2016 Annual Report

Independent Auditor’s Report

To the Board of Directors
The Federal Deposit Insurance Corporation

In our audits of the 2016 and 2015 financial statements of the Deposit Insurance Fund (DIF) and of the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund (FRF), both of which are administered by the Federal Deposit Insurance Corporation (FDIC),¹ we found

• the financial statements of the DIF and of the FRF as of and for the years ended December 31, 2016, and 2015, are presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles;
• although internal controls could be improved, FDIC maintained, in all material respects, effective internal control over financial reporting relevant to the DIF and to the FRF as of December 31, 2016; and
• with respect to the DIF and to the FRF, no reportable noncompliance for 2016 with provisions of applicable laws, regulations, contracts, and grant agreements we tested.

The following sections discuss in more detail (1) our report on the financial statements and on internal control over financial reporting and other information² included with the financial statements; (2) our report on compliance with laws, regulations, contracts, and grant agreements; and (3) agency comments.

REPORT ON THE FINANCIAL STATEMENTS AND on INTERNAL CONTROL OVER FINANCIAL REPORTING

In accordance with Section 17 of the Federal Deposit Insurance Act, as amended,³ and the Government Corporation Control Act,⁴ we have audited the financial statements of the DIF and of the FRF, both of which are administered by FDIC. The financial statements for the DIF comprise the balance sheets as of December 31, 2016, and 2015; the related statements of income and fund balance and of cash flows for the years then ended; and the related notes to the financial statements. The financial statements for the FRF comprise the balance sheets as of December 31, 2016, and 2015; the related statements of income and accumulated deficit and of cash flows for the years then ended; and the related notes to the financial statements. We also have audited FDIC’s internal control over financial reporting relevant to the DIF and to the FRF as of December 31, 2016, based on criteria established under 31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers’ Financial Integrity Act (FMFIA).

We conducted our audits in accordance with U.S. generally accepted government auditing standards. We believe that the audit evidence we obtained is sufficient and appropriate to provide a basis for our audit opinions.

Management’s Responsibility

FDIC management is responsible for (1) the preparation and fair presentation of these financial statements in accordance with U.S. generally accepted accounting principles; (2) preparing and presenting other information included in documents containing the audited financial statements and auditor’s report, and ensuring the consistency of that information with the audited financial statements; (3) maintaining effective internal control over financial reporting, including the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; (4) evaluating the effectiveness of internal control over financial reporting based on the criteria established under FMFIA; and (5) providing its assessment about the effectiveness of internal control over financial reporting as of December 31, 2016, included in the accompanying Management’s Report on Internal Control over Financial Reporting in appendix I.

Auditor’s Responsibility

Our responsibility is to express opinions on these financial statements and opinions on FDIC’s internal control over financial reporting relevant to the DIF and to the FRF based on our audits. U.S. generally accepted government auditing standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free from material misstatement, and whether effective internal control over financial reporting was maintained in all material respects. We are also responsible for applying certain limited procedures to other information included with the financial statements.

An audit of financial statements involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the auditor’s assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances. An audit of financial statements also involves evaluating the appropriateness of the accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.

An audit of internal control over financial reporting involves performing procedures to obtain evidence about whether a material weakness exists.⁵ The procedures selected depend on the auditor’s judgment, including the assessment of the risk that a material weakness exists. An audit of internal control over financial reporting also includes obtaining an understanding of internal control over financial reporting, evaluating the design and operating effectiveness of internal control over financial reporting based on the assessed risk, and testing relevant internal control over financial reporting. Our audit of internal control also considered the entity’s process for evaluating and reporting on internal control over financial reporting based on criteria established under FMFIA. Our audits also included performing such other procedures as we considered necessary in the circumstances.

We did not evaluate all internal controls relevant to operating objectives as broadly established under FMFIA, such as those controls relevant to preparing performance information and ensuring efficient operations. We limited our internal control testing to testing controls over financial reporting. Our internal control testing was for the purpose of expressing an opinion on whether effective internal control over financial reporting was maintained, in all material respects. Consequently, our audit may not identify all deficiencies in internal control over financial reporting that are less severe than a material weakness.

