Federal Deposit
Insurance Corporation

2009 Annual Report

IV. Financial Statements and Notes

Government Accountability Office's Audit Opinion

The Federal Deposit Insurance Corporation
In accordance with Section 17 of the Federal Deposit Insurance Act, as amended, we are responsible for conducting audits of the financial statements of the two funds administered by the Federal Deposit Insurance Corporation (FDIC). In our audits of the Deposit Insurance Fund’s (DIF) and the FSLIC Resolution Fund’s (FRF) financial statements for 2009 and 2008, we found

• the financial statements as of and for the year ended December 31, 2009, and 2008, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles;
• FDIC's internal control over financial reporting was not effective as of December 31, 2009 because of a material weakness in its process for estimating losses on loss-sharing agreements; and
• no reportable noncompliance with provisions of laws and regulations we tested.

The following sections discuss in more detail (1) these conclusions; (2) our audit objectives, scope, and methodology; and (3) agency comments and our evaluation.

Opinion on DIF’s Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, DIF's assets, liabilities, and fund balance as of December 31, 2009, and 2008, and its income and fund balance and its cash flows for the years then ended.

However, misstatements may nevertheless occur in other financial information reported by FDIC and not be detected as a result of the material weakness in internal control described in this report related to FDIC's process for estimating losses on loss-sharing agreements.¹

As discussed in note 8 to DIF's financial statements, FDIC-insured financial institutions continued to face significant challenges in 2009. The difficult economic and credit environment continued to challenge the soundness of many FDIC-insured institutions. In 2009, 140 banks, with combined assets of over $170 billion, failed. The DIF recognized losses totaling an estimated $58 billion associated with these bank failures and other insured institutions the banking regulators have determined are likely to fail. Regulatory and market data suggest that the banking industry will continue to experience elevated levels of stress over the coming year. In addition to the losses reflected on the DIF's financial statements as of December 31, 2009, FDIC has identified additional risk as of year-end 2009 that could result in further estimated losses to the DIF of up to approximately $24 billion should other potentially vulnerable insured institutions ultimately fail. FDIC continues to evaluate the ongoing risks to affected institutions in light of current economic and financial conditions, and the effect of such risks on the DIF. Actual losses, if any, will largely depend on future economic and market conditions and could differ materially from FDIC's estimates. As discussed in note 17 to DIF's financial statements, through June 14, 2010, 82 institutions have failed during 2010.

As of December 31, 2009, the DIF had a negative fund balance of $20.9 billion, and its ratio of reserves to estimated insured deposits was a negative 0.39 percent. During 2009, the FDIC took action to maintain the DIF's ability to continue to resolve problem institutions. As discussed in note 9 to the DIF's financial statements, FDIC supplemented the DIF's cash resources by charging and collecting from FDIC-insured institutions a special assessment of $5.5 billion in September 2009. Additionally, on December 30, 2009, FDIC charged and collected from insured institutions approximately 3 years of assessments paid in advance - prepaid assessments - totaling about $46 billion. These funds are included in the "Cash and cash equivalents" and "Unearned revenue - prepaid assessments" line items on DIF's balance sheet. Further, as discussed in notes 4 and 7 of DIF's financial statements, during 2009, FDIC expanded the use of purchase and assumption resolution transactions containing loss-sharing agreements with acquirers of failed institutions as a means of both conserving the initial cash outlay required by the DIF in resolving a troubled institution and as a longer-term means of attempting to further minimize the ultimate losses to the DIF. Under such agreements, which typically cover a 5- to 10- year period, an acquiring institution assumes all of the deposits and purchases most, if not all, of the assets of a failed institution. FDIC, in turn, agrees to cover a large percentage of any losses on assets covered under the agreements up to a stated threshold amount. During 2009, 90 of the 140 institutions that failed and were resolved by FDIC were handled through the use of loss-sharing agreements with acquirers of these institutions.

The DIF has other resources available to carry out its insurance responsibilities. At December 31, 2009, the DIF had $5.5 billion in investments in U.S. Treasury obligations in addition to $54 billion in cash and cash equivalents, which provide a ready source of funds to carry out its insurance activities. In addition, as discussed in note 1 to DIF's financial statements, FDIC has a note agreement with the Federal Financing Bank enabling it to borrow up to $100 billion, and also has authority to borrow up to $100 billion and, in certain circumstances through 2010, up to $500 billion from the U.S. Treasury. FDIC may also borrow from Treasury, notwithstanding these amount limitations, any amount necessary to fund the temporary increase in deposit insurance coverage from $100,000 to $250,000.

