VI. Risk Management and Internal Controls
The FDIC uses several means to maintain comprehensive internal controls, ensure the overall effectiveness and efficiency of operations, and otherwise comply as necessary with the following federal standards, among others:
- Chief Financial Officers’ Act (CFO Act)
- Federal Managers’ Financial Integrity Act (FMFIA)
- Federal Financial Management Improvement Act (FFMIA)
- Government Performance and Results Act (GPRA)
- Federal Information Security Modernization Act of 2014 (FISMA)
- OMB Circular A-123
- GAO’s Standards for Internal Control in the Federal Government
As a foundation for these efforts, the Division of Finance, Risk Management and Internal Controls Branch (RMIC) oversees a corporate-wide program of relevant activities by establishing policies and working with management in each division and office in the FDIC. The FDIC has made a concerted effort to ensure that financial, reputational, and operational risks have been identified and that corresponding control needs are being incorporated into day-to-day operations. The program also requires that comprehensive procedures be documented, employees be thoroughly trained, and supervisors be held accountable for performance and results. Compliance monitoring is carried out through periodic management reviews and by the distribution of various activity reports to all levels of management. Conscientious attention is also paid to the implementation of audit recommendations made by the FDIC Office of Inspector General, the GAO, and other external auditors and reviewers. The FDIC has received unmodified opinions on its financial statement audits for 27 consecutive years, and these and other positive results reflect the effectiveness of the overall management control program.
In 2018, efforts were focused on enhancing FDIC’s Risk Management program (updating the enterprise risk management and internal control directive, drafting the risk appetite statement, updating the risk profile), improving data mining capabilities, identifying performance metrics, mapping key operational areas, exploring opportunities for process improvement, monitoring FDIC’s internal controls over outsourced service providers, continuing efforts with stakeholders on failed bank data, and system security. Considerable energy was devoted to ensuring that the FDIC’s processes and systems of control have kept pace with the workload, and that the foundation of controls throughout the FDIC remained strong.
During 2019, RMIC will focus on the Corporate Enterprise Risk Management Program, Model Risk Management validation, enhancing the internal control program, exploring opportunities for process improvement, monitoring FDIC’s internal controls over outsourced service providers, and system security. Also, continued emphasis and management scrutiny will be applied to the accuracy and integrity of transactions and oversight of systems development efforts in general.
Fraud Reduction and Data Analytics Act of 2015
The Fraud Reduction and Data Analytics Act of 2015 was signed into law on June 30, 2016. The law is intended to improve federal agency financial and administrative controls and procedures to assess and mitigate fraud risks, and to improve federal agencies’ development and use of data analytics for the purpose of identifying, preventing, and responding to fraud, including improper payments.
The FDIC’s enterprise risk management and internal control program considers the potential for fraud and incorporates elements of Principle 8 – Assess Fraud Risk, of the GAO Standards for Internal Control in the Federal Government. The FDIC implemented a Fraud Risk Assessment Framework as a basis for identifying potential financial fraud risks and schemes and for ensuring that preventive and detective controls are present and working as intended. Examples of fraud risk areas are contractor payments, wire transfers, travel card purchases, and theft of cash receipts.
As part of the Framework, potential fraud areas are identified and key controls are evaluated or implemented as proactive fraud-prevention measures. Although no system of internal control provides absolute assurance, the FDIC’s system of internal control can provide reasonable assurance that key controls are adequate and working as intended. Monitoring activities include supervisory approvals, management reports, and exception reporting.
FDIC management performs due diligence in areas of suspected or alleged fraud. At the conclusion of due diligence, the matter is either closed or referred to the Office of Inspector General for investigation.
During 2018, there was no systemic fraud identified within the FDIC.