IV. Financial Statements and Notes
Government Accountability Office’s Audit Opinion
To the Board of DirectorsThe Federal Deposit Insurance Corporation
In accordance with section 17 of the Federal Deposit Insurance Act, as amended, we are responsible for conducting audits of the financial statements of the funds administered by the Federal Deposit Insurance
Corporation (FDIC). In our audits of the Deposit Insurance Fund’s (DIF)
and the FSLIC Resolution Fund’s (FRF) financial statements1 for 2010
and
2009, we found
- the financial statements as of and for the years ended
December 31,
2010, and 2009, are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles;
- FDIC’s internal control over financial reporting was
effective as of
December 31, 2010; and
- no reportable noncompliance with provisions of laws and
regulations
we tested.
The following sections discuss in more detail (1) these
conclusions; (2) our
audit objectives, scope, and methodology; and (3) agency comments and
our evaluation.
Opinion on the DIF’s Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, the DIF’s assets, liabilities, and fund balance as of December 31, 2010, and 2009, and its income and fund balance and its cash flows for the years then ended.
As discussed in note 8 to the DIF’s financial statements, FDIC-insured financial institutions continued to face significant challenges in 2010. The slowly recovering economy and credit environment continued to challenge the soundness of many DIF-insured institutions. In 2010, 157 banks with combined assets of approximately $93 billion failed, costing the DIF an estimated $24 billion—this cost was generally recognized
in the
DIF’s 2009
financial statements. Regulatory and market data suggest that the
banking
industry will continue to experience elevated levels of stress over the
coming year. In addition to the losses reflected on the DIF’s financial
statements, FDIC has identified additional risk as of year-end 2010 that
could result in further estimated losses to the DIF of up to
approximately
$25 billion should other potentially vulnerable insured institutions
ultimately faiL. FDIC continues to evaluate the ongoing risks to
affected
institutions in light of current economic and financial conditions, and
the
effect of such risks on the DIF. Actual losses, if any, will largely
depend on
future economic and market conditions and could differ materially from
FDIC’s estimates. As discussed in note 17 to the DIF’s financial
statements,
through March 14, 2011, 25 institutions failed during 2011.
As of December 31, 2010, the DIF had a negative fund
balance of
$7.4 billion and its ratio of reserves to estimated insured deposits was
a
negative 0.12 percent. In contrast, at December 31, 2009, the DIF had a
negative fund balance of $20.9 billion and its ratio of reserves to
estimated
insured deposits was a negative 0.39 percent. The improvement in 2010
was
primarily attributable to lower losses from 2010 bank failures than
projected at December 31, 2009, and lower estimates of losses from
anticipated failures at December 31, 2010. During 2010, FDIC continued
its
efforts to maintain the DIF’s ability to resolve problem institutions.
As
discussed in notes 4 and 7 of DIF’s financial statements, FDIC
continued
the use of purchase and assumption resolution transactions containing
loss-share agreements with acquirers of failed institutions as a means
of
both conserving the initial cash outlay required by the DIF in resolving
a
troubled institution and as a longer-term means of attempting to
further
minimize the ultimate losses to the DIF. Under such agreements, which
typically cover a 5- to 10-year period, an acquiring institution
assumes all
of the deposits and purchases most, if not all, of the assets of a
failed
institution. FDIC, in turn, agrees to cover a large percentage of any
losses
on assets covered under the agreements up to a stated threshold. During
2010, 130 of the 157 institutions that failed and were resolved by FDIC
were
handled through the use of loss-share agreements with acquirers of
these
institutions.
The DIF has a variety of resources available to carry out
its
insurance
responsibilities. At December 31, 2010, the DIF had $12.4 billion in
investments in U.S. Treasury obligations in addition to $27 billion in
cash
and cash equivalents, which provide a ready source of funds for its
insurance activities. These funds were primarily obtained through FDIC’s
charging the industry approximately 3 years of advanced assessments at
the end of 2009. In addition, as discussed in note 1 to DIF’s financial
statements, FDIC can borrow up to $100 bilion from the U.S. Treasury
and
it also has a note agreement with the Federal Financing Bank enabling
it to
borrow up to $100 billion. However, the total amount that FDIC can
borrow
from these sources for the DIF would be subject to the DIF’s statutory
maximum obligation limitation, which equaled $106.3 billion as of
December 31, 2010.