In accordance with the Federal Deposit Insurance Reform Act of 2005, FDIC adopted a restoration plan in October 2008 calling for an increase in the assessment rates charged to insured institutions to replenish the DIF's reserves to the minimum ratio of 1.15 percent of insured deposits within a 5-year period. The FDIC has since amended this plan twice-the latest amendment was adopted in September 2009. The amended restoration plan calls for the DIF's reserves to be replenished to the minimum reserve ratio of 1.15 percent of insured deposits within an 8-year period.²

The DIF also faces continued exposure from actions taken by the federal government in 2008 to avoid further adverse effects on the nation's economic condition and financial stability. Specifically, during 2008, the Department of the Treasury, in consultation with the President and upon recommendation of the Boards of the FDIC and the Federal Reserve, made "systemic risk" determinations under a provision of the Federal Deposit Insurance Corporation Improvement Act of 1991 to counter identified systemwide crises in the nation's financial sector. As discussed in note 16 to DIF's financial statements, in response to systemic risk determinations in October 2008, FDIC established the Temporary Liquidity Guarantee Program (TLGP). The TLGP consists of a (1) Debt Guarantee Program, under which FDIC guarantees newly issued senior unsecured debt up to prescribed limits issued by insured institutions and certain holding companies, and (2) Transaction Account Guarantee Program, under which FDIC provides unlimited coverage for non-interest-bearing transaction accounts held by insured institutions. FDIC charges fees to participants that are to be used to cover any losses under both guarantee programs. As of December 31, 2009, the amount of debt guaranteed by FDIC under the Debt Guarantee Program was $309 billion, while FDIC's maximum exposure under the Transaction Account Guarantee Program was $834 billion, for total exposure under the TLGP of $1.14 trillion as of December 31, 2009. As further discussed in note 16, a total of 525 institutions elected to exit the Transaction Account Guarantee Program after year-end 2009. Consequently, at January 1, 2010, FDIC's maximum exposure under the Transaction Account Guarantee Program declined to $266 billion, and its maximum exposure under the TLGP declined to $575 billion.

Opinion on FRF’s Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, FRF's assets, liabilities, and resolution equity as of December 31, 2009, and 2008, and its income and accumulated deficit and its cash flows for the years then ended.

Opinion on Internal Control
Because of the material weakness in internal control discussed below, FDIC did not maintain, in all material respects, effective internal control over financial reporting as of December 31, 2009, and thus did not provide reasonable assurance that material misstatements in relation to the financial statements would be prevented or detected and corrected on a timely basis. Our opinion is based on criteria established under 31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA).

During our 2009 financial audit, we identified several control deficiencies over FDIC's process for deriving and reporting estimates of losses to the DIF from resolution transactions involving loss-sharing agreements. These deficiencies led to misstatements in the draft DIF financial statements which were ultimately corrected through adjustments to achieve fair presentation in the final financial statements. Although the net adjustments were ultimately not material to the DIF's financial statements, the nature of the control deficiencies we identified were such that a reasonable possibility existed that a material misstatement of the DIF's financial statements would not be prevented, or detected and corrected on a timely basis. Thus, these control deficiencies collectively represent a material weakness in FDIC's internal control over financial reporting. This material weakness is discussed in more detail later in this report.

In FDIC's Management Report on Internal Control over Financial Reporting, which is presented in appendix I to this report, FDIC asserted that it did not maintain, in all material respects, effective internal control over financial reporting as of December 31, 2009, due to a material weakness related to its process for estimating losses on loss-sharing agreements.

Despite its material weakness in internal control over financial reporting, FDIC was able to prepare financial statements that were fairly stated in all material respects for 2009 and 2008. However, the material weakness in internal control over financial reporting may adversely affect any decision by FDIC's management that is based, in whole or in part, on information that is inaccurate because of this weakness. In addition, unaudited financial information reported by FDIC may also contain misstatements resulting from this weakness. We considered the material weakness in determining the nature, timing, and extent of our audit procedures on the 2009 financial statements. We caution that misstatements may occur and not be detected by our tests and that such testing may not be sufficient for other purposes.

