To the Board of Directors
The Federal Deposit Insurance Corporation
In accordance with section 17 of the Federal Deposit Insurance Act, as amended, and the Government Corporation Control Act, we are responsible for conducting audits of the financial statements of the funds administered by the Federal Deposit Insurance Corporation (FDIC). In our audits of the Deposit Insurance Fund’s (DIF)
and the FSLIC Resolution Fund’s (FRF) financial statements1 for 2011
2010, we found
the financial statements as of and for the years ended
2011, and 2010, are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles;
although certain internal controls should be improved, FDIC maintained, in all material respects, effective internal control over financial reporting as of
December 31, 2011; and
no reportable noncompliance with provisions of laws and
The following sections discuss in more detail (1) these
conclusions; (2) our
audit objectives, scope, and methodology; and (3) agency comments.
Opinion on the DIF’s Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, the DIF’s assets, liabilities, and fund balance as of December 31, 2011, and 2010, and its income and fund balance and its cash flows for the years then ended.
As discussed in note 8 to the DIF’s financial statements, the banking industry continued to recover in 2011 from the effects of the financial crisis and the recession of 2007-09. During 2011, 92 insured banks with combined assets of $36.6 billion failed. However, the losses to the DIF from failures that occurred in 2011 fell short of the amount reserved at the end of 2010, as the aggregate number and size of institution failures in 2011, and their estimated cost to the DIF, were less than anticipated. The DIF's contingent liability for anticipated failures declined from $17.7 billion at December 31, 2010, to $6.5 billion at December 31, 2011. As discussed in note 17 to the DIF's financial statements, through April 11, 2012, 16 institutions have failed during 2012.
As of December 31, 2011, the DIF had a negative fund
$11.8 billion and its ratio of reserves to estimated insured deposits was 0.17 percent. In contrast, at December 31, 2010, the DIF had a
negative fund balance of $7.4 billion and its ratio of reserves to
insured deposits was a negative 0.12 percent. The improvement
primarily attributable to assessment revenues earned in 2011, lower losses from bank failures in 2011 than
projected at December 31, 2010, and a reduction in estimated losses from anticipated failures at December 31, 2011.
During 2011, FDIC continued
implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act2, which included significant provisions related to the capitalization of the DIF. The act set a statutory minimum designated reserve ratio for the DIF of not less than 1.35 percent of estimated insured deposits and requires that FDIC take such steps as may be necessary to achieve this reserve ratio by September 30, 2020. FDIC adopted a new DIF restoration plan in October 2010 in response to the act's requirements. As discussed in note 9 to the DIF's financial statements, in December 2011, the FDIC adopted a final rule to maintain the DIF's designated reserve ratio at 2 percent, based on its view that this level would enable it to withstand substantial losses consistent with FDIC's comprehensive long-term management plan. In addition, the act provides for a permanent increase in the standard deposit insurance coverage amount from $100,000 to $250,000 (retroactive to January 1, 2008), and unlimited deposit insurance coverage for non-interest-bearing transaction accounts through the end of 2012. The act also authorizes FDIC to undertake enforcement actions against depository institution holding companies if their conduct, or threatened conduct, poses a risk of loss to the DIF.
The DIF also continues to face some exposure as a result of actions taken pursuant to the systemic risk determination made in 2008. As discussed in note 16 to the DIF's financial statements, pursuant to this systemic risk determination, FDIC established the Temporary Liquidity Guarantee Program (TLGP) in 2008. The only component of the TLGP remaining is the Debt Guarantee Program, under which FDIC guaranteed newly issued senior unsecured debt up to prescribed limits issued by insured institutions and certain holding companies. FDIC charged fees to participants that are to be used to cover any losses under the Debt Guarantee Program. The guarantee covered each participating debt to the earliest of the related date of maturity, or December 31, 2012. As of December 31, 2011, the amount of debt guaranteed by FDIC under the Debt Guarantee Program was $167.4 billion.
Opinion on the FRF’s
The financial statements, including the accompanying
in all material respects, in conformity with U.S. generally accepted
accounting principles, the FRF’s assets, liabilities, and resolution equity
December 31, 2011, and 2010, and its income and accumulated deficit and
its cash flows for the years then ended.
Opinion on Internal Control
Although certain internal controls associated with the DIF's financial reporting should be improved, FDIC maintained, in all material respects, effective
financial reporting as of December 31, 2011. FDIC's internal control provided reasonable
assurance that misstatements, losses, or noncompliance material in
relation to the DIF financial statements and the FRF financial statements would be prevented or detected and
corrected on a timely basis. Our opinion is based on criteria
under 31 U.S.C. §3512 (c), (d), commonly known as the Federal Managers’
Financial Integrity Act of 1982 (FMFIA).
