2005 Annual Report


IV. Financial Statements and Notes - GAO's Audit Opinion




Comptroller General
of the United States

United States Government Accountability Office
Washington, D.C. 20548

To the Board of Directors
The Federal Deposit Insurance Corporation

We have audited the balance sheets as of December 31, 2005 and 2004, for the three funds administered by the Federal Deposit Insurance Corporation (FDIC), the related statements of income and fund balance (accumulated deficit), and the statements of cash flows for the years then ended. In our audits of the Bank Insurance Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF), we found

  • the financial statements of each fund are presented fairly, in all material respects,
    in conformity with U.S. generally accepted accounting principles;
  • although certain internal controls should be improved, FDIC had effective internal
    control over financial reporting and compliance with laws and regulations for each
    fund; and
  • no reportable noncompliance with laws and regulations we tested.

The following sections discuss our conclusions in more detail. They also present information on the scope of our audits and our evaluation of FDIC management's comments on a draft of this report.

Opinion on BIF's Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, BIF's financial position as of December 31, 2005 and 2004, and the results of its operations and its cash flows for the years then ended.

As discussed in note 1 to BIF's financial statements, on February 8, 2006, the President signed into law the Federal Deposit Insurance Reform Act of 2005. Among its provisions, the Act calls for the merger of BIF and SAIF into a single Deposit Insurance Fund no later than the first day of the first calendar quarter that begins after the end of the 90-day period beginning on the date of enactment, which would be July 1, 2006.

Opinion on SAIF's Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, SAIF's financial position as of December 31, 2005 and 2004, and the results of its operations and its cash flows for the years then ended.

As discussed in note 1 to SAIF's financial statements, on February 8, 2006, the President signed into law the Federal Deposit Insurance Reform Act of 2005. Among its provisions, the Act calls for the merger of SAIF and BIF into a single Deposit Insurance Fund no later than the first day of the first calendar quarter that begins after the end of the 90-day period beginning on the date of enactment, which would be July 1, 2006.

Opinion on FRF's Financial Statements
The financial statements, including the accompanying notes, present fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, FRF's financial position as of December 31, 2005 and 2004, and the results of its operations and its cash flows for the years then ended.

Opinion on Internal Control
Although certain internal controls should be improved, FDIC management maintained, in all material respects, effective internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2005, that provided reasonable assurance that misstatements, losses, or noncompliance material in relation to FDIC's financial statements of each fund would be prevented or detected on a timely basis. Our opinion is based on criteria established under 31 U.S.C. 3512 (c), (d) [commonly known as the Federal Managers' Financial Integrity Act (FMFIA)].

Weaknesses that we identified in FDIC's information system controls, which we consider to be a reportable condition, are described in a later section of this report. The reportable condition in information system controls, although not considered material, represents a significant deficiency in the design or operation of internal control that could adversely affect FDIC's ability to meet its internal control objectives. Although the weaknesses did not materially affect the 2005 financial statements of each of the three funds, misstatements may nevertheless occur in other FDIC-reported financial information as a result of the internal control weaknesses.

In addition to the reportable condition concerning information system controls, we noted other less significant matters involving FDIC's internal controls. We will be reporting separately to FDIC management on these matters.

Compliance with Laws and Regulations
Our tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance that would be reportable under U.S. generally accepted government auditing standards. However, the objective of our audits was not to provide an opinion on overall compliance with laws and regulations. Accordingly, we do not express such an opinion.

Objectives, Scope, and Methodology
FDIC management is responsible for (1) preparing the annual financial statements in conformity with U.S. generally accepted accounting principles; (2) establishing, maintaining, and assessing internal control to provide reasonable assurance that the broad control objectives of FMFIA are met; and (3) complying with applicable laws and regulations.

We are responsible for obtaining reasonable assurance about whether (1) the financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, and (2) management maintained effective internal control, the objectives of which are the following:

  • financial reporting–transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and
  • compliance with laws and regulations–transactions are executed in accordance with laws and regulations that could have a direct and material effect on the financial statements.

We are also responsible for testing compliance with selected provisions of laws and regulations that could have a direct and material effect on the financial statements.

In order to fulfill these responsibilities, we

  • examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
  • assessed the accounting principles used and significant estimates made by management;
  • evaluated the overall presentation of the financial statements;
  • obtained an understanding of internal control related to financial reporting (including safeguarding assets) and compliance with laws and regulations;
  • tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of internal control;
  • considered FDIC's process for evaluating and reporting on internal control based on criteria established by FMFIA; and
  • tested compliance with certain laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, and the Chief Financial Officers Act of 1990.

