is a matter
of particular concern because FDIC is scheduled to assume
responsibility for managing and disposing of receivership assets
currently under the control of the Resolution Trust Corporation (RTC)
when it terminates its asset disposition operations on December 31,
1995. Unless FDIC acts to correct these internal control weaknesses,
it will be hindered in effectively managing and liquidating the
additional assets likely to be transferred to its failed institution
asset inventory.
The weaknesses in FDIC's controls over its time and attendance
processes continued to expose SAIF to improper and significant
allocations of payroll and other overhead expenses, and thus could
further decrease its available resources at a time when the fund is
not well-capitalized. However, FDIC's recent actions designed to
address these weaknesses should assist in strengthening controls over
its time and attendance processes and reduce the likelihood of
significant misallocations of expenses in the future if its revised
procedures are effectively implemented.
RECOMMENDATIONS
---------------------------------------------------------- Chapter 2:6
To address the weaknesses identified in the oversight of asset
servicing entities, we recommend that the Acting Chairman of the
Federal Deposit Insurance Corporation direct the heads of the
Division of Finance and the Division of Depositor and Asset Services
to
reconcile asset pools promptly and routinely among the servicing
entities' records and the general ledger control accounts
maintained on FIS,
obtain adequate and timely audit coverage of all critical areas of
serviced asset pool operations through the efforts of asset
servicing entities' internal audit departments and FDIC's
visitation groups,
expand review procedures when excessive error rates in GCRs are
detected and perform follow-up procedures on those assets where
errors were detected to ensure the accuracy of the GCRs being
used in BIF's allowance for losses calculation,
require asset servicing entities to update GCRs when the
liquidation strategy affecting an asset has changed,
require GCRs for both internally managed assets and assets serviced
by outside entities to be determined based on consistent
methodologies using consistent cut-off dates, and
develop written policies and procedures that require more
standardization in the frequency and structure of audits
conducted by servicing entities' internal audit departments to
ensure that audit findings are completed and communicated to
oversight committees in a timely manner and that the audit
procedures address areas critical to ensuring the accuracy of
financial reporting and safeguarding of receivership assets.
To address the weaknesses in LAMIS data integrity, we recommend that
the Acting Chairman of the Federal Deposit Insurance Corporation
direct the heads of the Division of Depositor and Asset Services and
the Division of Finance to
perform asset data integrity reviews and certifications in a manner
that ensures a review of the data elements critical to
accurately determine GCRs for assets in liquidation,
modify the timing of the semiannual reviews to coincide with the
September 30 GCR report date to ensure accurate reporting of
GCRs submitted to the Division of Finance,
direct account officers and managing liquidators to perform timely
updates of asset recovery estimates to reflect the most current
information available,
promptly investigate and resolve differences in receivership asset
information between FIS and LAMIS and adjust the balances in
each system accordingly, and
implement a uniform system for tracking and aging all differences
between FIS and LAMIS that identifies all differences by asset
type and responsibility center and enables management to
determine whether the differences have a direct impact on the
financial reporting process.
To address the weaknesses in reconciliations between FDIC and its
principal performing loan servicer, we recommend that the Acting
Chairman of the Federal Deposit Insurance Corporation direct the
heads of the Division of Finance and the Division of Depositor and
Asset Services to
monitor reconciliation activity between the servicer's loan system
and LAMIS and FIS to ensure that delinquent reconciliations are
promptly completed and any adjustments to the receivership asset
balances are promptly made and
automate the reconciliation process between the servicer's loan
system and LAMIS and FIS to assist in the timely and accurate
preparation of reconciliations of receivership asset balances.
AGENCY COMMENTS AND OUR
EVALUATION
---------------------------------------------------------- Chapter 2:7
FDIC concurred that its system of internal controls can be improved.
However, it disagreed with our characterization of certain internal
control weaknesses as material. FDIC stated that we failed to
recognize compensating controls put in place by FDIC management that,
it contended, alleviate the potential for material reporting errors
and loss of assets.
FDIC agreed that improvements are needed in internal controls
relating to the liquidation of receivership assets by outside
servicing entities. In fact, FDIC cited numerous actions it is
taking or intends to take to address many of our findings and
recommendations over the contracted asset servicing activity.
However, FDIC disagreed that material weaknesses existed in this
area. FDIC stated that existing oversight committee reviews,
visitations, and internal audits of servicer activity provide
sufficient controls over the servicer asset recovery estimation
process. Similarly, FDIC disagreed that the audit oversight process
for servicer internal audit departments is materially weak, and cited
servicer internal audits as being just one of several controls which,
taken as a whole, provide effective audit coverage of critical
aspects of servicer operations. FDIC also disagreed with our
recommendation that more standardization is needed in the frequency
and structure of audits conducted by servicer internal audit
departments, and stressed the need for each servicer to analyze the
risk factors inherent in its own operations and design audit
procedures commensurate with this risk.
Some of the weaknesses in controls we identified in the asset
servicing function are not necessarily, in and of themselves,
material weaknesses. However, taken together, we believe they
significantly increase the risk that material errors in reported
asset book values and recovery estimates may occur and not be
promptly detected, and that receivership assets are not properly
safeguarded. The compensating controls over this activity FDIC
referred to are not operating consistently or effectively. For
example, this chapter notes that the oversight committee reviews of
assets were not sufficient to ensure the integrity of the recovery
estimates developed by servicers. While some visitation groups did
review recovery estimates, the reviews were not consistent among the
servicers, and follow-up procedures and expansion of the reviews were
not performed when the visitation teams noted numerous
inconsistencies.
