June 14, 2010
Mr. Steven J. Sebastian
Director, Financial Management and Assurance
U.S. Government Accountability Office
441 G Street, NW
Washington, DC 20548
Re: FDIC Management Response on the GAO 2009 Financial Statements Audit Report
Dear Mr. Sebastian:
Thank you for the opportunity to comment on the U.S. Government Accountability Office's (GAO's) draft report titled, Financial Audit: Federal Deposit Insurance Corporation Funds' 2009 and 2008 Financial Statements, GAO-10-705. We are pleased that the Federal Deposit Insurance Corporation (FDIC) received an unqualified opinion for the eighteenth consecutive year on the financial statements of its funds: the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund (FRF). The unqualified opinion demonstrates our continued dedication to sound financial management. GAO reported that the funds' financial statements were presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles (GAAP) and that there was no reportable noncompliance with the laws and regulations that were tested. During the course of the audit, GAO and the FDIC also held detailed discussions regarding the level and sufficiency of internal controls during the surge in bank resolution and related crisis workload, with GAO concluding that a material weakness existed in the loss share estimation process, resulting in an opinion that internal controls over financial reporting were not effective in an overall sense. Separately, GAO identified a significant deficiency over information systems.
The perspective that the FDIC shared with GAO regarding the loss share estimation process was that despite the surge in resolution workload, a general review framework existed for the loss share agreements, with additional review on the larger agreements, albeit without our normal, well-documented audit trail. The weakness related to the loss share estimation process resulted in an absolute value error of $611 million, with the net effect of overstating the estimated loss share liability by $138 million against the overall loss share liability of $22.2 billion, or 2.75 percent absolute value and 0.62 percent net effect. Once corrected, this increased the "Receivables from Resolutions, Net" line item on the DIF's balance sheet by $138 million to $38.4 billion. Moreover, 68 percent of the overall absolute value error is attributable to loss share estimates for three receiverships. Though acknowledging that controls over the loss share estimation processes needed improvement during 2009, the FDIC believes that additional resources added throughout 2009, control improvements implemented during the fourth quarter of 2009, and control enhancements to be completed by the end of the second quarter of 2010 will largely address GAO's concerns in this area. The FDIC's action plans in this regard have previously been shared with GAO. The FDIC is confident about the comprehensiveness of these control enhancements, which are straightforward in design, and does not expect GAO to identify repeat findings in the loss share estimation process for 2010. Similar control improvements are underway in the IT security area to resolve the identified control deficiencies in 2010.
During 2009, new audit standards went into effect that required management to provide a written assertion about the effectiveness of its internal control over financial reporting. In complying with this requirement, the FDIC prepared Management's Report on Internal Control over Financial Reporting (see attachment). The report acknowledges management's responsibility for establishing and maintaining internal control over financial reporting and provides the FDIC's conclusion regarding the effectiveness of its internal control.
The past year was unusually challenging due to the significant increase in bank resolution activity over prior years, coupled with unprecedented FDIC initiatives such as the Temporary Liquidity Guarantee Program (TLGP) and the successful collection of nearly $46 billion in prepaid assessments. However, as the FDIC continues to fulfill its mission to maintain stability and public confidence in the nation's financial system, we will continue to ensure that effective financial management remains a priority. The FDIC recognizes the significance that internal control plays in achieving its mission and goals and therefore will seek continual improvement in its internal control environment.
As always, we appreciated the professionalism and dedication of the GAO staff during the audit and look forward to continuing our productive and successful relationship during the 2010 audit. If you have any questions or concerns, please do not hesitate to contact me.
Steven O. App
Deputy to the Chairman
and Chief Financial Officer
Management's Report on Internal Control over Financial Reporting
The Federal Deposit Insurance Corporation's (FDIC's) internal control over financial reporting is a
process effected by those charged with governance, management, and other personnel, designed to
provide reasonable assurance regarding the preparation of reliable financial statements in accordance
with U.S. generally accepted accounting principles (GAAP), and compliance with applicable laws
and regulations. The objective of the FDIC's internal control over financial reporting is to reasonably
assure that (1) transactions are properly recorded, processed and summarized to permit the preparation
of financial statements in accordance with GAAP, and assets are safeguarded against loss from
unauthorized acquisition, use, or disposition; and (2) transactions are executed in accordance with the
laws and regulations that could have a direct and material effect on the financial statements.
Management is responsible for establishing and maintaining effective internal control over financial
reporting. Management assessed the effectiveness of the FDIC's internal control over financial
reporting as of December 31, 2009, through its enterprise risk management program that seeks to
comply with the spirit of the following standards, among others: Federal Managers' Financial Integrity
Act (FMFIA); Chief Financial Officers Act (CFO Act); Government Performance and Results
Act (GPRA); Federal Information Security Management Act (FISMA); and OMB Circular A-123. In
addition, other standards that the FDIC considers are the framework set forth by the Committee of
Sponsoring Organizations of the Treadway Commission's Internal Control-Integrated Framework
and the U.S. Government Accountability Office's (GAO's) Standards for Internal Control in the Federal
Based on our evaluation, FDIC management concluded that as of December 31, 2009, the Corporation
generally maintained effective internal controls, with the exception of a material weakness related
to its process for estimating losses on loss-sharing arrangements. Therefore, the Corporation did not
maintain, in all material respects, effective internal control over financial reporting.
Federal Deposit Insurance Corporation
June 14, 2010