United States Government Accountability Office
Washington, D.C. 20548
To the Board of Directors
The Federal Deposit Insurance Corporation
We have audited the balance sheets as of December 31, 2006 and 2005, for the
two funds administered by the Federal Deposit Insurance Corporation (FDIC),
the related statements of income and fund balance (accumulated deficit), and
the statements of cash flows for the years then ended. In our audits of the
Deposit Insurance Fund (DIF) and
the FSLIC Resolution Fund (FRF), we found
the financial statements of each fund are presented fairly, in all material
respects, in conformity with U.S. generally accepted accounting principles;
FDIC had effective internal control over financial reporting and
compliance with laws and regulations for each fund; and
no reportable noncompliance with laws and regulations we tested.
The following sections discuss our conclusions in more detail. They also present
information on the scope of our audits and our evaluation of FDIC management's
comments on a draft of this report.
on DIF's Financial Statements
The financial statements, including the accompanying notes, present fairly,
in all material respects, in conformity with U.S. generally accepted accounting
principles, DIF's financial position as of December 31, 2006, and 2005, and the results
of its operations and its cash flows for the years then ended.
As discussed in note 1 to DIF's financial statements,
on February 8, 2006, the President signed into law the Federal Deposit Insurance Reform Act of 2005 (the Act).
Among its provisions, the Act called for the merger of the Bank Insurance Fund (BIF) and Savings Association
Insurance Fund (SAIF) into a single deposit insurance fund. In accordance with the Act, on March 31, 2006,
FDIC established the DIF with the merger of the BIF and SAIF. As further discussed in note 2 to DIF's financial
statements, the merger resulted in a new reporting entity. The financial results of the newly formed DIF were
retrospectively applied as though they had been combined at the beginning of the reporting year as well as for
prior periods presented for comparative purposes.
on FRF's Financial Statements
The financial statements, including the accompanying notes, present fairly,
in all material respects, in conformity with U.S. generally accepted
accounting principles, FRF's financial position as of December
31, 2006 and 2005, and the results of its operations and its cash flows
for the years then ended.
Opinion on Internal Control
FDIC management maintained, in all material respects, effective internal control over
financial reporting (including safeguarding assets) and compliance as of
December 31, 2006, that provided reasonable assurance that misstatements, losses, or
noncompliance material in relation to FDIC's financial statements for each fund would be
prevented or detected on a timely basis. Our opinion is based on criteria established
under 31 U.S.C. 3512 (c), (d) [commonly known as the Federal Managers' Financial Integrity Act (FMFIA)].
In our prior year audit,1 we reported on weaknesses we identified in FDIC's information system
controls, which we considered to be a reportable condition.2 Specifically, FDIC had implemented a new
financial system May 2005 and, in doing so, did not ensure that controls were adequate to accommodate
its new systems environment.
During 2006, FDIC corrected many of these weaknesses and implemented mitigating or compensating controls
to provide protection for the corporation's financial and sensitive information in the new systems environment.
These improvements enabled us to conclude that the remaining issues related to information systems controls do
not constitute a significant deficiency. However, continued management commitment to an effective information
security program will be essential to ensure that the corporation's financial and sensitive information will be
adequately protected. In light of the evolving nature of information security, and with new exposures and
threats continuing to develop, the corporation's information security program will need to dynamically adapt
to address changing information security challenges. As FDIC continues to enhance its new financial system,
which is based on an integrated financial management software package, the corporation's reliance on controls
implemented in the single, integrated financial system will increase. The continued effectiveness of FDIC's
controls will be dependent on sound implementation of the integrated financial management software and its
We did identify control deficiencies during our 2006 audits that we do not consider
to be significant deficiencies. We will be reporting separately to FDIC management on these matters.
Compliance with Laws and Regulations
Our tests for compliance with selected provisions of laws and regulations disclosed no instances
of noncompliance that would be reportable under U.S. generally accepted government auditing standards.
However, the objective of our audits was not to provide an opinion on overall compliance with laws and
regulations. Accordingly, we do not express such an opinion.
Objectives, Scope, and Methodology
FDIC management is responsible for (1) preparing the annual financial statements in conformity with U.S.
generally accepted accounting principles; (2) establishing, maintaining, and assessing internal control
to provide reasonable assurance that the broad control objectives of FMFIA are met; and (3) complying with
applicable laws and regulations.
We are responsible for obtaining reasonable assurance about whether
(1) the financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles; and
(2) management maintained effective internal control, the objectives of which are the following:
financial reporting-transactions are properly recorded,
processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally
accepted accounting principles; and assets are safeguarded against loss from unauthorized acquisition, use,
or disposition; and
compliance with laws and regulations-transactions
are executed in accordance with laws and regulations that could have a direct and material effect on the
We are also responsible for testing compliance with selected provisions of laws and
regulations that could have a direct and material effect on the financial statements.
In order to fulfill these responsibilities, we
examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
assessed the accounting principles used and significant estimates made by management;
evaluated the overall presentation of the financial statements;
obtained an understanding of internal control related to financial reporting (including safeguarding assets) and compliance with laws and regulations;
tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control;
considered FDIC's process for evaluating and reporting on internal control based on criteria established by FMFIA; and
tested compliance with certain laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, the Federal Deposit Insurance Reform Act of 2005, and the Chief Financial Officers Act of 1990.
We did not evaluate all internal controls relevant to operating objectives as broadly defined by FMFIA,
such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited
our internal control testing to controls over financial reporting and compliance. Because of inherent limitations
in internal control, misstatements due to error or fraud, losses, or noncompliance may nevertheless occur
and not be detected. We also caution that projecting our evaluation to future periods is subject to the risk that
controls may become inadequate because of changes in conditions or that the degree of compliance with controls
We did not test compliance with all laws and regulations applicable to FDIC. We limited our tests of
compliance to those laws and regulations that could have a direct and material effect on the financial
statements for the year ended December 31, 2006. We caution that noncompliance may occur and not be detected by
these tests and that such testing may not be sufficient for other purposes.
We performed our work in accordance with U.S. generally accepted government auditing standards.
FDIC Comments and Our Evaluation
In commenting on a draft of this report, FDIC's Chief Financial Officer (CFO) was pleased to receive
unqualified opinions on the DIF and FRF financial statements and to note that there were no material
weaknesses identified during the 2006 audits. FDIC's CFO appreciated that we recognized the improvements
that FDIC made over the past year to its information systems environment. Also, the CFO stated that FDIC's
sustained commitment to enhancing information systems controls adequately addressed the concerns that we
highlighted in the prior year report and enabled us to conclude that the remaining issues related to such controls
do not constitute a significant deficiency. Finally, the CFO stated that FDIC's goal is to maintain an effective
information security program going forward, and has pledged to work diligently to resolve control issues that we
identified during the 2006 audits, as well as any that may arise in the future.
The complete text of FDIC's comments is reprinted in appendix I.
David M. Walker
Comptroller General of the United States
January 31, 2007
1 GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2005 and 2004
Financial Statements, GAO-06-146 (Washington, D.C.: Mar. 2, 2006).
2 Reportable conditions involve matters coming to the auditor's attention that, in the auditor's judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control and could adversely affect FDIC's ability to meet the control objectives described in this report. In May 2006, the American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standard (SAS) 112, which became effective for audits of financial statements for periods ending on or after December 15, 2006. SAS 112 established standards and provides guidance on the auditor's responsibilities for identifying, evaluating, and communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements. Under the new SAS, the auditor is required to communicate control deficiencies that are significant deficiencies or material weaknesses in internal controls. A significant deficiency is a control deficiency, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. As a result of SAS 112, the term reportable condition is no longer used.