Furthermore, FDIC's own policies with regard to servicer-prepared
asset recovery estimates as documented in the asset servicing
agreements were inconsistent with the policies governing such
estimates for internally managed assets. Finally, while we agree
that certain asset pools and servicers have their own different areas
of risk that may call for unique audit approaches to address this
risk, consistent audit coverage of critical control areas, such as
inception balances of pool assets, general ledger reconciliations,
cash receipts, cash disbursements, and asset recovery estimates, are
fundamental to the effectiveness of these audits as a reliable
control over FDIC's contracted asset servicing operations.
With regard to data integrity problems over LAMIS, FDIC acknowledged
that improvements can and will be made to enhance the accuracy of the
data maintained in this system. However, FDIC stated that we had not
demonstrated that the weaknesses we identified in LAMIS have
resulted, or could result, in errors in asset recovery estimates that
are considered material to the financial statements of BIF or FRF.
FDIC stated that reviews and analyses of asset recovery estimates
performed quarterly mitigate the potential for significant
misstatements in the financial statements. FDIC also stated that we
did not adequately demonstrate that material differences existed in
asset book values reported by FIS and LAMIS, and that receivership
assets were not properly safeguarded. FDIC contended that we used
inappropriate data in determining the differences in FIS and LAMIS
reported asset book values, and that we did not expand our work to
review common explanations for "out-of-balance" conditions.
Our review of a statistical sample of assets in LAMIS found a range
of errors that go to the very heart of the integrity of data on asset
recovery estimates. While our projected level of misstatement on
BIF's and FRF's 1992 financial statements fell just below an amount
that would have been considered material in relation to the
respective financial statements of the two funds, the examples of
outdated, inconsistent, and nonexistent support for asset recovery
estimates clearly demonstrate the potential for material
misstatements if corrective action is not taken. While quarterly
reviews are performed at a macro level by the Division of Finance,
these procedures (1) only identify potential errors in recovery
estimates if the aggregate asset recovery estimates for a given
receivership exceeds the outstanding balance of the claim FDIC has on
the receivership and (2) do not provide for more detailed reviews of
the aggregate asset recovery estimates for a given receivership if
they do not change from quarter to quarter. Such review procedures,
we believe, do not mitigate the potential for material errors in
recovery estimates.
With regard to the differences in reported asset book values between
FIS and LAMIS, the information we used for our comparison was
provided to us by FDIC. As of the date of this report, FDIC has not
provided us a more appropriate comparison of the two systems' asset
balances. Additionally, it is FDIC's responsibility to establish and
maintain a system of internal controls that includes consistent,
routine reconciliations of the two systems, with clear explanations
as to the nature and ultimate resolution of reconciling items in the
aggregate. Had such routine reconciliations been performed, the
magnitude, nature, and potential reporting consequences of any
differences in reported book values between FIS and LAMIS in the
aggregate would have been apparent.
With regard to the lack of timely reconciliations between FDIC's
records and those of its primary servicer for performing commercial
and residential loans of receiverships and corporate-owned assets,
FDIC disagreed that the delays in completing these reconciliations
have exposed BIF and FRF to additional losses. FDIC stated that the
reconciliation process was extremely labor intensive but that, as of
June 25, 1993, 94 percent of the March 1993 book value of the loan
portfolio with this servicer had been reconciled, with reconciling
items substantially cleared. FDIC also noted that, despite the
reconciliation delays, no write-offs had been taken on the portfolio
and, consequently, BIF and FRF did not suffer any losses due to the
reconciliation delays.
We do not believe that the writing off of assets should be the only
measure of the impact of reconciliation differences. Current,
routine reconciliations between control accounts and subsidiary
detail, particularly where such detail resides with the servicing
entity, are critical to ensure the integrity of reported information
as well as the safeguarding of assets. In addition, one of the
primary reasons we believe reconciliations between FDIC's and the
servicer's records should be automated is that the current process is
so cumbersome and labor intensive.
As discussed previously, FDIC has issued a revised directive on time
and attendance reporting and other guidance that (1) provides
direction for completing all time sheets, (2) separates the
timekeeping, data entry, and reconciliation functions, (3) specifies
that financial institution numbers and other codes should be entered
properly on the time sheets, (4) specifies the number of employees
that each timekeeper and data entry staff should process, (5)
requires employees to complete their own time sheets and supervisors
to review and approve employee time sheets,
(6) requires supervisors to maintain tracking procedures, such as
logs, to ensure that employee time sheets are properly reported and
approved, and (7) requires employees involved in the time and
attendance reporting process to receive proper training. These
procedures and guidance, if properly followed, should address the
weaknesses we noted in FDIC's time and attendance processes during
our audits.
OTHER REPORTABLE CONDITIONS COULD
AFFECT FINANCIAL REPORTING AND
SAFEGUARDING OF FUND ASSETS
============================================================ Chapter 3
This chapter discusses reportable conditions that existed in FDIC's
system of internal accounting controls during 1992 that warrant FDIC
management's attention. These conditions hindered the ability of
FDIC's system of internal accounting controls to ensure accurate
reporting of financial transactions and proper safeguarding of
assets. Weaknesses in FDIC's general controls over its information
systems exposed these systems to unauthorized access and use. The
absence of adequate controls over cash receipts at some FDIC
consolidated receivership sites throughout most of 1992 precluded
FDIC from having reasonable assurance that all collections from the
servicing and disposition of failed institution assets managed
internally were adequately safeguarded and were completely and
accurately recorded for BIF and FRF.
