2016 Annual Report
VI. Corporate Management Control
The FDIC uses several means to maintain comprehensive internal controls, ensure the overall effectiveness and efficiency of operations, and otherwise comply as necessary with the following federal standards, among others:
- Chief Financial Officers’ Act (CFO Act)
- Federal Managers’ Financial Integrity Act (FMFIA)
- Federal Financial Management Improvement Act (FFMIA)
- Government Performance and Results Act (GPRA)
- Federal Information Security Management Act (FISMA)
- OMB Circular A-123
- GAO’s Standards for Internal Control in the Federal Government
As a foundation for these efforts, the Division of Finance Corporate Management Control Branch oversees a corporate-wide program of relevant activities by establishing policies and working with management in each division and office in the FDIC. The FDIC has made a concerted effort to ensure that financial, reputational, and operational risks have been identified and that corresponding control needs are being incorporated into day-to-day operations. The program also requires that comprehensive procedures be documented, employees be thoroughly trained, and supervisors be held accountable for performance and results. Compliance monitoring is carried out through periodic management reviews and by the distribution of various activity reports to all levels of management. Conscientious attention is also paid to the implementation of audit recommendations made by the FDIC Office of Inspector General, the GAO, and other providers of external/audit scrutiny. The FDIC has received unmodified/unqualified opinions on its financial statement audits for 25 consecutive years, and these and other positive results reflect the effectiveness of the overall management control program.
In 2016, efforts were focused on failed bank data; the Identity, Credential and Access Control Program; systems development associated with the Capital Investment Review Committee; the Workforce Development Initiative; and systems security. Considerable energy was devoted to ensuring that the FDIC’s processes and systems of control have kept pace with the workload, and that the foundation of controls throughout the FDIC remained strong.
During 2017, among other things, program evaluation activities will focus on data mining, continuity of operations, process mapping, process improvements, internal controls of outsourced service providers, continuation of efforts on failed bank data, and systems security. Continued emphasis and management scrutiny also will be applied to the accuracy and integrity of transactions and oversight of systems development efforts in general.
FRAUD REDUCTION AND DATA ANALYTICS ACT OF 2015
The Fraud Reduction and Data Analytics Act of 2015 was signed into law on June 30, 2016. The law is intended to improve federal agency financial and administrative controls and procedures to assess and mitigate fraud risks, and to improve federal agencies’ development and use of data analytics for the purpose of identifying, preventing, and responding to fraud, including improper payments.
The FDIC’s enterprise risk management and internal control program considers the potential for fraud and incorporates elements of Principle 8 – Assess Fraud Risk, of the GAO Standards of Internal Control in the Federal Government. The FDIC implemented a Fraud Risk Assessment Framework as a basis for identifying potential financial fraud risks and schemes, ensuring that preventive and detective controls are present and working as intended. Examples of fraud risks are contractor payments, wire transfers, travel card purchases, and theft of cash receipts.
As part of the Framework, potential fraud areas are identified and key controls are evaluated/implemented as proactive measures to fraud prevention. Although no system of internal control provides absolute assurance, the FDIC’s system of internal control can provide reasonable assurance that key controls are adequate and working as intended. Monitoring activities include supervisory approvals, management reports, and exception reporting.
FDIC management performs due diligence in areas of suspected or alleged fraud. At the conclusion of due diligence, the matter is either dropped or referred to the Office of Inspector General for investigation.
During 2016, there has been no systemic fraud identified within the FDIC.
MANAGEMENT REPORT ON FINAL ACTIONS
As required under amended Section 5 of the Inspector General Act of 1978, the FDIC must report information on final action taken by management on certain audit reports. The tables on the following pages provide information on final action taken by management on audit reports for the federal fiscal year period October 1, 2015, through September 30, 2016.