In addition to the material weakness noted above and discussed later in this report, we identified a significant deficiency³ that, although not a material weakness, represents a combination of control deficiencies that, collectively, we believe should be brought to the attention of those charged with governance. This significant deficiency concerns the effectiveness of FDIC's security over information systems. This significant deficiency is discussed in more detail later in this report.

We will be reporting additional details concerning the material weakness and the significant deficiency separately to FDIC management, along with recommendations for corrective actions. We also identified other deficiencies in FDIC's system of internal control which we do not consider to be material weaknesses or significant deficiencies but which merit FDIC management's attention and correction. We have communicated these matters to FDIC management and, as appropriate, will be reporting them in writing to FDIC separately, along with recommendations for corrective actions.

Compliance with Laws and Regulations
Our tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance that would be reportable under U.S. generally accepted government auditing standards. However, the objective of our audits was not to provide an opinion on overall compliance with laws and regulations. Accordingly, we do not express such an opinion.

Objectives, Scope, and Methodology
FDIC management is responsible for (1) preparing the annual financial statements in conformity with U.S. generally accepted accounting principles; (2) establishing and maintaining effective internal control over financial reporting and evaluating its effectiveness; and (3) complying with applicable laws and regulations. Management evaluated the effectiveness of FDIC's internal control over financial reporting as of December 31, 2009, based on criteria established under FMFIA. FDIC management provided an assertion concerning the effectiveness of its internal control over financial reporting (see appendix I).

We are responsible for planning and performing the audit to obtain reasonable assurance and provide our opinion about whether (1) the financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, and (2) FDIC management maintained, in all material respects, effective internal control over financial reporting as of December 31, 2009. We are also responsible for testing compliance with selected provisions of laws and regulations that have a direct and material effect on the financial statements.

In order to fulfill these responsibilities, we

• examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
• assessed the accounting principles used and significant estimates made by FDIC management;
• evaluated the overall presentation of the financial statements;
• obtained an understanding of FDIC and its operations, including its internal control over financial reporting;
• considered FDIC's process for evaluating and reporting on internal control over financial reporting based on criteria established under FMFIA;
• assessed the risk that a material misstatement exists in the financial statements and the risk that a material weakness exists in internal control over financial reporting;
• tested relevant internal control over financial reporting;
• evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk;
• tested compliance with certain laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended; and
• performed such other procedures as we considered necessary in the circumstances.

An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and (2) transactions are executed in accordance with laws and regulations that could have a direct and material effect on the financial statements.

We did not evaluate all internal controls relevant to operating objectives as broadly defined by FMFIA, such as controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting. Because of inherent limitations in internal control, internal control may not prevent or detect and correct misstatements due to error or fraud, losses, or noncompliance. We also caution that projecting any evaluation of effectiveness to future periods is subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with policies and procedures may deteriorate.

We did not test compliance with all laws and regulations applicable to FDIC. We limited our tests of compliance to those laws and regulations that have a direct and material effect on the financial statements for the year ended December 31, 2009. We caution that noncompliance may occur and not be detected by these tests and that such testing may not be sufficient for other purposes.

We performed our audit in accordance with U.S. generally accepted government auditing standards. We believe our audit provides a reasonable basis for our opinions and other conclusions.

Material Weakness in Controls over Loss Share Estimation Process
During our 2009 audit, we identified deficiencies in controls over FDIC's process for deriving and reporting estimates of losses to the DIF from resolution transactions involving loss-sharing agreements. These deficiencies resulted in errors in the draft 2009 DIF financial statements provided to us that went undetected by FDIC and that necessitated adjustments in finalizing the financial statements. Although the net effect of these errors was ultimately not material in relation to the financial statements taken as a whole, the nature of the control deficiencies we identified that resulted in these errors occurring and going undetected is such that there is a reasonable possibility that they could have led to material misstatements to DIF's financial statements that would not have been timely detected and corrected.

