2002 Annual Report
GAO's Audit Opinion
To the Board of Directors
We have audited the statements of financial position as of December 31, 2002 and 2001, for the three funds administered by the Federal Deposit Insurance Corporation (FDIC), the related statements of income and fund balance (accumulated deficit), and the statements of cash flows for the years then ended. In our audits of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF), we found
The following sections discuss our conclusions in more detail. They also present information on (1) the scope of our audits, (2) a reportable condition¹ related to information system control weaknesses, (3) BIF's reserve ratio, and (4) our evaluation of FDIC management's comments on a draft of this report.
Opinion on BIF's Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, BIF's financial position as of December 31, 2002 and 2001, and the results of its operations and its cash flows for the years then ended.
Opinion on SAIF's Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, SAIF's financial position as of December 31, 2002 and 2001, and the results of its operations and its cash flows for the years then ended.
Opinion on FRF's Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, FRF's financial position as of December 31, 2002 and 2001, and the results of its operations and its cash flows for the years then ended.
Opinion on Internal Control
Although certain internal controls should be improved, FDIC management maintained, in all material respects, effective internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2002, that provided reasonable but not absolute assurance that misstatements, losses, or noncompliance material in relation to FDIC's financial statements would be prevented or detected on a timely basis. Our opinion is based on criteria established under 31 U.S.C. 3512 (c), (d) [Federal Managers' Financial Integrity Act (FMFIA)].
Our work identified weaknesses in FDIC's information system controls, which we describe as a reportable condition in a later section of this report. The reportable condition in information system controls, although not considered material, represents a significant deficiency in the design or operation of internal control that could adversely affect FDIC's ability to meet its internal control objectives. Although the weaknesses did not materially affect the 2002 financial statements, misstatements may nevertheless occur in other FDIC-reported financial information as a result of the internal control weaknesses.
Compliance with Laws and Regulations
Our tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance that would be reportable under U.S. generally accepted government auditing standards. However, the objective of our audits was not to provide an opinion on overall compliance with selected laws and regulations. Accordingly, we do not express such an opinion.
Objectives, Scope, and Methodology
FDIC management is responsible for (1) preparing the annual financial statements in conformity with U.S. generally accepted accounting principles, (2) establishing, maintaining, and assessing internal control to provide reasonable assurance that the broad control objectives of FMFIA are met, and (3) complying with selected laws and regulations.
We are responsible for obtaining reasonable assurance about whether (1) the financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, and (2) management maintained effective internal control, the objectives of which are
We are also responsible for testing compliance with selected provisions of laws and regulations that have a direct and material effect on the financial statements.
In order to fulfill these responsibilities, we
We did not evaluate all internal controls relevant to operating objectives as broadly defined by FMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting and compliance. Because of inherent limitations in internal control, misstatements due to error or fraud, losses, or noncompliance may nevertheless occur and not be detected. We also caution that projecting our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with controls may deteriorate.
We did not test compliance with all laws and regulations applicable to FDIC. We limited our tests of compliance to those deemed applicable to the financial statements for the year ended December 31, 2002. We caution that noncompliance may occur and not be detected by these tests and that such testing may not be sufficient for other purposes.
We performed our work in accordance with U.S. generally accepted government auditing standards.
FDIC management provided comments on a draft of this report. They are discussed and evaluated in a later section of this report and are reprinted in appendix I.
In connection with the funds' financial statement audits, we reviewed FDIC's information system controls. Effective information system controls are essential to safeguarding financial data, protecting computer application programs, providing for the integrity of system software, and ensuring the continued computer operations in case of unexpected interruption. These controls include the corporatewide security management program, access controls, system software, application development and change control, segregation of duties, and service continuity controls. During 2002, FDIC made progress in improving information system controls. Of the 41 prior year recommendations that we made, FDIC had completed action on 18 and partially completed or had action plans to address those remaining. During our current review, FDIC also corrected several newly identified weaknesses.
