2005
Annual Report
V. Management Controls
Enterprise Risk Management
The Office of Enterprise Risk Management is responsible for corporate oversight of internal control and enterprise risk management. This includes ensuring that the FDIC’s operations and programs are effective and efficient and that internal controls are sufficient to minimize exposure to waste and mismanagement. The FDIC recognizes the importance of a strong risk management and internal control program and has adopted a more proactive and enterprise-wide approach to managing risk. This approach focuses on the identification, quantification and mitigation of risk consistently and effectively throughout the Corporation. An effective enterprise risk management program ensures adequate compliance with key authorities, including but not limited to the:
- Federal Managers’ Financial Integrity Act (FMFIA)
- Chief Financial Officers Act (CFO Act)
- Government Performance and Results Act (GPRA)
- Federal Information Security Management Act (FISMA)
- OMB Circular A-123
The CFO Act extends to the FDIC the FMFIA requirements for establishing,
evaluating and reporting on internal controls. The FMFIA requires agencies
to annually provide a statement of assurance regarding the effectiveness
of management, administrative and accounting controls, and financial management
systems.
The FDIC has developed and implemented management, administrative and
financial system controls that reasonably ensure that:
- Programs are efficiently and effectively carried out in accordance with applicable laws and management policies;
- Programs and resources are safeguarded against waste, fraud and mismanagement;
- Obligations and costs comply with applicable laws; and
- Reliable, complete, and timely data are maintained for decision-making
and reporting purposes.
The FDIC’s control standards incorporate the GAO’s Standards for Internal Control in the Federal Government. Good internal control systems are essential for ensuring the proper conduct of FDIC business and the accomplishment of management objectives by serving as checks and balances against undesirable actions or outcomes.
As part of the Corporation’s continued commitment to establish and maintain effective and efficient internal controls, FDIC management routinely conducts reviews of internal control systems. The results of these reviews, as well as consideration of audits, evaluations and reviews conducted by the U.S. Government Accountability Office (GAO), the Office of Inspector General (OIG) and other outside entities, are used as a basis for the FDIC’s reporting on the condition of the Corporation’s internal control activities.
Material Weaknesses
Material weaknesses are control shortcomings in operations or systems which, among other things, severely impair or threaten the organization’s ability to accomplish its mission or to prepare timely, accurate financial statements or reports. The shortcomings are of sufficient magnitude that the Corporation is obliged to report them to external stakeholders.
To determine the existence of material weaknesses, the FDIC has assessed the results of management evaluations and external audits of the Corporation’s risk management and internal control systems conducted in 2005, as well as management actions taken to address issues identified in these audits and evaluations. Based on this assessment and application of other criteria, the FDIC concludes that no material weaknesses existed within the Corporation’s operations for 2005. This is the eighth consecutive year that the FDIC has not had a material weakness; however, FDIC management will continue to focus on high priority areas, including IT systems security, the New Financial Environment, disaster recovery, privacy, and contract oversight management, among others. The FDIC will also address all control issues raised by GAO in its 2005 financial statement audit report.
Management Report of Final Actions
As required under amended Section 5 of the Inspector General Act, the tables on the following pages provide information on final action taken by management on audit reports for the federal fiscal year period, October 1, 2004 – September 30, 2005.
Table 1
MANAGEMENT REPORT ON FINAL ACTION ON AUDITS WITH DISALLOWED COSTS
For Fiscal Year 2005

Audit Reports | Number of Reports | Disallowed Costs (000s)
A. Management decisions, final action not taken at beginning of period | 6 | $3,764
B. Management decisions made during the period | 2 | $1,968
C. Total reports pending final action during the period (A and B) | 8 | $5,732
D. Audit reports on which final action was taken during the period: | |
D.1. Recoveries: | 4 | $1,324
D.1(a) Collections & offsets | 4 | $1,324
D.1(b) Other | 0 | $0
D.2. Write-offs | 4 | $2,439¹
D.3. Total of 1(a), 1(b), & 2 | 6² | $3,763
E. Audit reports needing final action at the end of the period | 2 | $1,969³

¹ The FDIC agreed to coordinate with the General Services Administration (GSA) on potential cost recoveries from the contractor, but after reviewing the OIG’s findings, GSA declined to take action to pursue recoveries from the contractor.
² Two reports had both collections and write-offs, thus the total of 1(a), 1(b), and 2 is six.
³ The total is off due to rounding.
Table 2
MANAGEMENT REPORT ON FINAL ACTION ON AUDITS WITH RECOMMENDATIONS TO PUT FUNDS TO BETTER USE
For Fiscal Year 2005

Audit Reports | Number of Reports | Funds Put To Better Use (000s)
A. Management decisions, final action not taken at beginning of period | 0 | $0
B. Management decisions made during the period | 1 | $602
C. Total reports pending final action during the period (A and B) | 1 | $602
D. Final action taken during the period: | |
D.1. Value of recommendations implemented (completed) | 1 | $602
D.2. Value of recommendations that management concluded should not or could not be implemented or completed | 0 | $0
D.3. Total of 1 and 2 | 1 | $602
E. Audit reports needing final action at the end of the period | 0 | $0
Table 3: Audit Reports Without Final Actions But With Management Decisions Over One Year Old
For Fiscal Year 2005
Management Action in Process

Report No. and Issue Date | OIG Audit Finding | Management Action | Disallowed Costs
1. 03-007, 11/27/2002 | The OIG made recommendations for improvements in the FDIC’s internal network controls. | The FDIC is working to secure sensitive data in conjunction with implementation of the enterprise encryption project. Expected completion date: 1st quarter 2006. | $0
2. 03-028, 4/14/2003 | The OIG recommended that the FDIC take a number of actions for improvements related to the public key infrastructure. | Additional time is required to accomplish tasks related to the Intranet PKI components. The FDIC is in the process of issuing MOUs to external users of sensitive data. Expected completion date: 2nd quarter 2006. | $0
3. 03-041, 9/17/2003 | The OIG made recommendations related to the established process metrics for accurate insurance determinations. | The FDIC agreed to establish a process to routinely test the accuracy of insurance determinations and evaluate results in relationship to established benchmarks within requirements of a proposed new system. Expected completion date: 2nd quarter 2006. | $0
4. 04-002, 1/15/2004 | The OIG made recommendations to improve the service line rate-setting process. | The FDIC agreed to explore options for estimating budgeted service line program maintenance costs and determining reasonable adjustments for such costs. It is expected that the necessary information will be available through the New Financial Environment. Expected completion date: 4th quarter 2006. | $0
5. 04-016, 3/30/2004 | The OIG made recommendations to improve the accuracy of the data used to manage the FDIC’s personnel security program. | The FDIC will continue with its data integrity review of the Corporate Human Resources Information System data and initiate investigations as appropriate. Expected completion date: 1st quarter 2006. | $0
6. 04-019, 4/30/2004 | The OIG made recommendations to improve the system development control framework. | Staffing of the newly created Project Management Organization is in progress. Expected completion date: 4th quarter 2005. | $0
7. 04-029, 8/9/2004 | The OIG made recommendations to strengthen the quality of the FDIC’s Business Continuity Plan. | The FDIC is working to ensure that current contracts essential to business continuity include backup arrangements. Additional time is required to complete the standard language and modify the affected contracts. Expected completion date: 1st quarter 2006. | $0
8. 04-039, 9/23/2004 | The OIG made recommendations to strengthen capital planning and investment management related guidance, including guidance related to the FDIC’s investment management governance structure. | The Chief Information Officers Council is reviewing all information technology projects. Expected completion date: 2nd quarter 2006. | $0