Additionally, internal accounting controls did not provide for
consistency in the accounting methods used for contracted asset
servicing activity. Internal controls were also not effective in
ensuring that assessment revenue due to SAIF was properly recorded in
the Fund's financial records, and that all exit fee transactions
arising from financial institutions changing their insurance coverage
from SAIF to BIF were properly recorded. Finally, formal procedures
did not exist during 1992 to ensure proper authorization of all
adjustments to the financial statements of the three funds.
WEAKNESSES IN GENERAL CONTROLS
OVER FDIC'S INFORMATION SYSTEMS
---------------------------------------------------------- Chapter 3:1
General controls over FDIC's computerized information systems did not
provide adequate assurance that data files, computer programs, and
computer hardware were being protected from unauthorized access and
modification. FDIC uses its computerized systems extensively, both
in its daily operations and in processing and reporting financial
information. Therefore, general controls over the systems are
critical to FDIC's ability to produce accurate and reliable financial
statements.
General controls are the policies and procedures that apply to an
entity's overall effectiveness and security of operations and that
create the environment in which application controls\1 and certain
user controls\2 operate. General controls include the organizational
structure, operating procedures, software security features, and
physical protections designed to ensure that only authorized changes
are made to computer programs, that access to data is appropriately
restricted, that back-up and recovery plans are adequate to ensure
the continuity of essential operations, and that physical protection
of facilities is provided. The effectiveness of general controls is
a significant factor in ensuring the integrity and reliability of
financial data.
During our 1992 audit, we assessed FDIC's general controls over its
information systems. Additionally, in 1992, FDIC's Office of the
Inspector General reviewed security over FDIC's telecommunications
network and data center, and an independent contractor performed a
review of FDIC's mainframe operating system\3 and security access
software.\4 These reviews indicated that FDIC did not have adequate
security controls in place to ensure that computer programs and
hardware were protected against unauthorized access. Without these
controls, the opportunity for unauthorized modifications to data
files and programs, as well as misuse of computer hardware, is
greatly increased.
--------------------
\1 Application controls provide reasonable assurance that data are
complete, accurate, and properly authorized.
\2 User controls are designed to provide independent control over the
submission and acceptance of input, system processing procedures, and
the reconciliation of the results of electronic data processing
(EDP).
\3 An operating system is a series of programs that manage computer
resources and that serve as an interface between application programs
and system hardware. These programs manage and control the execution
of application programs and provide the services these programs
require. These services may include job scheduling, disk and tape
management, job accounting, program compiling, testing, and
debugging.
\4 CA-ACF2 Product Review: Federal Deposit Insurance Corporation,
prepared by Computer Associates Services, Inc., February 7, 1992.
WEAK CONTROLS OVER SYSTEMS
ACCESS
-------------------------------------------------------- Chapter 3:1.1
FDIC utilizes an access control software package (ACF2) to provide
security over its computer resources.\5 When properly installed and
used, this package helps ensure system and data integrity and
protects the confidentiality of sensitive information. ACF2
accomplishes this by requiring the use of passwords and user
identification codes before granting access to the mainframe
operating systems, application programs, and data files, and by
providing the capability for audit trails of security violations.
However, FDIC has not properly regulated access to the system, or
provided policies and procedures governing investigations of
unauthorized access attempts or security violations.
As part of its general controls, an entity should establish
procedures regulating who may access a system, and what information
they may access. However, FDIC had not adopted such rigorous
standards. Instead, FDIC assigned system access identification codes
to all FDIC employees regardless of job responsibility or position.
More importantly, some employees were given greater access authority
than they needed for their job functions.
FDIC also did not regulate its system access rules,\6 thus allowing
too many users access to systems data that they should not normally
have had the authority to obtain. These broad access rules could
allow an individual to override the normal restrictions and security
features of the system. For example, 56 users had been given bypass
label processing (BLP) privileges, which permit a user to access data
stored on tape. Although the use of BLP is logged under ACF2, FDIC
personnel were not required to review this report to oversee use of
BLP.
Compounding these problems was FDIC's lack of policies or procedures
governing the investigation of unauthorized access attempts. Without
this guidance, FDIC personnel did not review or follow up on security
violations, such as unauthorized access attempts to FDIC's mainframe
computers, which are recorded on an audit trail by ACF2.
The significance of these weak controls was illustrated by the
inspector general's security review of FDIC's telecommunications
network. Inspector general personnel were able to use a mainframe
subsystem to bypass access controls and eventually penetrate other
sensitive subsystems. FDIC has four mainframe subsystems that were
not subject to ACF2 protection, relying instead on internal security
features within each subsystem. However, FDIC allowed password
access to these subsystems to be optional. In addition, access
capability restrictions, such as "read-only," were not used or were
easily bypassed. Consequently, inspector general personnel were able
to access the subsystems and then perform most subsystem functions,
such as viewing and duplicating information and user profiles.
Access to the user profiles allowed inspector general personnel to
gain ACF2 user identification codes and passwords belonging to FDIC
management personnel. With these codes and passwords, the personnel
were then able to access other mainframe subsystems disguised as
management personnel.
--------------------
\5 Computer resources include computer usage, data, transactions,
accounts, and programs.