Nevertheless, continuing and newly identified vulnerabilities involving information system controls continue to impair FDIC's ability to ensure the reliability, confidentiality, and availability of financial data. For example, FDIC did not have information system controls to adequately ensure that (1) users had only the access needed to perform their assigned duties, (2) its network was secured from unauthorized access, and (3) comprehensive programs were in place to routinely oversee and monitor access to its computer data to identify unusual or suspicious access. The effect of these weaknesses increases the risk of unauthorized disclosure of critical FDIC financial and sensitive personnel and bank examination information, disruption of critical financial operations, and loss of assets.
As we have previously reported, the primary reason for FDIC's information system control weaknesses is that it has not fully developed and implemented a comprehensive corporatewide security management program. An effective program would include assessing risks, establishing a central security function, establishing policies and related controls, raising awareness of prevailing risks and mitigating controls, and regularly evaluating the effectiveness of established controls. During the past year, FDIC has made progress in implementing such a program, including establishing a central security staff to provide guidance and oversight, enhancing its security awareness program, and continuing efforts to develop and update security policy. However, FDIC has not yet fully established a risk assessment process and the recently implemented program to assess the effectiveness of controls does not address all critical evaluation areas.
A complete risk assessment process would assist management in making decisions on necessary controls. Similarly, an ongoing comprehensive program of tests and evaluations of the effectiveness of established controls would enable FDIC to identify and correct information security weaknesses, such as those reported in this review.
We determined that other management controls mitigated the effect of the information system control weaknesses on the preparation of the funds' financial statements. Because of their sensitive nature, the details surrounding these weaknesses are being reported separately to FDIC management, along with our recommendations for corrective actions.
BIF's Reserve Ratio
The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) requires FDIC to maintain BIF fund balance at a designated reserve ratio of at least 1.25 percent of estimated insured deposits.² Under FDIC's required risk-based assessment system, as long as BIF's reserve ratio is at or above the designated reserve ratio, FDIC cannot charge premiums to institutions that are well-capitalized and highly rated by supervisors. Currently, over 90 percent of the industry does not pay for deposit insurance. In 1991, BIF's reserve ratio was significantly below the designated reserve ratio and did not reach the designated reserve ratio of 1.25 percent of estimated insured deposits until May 1995.³ During the years ended December 31, 1995 through 2000, BIF's reserve ratio ranged from 1.30 to 1.38. As of December 31, 2001, and September 30, 2002, BIF's ratio decreased to 1.26 and 1.25, respectively. At its November 12, 2002, meeting, the FDIC Board of Directors voted to maintain the existing BIF assessment rate schedule for the first semiannual assessment period of 2003 based on the board's determination that the reserve ratio would likely remain at or near 1.25 during the first half of 2003. Most of BIF's income comes from the interest earned on investments with the U.S. Treasury. FDIC describes the recent legislative initiatives to reform the federal deposit insurance system in note 1 of the financial statements for BIF and SAIF.
FDIC Comments and Our Evaluation
In commenting on a draft of this report, FDIC's Chief Financial Officer (CFO) was pleased to receive unqualified opinions on BIF's, SAIF's, and FRF's 2002 and 2001 financial statements. FDIC's CFO also acknowledged the information system weaknesses we identified and plans to continue efforts to strengthen its information system program and to incorporate our recommendations into its security plans for 2003. We plan to evaluate the effectiveness of the corrective actions as part of our 2003 audit.
David M. Walker
February 27, 2003
¹ Reportable conditions involve matters coming to the auditor's attention that, in the auditor's judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control and could adversely affect FDIC's ability to meet the control objectives described in this report.
² Section 302 of FDICIA amended section 7(b) of the Federal Deposit Insurance Act. FDICIA requirements are the same for both BIF and SAIF. SAIF reached the designated reserve ratio in 1996, and as of September 30, 2002, SAIF's reserve ratio was 1.38 percent.
³ If the reserve ratio falls below 1.25 percent of estimated insured deposits, FDICIA requires the FDIC Board of Directors to set semiannual assessment rates for BIF members that are sufficient to increase the reserve ratio to the designated reserve ratio not later than 1 year after such rates are set, or in accordance with a recapitalization schedule of 15 years or less.