Federal Deposit Insurance Corporation
Office of Inspector General
Federal Deposit Insurance Corporation - Office of Inspector General

Peer Review: System Review Report on the Federal Deposit Insurance Corporation Office of Inspector General Audit Organization and Corresponding Letter of Comment

This is the accessible text file for 2013 FDIC System Review Report prepared by the United States Department of State and the Broadcasting Board of Governors, Office of Inspector General

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possbile. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

UNCLASSIFIED

The Honorable Jon T. Rymer Inspector General Federal Deposit Insurance Corporation 3501 N. Fairfax Dr., Room 9070 Arlington, VA 22226

Dear Mr. Rymer: Please find enclosed the final System Review Report for the audit organization of the Federal Deposit Insurance Corporation, Office of Inspector General. The review was conducted in accordance with Government Auditing Standards and Council of the Inspectors General on Integrity and Efficiency guidelines. Your response to the draft report has been incorporated into the report in its entirety as Enclosure 2.

We thank you and your staff for your assistance and cooperation during the conduct of the review.

Sincerely, /Signed/ Harold W. Geisel Acting Inspector General

Enclosures: As stated.

United States Department of State and the Broadcasting Board of Governors Office of Inspector General

SEP 17 2013

System Review Report

UNCLASSIFIED

The Honorable Jon T. Rymer Inspector General

Federal Deposit Insurance Corporation 3501 N. Fairfax Drive, Room 9070 Arlington, VA 22226 Dear Mr. Rymer,

We have reviewed the system of quality control for the audit organization of the Federal Deposit Insurance Corporation, Office of Inspector General (FDIC/OIG), in effect during the period April 1, 2011, through March 31, 2013 . A system of quality control encompasses the FDIC/OIG's organizational structure and the policies adopted and procedures established to provide it with reasonable assurance of conformity with Government Auditing Standards (GAS). The elements of quality control are described in GAS. The FDIC/OIG is responsible for designing a system of quality control and complying with it to provide the FDIC/OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. Our responsibility is to express an opinion on the design of the system of quality control and the FDIC/OIG's compliance therewith based on our review.

Our review was conducted in accordance with GAS and guidelines established by the Council of the Inspectors General on Integrity and Efficiency (CIGIE). During our review, we interviewed the FDIC/OIG personnel and obtained an understanding of the nature of the FDIC/OIG audit organization and the design of the FDIC/OIG's system of quality control sufficient to assess the risks implicit in its audit function. Based on our assessments, we selected engagements and administrative files to test for conformity with professional standards and compliance with the FDIC/OIG's system of quality control. The engagements selected represented a reasonable cross-section of the FDIC/OIG's audit organization, with emphasis on higher-risk engagements. Prior to concluding the review, we reassessed the adequacy of the scope of the peer review procedures and met with the FDIC/OIG management to discuss the results of our review. We believe that the procedures we performed provide a reasonable basis for our opinion.

In performing our review, we obtained an understanding of the system of quality control for the FDIC/OIG's audit organization. In addition, we tested compliance with the FDIC/OTG's quality control policies and procedures to the extent we considered appropriate. These tests covered the application of the FDTC/OIG's policies and procedures on selected engagements. Our review was based on selected tests; therefore, it would not necessarily detect all weaknesses in the system of quality control or all instances of noncompliance with it.

There are inherent limitations in the effectiveness of any system of quality control. Therefore, noncompliance with the system of quality control may occur and not be detected. Projection of any evaluation of a system of quality control to future periods is subject to the risk that the system of quality control may become inadequate because of changes in conditions or because the degree of compliance with the policies or procedures may deteriorate. Enclosure 1 to this report identifies the offices of the FDIC/OIG that we visited and the engagements that we reviewed.

In our opinion, the system of quality control for the audit organization of the FDIC/OIG in effect during the period April 1, 2011 , through March 31, 2013, has been suitably designed and complied with to provide the FDIC/OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. Federal audit organizations can receive a rating of pass, pass with deficiencies, or fail. The FDIC/OIG has received a peer review rating of pass. As is customary, we have issued a letter dated September 17, 2013, that sets forth findings that were not considered to be of sufficient significance to affect our opinion expressed in this report.

In addition to reviewing its system of quality control to ensure adherence with GAS, we applied certain limited procedures in accordance with guidance established by the CIGIE related to the FDIC/OJG's monitoring of engagements performed by Independent Public Accountants (IPA) under contract where the IPA served as the principal auditor. It should be noted that monitoring of engagements performed by IPAs is not an audit and therefore is not subject to the requirements of GAS. The purpose of our limited procedures was to determine whether the FDIC/OIG had controls to ensure IPAs performed contracted work in accordance with professional standards. However, our objective was not to express an opinion, and accordingly, we do not express an opinion on the FDIC/OIG's monitoring of work performed by IPAs. We made certain comments related to FDIC/OIG's monitoring of engagements performed by IPAs that are included in the above referenced letter dated September 17, 2013.