Definitions and Inherent Limitations of Internal Control over Financial Reporting

An entity’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and (2) transactions are executed in accordance with provisions of applicable laws, regulations, contracts, and grant agreements, noncompliance with which could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements due to fraud or error. We also caution that projecting any evaluation of effectiveness to future periods is subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

Opinions on Financial Statements

In our opinion:

• The DIF’s financial statements present fairly, in all material respects, the DIF’s financial position as of December 31, 2016, and 2015, and the results of its operations and its cash flows for the years then ended, in accordance with U.S. generally accepted accounting principles.
• The FRF’s financial statements present fairly, in all material respects, the FRF’s financial position as of December 31, 2016, and 2015, and the results of its operations and its cash flows for the years then ended, in accordance with U.S. generally accepted accounting principles.

Opinions on Internal Control over Financial Reporting

In our opinion, although certain internal controls could be improved,

• FDIC maintained, in all material respects, effective internal control over financial reporting relevant to the DIF as of December 31, 2016, based on criteria established under FMFIA.
• FDIC maintained, in all material respects, effective internal control over financial reporting relevant to the FRF as of December 31, 2016, based on criteria established under FMFIA

As discussed in greater detail later in this report, our 2016 audit identified deficiencies in FDIC’s information systems controls that collectively represent a significant deficiency in FDIC’s internal control over financial reporting.⁶

Although the significant deficiency in internal control did not affect our opinions on the 2016 financial statements of the DIF and of the FRF, misstatements may occur in other financial information reported by the DIF and the FRF and not be prevented or detected and corrected on a timely basis because of this significant deficiency.

In addition to the significant deficiency in information systems controls, we identified other deficiencies in FDIC’s internal control over financial reporting that we do not consider to be material weaknesses or significant deficiencies. Nonetheless, these deficiencies warrant FDIC management’s attention. We have communicated these matters to FDIC management and, where appropriate, will report on them separately.

Significant Deficiency in Information Systems Controls

During our 2016 audit, we identified new deficiencies in information systems controls that along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in FDIC’s internal control over financial reporting. Specifically, the deficiencies relate to general information systems controls in the areas of access and configuration management controls.

FDIC did not sufficiently implement controls to limit or detect access to computer resources. Specifically, FDIC did not have sufficient boundary protection controls on its network to fully isolate sensitive financial systems from other parts of its network. According to FDIC, a plan to fully isolate sensitive systems on a secure network segment had been made, but implementation of the plan had been delayed because of other competing priorities. Until it appropriately isolates its sensitive financial systems, FDIC faces increased risk that unauthorized or malicious attempts to communicate with its financial systems could go undetected.

FDIC did not consistently implement configuration management controls. Configuration management controls are intended to prevent unauthorized changes to information system resources and provide reasonable assurance that systems are configured and operating securely and as intended. Effective configuration management depends on the maintenance of a complete, accurate inventory of information system components. However, we identified deficiencies in FDIC’s implementation of these controls, placing its information and systems at increased risk of modification, loss, or disclosure. Specifically, see the following:

• Although FDIC used multiple data sources to keep track of its inventory of network assets, it did not have a single, authoritative, complete, and accurate inventory of all network assets in its environment. This occurred because FDIC had not established a process to reasonably assure that a complete, accurate inventory was developed and maintained. Until FDIC develops and implements a process to maintain a complete, accurate inventory of its network assets, its ability to identify potential vulnerabilities in unidentified assets may be limited, posing unnecessary risks to information systems.
• FDIC did not consistently scan its servers for vulnerabilities. FDIC policy states that servers are scanned for vulnerabilities weekly, vulnerability reports are produced monthly, and systems may not go unscanned for more than 2 consecutive months. However, FDIC had not scanned 51 servers in one of its general support systems during the 3-month time period (July, August, and September 2016) that we reviewed. According to FDIC officials, this occurred because FDIC did not have an authoritative or complete inventory of its network assets and also because its legacy scanning and discovery tool failed to identify all servers. Officials also stated that the scanning and discovery tool has been replaced. In addition, the FDIC Office of Inspector General (OIG) has identified similar concerns. In its November 2016 report on the effectiveness of FDIC’s information security program in accordance with the requirements of the Federal Information Security Modernization Act of 2014,⁷ the OIG reported that at the time of its audit, FDIC was not performing vulnerability scans for more than 900 production servers within another of its general support systems.⁸ Without regularly scanning all servers, FDIC cannot reasonably assure that vulnerabilities in its servers are identified and corrected in a timely manner, increasing the risk that FDIC’s systems and information may be compromised.

