2015 Annual Report
VI. Corporate Management Control
The FDIC uses several means to maintain comprehensive internal controls, ensure the overall effectiveness and efficiency of operations, and otherwise comply as necessary with the following federal standards, among others:
- Chief Financial Officers’ Act (CFO Act)
- Federal Managers’ Financial Integrity Act (FMFIA)
- Federal Financial Management Improvement Act (FFMIA)
- Government Performance and Results Act (GPRA)
- Federal Information Security Management Act (FISMA)
- OMB Circular A-123
- GAO’s Standards for Internal Control in the Federal Government
As a foundation for these efforts, the Division of Finance Corporate Management Control Branch oversees a corporate-wide program of relevant activities by establishing policies and working with management in each division and office in the FDIC. The FDIC has made a concerted effort to ensure that financial, reputational, and operational risks have been identified and that corresponding control needs are being incorporated into day-to-day operations. The program also requires that comprehensive procedures be documented, employees be thoroughly trained, and supervisors be held accountable for performance and results. Compliance monitoring is carried out through periodic management reviews and by the distribution of various activity reports to all levels of management. Conscientious attention is also paid to the implementation of audit recommendations made by the FDIC Office of the Inspector General, the GAO, and other providers of external/audit scrutiny. The FDIC has received unmodified/unqualified opinions on its financial statement audits for 24 consecutive years, and these and other positive results reflect the effectiveness of the overall management control program.
In 2015, efforts were focused on human resources, process mapping, continuation of activities associated with the Dodd-Frank Act, and contract oversight. Considerable energy was devoted to ensuring that the FDIC’s processes and systems of control have kept pace with the workload, and that the foundation of controls throughout the FDIC remained strong.
During 2016, among other things, program evaluation activities will focus on failed bank data; the Identity, Credential and Access Control Program; systems development associated with the Capital Investment Review Committee; the Workforce Development Initiative; and systems security. Continued emphasis and management scrutiny also will be applied to the accuracy and integrity of transactions and oversight of systems development efforts in general.
MANAGEMENT REPORT ON FINAL ACTIONS
As required under amended Section 5 of the Inspector General Act of 1978, the FDIC must report information on final action taken by management on certain audit reports. The tables on the following pages provide information on final action taken by management on audit reports for the federal fiscal year period October 1, 2014, through September 30, 2015.
(There were no audit reports in this category.)

| Audit Reports | Number of Reports | Funds put to better use |
|---|---|---|
| A. Management decisions – final action not taken at beginning of period | 0 | $0 |
| B. Management decisions made during the period | 1 | $4,586 |
| C. Total reports pending final action during the period (A and B) | 1 | $4,586 |
| D. Final action taken during the period: | | |
| 1. Value of recommendations implemented (completed) | 0 | $0 |
| 2. Value of recommendations that management concluded should not or could not be implemented or completed | | |
| 3. Total of 1 and 2 | 0 | $0 |
| E. Audit reports needing final action at the end of the period | 1 | $4,586 |
| Report No. and Issue Date | OIG Audit Finding | Management Action | Disallowed Costs |
|---|---|---|---|
| | The Director, Division of Administration (DOA), should coordinate with the Division of Information Technology (DIT) and FDIC division and office officials, as appropriate, to address potential gaps that may exist between the 12-hour time frame required to restore mission essential functions following an emergency and the 72-hour recovery time objective for restoring mission-critical applications. | In addition to other steps that it has already taken, DOA, in partnership with the Office of Corporate Risk Management and DIT, has convened a working group to advance a risk management framework that will enhance the FDIC’s business continuity plans. The framework will define a method for addressing potential gaps that may exist between the 12-hour requirement to restore mission essential functions and the 72-hour recovery time objective for restoring mission-critical applications. A set of options and recommendations will be presented to executive management to either accept identified risks or authorize resources to close identified gaps. Due Date: 12/31/2016 | |
| | The FDIC, FRB, and OCC should consider the need to (1) increase their level of written enforcement action coordination to meet the requirements of Federal Register policy statement 62 Fed. Reg. 7782, or (2) revise the policy statement to reflect the regulators’ current level of coordination. | The Legal Division and the Division of Risk Management Supervision will revise the memo and devise a new policy statement. Due Date: 4/30/2016 | |