\6 Access rules are used to specify which and under what conditions
users can access data.
WEAK MONITORING OF FDIC'S
OPERATING SYSTEM
-------------------------------------------------------- Chapter 3:1.2
Because operating systems manage and oversee both application
software and access and security software, it is important that FDIC
have controls in place to monitor the operating system. Without such
monitoring, individuals can access and override features built into
the system, as well as manipulate the audit trail that the system
normally provides. FDIC had several exposures, such as access to the
operating system, that resulted from the implementation of FDIC's
mainframe operating system.
For example, when implementing or modifying a system, system
programmers were granted access to the operating system in order to
write or modify software code. However, the independent contractor
reviewing the mainframe operating system determined that FDIC had not
fully monitored programmer changes or addressed system exposures.
INADEQUATE CONTROLS OVER
DATA CENTER PHYSICAL
SECURITY
-------------------------------------------------------- Chapter 3:1.3
In addition to protecting data files and programs, general controls
also include the physical security of computer resources. FDIC's
data center is located in the L. William Seidman Center in
Arlington, Virginia. The data center supports the majority of FDIC's
data processing requirements. The data center's main entrance was
monitored by an automated physical access control system. However,
FDIC had not established adequate operating practices for
administering the automated system used for building and data center
physical security. For example, access was granted to the data
center without written authorization, and established access lists
were not reviewed to ensure that they were correct and appropriate.
Additionally, FDIC employees responsible for administering the access
control system had not undergone formal system training and,
consequently, were unable to explain, demonstrate, or perform basic
system functions. Finally, FDIC did not have written procedures to
address activity and violation reports and the monitoring of access
profiles to ensure their appropriateness.
Both the inspector general and the independent contractor recommended
a number of actions FDIC management should take to correct these
weaknesses in general controls. FDIC management is aware of these
general control problems and is in the process of addressing the
Inspector General's and independent contractor's recommendations. We
concur with these recommendations and will follow up on management's
actions during our 1993 audit.
WEAKNESSES IN CASH RECEIPTS
PROCESSING CONTROLS
---------------------------------------------------------- Chapter 3:2
FDIC did not have adequate controls over cash receipt processes at
four consolidated receivership sites during most of 1992 to provide
reasonable assurance that all collections from the servicing and
liquidation of failed institution assets managed internally by FDIC
personnel were adequately safeguarded and completely and accurately
recorded for BIF and FRF. As a result, BIF and FRF may not have
deposited and recorded all proceeds from collections and sales of
assets in liquidation during 1992.
Controls over cash receipt processes should include procedures to
establish accountability for all receipts received on a daily basis.
At a minimum, control procedures should include the existence and
maintenance of receipt control logs or some other mechanism to
account for and track all receipts received at their point of entry.
Prior to September 1992, FDIC had not established uniform procedures
to ensure the accountability of all receipts received in its
consolidated offices. Due to the lack of specific guidance,
procedures did not exist for most of 1992 that would ensure adequate
control over checks received at 4 of the 11 consolidated offices for
which we performed testing of receipt processing controls. These
offices had been processing checks into FDIC's cashier system without
initially establishing a control total or a control log for checks
received at various entry points at the sites.
FDIC revised its Regional Accounting Manual in September 1992 to
adopt uniform procedures for ensuring that all receipts received at
the consolidated offices were properly accounted for on a daily
basis. The revised manual requires DOF personnel at the consolidated
offices to establish control totals for each initial point of
receipt, including post office boxes and mail rooms. The manual
requires DOF personnel to reconcile the total of each day's receipts
processed through the cashier system back to the sum of these control
totals. According to FDIC, these procedures were implemented in
November 1992 by three of the consolidated offices where such
controls did not previously exist and in December 1992 by the fourth
office. We concur with these revised procedures and believe that, if
effectively implemented, they should help establish accountability
for, and ensure safeguarding of, all receipts received.
WEAK CONTROLS OVER ACCOUNTING
FOR SERVICER COLLECTIONS
---------------------------------------------------------- Chapter 3:3
The accounting method used in applying collections for two of the
seven large serviced asset pools did not comply with the requirements
of receivership accounting. This resulted in servicer reported
balances of receivership assets being compromised and the need for
significant adjustments to the receivership general ledgers for these
asset pools. Additionally, FDIC's method of accounting for servicer
collections and remittances on FIS varied between the two FDIC
regional offices responsible for recording such activity. This
inconsistency was further complicated by the regional offices'
improper use of standard receivership accounts on FIS. As a result,
FDIC personnel did not have accurate information on the composition
of receivership accounts, which is necessary to adequately safeguard
receivership assets. A clear understanding of the nature of recorded
transactions is essential to ensure accurate accounting and reporting
of asset management and liquidation activity and to maintain
accountability for the failed institution asset inventory.
LACK OF COMPLIANCE WITH
RECEIVERSHIP ACCOUNTING
RESULTED IN ADJUSTMENTS TO
ASSET POOL BALANCES
-------------------------------------------------------- Chapter 3:3.1
Serviced asset pools are required to be maintained on a basis of
accounting consistent with FDIC policies for receiverships. Under
receivership accounting, collections on an asset are applied among
principal, interest, and other income so that the legal balance\7 of
loans can be maintained. Because FDIC does not maintain a subsidiary
record of each asset's legal balance for those assets included in
servicer pools, it is critical that the integrity of the aggregate
pool balance for each asset pool be maintained accurately on FIS.
