2006
Annual Report
V. Management Control
Enterprise Risk Management
The Office of Enterprise Risk Management, under the auspices of the
Chief Financial Officer organization, is responsible for corporate oversight of internal control and enterprise risk management (ERM).
This includes ensuring that the FDIC's operations and programs are effective and efficient and that internal controls are sufficient
to minimize exposure to waste and mismanagement. The FDIC recognizes the importance of a strong risk management and internal control
program and has adopted a more proactive and enterprise-wide approach to managing risk. This approach focuses on the identification
and mitigation of risk consistently and effectively throughout the Corporation, with emphasis on those areas/issues most directly
related to our overall missions. As an independent government corporation, the FDIC has different requirements than the mainstream
federal government; nevertheless, its ERM program seeks to comply with the spirit of the following standards, among others:
- Federal Managers’ Financial Integrity Act (FMFIA);
- Chief Financial Officers Act (CFO Act);
- Government Performance and Results Act (GPRA);
- Federal Information Security Management Act (FISMA); and
- OMB Circular A-123.
The CFO Act extends to the FDIC the FMFIA requirements for establishing,
evaluating and reporting on internal controls. The FMFIA requires agencies
to annually provide a statement of assurance regarding the effectiveness
of management, administrative and accounting controls, and financial management
systems.
The FDIC has developed and implemented management, administrative and
financial system controls that reasonably ensure that:
- Programs are efficiently and effectively carried out in accordance with
applicable laws and management policies;
- Programs and resources are safeguarded against waste, fraud and mismanagement;
- Obligations and costs comply with applicable laws; and
- Reliable, complete, and timely data are maintained for decision-making
and reporting purposes.
The FDIC’s control standards incorporate the Government Accountability Office’s (GAO) Standards
for Internal Control in the Federal Government. Good internal control
systems are essential for ensuring the proper conduct of FDIC business
and the accomplishment of management objectives by serving as checks and
balances against undesirable actions or outcomes.
As part of the Corporation’s continued
commitment to establish and maintain effective and efficient internal controls, FDIC management
routinely conducts reviews of internal control systems. The results of these reviews, as well
as consideration of the results of audits, evaluations and reviews conducted by the GAO, the
Office of Inspector General (OIG) and other outside entities, are used as a basis for the FDIC’s
reporting on the condition of the Corporation’s internal control activities.
Material Weaknesses
Material weaknesses are control shortcomings in operations or systems that,
among other things, severely impair or threaten the organization’s ability to accomplish
its mission or to prepare timely, accurate financial statements or reports. The shortcomings
are of sufficient magnitude that the Corporation is obliged to report them to external stakeholders.
To determine the existence of material weaknesses, the FDIC has assessed the results
of management evaluations and external audits of the Corporation’s risk management
and internal control systems conducted in 2006, as well as management actions taken
to address issues identified in these audits and evaluations. Based on this assessment
and application of other criteria, the FDIC concludes that no material weaknesses
existed within the Corporation’s operations for 2006. This is the ninth consecutive
year that the FDIC has not had a material weakness; however, FDIC management will continue
to focus on high priority areas, including various aspects of deposit insurance reform,
IT systems security, contract acquisition management, the New Financial Environment,
emergency response plan, privacy, and records management, among others. The FDIC will
also address all control issues raised by GAO related to its 2006 financial statement
audit report.
Management Report of Final Actions
As required under amended Section 5 of the Inspector General Act of 1978,
the tables on the following pages provide information on final action taken
by management on audit reports for the federal fiscal year period, October
1, 2005, through September 30, 2006.
Table 1
MANAGEMENT REPORT ON FINAL ACTION
ON AUDITS WITH DISALLOWED COSTS
For Fiscal Year 2006
Table 2
MANAGEMENT REPORT ON FINAL ACTION ON AUDITS
WITH RECOMMENDATIONS TO PUT FUNDS TO BETTER USE
For Fiscal Year 2006
| | Audit Reports | Number of Reports | Funds Put To Better Use (000s) |
|---|---|---|---|
| A. | Management decisions final action not taken at beginning of period | 0 | $0 |
| B. | Management decisions made during the period | 0 | $0 |
| C. | Total reports pending final action during the period (A and B) | 0 | $0 |
| D. | Final Action taken during the period: | | |
| | 1. Value of recommendations implemented (completed) | 0 | $0 |
| | 2. Value of recommendations that management concluded should not or could not be implemented or completed | 0 | $0 |
| | 3. Total of 1 and 2 | 0 | $0 |
| E. | Audit reports needing final action at the end of the period | 0 | $0 |
Table 3: Audit Reports Without Final Actions
But With Management Decisions Over One Year Old
For Fiscal Year 2006
Management Action in Process
| Report No. and Issue Date | OIG Audit Finding | Management Action | Disallowed Costs |
|---|---|---|---|
| 1. 03-007 11/27/2002 | The OIG made recommendations for improvements in the FDIC’s internal network controls. | FDIC is working to secure sensitive data in conjunction with implementation of the enterprise encryption project. Expected completion date: 1st quarter 2007. | $0 |
| 2. 04-019 04/30/2004 | The OIG identified best practices that should be associated with the System Development Life Cycle methodology and related control framework that will be adopted by the Corporation. | Management is in the process of reviewing closure documentation. Expected completion date: 1st quarter 2007. | $0 |
| 3. 05-031 09/08/2005 | The OIG made recommendations to establish an organizational policy and system-specific procedures to ensure proper configuration management of operating system software. | Management is in the process of reviewing closure documentation. Expected completion date: 1st quarter 2007. | $0 |
| 4. 05-036 09/21/2005 | The OIG made a recommendation to research the General Services Administration’s (GSA’s) e-Travel Programs and determine whether the travel services available under the programs could improve or replace the FDIC’s current travel program. | Management is in the process of reviewing the benefits of each of GSA’s e-Travel programs. Additionally, management will review other commercial travel processing systems along with FDIC’s travel system to determine the feasibility of adding capabilities available in GSA’s programs. Expected completion date: 3rd quarter 2007. | $0 |