As part of the Corporation's continued commitment to establish and maintain effective and efficient internal controls, FDIC management routinely conducts ongoing evaluations of internal accounting and administrative control systems. The results of these evaluations, as well as consideration of audits and reviews conducted by the U.S. General Accounting Office (GAO), the Office of Inspector General (OIG) and other outside entities, are used as a basis for the FDIC's reporting on the condition of the Corporation's internal controls.
The FDIC's management concludes that the system of internal accounting and administrative controls at the FDIC, taken as a whole, complies with internal control standards prescribed by the GAO and provides reasonable assurance that the related objectives are being met. This standard reflects the fact that all internal control systems, no matter how well designed, have inherent limitations and should not be relied upon to provide absolute assurance, and that control systems may vary over time because of changes in conditions.
The Corporation's evaluation processes, the OIG audits and the GAO financial statements audits have identified certain areas where existing internal controls should be improved. FDIC management uses the chart below in the evaluation process to determine the appropriate classification for these areas.
Effectiveness of Internal Controls (rated against High, Medium or Low vulnerability*):
  - Controls are working as intended
  - Controls are not working as intended, but mitigating controls exist
  - Controls are not working as intended and minor/no mitigating controls exist
*High, Medium, and Low are measured on how potentially critical the area or operation is to achieving the mission and objectives of the Corporation. Additionally, consideration is given to the risk to the Corporation, absent the area or operation.
For purposes of this report, FDIC management considers a weakness material if it:
Violates statutory or regulatory requirements;
Significantly weakens safeguards against waste, loss, unauthorized use or misappropriation of funds, property or other assets;
Significantly impairs the mission of the FDIC;
Fosters a conflict of interest;
Deprives the public of needed services; or
Merits the attention of the Chairman, the FDIC Board of Directors or Congress.
To determine the existence of material weaknesses, the FDIC has assessed the results of management evaluations and external audits of the Corporation's risk management and internal control systems conducted in 2002, as well as management actions taken to address issues identified in these audits and evaluations. Based on this assessment and application of the above criteria, the FDIC concludes that no material weaknesses existed within the Corporation's operations for 2002 and 2001.
High Vulnerability Issues
For purposes of this report, FDIC management has designated a high vulnerability issue as a high-risk or medium-risk area with identified deficiencies and ineffective internal controls with minor or no mitigating controls. These areas warrant special attention of management, with the need to strengthen controls. The FDIC identified Information Systems Security as a high vulnerability issue for 2002 and 2001.
Highly sensitive information is just one critical corporate resource that must be protected and managed effectively so that the FDIC can fulfill its mission. Information and analysis on banking, financial services and the economy form the basis for the development of sound public policies and promote public understanding and confidence in the nation's financial system. A strong enterprise-wide information security program is essential to the successful accomplishment of the FDIC's goals.
The FDIC has made considerable progress over the past two years in establishing a strong, effective information security program. FDIC management recognizes that this cannot be accomplished overnight but will require continual commitment by management and the organization over a period of several years. In its report entitled Independent Evaluation of the FDIC's Information Security Program - 2002, the OIG concluded that "the Corporation had established and implemented management controls that provided limited assurance of adequate security of its information resources." The OIG reported that in three of ten management areas (Contractor and Outside Agency Security, Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. The FDIC is aggressively pursuing management actions in these areas.
As part of the audits of the FDIC's 2002 financial statements, the GAO identified weaknesses in the FDIC's information system controls as a reportable condition. The weaknesses, although not considered material by the GAO, represented a significant deficiency in the design or operations of internal controls that could adversely affect the FDIC's ability to meet its internal control objectives. Although the GAO reported that the FDIC made progress in addressing previously identified weaknesses, the GAO stated that the lack of a fully developed and implemented comprehensive corporate-wide security management program was the primary reason for the continued weaknesses in this area. The weaknesses did not materially affect the 2002 financial statements.
In February 2002, the FDIC's Information Security Strategic Plan was approved to address these deficiencies. The plan provides for a sound information security structure and assures the integrity, confidentiality and availability of corporate information assets by proactively protecting them from unauthorized access and misuse.
During the latter part of 2002, the FDIC undertook a self-assessment of its information technology (IT) area with primary focus on information security. This self-testing was necessary to ensure that the FDIC was prepared for the 2002 GAO financial statements audit. During the self-assessment, the FDIC evaluated its progress in addressing GAO findings from earlier audits, and reviewed additional key IT areas likely to be examined by GAO during the 2002 audit. Upon completion of the self-testing, the assessment team and management recognized that continued and immediate efforts were needed to address prior audit findings as well as newly identified high-risk areas. As a result of the self-assessment, the FDIC information security program will be considerably strengthened through more rigorous policies and procedures.