During 2016, FDIC made progress addressing previously reported control deficiencies related to its information systems. Key corrective actions included improving controls for authorizing users’ access to financial applications and for logging and monitoring financial applications to detect potentially malicious activity. However, other previously reported control deficiencies in FDIC’s information security continued to exist. For example, FDIC (1) had not fully implemented agency-wide configuration baselines and (2) did not always effectively monitor changes to critical server files.⁹

The cumulative effect of the control risks created by FDIC’s new and previously reported information security control deficiencies, while not collectively considered a material weakness, is important enough to merit the attention of those charged with governance of FDIC and therefore represents a significant deficiency in FDIC’s internal control over financial reporting as of December 31, 2016. Continued and consistent management commitment and attention will be essential to addressing existing deficiencies and continually improving FDIC’s information system controls. Until FDIC takes the necessary steps to address these new and previously reported control deficiencies, its sensitive financial information and resources will remain at increased risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

Other Matters

Other Information

FDIC’s other information contains a wide range of information, some of which is not directly related to the financial statements. This information is presented for purposes of additional analysis and is not a required part of the financial statements. We read the other information included with the financial statements in order to identify material inconsistencies, if any, with the audited financial statements. Our audit was conducted for the purpose of forming opinions on the DIF and the FRF financial statements. We did not audit and do not express an opinion or provide any assurance on the other information.

REPORT ON COMPLIANCE WITH LAWS, REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS

In connection with our audits of the financial statements of the DIF and of the FRF, both of which are administered by FDIC, we tested compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements consistent with our auditor’s responsibility discussed below. We caution that noncompliance may occur and not be detected by these tests. We performed our tests of compliance in accordance with U.S. generally accepted government auditing standards.

Management’s Responsibility

FDIC management is responsible for complying with applicable laws, regulations, contracts, and grant agreements.

Auditor’s Responsibility

Our responsibility is to test compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements that have a direct effect on the determination of material amounts and disclosures in the financial statements of the DIF and of the FRF, and perform certain other limited procedures. Accordingly, we did not test FDIC’s compliance with all applicable laws, regulations, contracts, and grant agreements.

Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements

Our tests for compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements disclosed no instances of noncompliance for 2016 that would be reportable, with respect to the DIF and to the FRF, under U.S. generally accepted government auditing standards. However, the objective of our tests was not to provide an opinion on compliance with applicable laws, regulations, contracts, and grant agreements. Accordingly, we do not express such an opinion.

Intended Purpose of Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements

The purpose of this report is solely to describe the scope of our testing of compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements, and the results of that testing, and not to provide an opinion on compliance. This report is an integral part of an audit performed in accordance with U.S. generally accepted government auditing standards in considering compliance. Accordingly, this report on compliance with laws, regulations, contracts, and grant agreements is not suitable for any other purpose.

AGENCY COMMENTS

In commenting on a draft of this report, FDIC stated that it was pleased to receive unmodified opinions on the DIF’s and the FRF’s financial statements, and noted that we reported that FDIC had effective internal control over financial reporting and that there was no reportable noncompliance with tested provisions of applicable laws, regulations, contracts, and grant agreements.

FDIC also noted that we reported deficiencies in FDIC’s information systems controls that collectively represent a significant deficiency. FDIC stated that it will work to improve its internal control environment and will focus additional management attention to address and remediate the identified information system control deficiencies, recognizing the essential role a strong internal control program plays in achieving an agency’s mission. Further, FDIC stated that dedication to sound financial management has been and will remain a top priority. The complete text of FDIC’s response is reprinted in appendix II.

James R. Dalkin
Director
Financial Management and Assurance

February 8, 2017

¹A third fund managed by FDIC, the Orderly Liquidation Fund, established by Section 210(n) of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376, 1506 (July 21, 2010), is unfunded and did not have any transactions from its inception in 2010 through 2016.

²Other information consists of information included with the financial statements, other than the auditor’s report.

³Act of September 21, 1950, Pub. L. No. 797, § 2[17], 64 Stat. 873, 890, classified as amended at 12 U.S.C. § 1827.

⁴31 U.S.C. §§ 9101-9110.

⁵A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

⁶A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance.

⁷Pub. L. No. 113-283, 128 Stat. 3073 (Dec. 18, 2014), codified as amended at 44 U.S.C. §§ 3551-3558.

⁸Federal Deposit Insurance Corporation, Office of Inspector General, Audit of the FDIC’s Information Security Program—2016, AUD-17-001 (Arlington, Va.: November 2016).

⁹GAO, Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements Are Needed, GAO-16-605 (Washington, D.C.: June 29, 2016).