For two of the contracted asset servicers, we found that the asset
servicing agreements, which outline the servicers' basic
responsibilities, did not require that receivership accounting be
used. Instead, the agreements outlined different procedures for
applying collections on assets in the pools. The pool accounting
under these agreements required that all collections be treated as a
principal reduction to the book value of an asset until the book
value reached zero. Although not specifically stated in the
agreements, FDIC confirmed that cumulative collections which exceeded
an asset's book value were to be recorded as interest income. Under
this basis of accounting, a legal asset could still exist even though
the servicers' pool records would reflect a zero balance. The two
servicers accounted for the assets they serviced in a manner
consistent with the asset servicing agreements and did not allocate
collections among principal, interest, and other income until June
1992 and July 1992, respectively. Consequently, the balances in the
FIS general ledger control accounts for the assets serviced by these
entities were misstated until correcting entries were made in
December 1992 and January 1993, respectively. Thus, controls to
ensure adequate safeguarding of, and accountability for, all assets
with a positive legal balance were compromised.
For one of the servicers, collections received prior to June 1992
were recorded on FIS in a "cash collections-in-process" account. A
total of $102 million, representing collections on the pool assets
from August 1991 through May 1992, were recorded in this account
before FDIC required this servicer to convert to a receivership basis
of accounting. During December 1992, a correcting entry of $19.1
million was made to transfer amounts out of the cash
collections-in-process account and appropriately record them in the
"principal collections" and "interest income" accounts. An
additional $66.9 million was reclassified in January 1993. The
remaining $16 million had not been reclassified at the time of our
field work.
For the other servicer, all collections received from its inception
date, June 1991, to July 1992 had been recorded on FIS in a
"principal collections" account in accordance with the accounting
guidance contained in the asset servicing agreement. In December
1992, an adjusting entry was made to reclassify $308.5 million in
interest income that had been incorrectly recorded as principal
collections.
FDIC was aware of the weaknesses in accounting guidance for servicers
during 1992 and took corrective action that allowed the above
adjusting entries to be recorded to the servicers' pool records and
to the proper FIS accounts so that legal balances could be restored.
Additionally, FDIC took steps to ensure that the language in
subsequent asset servicing agreements complied with receivership
accounting policies.
--------------------
\7 The legal balance represents the amount of indebtedness or
liability legally due and owed by an obligor, including principal and
accrued and unpaid interest, late fees, attorneys' fees and expenses,
taxes, insurance premiums, and similar charges, if any.
STANDARD RECEIVERSHIP
COLLECTION ACCOUNTS WERE
USED INCONSISTENTLY
-------------------------------------------------------- Chapter 3:3.2
DOF personnel at FDIC's New York regional office were responsible for
maintaining the FIS accounting records for six of seven serviced
asset pools, while DOF personnel at the Dallas regional office were
responsible for the FIS accounting records for the remaining pool.
We found inconsistencies in how the two regions accounted for
servicer collections on FIS. The New York region recorded servicer
collections on FIS after they were remitted to FDIC. In contrast,
the Dallas region recorded both the remitted and unremitted servicer
collections on FIS.
Accounting for the unremitted collections significantly increases the
amount of assets (cash) and liabilities (cash collections-in-process)
reflected within a receivership on FIS. An additional $14.3 million
was reflected in FIS records for the serviced asset pool accounted
for by the Dallas region at September 30, 1992. Additionally,
because FIS does not have an account specifically designated for the
recording of unremitted collections, the Dallas region utilized the
"cash collections-in-process" account to record unapplied and
unremitted collections, and used the "accounts payable" account to
record unapplied remittances. In contrast, the New York region used
just one account, "cash collections-in-process," to record unapplied
collections that had been remitted by the servicers.
The inconsistent accounting procedures followed by the two regions
was primarily due to the absence of standard policies and guidance by
headquarters DOF officials for accounting for servicer activity on
FIS. Generally accepted accounting principles require consistent
application of accounting practices for transactions of a similar
nature. Inconsistency in the accounting practices followed by the
two regions distorted the integrity of the reported FIS balances, and
resulted in inaccurate data on the nature of the transactions
recorded in the accounts.
WEAKNESSES IN CONTROLS OVER
RECORDING SAIF ASSESSMENT
INCOME RESULTED IN REPORTING
ERRORS
---------------------------------------------------------- Chapter 3:4
FDIC did not have effective controls in place to ensure that
assessment income due SAIF was properly recorded in the Fund's
financial records. Errors in the calculation of assessments
submitted to FDIC by banks with both BIF- and SAIF-insured deposits
were not detected through verification procedures recently
implemented by FDIC in time to prevent misstatements to the Fund's
financial statements. As a result, SAIF's assessment revenue has
been understated since 1990, and significant adjustments were
required to SAIF's current and prior years' financial statements to
correct these errors.
From SAIF's inception with the enactment of FIRREA on August 9, 1989,
until December 31, 1992, all of SAIF's assessment income came from
banks whose deposit base included deposits acquired from thrift
institutions.\8 FDIC relies on each of these banks to calculate their
insurance assessments and requires them to submit a completed and
signed certified statement with a check for the assessment amount by
January 31 and July 31 of each calendar year. Prior to July 1992,
FDIC did not have procedures in place to verify that these banks were
accurately completing their certified statements.
