
2005
Annual Report
IV. Financial Statements and Notes - GAO's Audit Opinion

Comptroller General
of the United States
United States Government Accountability Office
Washington, D.C. 20548
To the Board of Directors
The Federal Deposit Insurance Corporation
We have audited the balance sheets as of December 31, 2005 and 2004, for the
three funds administered by the Federal Deposit Insurance Corporation (FDIC),
the related statements of income and fund balance (accumulated deficit), and
the statements of cash flows for the years then ended. In our audits of the
Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and
the FSLIC Resolution Fund (FRF), we found
- the financial statements of each fund are presented fairly, in all material
  respects, in conformity with U.S. generally accepted accounting principles;
- although certain internal controls should be improved, FDIC had effective
  internal control over financial reporting and compliance with laws and
  regulations for each fund; and
- no reportable noncompliance with laws and regulations we tested.
The following sections discuss our conclusions in more detail. They also present
information on the scope of our audits and our evaluation of FDIC management's
comments on a draft of this report.
Opinion on BIF's Financial Statements
The financial statements, including the accompanying notes, present fairly,
in all material respects, in conformity with U.S. generally accepted
accounting principles, BIF's financial position as of December
31, 2005 and 2004, and the results of its operations and its cash flows
for the years then ended.
As discussed in note 1 to BIF's financial statements, on February 8, 2006, the
President signed into law the Federal Deposit Insurance Reform Act of 2005.
Among its provisions, the Act calls for the merger of BIF and SAIF into a
single Deposit Insurance Fund no later than the first day of the first calendar
quarter that begins after the end of the 90-day period beginning on the date of
enactment, which would be July 1, 2006.
Opinion on SAIF's Financial Statements
The financial statements, including the accompanying notes, present fairly,
in all material respects, in conformity with U.S. generally accepted
accounting principles, SAIF's financial position as of December
31, 2005 and 2004, and the results of its operations and its cash flows
for the years then ended.
As discussed in note 1 to SAIF's financial statements, on February 8, 2006, the
President signed into law the Federal Deposit Insurance Reform Act of 2005.
Among its provisions, the Act calls for the merger of SAIF and BIF into a
single Deposit Insurance Fund no later than the first day of the first calendar
quarter that begins after the end of the 90-day period beginning on the date of
enactment, which would be July 1, 2006.
Opinion on FRF's Financial Statements
The financial statements, including the accompanying notes, present fairly,
in all material respects, in conformity with U.S. generally accepted
accounting principles, FRF's financial position as of December
31, 2005 and 2004, and the results of its operations and its cash flows
for the years then ended.
Opinion on Internal Control
Although certain internal controls should be improved, FDIC management
maintained, in all material respects, effective internal control over
financial reporting (including safeguarding assets) and compliance
as of December 31, 2005, that provided reasonable assurance that misstatements,
losses, or noncompliance material in relation
to FDIC's financial statements of each fund would be prevented or
detected on a timely basis. Our opinion is based on criteria established
under 31 U.S.C. 3512 (c), (d) [commonly known as the Federal Managers'
Financial Integrity Act (FMFIA)].
Weaknesses that we identified in FDIC's information system controls,
which we consider to be a reportable condition, are described in a later
section of this report. The reportable condition in information system
controls, although not considered material, represents a significant deficiency
in the design or operation of internal control that could adversely affect
FDIC's ability to meet its internal control objectives. Although the weaknesses
did not materially affect the 2005 financial statements of each of the three
funds, misstatements may nevertheless occur in other FDIC-reported financial
information as a result of the internal control weaknesses.
In addition to the reportable condition concerning information system controls,
we noted other less significant matters involving FDIC's internal
controls. We will be reporting separately to FDIC management on these matters.
Compliance with Laws and Regulations
Our tests for compliance with selected provisions of laws and regulations
disclosed no instances of noncompliance that would be reportable
under U.S. generally accepted government auditing standards. However,
the objective of our audits was not to provide an opinion on overall
compliance with laws and regulations. Accordingly, we do not express such
an opinion.
Objectives, Scope, and Methodology
FDIC management is responsible for (1) preparing the annual financial
statements in conformity with U.S. generally accepted accounting
principles; (2) establishing, maintaining, and assessing internal
control to provide reasonable assurance
that the broad control objectives of FMFIA are met; and (3) complying
with applicable laws and regulations.
We are responsible for obtaining reasonable assurance about whether (1) the
financial statements are presented fairly, in all material respects, in conformity
with U.S. generally accepted accounting principles, and (2) management maintained
effective internal control, the objectives of which are the following:
- financial reporting – transactions are properly recorded, processed, and
  summarized to permit the preparation of financial statements in conformity
  with U.S. generally accepted accounting principles, and assets are
  safeguarded against loss from unauthorized acquisition, use, or disposition,
  and
- compliance with laws and regulations – transactions are executed in
  accordance with laws and regulations that could have a direct and material
  effect on the financial statements.
We are also responsible for testing compliance with selected provisions of
laws and regulations that could have a direct and material effect on the
financial statements.
In order to fulfill these responsibilities, we
- examined, on a test basis, evidence supporting the amounts and disclosures
in the financial statements;
- assessed the accounting principles used and significant estimates made
by management;
- evaluated the overall presentation of the financial statements;
- obtained an understanding of internal control related to financial reporting
(including safeguarding assets) and compliance with laws and regulations;
- tested relevant internal controls over financial reporting and compliance,
and evaluated the design and operating effectiveness of internal control;
- considered FDIC's process for evaluating and reporting on internal control
based on criteria established by FMFIA; and
- tested compliance with certain laws and regulations, including selected
provisions of the Federal Deposit Insurance Act, as amended, and the Chief
Financial Officers Act of 1990.