The Dodd-Frank Wall Street Reform and Consumer Protection
Act
(Dodd-Frank Act)2 contains significant provisions related to
assessments and
capitalization of the DIF. One of these provisions requires FDIC to
define
the assessment base as average consolidated total assets minus average
tangible equity. This contrasts with the previous assessment base
consisting of domestic deposits. This change will broaden the
assessment
base and is intended to better measure the risk that a bank poses to
the
DIF. The act also sets the statutory minimum designated reserve ratio
of
not less than 1.35 percent of estimated insured deposits, or the
comparable
percentage of the new assessment base, and requires that FDIC take such
steps as may be necessary to achieve this reserve ratio by September 30,
2020. This change, intended to strengthen the DIF, increases the
minimum
designated reserve ratio from 1.15 percent, but as noted above,
extends the
target date for the DIF to achieve this minimum designated reserve ratio
from December 31, 2016. FDIC adopted a new restoration plan on October
19, 2010 in response to the above requirements. In addition, the act
provides for a permanent increase in the standard deposit insurance
coverage amount from $100,000 to $250,000 (retroactive to January 1,
2008)
and unlimited deposit insurance coverage for noninterest-bearng
transaction accounts for 2 years to the end of 2012. The act also
authorizes
FDIC to undertake enforcement actions against depository institution
holding companies if their conduct or threatened conduct poses a risk
of
loss to the DIF.
The DIF continues to face some exposure as a result of
actions
taken
pursuant to the systemic risk determnation made in 2008 by the
Department of the Treasury, in consultation with the President and upon
recommendation of the Boards of FDIC and the Federal Reserve. As
discussed in note 16 to the DIF’s financial statements, FDIC
established the
Temporary Liquidity Guarantee Program (TLGP). The TLGP consists of the
(1) Debt Guarantee Program, under which FDIC guaranteed newly issued
senior unsecured debt up to prescribed limits issued by insured
institutions
and certain holding companies, and (2) Transaction Account Guarantee
Program (TAGP), under which, through December 31, 2010, FDIC provided
unlimited coverage for noninterest-bearing transaction accounts held by
participating insured institutions. FDIC charged fees to participants
that
are to be used to cover any losses under both guarantee programs. The
unlimited deposit insurance coverage for noninterest-bearing
transaction
accounts under the Dodd-Frank Act essentially replaces the TAGP, except
that FDIC will not charge a separate assessment fee for insuring the
transaction accounts. As discussed in note 16, as of December 31, 2010,
the
amount of debt guaranteed by FDIC under the Debt Guarantee Program
was $267 billion.
Opinion on the FRF’s
Financial Statements
The financial statements, including the accompanying
notes,
present fairly,
in all material respects, in conformity with U.S. generally accepted
accounting principles, FRF’s assets, liabilities, and resolution equity
as of
December 31, 2010, and 2009, and its income and accumulated deficit and
its cash flows for the years then ended.
Opinion on Internal Control
FDIC maintained, in all material respects, effective
internal
control over
financial reporting as of December 31, 2010, which provided reasonable
assurance that misstatements, losses, or noncompliance material in
relation to the financial statements would be prevented or detected and
corrected on a timely basis. Our opinion is based on criteria
established
under 31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers’
Financial Integrity Act of 1982 (FMFIA).
Resolution of Prior Year
Material Weakness
In our 2009 audit report³ we reported a material weakness4 in FDIC’s
controls over its process for deriving and reporting estimates of
losses to
the DIF from resolution transactions involving loss-share agreements5 because existing controls were not fully effective in preventing or
detecting
and correcting errors in developing and reporting loss-share loss
amounts
in FDIC’s draft 2009 financial statements of the DIF. As described in
our
audit report, we identified weaknesses in FDIC’s controls over (1) the
development of initial loss-share loss estimates, including verifying the
accuracy of the calculations; (2) managerial review and oversight of
the
initial loss-share estimation process and its underlying assumptions;
and
(3) reporting of the loss-share loss estimates as part of the allowance
for
losses against the Receivables from resolutions, net on the DIF’s
balance
sheet. We subsequently provided further details of the control
deficiencies
related to this material weakness as well as recommendations for
corrective actions in a separate report to FDIC management.6 To correct
these control deficiencies, we recommended that FDIC officials (1)
establish mechanisms for monitoring implementation of newly issued
policies and procedures over the process for calculating initial
loss-share
loss estimates; (2) develop specific procedures for documenting
assumptions underlying initial loss-share loss estimates, including
periodic
managerial review and approval of assumptions and changes over time;
and (3) establish and document detailed procedures for ensuring the
completeness and accuracy of the overall allowance for loss
calculations,
including loss-share related losses.