In July 1992, FDIC began performing a detailed review of all insured
banks' certified statements received from SAIF's inception through
July 1992 to determine if the banks properly calculated their
insurance assessments. Based on these reviews, FDIC determined that
adjustments to SAIF's 1992 and 1991 financial statements totaling
$11.6 million and $5.6 million, respectively, were necessary as of
December 31, 1992, to reflect previously unrecorded assessments.
Additionally, FDIC determined that an adjustment of $1.2 million was
necessary to reflect previously unrecorded assessment revenue in
SAIF's opening 1991 fund balance. These adjustments were needed to
account for assessments due SAIF that were recorded in BIF's general
ledger and additional assessments owed SAIF by banks with
thrift-acquired deposits. As a result of errors in these
institutions' calculations of assessment premiums owed SAIF and
FDIC's lack of verification procedures over SAIF's assessment income
prior to July 1992, SAIF's assessment income had been understated by
$18.4 million over the life of the Fund prior to the adjustments
recorded as of December 31, 1992.
In 1993, FDIC began receiving insurance assessments from all
SAIF-member depository institutions, except those amounts required by
the Financing Corporation (FICO) for the payment of interest and
custodial costs on bonds it previously issued to recapitalize FSLIC.
The increase in assessment income makes it critical that appropriate
controls such as the internal reviews of certified statements be in
place and maintained to ensure that SAIF receives all assessment
income to which it is rightfully due and to ensure that SAIF's
assessment income is properly recorded in the period earned.
--------------------
\8 Pursuant to section 5(d)(3) of the Federal Deposit Insurance Act,
banks can acquire deposits of thrift institutions without changing
insurance coverage for these acquired deposits. Accordingly,
acquired thrift deposits continued to be insured by SAIF and assessed
at SAIF's assessment rate.
WEAK CONTROLS OVER RECORDING
SAIF'S EXIT FEES RESULTED IN
AUDIT ADJUSTMENTS
---------------------------------------------------------- Chapter 3:5
FDIC did not establish procedures to ensure that all exit fee income
from financial institutions that changed their insurance coverage
from SAIF to BIF were properly recorded in SAIF's financial records.
Reconciliations between general ledger control accounts used to
record exit fee income and detailed entrance and exit fee activity
reports were not performed, and significant levels of adjustments
arising from other verification procedures were not recorded in the
general ledger for SAIF. As a result, significant adjustments were
required to SAIF's financial records to properly reflect all income
from exit fees.
FIRREA directs that insured depository institutions converting from
SAIF to BIF must pay an appropriate fee to each fund. A financial
institution electing to exit SAIF and enter BIF calculates its own
fee on an entrance and exit fee certified statement and submits the
completed statement to FDIC. FDIC sends the institution a bill for
the fee and establishes a receivable for the fee in SAIF's general
ledger until it receives payment in full. Because FDIC relies on
each institution to accurately calculate its own exit fee, it
performs review procedures to verify the accuracy of the exit fee
certified statements submitted by the institutions. Based upon the
results of these reviews, adjustments to the fees are sometimes
required.
We found weaknesses in FDIC's internal accounting controls over the
recording of exit fees during 1992 that led to errors in SAIF's
general ledger accounts used to record exit fee transactions. For
example, we found that general ledger balances used to account for
exit fee income were not reconciled to supporting exit fee activity
reports to ensure that all appropriate transactions had been
recorded. As a result, $2.3 million in exit fee income was earned
but not recorded in SAIF's general ledger accounts in 1992. Also, we
found that adjustments that arose from the internal verification
procedures FDIC performs on the certified statements were not always
recorded in the general ledger. Of 45 institutions we selected at
random that had adjustments made to their fees as a result of FDIC's
verification procedures, we found that the adjustments for 33
institutions (73 percent) had not been recorded in SAIF's general
ledger.
FDIC's failure to reconcile the general ledger control accounts used
for exit fees to supporting activity reports increased the risk of
errors in accounting for exit fee activity. Similarly, FDIC's
failure to ensure that adjustments arising from its internal
verification procedures are recorded in the general ledger defeats
the purpose of this important control, and significantly increases
the risk that exit fees could become materially misstated in the
future.
WRITTEN PROCEDURES FOR
FINANCIAL REPORTING ADJUSTMENTS
WERE LACKING
---------------------------------------------------------- Chapter 3:6
FDIC did not have written procedures to ensure that adjustments to
the financial statements of the three funds were properly authorized.
In addition, there were no written procedures to ensure that all
transactions that should be recorded through adjustments were
properly considered in preparing the financial statements. The lack
of such written procedures could result in misstatements to the
financial statements of the three funds.
Although the financial statements of the three funds encompass the
effects of transactions through December 31 of each calendar year,
the general ledgers maintained on FIS for each of the three funds are
not officially closed until several weeks after the end of the
reporting period to permit the recording of transactions which
originated in the reporting period. In addition, transactions that
have not been entered into FIS before the general ledgers are
officially closed, but whose effects should be reflected in the
reporting period covered by the financial statements, are recorded
manually as post-closing adjustments.
We examined 49 post-closing adjustments to the December 31, 1992,
financial statements for the three funds, whose aggregate dollar
impact on the three funds totaled $6.4 billion. Of these, we found
that seven adjustments, whose aggregate dollar impact on the three
funds totaled $320 million, were missing supervisory approval. While
supporting documentation we reviewed indicated that the adjustments
were appropriate for purposes of presentation in each fund's
financial statements, the lack of supervisory approval and written
procedures to ensure that all post-closing adjustments are
appropriately considered could allow inappropriate adjustments to be
made to the funds' financial statements. Also, the lack of such
controls could result in needed adjustments not being made to the
financial statements.