In 2009, FDIC began using whole bank purchase and assumption agreements with accompanying loss-sharing agreements as the primary means of resolving failed financial institutions. Under such an agreement, FDIC sells a failed institution to an acquirer with an agreement that the FDIC, through the DIF, will share in any losses the acquirer experiences in servicing and disposing of assets purchased and covered under the loss-sharing agreement.⁴ Typically, during 2009, loss-sharing agreements were structured such that FDIC assumed 80 percent of any such losses.⁵ Ninety of the 140 resolutions of failed institutions were structured with such loss-sharing agreements in 2009, compared to 3 such agreements entered into for 25 failed institutions resolved in 2008. For financial reporting purposes, FDIC reflected the cumulative estimate of the losses that will likely be incurred on these loss-sharing agreements in the line item "Receivables from resolutions, net" on the DIF's balance sheet, as a component of the $60 billion allowance for losses established against this line item at December 31, 2009.⁶ The FDIC's estimate of future payments (losses) under these loss-sharing agreements represented $22.2 billion (37 percent) of the total DIF allowance for losses as of December 31, 2009.

As part of our audit, we reviewed the process by which FDIC developed and reported on its estimates of losses to the DIF from loss-sharing agreements for the 2009 financial statements. In reviewing and testing this process, we identified control deficiencies that led to computational errors in the calculations and reporting of the year-end loss estimates that went undetected by FDIC. Control deficiencies existed throughout the loss-share estimation process, including the development of the initial estimates, the oversight or review of the calculations, the documentation of significant assumptions used, and the reporting of the estimates as part of the allowance for losses against the Receivable from Resolutions on DIF's financial statements.

In developing the initial loss estimates, although FDIC issued written guidance in February 2009 related to these calculations, we found that the methodology was inconsistently applied and that FDIC did not have adequate controls to reasonably assure that loss-sharing calculations were accurate. Specifically, we found differences in the formulas used by FDIC personnel in performing the calculations and differences in how certain types of assets were combined into consolidated asset categories.⁷ Additionally, FDIC asserted that a review process was in place by which a limited number of staff prepared the calculations and reviewed each other's work for accuracy. However, there was no documentary evidence that supervisory or independent review or monitoring was performed on the calculations developed by FDIC personnel.

As a result of these control deficiencies, we identified significant error rates in FDIC's calculations of loss estimates that were not identified and corrected by FDIC through a review or monitoring process. Of 51 institutions with loss-sharing agreements in 2009 we sampled for testing, we found errors in the calculations of estimated losses for 9. After we apprised FDIC of these errors, management reviewed the computations for the remaining institutions with loss-sharing agreements and found another 16 institutions where the estimated loss calculations contained errors. In total, over 25 percent of the 93 individual loss share estimates for 2009 contained errors. While many of the individual errors were not large, some were significant. For example, one error resulted in an estimate of loss for an institution that was twice the amount it should have been. These computational errors in the loss share amounts FDIC estimated it would have to pay out under loss-sharing agreements totaled $386 million on an absolute value basis. Despite the large percentage of estimates with errors and the relatively high dollar impact of these errors, they were not detected by FDIC in the normal course of preparing the initial estimates, when updating the amounts for year-end reporting, or in its process for preparing and reviewing the DIF's 2009 financial statements. Once corrected, the computational errors lowered the loss-share cost estimates and resulted in a net increase to the "Receivables from resolutions" line item on the DIF's financial statements of about $270 million. The Standards for Internal Control in the Federal Government ⁸ provide that control activities are to help ensure that all transactions are completely and accurately recorded. These standards also state that internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations.

In addition to the computational errors, we could find no documentation supporting the assumptions contained in the complex spreadsheets that FDIC used to calculate its 2009 loss estimates, nor did we identify documentation demonstrating management's review and approval of the assumptions contained in the spreadsheets.⁹ Because these assumptions can significantly affect the estimated losses under loss-sharing agreements, such evidence is critical to ensuring that management has reviewed and is in agreement with the underlying assumptions used in deriving these estimates. Similarly, we found no evidence that the data used in the program developed to assist in updating the loss estimates on loss-sharing agreements for financial reporting at December 31, 2009, was reviewed for accuracy.¹⁰ This greatly increases the risk that inaccurate or incomplete data is used in the year-end calculations for a significant estimate on the DIF's financial statements. The Standards for Internal Control in the Federal Government provide that internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals. While we performed audit procedures on the assumptions and data accuracy, this weakness results in a risk of misstatements in FDIC's loss-sharing computations.