We did not evaluate all internal controls relevant to operating objectives as broadly defined by FMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting and compliance. Because of inherent limitations in internal control, misstatements due to error or fraud, losses, or noncompliance may nevertheless occur and not be detected. We also caution that projecting our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with controls may deteriorate.

We did not test compliance with all laws and regulations applicable to FDIC. We limited our tests of compliance to those laws and regulations that could have a direct and material effect on the financial statements for the year ended December 31, 2005. We caution that noncompliance may occur and not be detected by these tests and that such testing may not be sufficient for other purposes.

We performed our work in accordance with U.S. generally accepted government auditing standards.

Reportable Condition
In connection with our audits of the financial statements of the three funds administered by FDIC, we reviewed FDIC's information system controls. Effective information system controls are essential to safeguarding financial data, protecting computer application programs, providing for the integrity of system software, and ensuring continued computer operations in case of unexpected interruption. These controls include the corporatewide security management program, access controls, system software, application development and change control, segregation of duties, and service continuity controls.

In years prior to our 2004 financial audit, we reported on weaknesses we identified in FDIC's information system controls, which we considered to be a reportable condition. Over a period of years, FDIC made progress in correcting these information system control weaknesses and, in 2004, made substantial progress by correcting most of the weaknesses we had identified in prior years, including taking steps to fully establish a comprehensive information security program. These improvements enabled us to conclude that the remaining issues related to information system controls no longer constituted a reportable condition. However, we noted in our 2004 audit report [1] that FDIC's implementation of a new financial system in 2005 would significantly change its information systems environment and the related information system controls necessary for their effective operation and that, consequently, continued commitment to an effective information security program would be essential to ensure that the corporation's financial and sensitive information would be adequately protected in the new environment.

FDIC implemented its new financial system in May 2005. However, in doing so, FDIC did not ensure that controls were adequate to accommodate its new systems environment. Our audit identified information system control weaknesses, which we consider to be a reportable condition that increased the risk of unauthorized modification and disclosure of critical FDIC financial and sensitive personnel information, disruption of critical operations, and loss of assets.

Specifically, FDIC did not (1) adequately restrict access to critical financial programs and data; (2) ensure incompatible systems-related functions, duties, and capabilities were appropriately segregated; and (3) sufficiently monitor access to system programs and data. Such weaknesses affected FDIC's ability to ensure that users only had the access needed to perform their assigned duties and that its systems were sufficiently protected from unauthorized users.

We determined that other management controls mitigated the effect of the information system control weaknesses on the preparation of the funds' financial statements for 2005. However, it is important going forward that FDIC work to address these weaknesses to ensure its information system controls appropriately safeguard the integrity of its financial and other data. Because of their sensitive nature, the details surrounding these weaknesses will be reported separately to FDIC management, along with recommendations for corrective actions.


FDIC Comments and Our Evaluation
In commenting on a draft of this report, FDIC's Chief Financial Officer (CFO) was pleased to receive unqualified opinions on BIF's, SAIF's, and FRF's 2005 and 2004 financial statements, and to note that there were no material weaknesses identified during the 2005 audits. With respect to our reporting as a reportable condition in 2005 weaknesses in information system controls, FDIC's CFO acknowledged but did not share our assessment regarding the severity of the risks or the magnitude of the vulnerability posed by the issues identified during the audit. The CFO expressed confidence in the sufficiency of the FDIC's information systems environment and related controls based on the corporation's view that it had a deliberate, comprehensive program designed to integrate not only system controls, but procedural, managerial, and audit controls into a balanced and cost-effective control framework. The CFO nonetheless acknowledged that the corporation would work diligently with us over the next audit cycle to both reconcile the two differing viewpoints and, where it feels changes are appropriate, to augment the corporation's program.

We are pleased that FDIC's CFO has pledged his commitment to work with us on these matters during the 2006 audits. However, the issues we identified during our 2005 audits, including (1) lack of adequate restriction of access to critical financial programs and data; (2) inappropriate segregation of incompatible systems-related functions, duties, and capabilities; and (3) lack of an effective process to sufficiently monitor access to systems programs and data, collectively, we believe, create a significant risk that critical financial and sensitive personnel information could be inappropriately disclosed and modified, assets lost, and critical systems operations disrupted. While we acknowledge that certain management controls FDIC had in place were able to mitigate the effect of these weaknesses with respect to preparation of the three funds' 2005 financial statements, the weaknesses nonetheless represent significant vulnerabilities in FDIC's information system controls and thus constitute a reportable condition.

The complete text of FDIC's comments is reprinted in appendix I.

David M. Walker
Comptroller General
of the United States

January 31, 2006



[1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2004 and 2003 Financial Statements, GAO-05-281 (Washington, D.C.: Feb. 11, 2005).




Last Updated 04/13/2006