During our 2011 audit, we identified
deficiencies in controls over FDIC’s process for deriving and reporting estimates of losses to the DIF from resolution transactions involving shared loss agreements. These deficiencies resulted in errors in the draft 2011 DIF financial statements that FDIC did not detect and that necessitated FDIC adjustments in finalizing the financial statements. While these deficiencies, individually and collectively, do not constitute a material weakness in internal control over financial reporting,3 they nevertheless increase the risk of additional undetected errors or irregularities in the DIF's financial statements. Consequently, we believe they collectively represent a significant deficiency in FDIC's internal control over financial reporting for the DIF4.
Since 2009, FDIC has used purchase and assumption agreements with accompanying shared loss agreements as the primary means of resolving failed financial institutions. Under such agreements, FDIC sells a failed institution to an acquirer with an agreement that FDIC, through the DIF, will share in any losses that acquirer experiences in servicing and disposing of assets purchased and covered under the shared loss agreement. Typically, these shared loss agreements are structured such that FDIC assumes 80 percent of any such losses.
For financial reporting purposes, FDIC developed a process to calculate an estimate of losses under these shared loss agreements. The estimate was $42.8 billion (46 percent) of the total DIF allowance for losses related to the Receivables from resolutions, net line item on the DIF's balance sheet at December 31, 2011. As an integral part of this shared loss estimation process, FDIC developed a series of computerized programs that are commonly referred to as the shared loss model.
As part of our audit, we reviewed the process by which FDIC derived its estimates of losses to the DIF from shared loss agreements. We identified deficiencies in internal control over this process that allowed significant errors in the shared loss estimate to occur and not be detected or corrected. During prior financial audits, we identified and reported on control deficiencies in FDIC's process for estimating losses from shared loss agreements5. Although FDIC has taken steps intended to address the deficiencies that we previously identified, the controls put in place were not sufficient to prevent, detect, and correct errors in the shared loss model. During our 2011 audit, the following three control deficiencies were identified that adversely affected FDIC's shared loss estimation process:
FDIC lacked effective controls over testing and verifying the shared loss model. FDIC's tests were not designed to consistently verify that the model's logic and test results were consistent with the objectives of the model. Further, the tests did not evaluate all portions of the model's loss calculation. As a result, FDIC's tests did not detect three separate programming errors in the model, such as double counting of some losses that led to errors in the shared loss estimate in the draft DIF financial statements. The lack of effective controls resulted in undetected gross errors in the draft DIF financial statements' overall allowance for losses of $578 million and a $184 million net reduction in the loss estimate. FDIC subsequently corrected this error in finalizing the DIF's 2011 financial statements.
FDIC lacked effective controls over the integrity of source data used by the shared loss model in deriving the shared loss estimates. FDIC's controls did not fully provide reasonable assurance that the source data used by the model were accurate. FDIC recognized that the model depended on accurate source data. However, in testing the model, FDIC did not develop steps to verify either the model's input or results with original source documents. As a result, we identified errors, not only in the source data but also in the model itself that FDIC's testing had not previously identified. This control deficiency resulted in undetected gross errors in the draft DIF financial statements' overall allowance for losses of $191 million and a $90 million net reduction in the loss estimate. FDIC subsequently corrected this error in finalizing the DIF's 2011 financial statements.
FDIC lacked effective documentation for key aspects of its shared loss estimation process that hindered an adequate review of both the process and the shared loss model and, ultimately, the loss estimates derived from the model. As a result, FDIC's multiple reviews and approvals did not identify programming errors that existed within the model. We reported in 2009 and again in 2010 that FDIC did not have clear and comprehensive documentation over this process to allow for such a review.6 FDIC attempted to address this continuing issue by strengthening its internal controls over the entire shared loss estimation process in 2011 through documenting flow charts, data dictionaries, and high-level descriptions of the process. However, FDIC did not adequately document how the model should perform calculations or how the calculations link to its estimation methodology. As a result, FDIC's review of the model was not fully effective at identifying errors.
As a direct result of these deficiencies in internal control over the shared loss model, FDIC did not detect errors in the calculation of the shared loss estimate in preparing the draft 2011 DIF financial statements. Given the significance of this process and its impact on the DIF's financial statements, it is critical that FDIC design and implement effective controls and ensure that all steps in the shared loss model are fully documented to allow for appropriate review of key steps in the process. We will be making recommendations to FDIC to address the issues that make up this significant deficiency in a separate report.