| Audit Reports | Number of Reports | Disallowed Costs |
|
|---|---|---|---|
| A. | Management decisions – final action not taken at beginning of period | 0 | $0 |
| B. | Management decisions made during the period | 1 | $55 |
| C. | Total reports pending final action during the period (A and B) | 1 | $55 |
| D. | 1. Recoveries: | ||
| a. Collection & offsets | 0 | $0 | |
| b. Other | 0 | $0 | |
| 2. Write-offs | 0 | $0 | |
| 3. Total of 1 and 2 | 0 | $0 | |
| E. | Audit reports needing final action at the end of the period | 1 | $55 |
| (There were no audit reports in this category.) |
|---|
| Report No. and Issue Date | OIG Audit Finding | Management Action | Disallowed Costs |
|---|---|---|---|
| AUD-14-002 11/21/2013 |
The Director, Division of Administration (DOA) should coordinate with Division of Information Technology (DIT) and FDIC division and office officials, as appropriate, to address potential gaps that may exist between the 12- hour timeframe required to restore mission essential functions following an emergency and the 72-hour recovery time objective for restoring mission-critical applications. |
The Chief Information Officer Organization will prepare a briefing for the Board by June 16, 2017 on the status of the Continuity of Operations (COOP) effort and a Board Case by end of third quarter 2017 that lays out the approach for meeting the COOP objectives and how it addresses the risk associated with meeting the FEMA Category II requirements. Due Date: 10/11/2017
|
$0 |
| AUD-15-003 03/30/2015 |
The Director, RMS should review and update, as appropriate, supervisory guidance and associated training related to newly insured banks to address the lessons learned and issues described in this report, including the need for: a) thorough and timely (at least quarterly) monitoring of changes and deviations in bank business plans; (b) prompt communication to bank management regarding issues involving the adequacy of business plans; c) clear expectations regarding the timing, type, and documentation of supervisory monitoring activities pertaining to business plan compliance; and d) proactive supervisory action when banks materially deviate from their approved business plans without regulatory approval. |
RMS is finalizing new de novo supervision guidance. The Regional Director memo, which outlines supervisory expectations, including monitoring of business plan changes, is in final processing and expected to be issued by December 31, 2016. Due Date: 3/31/2017 |
$0 |
| AUD-15-007 09/03/2015 |
The Director, RMS, should update guidance for placing an institution on a targeted examination schedule to define dates to be used for purposes of complying with FDI Act examination frequency requirements. |
RMS is presently updating and consolidating its supervisory policies and procedures for large banks. As part of that effort, RMS will provide technical instructions for determining the examination “as of” date for an initial examination activity under the continuous examination program and for recording that information in its inventory systems to document compliance with the examination frequency requirements of Section 10(d) of the FDI Act. RMS will complete this action by March 31, 2017. Due Date: 3/31/2017 |
$0 |
| The Director, RMS, should issue or revise policy guidance to document the requirements and responsibilities of Regional Accountants for developing and communicating a comprehensive analysis and related conclusions for complex and/or unique accounting transactions, or for escalating such analysis to the Washington Office Policy staff, as appropriate. |
RMS recently held a conference call with Regional Accountants to discuss updates to existing guidance. RMS has also reached out to the OCC and FRB for information on those agencies’ handling of complex accounting questions. Additional time will be needed in order for the update to the responsibilities of the Regional Accountant to be consistent with the ongoing Accounting SME Project, which is an integral part of the communication channel for handling complex accounting questions. The timeline for the Accounting SME Project has been tentatively extended through March 31, 2017. Due Date: 3/31/2017 |
$0 | |
| AUD-15-008 09/16/2015 |
The Directors, RMS and DCP, should coordinate to review and clarify, as appropriate, existing policy and guidance pertaining to the provision and termination of banking services to ensure it adequately addresses banking products other than deposit accounts, such as credit products. |
Additional time is required to approve and issue several RMS Regional Director Memorandums, which will include the following topics: delegations of authority, communications with bankers, matters requiring board attention and other supervisory recommendations, large bank operating procedures, processing requests for review (bank appeals), and third-party lending. Due Date: 3/31/2017 |
$0 |
|
The Directors, RMS and DCP, should coordinate to assess the effectiveness of the FDIC’s supervisory policy and approach with respect to the issues and risks discussed in this report after a reasonable period of time is allowed for implementation. |
RMS’ Internal Control and Review section will conduct horizontal and regional office reviews to assess compliance with the FDIC’s actions to address the issues discussed in the report. The FDIC will also continue to report to the Board on deposit account terminations; highlight supervisory guidance in outreach events; and monitor inquiries and comments from the Office of the Ombudsman. Due Date: 6/30/2017 |
$0 | |
|
The Directors, RMS and DCP, should coordinate with the Legal Division to review and clarify, as appropriate, existing supervisory policy and guidance to ensure it adequately defines moral suasion in terms of the types and circumstances under which it is used to address supervisory concerns, whether it is subject to sufficient scrutiny and oversight, and whether meaningful remedies exist should moral suasion be misused. |
Additional time is required to approve and issue several RMS Regional Director Memorandums, which will include the following topics: delegations of authority, communications with bankers, matters requiring board attention and other supervisory recommendations, large bank operating procedures, processing requests for review (bank appeals), and third-party lending. Due Date: 3/31/2017 |
$0 |