Finally, our review of FDIC's financial reporting of the loss-share estimates through its Loan Loss Reserve process identified multiple additional errors that were not identified and corrected by FDIC's review or routine monitoring controls.¹¹ After we apprised FDIC of these additional errors, management reviewed all of the spreadsheets used in this process-one for each failed institution receivership-to identify and correct errors and inconsistencies. In total, 13 of the 93 spreadsheets for institutions with loss-sharing agreements (14 percent) used in the calculation of DIF's year-end allowance for losses contained errors. These errors totaled $225 million on an absolute value basis. When FDIC corrected these additional errors, it resulted in an increase to the loss-share cost estimates and a net decrease to the "Receivables from resolutions" line item on the DIF's financial statements totaling about $132 million.

The lack of effective controls over the estimation process and the reporting of those estimates resulted in misstatements in the initial draft of the DIF's 2009 financial statements, which FDIC corrected. In total, FDIC's initial 2009 financial reporting related to loss-share estimates contained gross errors of over $611 million. Because the errors included both those that increased and decreased individual loss estimates, the errors resulted in a $138 million net decrease in the allowance for losses and a corresponding net increase to the "Receivables from resolutions" line item that the FDIC made to correct the DIF's 2009 financial statements.

In 2009, FDIC substantially expanded the use of loss-sharing agreements in its resolution strategy to both minimize the initial outlay of funds by the DIF in resolving failed institutions and to attempt to minimize the ultimate loss incurred by the DIF through working to keep the assets of failed institutions in the market. Given the significance of these types of transactions and their impact on DIF's financial statements, it is critical that FDIC establish effective controls to ensure that all steps in the estimation process are fully documented and that appropriate review and monitoring of key steps in the process, including all manual computations, assumptions used, and source input, are both performed and documented. In 2009, the controls over this highly manual process were not sufficient to ensure that the loss-share calculations were consistent and accurate, and that independent verification was performed to timely identify and correct errors that could impact the financial statements. While the actual net misstatements ultimately were not material to the year-end financial statements, due to the nature of the control deficiencies we identified, there is a reasonable possibility that a material misstatement of the DIF's financial statements could have occurred and not been detected and corrected absent the audit process. Consequently, we believe that the control deficiencies we identified in the process for deriving estimates under loss-sharing agreements collectively represented a material weakness in internal controls as of December 31, 2009.

FDIC has developed a corrective action plan to address the control deficiencies we identified in its loss-share estimation process. This action plan outlines specific steps FDIC indicates it has or is in the process of implementing, along with targeted dates for completion of the actions. We will review the effectiveness of FDIC's corrective actions as part of our 2010 financial audits. As discussed earlier, we will also be reporting additional details concerning the material weakness over FDIC's process for estimating losses under loss-sharing agreements in a separate report, along with our recommendations for corrective actions.

Significant Deficiency over Information Systems
As an integral part of our audits of the 2009 financial statements of the DIF and FRF, we reviewed FDIC's information system controls. Effective information system controls are essential to safeguarding financial and other critical data, protecting the integrity of computer application programs, securing networks, and ensuring continued computer operations in case of unexpected interruption. These controls include a corporatewide security management program, access controls, configuration management, segregation of duties, and contingency planning. They also include business process application controls.

During our 2009 financial audits, we identified FDIC information system control deficiencies that increased the risk of unauthorized modification and disclosure of financial and other sensitive information, and disruption of critical operations. These control deficiencies, which collectively constitute a significant deficiency, reduced FDIC's ability to ensure that authorized users had only the access needed to perform their assigned duties, and that its systems were sufficiently protected from unauthorized access. This significant deficiency affects the confidentiality, integrity and availability of financial and other sensitive information processed, stored, and transmitted on FDIC's systems. Additionally, FDIC's controls to monitor the effectiveness of its information system controls were not fully effective. Examples of these deficiencies follow:

• FDIC had not controlled access to computer systems and a business application in a manner that effectively limited individuals' access to only those functions and data necessary to perform their assigned duties. To accommodate system updates and growth, FDIC changed network configurations that resulted in the ability for users to obtain unauthorized access to network controls and control information. In another case, FDIC had granted users inappropriate and excessive access privileges to a business application supporting resolution and receivership activities. As a result, users could obtain inappropriate access to and potentially modify information processed through this application.
• FDIC's policies and procedures governing the assignment, use, and monitoring of mainframe user identifications (IDs) intended to support technical assistance to business processes were not enforced. We found that audit logs showed a long-term, systemic pattern of questionable use of privileges that provided a limited number of system administrators full access to all data and programs on the mainframe. However, FDIC's review of audit logs did not identify and trigger corrective actions or management follow-up to determine if mainframe user IDs were being used to obtain inappropriate access.
• FDIC did not appropriately configure certain key systems, potentially allowing the systems to be manipulated by internal users without detection. For example, powerful mainframe programs that, if misused, could expose all data and programs on the system to unauthorized internal user access were not configured in accordance with FDIC policy. This resulted in FDIC's inability to detect unauthorized changes to the programs. FDIC's security monitoring and configuration management controls had not identified this situation and FDIC was not aware of this configuration.
• FDIC did not have policies and procedures in place to prevent users from having inappropriate or incompatible access to multiple applications. For example, FDIC did not have policies and procedures to identify and govern the assignment of access privileges to combinations of systems that create logical access to data that is otherwise prevented by applications. As a result, a combination of access privileges were assigned to individuals that allowed for the circumvention of an accounting application's access controls. Additionally, FDIC did not have technical controls in place to identify or prevent the assignment of such combinations of access privileges that expose the data associated with certain applications from access outside of the access controls implemented within the functions of those applications. As a result, individuals could inappropriately obtain access to data in certain applications.
• FDIC made major changes to important accounting and system administration applications during 2009, but did not effectively test and verify that all system interfaces were properly configured for the new systems before placing them into production. We identified deficiencies in the interfaces of two applications that had not been detected by FDIC's pre-implementation testing and were not subsequently identified through FDIC's periodic monitoring activities. These deficiencies increased the risk of errors in data as it is transferred from one system to another.

Several of the vulnerabilities we identified with respect to FDIC's security over its information systems should have been identified through FDIC's routine monitoring of access privileges, audit logs, and adherence to established policies and procedures. Although FDIC has an information security monitoring program, deficiencies existed which had not been identified by this program, some of which resulted in significant reductions in FDIC's capability to maintain effective controls.

The Standards for Internal Control in the Federal Government¹² state that internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. Also, the Committee on Sponsoring Organizations of the Treadway Commission, in its Guidance on Monitoring Internal Control Systems,¹³ notes that ongoing and/or separate evaluations enable management to determine whether other components of internal control continue to function over time, and notes that organizations can select from a wide variety of monitoring procedures, including but not limited to continuous monitoring programs built into information systems and supervisory reviews of controls. In addition, the National Institute of Standards and Technology in its Recommended Security Controls for Federal Information Systems¹⁴ states that as part of a comprehensive continuous monitoring program, organizations should initiate specific actions to determine if there is a need to update the current security controls.

The deficiencies we identified were the result of ineffective monitoring of systems, including a failure to detect noncompliance with published policies and procedures. While the deficiencies we identified represent internal exposures-that is, they could only be exploited internally by individuals with system knowledge-FDIC needs to consider the significant increase in its business activities, its establishment of new physical locations to conduct its work, and its substantial expansion of staffing levels including a large influx of contractors. These realities, in light of FDIC's increased resolution activities, create increased risk from internal threats that need to be fully considered in FDIC's risk management decisions.

Based on the information system control deficiencies we identified, we conclude that, for 2009, FDIC's controls over information systems were not fully effective in preventing unauthorized access to data, systems configurations, or programs and did not provide management with sufficient capabilities to detect and respond to anomalous or unauthorized activity on internal networks and systems.