CONCLUSIONS
---------------------------------------------------------- Chapter 3:7
The weaknesses that existed in FDIC's system of internal accounting
controls during 1992 resulted in adjustments to BIF's receivership
accounts, SAIF's general ledger control accounts, and SAIF's
financial statements. These adjustments illustrate the impact that
the internal control weaknesses had on FDIC's ability to ensure that
transactions were properly recorded and summarized. Additionally,
the weaknesses in FDIC's general controls over its information
systems precluded it from having reasonable assurance that systems
hardware and applications were not accessed without appropriate
authorization and, consequently, that assets were safeguarded from
unauthorized use. The lack of adequate cash receipts processing
controls at several of its consolidated receivership sites throughout
much of 1992 precluded FDIC from having reasonable assurance that all
collections were appropriately deposited and accurately recorded in
BIF's and FRF's receivership accounts.
FDIC took action during 1992 to address the weaknesses in its cash
receipts processing procedures, which should provide reasonable
assurance concerning the completeness of consolidated office
collections. Additionally, the changes FDIC made in the standard
language of asset servicing agreements regarding the appropriate
method of accounting for serviced asset pools by servicers should
result in more consistent and appropriate accounting of collections
to ensure that the integrity of the legal balances of the asset pools
are maintained.
RECOMMENDATIONS
---------------------------------------------------------- Chapter 3:8
To address the weaknesses identified in general controls over its
computerized information systems, we recommend that the Acting
Chairman of the Federal Deposit Insurance Corporation direct the head
of the Division of Information Resources Management to
implement the recommendations of the inspector general and the
independent contractor, particularly with respect to (1)
regulating access to the systems and establishing policies and
procedures to investigate unauthorized access attempts and
security violations, (2) fully monitoring programmer changes and
addressing system exposures, and (3) improving existing
practices for administering the automated building and data
center physical security system.
To address the inconsistencies in the use of standard receivership
collection accounts, we recommend that the Acting Chairman of the
Federal Deposit Insurance Corporation direct the head of the Division
of Finance to
establish (1) centralized leadership within DOF to provide
accounting guidance to the regional offices tasked with the
responsibility of accounting for transactions associated with
the serviced asset pools, and (2) a standard accounting policy
manual to assist in the application of consistent accounting
procedures for these pools.
To address weaknesses in controls over recording SAIF's assessment
income, we recommend that the Acting Chairman of the Federal Deposit
Insurance Corporation direct the head of the Division of Finance to
routinely perform detailed reviews of all insured institutions'
certified statements to ensure that these institutions properly
calculate their insurance assessments and record any adjustments
resulting from these reviews in SAIF's financial statements in
the period in which the assessments were earned.
To address weaknesses in controls over recording SAIF's exit fees, we
recommend that the Acting Chairman of the Federal Deposit Insurance
Corporation direct the head of the Division of Finance to
routinely reconcile the general ledger control accounts used for
exit fees to supporting activity reports and
promptly and accurately record all adjustments resulting from
internal verification procedures in the general ledger.
To address weaknesses in controls over financial reporting
adjustments, we recommend that the Acting Chairman of the Federal
Deposit Insurance Corporation direct the head of the Division of
Finance to
establish written procedures for approving post-closing adjustments
to the financial statements which would include guidance
regarding the appropriate level of supervisory approval required
for adjustments.
AGENCY COMMENTS AND OUR
EVALUATION
---------------------------------------------------------- Chapter 3:9
FDIC concurred with some of the reportable conditions we identified,
but disagreed with others either because it disagreed with our
findings or because it disagreed that such findings constituted
reportable conditions.
FDIC concurred with the reportable condition regarding weaknesses in
general controls over its information systems, but pointed out that
these weaknesses were largely identified by an independent contractor
hired by FDIC to review its mainframe operating system and security
access software. As stated in chapter 1 of this report, we reviewed
the work of the independent contractor as well as the inspector
general's work on FDIC's telecommunications network and data center,
and concurred with their findings.
FDIC disagreed with our finding of weaknesses in cash receipts
processing at its consolidated receivership sites. FDIC pointed out
a number of internal control procedures developed over the last 6
years to ensure adequate controls over this activity. FDIC also
noted that additional internal control procedures were incorporated
into its Regional Accounting Manual in September 1992 to ensure that
all receipts from various sources were properly accounted for on a
daily basis. However, FDIC itself noted that four consolidated
offices did not already have such procedures in place. We concur
that these additional control procedures should ensure appropriate
accountability for all receipts received at these offices in the
future. However, this control was not in place during most of 1992
for these four offices and, therefore, FDIC did not have assurance
that all checks received at these four offices during 1992 were
deposited, recorded, and applied to the proper accounting period.
FDIC concurred that there was a lack of compliance and consistency in
the use of receivership accounting and standard receivership
accounts, but did not believe that this should be characterized as a
reportable condition. FDIC acknowledged that there were
inconsistencies in accounting for serviced asset pools, but stated
that it recently began to include in all subsequent asset servicing
agreements the requirement that servicers adhere to receivership
accounting. FDIC also noted that the inconsistency regarding the
accounting for remittances in one serviced asset pool did not cause
any material misstatement in the financial statements. FDIC agreed
that some inconsistencies resulted from the usage of certain general
ledger liquidation accounts based on differing collection reporting
methodologies and stated that the establishment of a Contractor
Accounting Oversight Group within the Division of Finance, created to
provide overall accounting for the serviced asset pools, should
assist in providing adequate control over, and timely financial
reporting of, assets serviced by third parties.
