IV. Management Controls - Matters for Continued Monitoring
For purposes of this report, matters for continued monitoring are medium-risk areas with ineffective internal controls with minor or no mitigating controls in place, posing medium risk to the Corporation. These areas warrant continued monitoring of corrective actions through completion.
The Corporation's evaluation and assessment process identified four matters that warrant continued monitoring. Three of these matters (numbers 2 - 4 below) were also included in the 2002 Annual Report.
1. Systems Development Project Management
The Corporation is engaged in several multi-million-dollar, large-scale development projects, including the New Financial Environment (NFE) and the Central Data Repository (CDR). As noted by the OIG, without effective project management, the FDIC runs the risk that corporate requirements and user needs may not be met in a timely, cost-effective manner. For instance, the OIG reviewed the project control framework for the NFE and determined that a formally defined integrated framework for the project was needed. The OIG felt that it would be difficult to ensure accountability and a corporate approach on the project without this integrated framework. The OIG further determined that improvements were needed in scope management, project oversight, and time management. If corrective actions undertaken by the FDIC are not completed promptly, the project is less likely to be deployed on schedule, which may increase overall project costs.
NFE will provide an integrated financial system that focuses on data-sharing, state-of-the-art computing technology, and the ability to grow and change with the Corporation's future financial management and information needs. Given the scope and complexity of the overall project, current delays from the original aggressive schedule, and control deficiencies identified by leadership and reinforced in the OIG's audit report number 03-045 entitled New Financial Environment Scope Management Controls, it is appropriate to maintain a heightened level of attention and focus on this major corporate initiative.
Also, at the FDIC's request, the OIG is reviewing issues that could impact the cost and timely completion of the CDR project. The FDIC, the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB), collectively referred to as the Federal Financial Institutions Examination Council (FFIEC) Call Agencies, want to improve the collection and management of the consolidated reports of condition and income (Call Reports) and publication of the Uniform Bank Performance Reports. This project presents potential risks and challenges as a result of the reliance on new technology and involvement of multiple agencies.
Additional audits are being planned for other large system-development efforts like Virtual Supervisory Information on the Net (ViSION). ViSION is an internet-based data system that provides the FDIC and staff of the other federal banking agencies and state authorities access to supervisory information about financial institutions. Phase IV of this project has experienced delays and potentially presents risks to timely and efficient data resource and reporting needs. Therefore, the FDIC will continue to focus heightened attention on this major initiative as well.
By continuing management focus on large-scale system-development efforts, the FDIC can strengthen its internal controls and mitigate risks that could hinder the Corporation from successfully achieving its goals and objectives.
2. Contractor Oversight
Maintaining strong internal controls and effective oversight of contracting activities is critical to the FDIC's success. The Corporation's exposure to risk is greater with increased reliance on outsourcing, if those contracts are not properly managed. The FDIC is working to improve contract-management practices, including possible consolidation of the large number of existing contracts into fewer, larger, long-term contracts. This would substantially reduce the number of outstanding contractual relationships, thus allowing contract managers to focus on a more manageable number of contracts. Also, the FDIC strengthened its contract-management function by developing and implementing 25 Web-based training courses for contract oversight managers and technical monitors.
In prior years, the FDIC implemented results-oriented contracting structures for multi-year, complex, high-dollar-value contracts that linked contractor compensation with performance and greatly decreased contract administration risk. In 2003, greater emphasis (2003 Procurement Plan approved by the FDIC Board of Directors) was placed on awarding more consolidated, performance-based contracting vehicles that will further enhance contractor performance and gain greater administrative efficiencies and contracting oversight.
The FDIC currently awards and administers over 50 percent of all contracting actions to support Information Technology (IT) activities within the Corporation. Other major system initiatives, in addition to NFE, CDR, and ViSION, include the Assessment Information Management System II (AIMS II), and the Corporate Human Resources Information System (CHRIS).
AIMS II is the platform that provides the FDIC with a flexible, robust tool to efficiently track deposit insurance assessments levied since the creation of the BIF and SAIF in 1989. It takes into account any changes that pending deposit insurance reform legislation might require, including possible credits or refund calculations. AIMS II is in production and produced the last three quarterly insurance invoices in 2003.
CHRIS is an integrated human resources processing and information system that will bring together many functions and data that now reside in multiple, stand-alone systems. CHRIS is being implemented incrementally utilizing a phased approach over a four-year period. The FDIC is currently planning the implementation of the fourth phase, which should be in production in early 2005.
A major non-systems-related procurement effort now underway is the construction of Phase II of the Seidman Center (Virginia Square Phase II). This project involves the addition of a two-tower office building and multi-purpose facility at the FDIC's existing Virginia Square campus. The new buildings will accommodate staff presently housed at three leased locations in Washington, DC, and will save the FDIC an estimated $78 million (in net present value terms) over a 20-year period. In September 2003, the FDIC broke ground for this new facility, which is expected to be occupied in 2006.
3. Risk Designation Levels/Background Investigations
The FDIC adopted the risk designation system established by the U.S. Office of Personnel Management to provide corporate officials with a systematic, consistent and uniform way of determining the risk levels of its positions. The risk designation system requires FDIC officials to designate risk levels for every position in the Corporation to determine the type of background investigations required. In 2003, the FDIC revised its directive entitled "Security Policy and Procedures for FDIC Contractors and Subcontractors," which provides guidance and procedures for contractor risk-level designations and background investigations. The Corporation has implemented the revised requirements in this directive.
Additionally, the FDIC has revised its circular on "Personnel Suitability Program," which will give current guidance on conducting the position-based background investigations discussed above.
4. Business Continuity Plan
Business continuity planning helps to minimize the potential negative impacts of adverse developments affecting the Corporation and allows the FDIC to continue meeting mission-critical requirements. During 2003, a series of tabletop exercises and security taskforce meetings were held to evaluate current response plans and capabilities. Based on the results of these drills, response plans were revised to include lessons learned from the changing security environment.
Another related effort involved disaster recovery testing. One disaster recovery test was conducted in 2003, with several others planned for 2004 and beyond. Results of the 2003 test revealed a need to update the call listing of essential personnel and to issue new guidelines and procedures to be utilized for disaster recovery purposes.