We did not evaluate all internal controls relevant to operating objectives
as broadly defined by FMFIA, such as those controls relevant to preparing statistical
reports and ensuring efficient operations. We limited our internal control
testing to controls over financial reporting and compliance. Because of inherent
limitations in internal control, misstatements due to error or fraud, losses,
or noncompliance may nevertheless occur and not be detected. We also caution
that projecting our evaluation to future periods is subject to the risk that
controls may become inadequate because of changes in conditions or that the
degree of compliance with controls may deteriorate.
We did not test compliance with all laws and regulations applicable to FDIC.
We limited our tests of compliance to those laws and regulations that could
have a direct and material effect on the financial statements for the year
ended December 31, 2005. We caution that noncompliance may occur and not be
detected by these tests and that such testing may not be sufficient for other
purposes.
We performed our work in accordance with U.S. generally accepted government
auditing standards.
Reportable Condition
In connection with our audits of the financial statements of the three funds
administered by FDIC, we reviewed FDIC's information system controls. Effective
information system controls are essential to safeguarding financial data,
protecting computer application programs, providing for the integrity of system
software, and ensuring continued computer operations in case of unexpected
interruption. These controls include the corporatewide security management
program, access controls, system software, application development and change
control, segregation of duties, and service continuity controls.
In years prior to our 2004 financial audit, we reported on weaknesses we
identified in FDIC's information system controls, which we considered to be a
reportable condition. Over a period of years, FDIC made progress in correcting
these information system control weaknesses and, in 2004, made substantial
progress by correcting most of the weaknesses we had identified in prior years,
including taking steps to fully establish a comprehensive information security
program. These improvements enabled us to conclude that the remaining issues
related to information system controls no longer constituted a reportable
condition. However, we noted in our 2004 audit report [1] that FDIC's
implementation of a new financial system in 2005 would significantly change its
information systems environment and the related information system controls
necessary for their effective operation and that, consequently, continued
commitment to an effective information security program would be essential to
ensure that the corporation's financial and sensitive information would be
adequately protected in the new environment.
FDIC implemented its new financial system in May 2005. However, in doing so,
FDIC did not ensure that controls were adequate to accommodate its new systems
environment. Our audit identified information system control weaknesses, which
we consider to be a reportable condition that increased the risk of unauthorized
modification and disclosure of critical FDIC financial and sensitive personnel
information, disruption of critical operations, and loss of assets.
Specifically, FDIC did not (1) adequately restrict access to critical financial
programs and data; (2) ensure incompatible systems-related functions, duties,
and capabilities were appropriately segregated; and (3) sufficiently monitor
access to system programs and data. Such weaknesses affected FDIC's ability to
ensure that users only had the access needed to perform their assigned duties
and that its systems were sufficiently protected from unauthorized users.
We determined that other management controls mitigated the effect of the
information system control weaknesses on the preparation of the funds'
financial statements
for 2005. However, it is important going forward that FDIC work to address these
weaknesses to ensure its information system controls appropriately safeguard
the integrity of its financial and other data. Because of their sensitive nature,
the details surrounding these weaknesses will be reported separately to FDIC
management, along with recommendations for corrective actions.
FDIC Comments and Our Evaluation
In commenting on a draft of this report, FDIC's Chief Financial Officer (CFO)
was pleased to receive unqualified opinions on BIF's, SAIF's, and FRF's 2005
and 2004 financial statements, and to note that there were no material
weaknesses identified during the 2005 audits. With respect to our reporting as
a reportable condition in 2005 weaknesses in information system controls,
FDIC's CFO acknowledged but did not share our assessment regarding the severity
of the risks or the magnitude of the vulnerability posed by the issues
identified during the audit. The CFO expressed confidence in the sufficiency of
the FDIC's information systems environment and related controls based on the
corporation's view that it had a deliberate, comprehensive program designed to
integrate not only system controls, but procedural, managerial, and audit
controls into a balanced and cost-effective control framework. The CFO
nonetheless acknowledged that the corporation would work diligently with us
over the next audit cycle to both reconcile the two differing viewpoints and,
where it feels changes are appropriate, to augment the corporation's program.
We are pleased that FDIC's CFO has pledged his commitment to work with
us on these matters during the 2006 audits. However, the issues we identified
during our 2005 audits, including (1) lack of adequate restriction of access
to critical financial programs and data; (2) inappropriate segregation of incompatible
systems-related functions, duties, and capabilities; and (3) lack of an effective
process to sufficiently monitor access to systems programs and data, collectively,
we believe, create a significant risk that critical financial and sensitive personnel
information could be inappropriately disclosed and modified, assets lost, and
critical systems operations disrupted. While we acknowledge that certain
management controls FDIC had in place were able to mitigate the effect of these
weaknesses with respect to preparation of the three funds' 2005 financial
statements, the weaknesses nonetheless represent significant vulnerabilities in
FDIC's information system controls and thus constitute a reportable condition.
The complete text of FDIC's comments is reprinted in appendix I.

David M. Walker
Comptroller General of the United States
January 31, 2006
[1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2004 and
2003 Financial Statements, GAO-05-281 (Washington, D.C.: Feb. 11, 2005).