FDIC Comments and Our Evaluation
In commenting on a draft of this report, FDIC's Chief Financial Officer (CFO) noted that he was pleased to receive unqualified opinions on the DIF's and FRF's 2009 and 2008 financial statements. The CFO pointed out that the past year was unusually challenging and stated that FDIC recognizes the significance that internal control plays in achieving its mission and goals. Further, the CFO stated that financial management remains a high priority. With respect to the internal control weaknesses we identified in FDIC's loss share estimation process and over its information systems, FDIC's CFO acknowledged that controls needed improvement, that such improvements are underway, and that our concerns should be resolved in 2010. We will evaluate the effectiveness of FDIC's corrective actions as part of our 2010 financial audits.

The complete text of FDIC's comments, and its Management Report containing its assertion on the effectiveness of its internal control over financial reporting, are reprinted in appendix I.

Steven J. Sebastian
Director
Financial Management and Assurance

June 14, 2010

Footnotes:
1 A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. back

2 As discussed in Note 1 to the DIF's financial statements, the Helping Families Save Their Homes Act of 2009, Pub. L. No. 111-22, div. A, §204(b), 123 Stat.1632,1648 (May 20, 2009), extended the time limit for a restoration plan to rebuild the reserve ratio of the DIF from 5 years to 8 years. back

3 A significant deficiency is a control deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. back

4 Losses covered under the loss-sharing agreements include losses incurred through the sale, foreclosure, loan modification, or write-down of loans in accordance with the terms of the loss-share agreement. back

5 The agreements varied in 2009, but typically included a provision whereby the acquiring institution would absorb losses up to a certain dollar amount (called a first tranche), at which point FDIC would begin sharing in the losses by paying the acquirer for 80 percent of the losses it experienced. If losses experienced by the acquirer are higher than expected, the agreements generally have a threshold at which the FDIC would begin paying 95 percent of the losses the acquiring institution experiences on the acquired assets. back

6 The allowance for losses represents the difference between the amount owed to the DIF by a receivership for payment of insured deposits and other resolution expenses and the amount expected to be repaid from the servicing and liquidation of the receivership's assets (such as from sale of loans and other assets of the failed institution). back

7 The process by which FDIC estimates the expected loss to the DIF from loss-sharing agreements is complex and multifaceted. FDIC contracts with asset specialists to review the asset portfolio of the failed institution and to develop an anticipated loss rate, expressed as a percentage of book value, on the various categories of the failed bank's asset portfolio. During 2009, FDIC instructed the contractors to derive both high and low estimated loss rates on the various categories of assets. FDIC personnel took the contractor's estimates and consolidated them into two large asset category pools-single family mortgage loans and commercial loans. FDIC then calculated an estimated loss rate for each of these consolidated categories of assets, attempting to derive a midpoint estimated loss rate from the contractor's work. back

8 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, (Washington, D.C.: November 1999). back

9 The loss-share estimates calculated by FDIC personnel are manually inputted into a spreadsheet-called the Loss Share Worksheet-to calculate an estimate of the loss on the portfolio of a failed institution's assets that FDIC expects to incur. The spreadsheet contains a series of built-in assumptions, such as estimated holding periods for assets and discount rates, which can significantly modify the original estimates developed by contracted asset specialists. A Loss Share Worksheet was prepared for each of the institutions with loss-sharing agreements prior to the time of resolution. back

10 To facilitate year-end reporting so as to avoid the time-consuming process of preparing revised individual Loss Share Worksheets for each institution, FDIC developed a Statistical Analysis System (SAS) program to reproduce the results of the worksheet. The SAS program takes the updated loss amounts-derived by taking the mid-point loss rate calculated by FDIC personnel for each consolidated category of assets and multiplying it by the updated book value of covered assets held by the acquiring institution-and, replicating the formulas and assumptions in the Loss Share Worksheet, calculates updated loss estimates. The output from this SAS program is then used in the calculation of the allowance for losses on DIF's Receivables from Resolutions. back

11 To calculate the allowance for losses, FDIC uses a separate spreadsheet-called the Loan Loss Reserve (LLR) template-for each failed institution receivership. For failed institutions resolved using a loss-sharing agreement, the estimate of future loss share payments is included as one of the resolution expenses included in the allowance for losses calculation. back

12 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). back

13 Committee on Sponsoring Organizations of the Treadway Commission, Guidance on Monitoring Internal Control Systems, January 2009. back

14 National Institute of Standards and Technology, Special Publication 800-53 (Revision 2), Recommended Security Controls for Federal Information Systems, December 2007. back