In response to the material weakness in internal control,
FDIC
developed
and implemented a corrective action plan that included additional
controls
to address the control deficiencies we identified. Specifically, FDIC
- implemented a new review process and documentation
procedures over
the development of initial loss-share loss amounts;
- established additional monitoring and review of loss-share
estimates
with the creation of the Closed Bank Financial Risk Committee
dedicated to oversight of the loss-share agreement process, including
approval of underlying assumptions in loss-share related calculations
and ongoing periodic reviews of initial and updated loss-share loss
estimates; and
- enhanced controls over both the inclusion of loss-share
related losses in
the allowance for loss determination and the overall process for
calculating the allowance for loss related to the Receivables from
resolutions, net line item on the DIF’s balance sheet.
During our audit, we found that FDIC’s actions
significantly
reduced the
risk that a material misstatement would not be detected and timely
corrected, and concluded that remaining control deficiencies in FDIC’s
process of deriving and reporting estimates of losses involving
loss-share
agreements do not individually or collectively constitute a material
weakness or significant deficiency.7
Although FDIC made significant improvements to its
controls
over its
process for estimating losses related to loss-share agreements, it
continues
to face risk because of ongoing financial institution failures and the
highly
manual process FDIC employs in its loss-share estimation process.
Although improved, FDIC’s current loss-share estimation process is
complex, is not fully documented, and involves multiple manual data
entries. As a result, the process relies heavily on effective reviews
and
oversight for ensuring data accuracy. The determination of the overall
allowance for losses associated with receivables from resolution
activity
equally depends upon a highly complex series of integrated spreadsheets
that draw information from multiple, often manually input, data
sources, and thus also relies heavily on effective supervisory review
and oversight
for ensuring data accuracy. Because of the nature of this process, FDIC
will
need to continue to provide effective review and oversight controls to
accurately report estimated loss-share losses and the overall allowance
for
loss related to resolution activity on the DIF’s financial statements.
Resolution of Prior Year
Significant Deficiency
In our 2009 audit report, we reported a significant
deficiency
concernng
the effectiveness of FDIC’s security over its information systems,
which
reduced FDIC’s ability to ensure that authorized users had only the
access
needed to perform their assigned duties, and that its systems were
sufficiently protected from unauthorized access. The audit report
highlighted the control issues that constituted the significant
deficiency.
Specifically, FDIC did not (1) adequately control access to its computer
systems; (2) enforce its policies and procedures governing the
assignment,
use, and monitoring of mainframe user identifications (IDs);
(3) appropriately configure certain key systems, potentially allowing
the
systems to be manipulated by internal users without detection; (4) have
policies and procedures in place to prevent users from having
inappropriate or incompatible access to multiple applications; and
(5) effectively test and verify that all system interfaces were properly
configured for major changes to some important accounting and system
administrative applications. Subsequently, we provided more details on
these issues and reported additional underlying control weaknesses,
along
with recommendations for corrective actions, to FDIC management.8
During 2010, FDIC made substantial progress in correcting
many
of the
underlying control issues that constituted the significant deficiency.
Specifically, FDIC did the following:
- Corrected weaknesses in controls over access to computer
systems and
a business application that had not effectively limited individuals’
access to only those functions and data necessary to perform their
assigned duties. For example, FDIC strengthened network
configurations such that users are now prevented from obtaining
unauthorized access to network controls and control information.
Additionally, FDIC addressed weaknesses that had resulted in granting
users inappropriate and excessive access privileges to a business
application supporting resolution and receivership activities.
- Corrected weaknesses in enforcing revised policies and
procedures
governing the assignment, use, and monitoring of mainframe user IDs
intended to support technical assistance to business processes. FDIC
also greatly reduced the incidence of the use of access privileges that
provide a limited number of system administrators full access to all
data
and programs on the mainframe.
- Corrected the configuration of certain key systems,
significantly
reducing the potential for the misuse of powerful mainframe programs.
- Made progress in resolving deficiencies in controls
designed to prevent
users from having inappropriate or incompatible access to multiple
applications.
- Corrected deficiencies in the interfaces of two
applications that
increased the risk of errors in data as it is transferred from one
system
to another.
As a result of the improvements we noted in FDIC’s
information
system
controls, we concluded that the remaining unresolved prior year issues
and
new issues identified in our 2010 audit do not individually or
collectively
constitute a material weakness or significant deficiency. In order to
sustain
the progress FDIC has made in improving its information system controls,
it will be important for FDIC to continue to place a high level of
emphasis
on this area, especially with respect to continuous and periodic
monitoring
activities.