We identified other less significant matters concerning FDIC's internal control that we will report separately, along with recommended corrective actions for these matters.
Compliance with Laws
Our tests for compliance with selected provisions of laws
disclosed no instances of noncompliance that would be reportable under
U.S. generally accepted government auditing standards. However, the
objective of our audits was not to provide an opinion on overall
with laws and regulations. Accordingly, we do not express such an
Objectives, Scope, and
FDIC management is responsible for (1) preparing the
statements in conformity with U.S. generally accepted accounting
principles; (2) establishing and maintaining effective internal control
financial reporting and evaluating its effectiveness; and (3) complying
applicable laws and regulations. Management evaluated the effectiveness
of FDIC’s internal control over financial reporting as of December 31,
based on criteria established under FMFIA. FDIC management provided an
assertion concerning the effectiveness of its internal control over
reporting (see App. I).
We are responsible for planning and performing the audit
reasonable assurance and provide our opinion about whether (1) the
financial statements are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles, and
(2) FDIC management maintained, in all material respects, effective
internal control over financial reporting as of December 31, 2011. We
also responsible for testing compliance with selected provisions of
and regulations that have a direct and material effect on the financial
In order to fulfill these responsibilities, we
examined, on a test basis, evidence supporting the amounts
disclosures in the financial statements;
assessed the accounting principles used and significant
by FDIC management;
evaluated the overall presentation of the financial
obtained an understanding of FDIC and its operations,
internal control over financial reporting;
considered FDIC’s process for evaluating and reporting on
control over financial reporting based on criteria established under
assessed the risk that a material misstatement exists in
statements and the risk that a material weakness exists in internal
control over financial reporting;
tested relevant internal control over financial reporting;
evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk;
tested compliance with certain laws and regulations,
provisions of the Federal Deposit Insurance Act, as amended; and
performed such other procedures as we considered necessary in
An entity’s internal control over financial reporting is
process affected by
those charged with governance, management, and other personnel, the
objectives of which are to provide reasonable assurance that
(1) transactions are properly recorded, processed, and summarized to
permit the preparation of financial statements in conformity with U.S.
generally accepted accounting principles, and assets are safeguarded
against loss from unauthorized acquisition, use, or disposition, and
(2) transactions are executed in accordance with laws and regulations
could have a direct and material effect on the financial statements.
We did not evaluate all internal controls relevant to
operating objectives as
broadly defined by FMFIA, such as controls relevant to preparing
reports and ensuring efficient operations. We limited our internal control
testing to controls over financial reporting. Because of inherent
in internal control, internal control may not prevent or detect and
misstatements caused by error or fraud, losses, or noncompliance. We also
caution that projecting any evaluation of effectiveness to future
subject to the risk that controls may become inadequate because of
changes in conditions, or that the degree of compliance with policies
procedures may deteriorate.
We did not test compliance with all laws and regulations
FDIC. We limited our tests of compliance to those laws and regulations
have a direct and material effect on the financial statements for the
ended December 31, 2011. We caution that noncompliance may occur and
not be detected by these tests and that such testing may not be
for other purposes.
We performed our audit in accordance with U.S. generally
government auditing standards. We believe our audits provide a
basis for our opinions and other conclusions.
In commenting on a draft of this report, FDIC’s Chief
(CFO) noted that the agency was pleased to receive unqualified
opinions on the DIF and FRF financial statements and that we reported that it had effective internal controls over financial reporting and compliance with laws and regulations for each fund.
FDIC's CFO also stated that during the audit year, FDIC management and staff continued to take steps to strengthen and improve controls over the shared loss estimation process and will continue to focus on this area in the coming audit year. The CFO added that FDIC recognizes the important role a strong internal control program plays in an agency achieving its mission, and that FDIC's dedication to sound financial management has been and will remain a top priority.
Steven J. Sebastian
Financial Management and Assurance
April 11, 2012
1 A third fund managed by FDIC, the Orderly Liquidation Fund, established by section 210 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376, 1506 (July 21, 2010), is unfunded and did not have any transactions during 2010 and 2011.
3 A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.
4 A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention of those charged with governance.
5 GAO, Financial Audit: Federal Deposit Insurance Corporation Funds’ 2009 and 2008 Financial Statements, GAO-10-705 (Washington, D.C.: June 25, 2010); Management Report: Opportunities for Improvements in FDIC’s Internal Controls and Accounting Procedures, GAO-11-23R (Washington, D.C.: Nov. 30, 2010); and Management Report: Opportunities for Improvements in FDIC’s Internal Controls and Accounting Procedures, GAO-11-687R (Washington, D.C.: Aug. 5, 2011).