As stated in this chapter, the modified language that FDIC adopted
for new asset servicing agreements to require servicers to account
for the serviced asset pools under receivership accounting should
help ensure that the servicers account for their serviced pools in an
appropriate and consistent manner in the future. However, the lack
of such clarifying language in the earlier servicing agreements
resulted in inconsistencies and improper methods of accounting for
two serviced asset pools, the effects of which were not fully
corrected until January 1993. We also concur that the inconsistency
in accounting for remittances did not cause a material misstatement
to the financial statements. It does, however, make it difficult to
understand the nature of the transactions recorded in the accounts,
and could result in comparing incompatible information on
collections. In addition, a deficiency in the design or operation of
internal controls does not require a demonstrated effect of a
misstatement to be deemed a reportable condition. Rather, the
deficiency or weakness need only have the potential for causing a
misstatement for it to be considered a reportable condition.
With regard to weaknesses we identified in FDIC's process for
recording SAIF's assessment income, FDIC intends to continue the
process it established in July 1992 for routine audits of assessment
fees. Further, FDIC stated that it intends to reflect any
adjustments arising from these audits in the period in which the
audits were completed as opposed to the period in which the fees were
earned. We believe FDIC should consider the materiality of these
adjustments relative to SAIF's financial statements in determining
which period to reflect the impact of these adjustments. To do
otherwise would not be in accordance with generally accepted
accounting principles and could result in material misstatements to
SAIF's financial statements.
FDIC took exception to our finding of weak controls over the
recording of SAIF's exit fees. FDIC stated that procedures were
established to ensure that both exit and entrance fee transactions
were recorded in SAIF's financial records. FDIC noted that
reconciliations are performed on a monthly basis between the general
ledger and detailed entrance and exit fee reports, and that any
adjustments needed are made at the time the reconciliations are
completed. As discussed in this chapter, however, contrary to FDIC's
assertions, we found that such reconciliations were not performed
during 1992 and that, as a result, $2.3 million in exit fee income
was earned but not recorded in SAIF's general ledger. We also found
that adjustments arising from the internal review procedures on
certified statements were not always recorded in the general ledger.
Consequently, we believe FDIC should ensure that general ledger
control accounts used for exit fee activity are routinely reconciled
to the detailed activity reports, and that all adjustments arising
from the internal review procedures are promptly and accurately
recorded in SAIF's general ledger.
With regard to our finding that FDIC lacks formal procedures to
ensure the proper authorization and appropriate consideration of
adjustments to BIF's, SAIF's, and FRF's financial statements, FDIC
stated that, while not formally documented, it does have such control
procedures. We believe the results of our work clearly show the risk
of not formally documenting procedures. Despite FDIC's assertions
that its procedures provide sufficient control over the financial
reporting adjustment process, we found that a number of adjustments,
whose impact on the financial statements of the three funds is
considered significant, were made without the required supervisory
approval. We believe that formalizing procedures for approving
adjustments to the financial statements will institute more
discipline in the process and will provide better assurance to FDIC
that all necessary adjustments are appropriately considered and
approved by responsible parties. FDIC has agreed to document its
policies and procedures over the post-closing adjustment process.
(See figure in printed edition.)Appendix I
COMMENTS FROM THE FEDERAL DEPOSIT
INSURANCE CORPORATION
============================================================ Chapter 3
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
MAJOR CONTRIBUTORS TO THIS REPORT
========================================================== Appendix II
ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION,
WASHINGTON, D.C.
-------------------------------------------------------- Appendix II:1
Steven J. Sebastian, Assistant Director
Cheryl E. Clark, Audit Manager
Charles R. Fox, Audit Manager
Salim R. Mawani, Audit Manager
Lynda E. Downing, Senior Auditor
Cynthia Jackson, Senior Auditor
Vera M. Seekins, Senior Auditor
Keith A. Thompson, Senior Auditor
DALLAS REGIONAL OFFICE
-------------------------------------------------------- Appendix II:2
Shannon D. Rapert, Audit Manager
Kenneth R. Rupar, Audit Manager
George Jones, Site Senior
Miguel A. Salas, Site Senior
Ruth K. Joseph, Evaluator
Angela J. Reznicek, Evaluator
Sandra H. Vice, Evaluator
DENVER REGIONAL OFFICE
-------------------------------------------------------- Appendix II:3
Bennet E. Severson, Regional Manager
Paul S. Begnaud, Site Senior
Billie J. North, Site Senior
Alva J. Cain, Evaluator
Gina M. Guarascio, Evaluator
CHICAGO REGIONAL OFFICE
-------------------------------------------------------- Appendix II:4
Daniel S. Meyer, Site Senior
Lenny R. Moore, Evaluator
Richard S. Tsuhara, Evaluator
NEW YORK REGIONAL OFFICE
-------------------------------------------------------- Appendix II:5
John E. Thompson, Regional Manager
Vincent R. Morello, Site Senior
Jeremy D. Cox, Evaluator
Tobie W. Davis, Evaluator
Allen W. Gendler, Evaluator
Francis K. Hopp, Evaluator
Lucine R. Moore, Evaluator