During our 2010 audit, we identified other deficiencies
in
FDIC’s system of
internal control that we do not consider to be material weaknesses or
significant deficiencies but merit FDIC management’s attention and
correction. We have communicated these matters to FDIC management
and as appropriate, will be reporting them in writing to FDIC
separately,
along with recommendations for corrective actions.
Compliance with Laws
and Regulations
Our tests for compliance with selected provisions of laws
and
regulations
disclosed no instances of noncompliance that would be reportable under
U.S. generally accepted government auditing standards. However, the
objective of our audits was not to provide an opinion on overall
compliance
with laws and regulations. Accordingly, we do not express such an
opinion.
Objectives, Scope, and
Methodology
FDIC management is responsible for (1) preparing the
annual
financial
statements in conformity with U.S. generally accepted accounting
principles; (2) establishing and maintaining effective internal control
over
financial reporting and evaluating its effectiveness; and (3) complying
with
applicable laws and regulations. Management evaluated the effectiveness
of FDIC’s internal control over financial reporting as of December 31,
2010,
based on criteria established under FMFIA. FDIC management provided an
assertion concerning the effectiveness of its internal control over
financial
reporting (see app. I).
We are responsible for planning and performing the audit
to
obtain
reasonable assurance and provide our opinion about whether (1) the
financial statements are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles, and
(2) FDIC management maintained, in all material respects, effective
internal control over financial reporting as of December 31, 2010. We
are
also responsible for testing compliance with selected provisions of
laws
and regulations that have a direct and material effect on the financial
statements.
In order to fulfill these responsibilities, we
- examined, on a test basis, evidence supporting the amounts
and
disclosures in the financial statements;
- assessed the accounting principles used and significant
estimates made
by FDIC management;
- evaluated the overall presentation of the financial
statements;
- obtained an understanding of FDIC and its operations,
including its
internal control over financial reporting;
- considered FDIC’s process for evaluating and reporting on
internal
control over financial reporting based on criteria established under
FMFIA;
- assessed the risk that a material misstatement exists in
the financial
statements and the risk that a material weakness exists in internal
control over financial reporting;
- tested relevant internal control over financial reporting;
- evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk;
- tested compliance with certain laws and regulations,
including selected
provisions of the Federal Deposit Insurance Act, as amended; and
- performed such other procedures as we considered necessary in
the
circumstances.
An entity’s internal control over financial reporting is
a
process affected by
those charged with governance, management, and other personnel, the
objectives of which are to provide reasonable assurance that
(1) transactions are properly recorded, processed, and summarized to
permit the preparation of financial statements in conformity with U.S.
generally accepted accounting principles, and assets are safeguarded
against loss from unauthorized acquisition, use, or disposition, and
(2) transactions are executed in accordance with laws and regulations
that
could have a direct and material effect on the financial statements.
We did not evaluate all internal controls relevant to
operating objectives as
broadly defined by FMFIA, such as controls relevant to preparing
statistical
report and ensuring efficient operations. We limited our internal control
testing to controls over financial reporting. Because of inherent
limitations
in internal control, internal control may not prevent or detect and
correct
misstatements due to error or fraud, losses, or noncompliance. We also
caution that projecting any evaluation of effectiveness to future
periods is
subject to the risk that controls may become inadequate because of
changes in conditions, or that the degree of compliance with policies
and
procedures may deteriorate.
We did not test compliance with all laws and regulations
applicable to
FDIC. We lited our tests of compliance to those laws and regulations
that
have a direct and material effect on the financial statements for the
year
ended December 31, 2010. We caution that noncompliance may occur and
not be detected by these tests and that such testing may not be
sufficient
for other purposes.
We performed our audit in accordance with U.S. generally
accepted
government auditing standards. We believe our audit provides a
reasonable
basis for our opinions and other conclusions.
FDIC Comments and
Our Evaluation
In commenting on a draft of this report, FDIC’s Chief
Financial
Officer
(CFO) noted that he was pleased that FDIC had received unqualified
opinions on the DIF’s and FRF’s 2010 and 2009 financial statements. He
noted that over the past year, FDIC had worked diligently to resolve
the
material weakness and significant deficiency that we had reported in our
2009 audit. In particular, he cited significant steps taken to
strengthen
controls over the loss-share estimation process and over information
systems security. The CFO stated that FDIC would continue to make
improvements in these areas in the coming year, and stressed that
FDIC’s
dedication to sound financial management remains a top priority.
The complete text of FDIC’s comments and its Management
Report
containing its assertion on the effectiveness of its internal control
over
financial reporting are reprinted in appendix I.
Steven J. Sebastian
Director
Financial Management and Assurance
March 14, 2011
|