The review team appreciates the courtesy and cooperation provided by your staff during this review.

Sincerely,

/Signed/ Harold W. Geisel Acting Inspector General

Enclosures

Enclosure 1

Scope and Methodology

We tested compliance with the system of quality control for the audit organization of the Federal Deposit Insurance Corporation, Office of Inspector General (FDIC/OIG), to the extent we considered appropriate. These tests included a review of six of 34 audit reports issued during the period April 1, 2011, through March 31, 2013. The six audit reports we reviewed are listed in Table 1. We also reviewed an FDIC/OIG internal quality control review, Quality Control Review of GAGAS Assignments – 2012 (QCR-13-002, May 8, 2013).

In addition, we reviewed the FDIC/OIG’s monitoring of engagements performed by IPAs where the IPA served as the principal auditor during the period April 1, 2012, through March 31, 2013. We selected two audit reports from the population of 34 audit reports noted above. These reports are listed in Table 2.

We did not review FDIC/OIG’s audit of 2012 financial statements because the Government Accountability Office (GAO) performed the annual financial statement audits.

We conducted our review at FDIC/OIG headquarters in Arlington, VA, and also interviewed FDIC/OIG personnel located in Dallas, TX.

Table 1. Reviewed Engagements Performed by FDIC/OIG

Row 1 Report Number: AUD-12-001 Report Date: 10/25/2011 Report Title: The FDIC’s Shared-Loss Agreement with Banco Popular de Puerto Rico, San Juan, Puerto Rico

Row 2 Report Number: EVAL-12-003 Report Date: 03/23/2012 Report Title: The National Owned Real Estate Management and Marketing Services Contract with CB Richard Ellis, Inc.

Row 3 Report Number: AUD-12-011 Report Date: 08/31/2012 Report Title: The FDIC’s Examination Process for Small Community Banks

Row 4 Report Number: AUD-13-001 Report Date: 10/05/2012 Report Title: DRR’s Controls for Managing, Marketing, and Disposing of Owned Real Estate Assets

Row 5 Report Number: AUD-13-003 Report Date: 11/05/2012 Report Title: Independent Evaluation of the FDIC’s Information Security Program – 2012

Row 6 Report Number: AUD-13-004 Report Date: 02/04/2013 Report Title: The FDIC’s Data Submissions through the Governmentwide Financial Report System as of September 30, 2012

[End of Table 1]

Table 2. Reviewed Monitoring Files of FDIC/OIG for Contracted Engagements

Row 1 Report Number: AUD-12-009 Report Date: 04/05/2012 Report Title: Corus Construction Venture, LLC Structured Asset Sale

Row 2 Report Number: AUD-12-014 Report Date: 09/13/2012 Report Title: Material Loss Review of Tennessee Commerce Bank, Franklin, Tennessee

[End of Table 2]

[End of Enclosure 1]

Enclosure 2

[FDIC letterhead, FDIC logo, Federal Deposit Insurance Corporation, Office of Inspector General 3501 Fairfax Drive, Arlington, VA 22226-3500

September 9, 2013 The Honorable Harold W. Geisel Deputy Inspector General U.S. Department of State and the Broadcasting Board of Governors 1700 N. Moore Street Arlington, VA 22209

Dear Mr. Geisel: Thank you for the opportunity to comment on the draft System Review Report and Letter of Comment prepared by your office concerning the Office of Audits' system of quality control. We value the peer review process and view it as an important facet of an audit organization's quality control efforts. We are pleased that your independent review of the Office of Audits' operations resulted in a pass opinion and concluded that the system of quality control in effect during the period April 1, 2011 through March 31, 2013 was suitably designed and complied with to provide reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects.

The Letter of Comment contains recommendations that, while not affecting the overall opinion expressed, are designed to strengthen the Office of Audits' system of quality control. We generally concur with the recommendations and are taking corrective actions to address them. Those actions and proposed completion dates are described in detail in the enclosure. If you have any questions, please call me at (703) 562-2166 or Stephen M. Beard, Deputy Inspector General for Audits and Evaluations at (703) 562-6352.

Sincerely /Signed/ Jon T. Rymer Inspector General

Enclosure

cc: Norman P. Brown, Acting Assistant Inspector General for Audits, DOS Stephen M. Beard, Deputy Inspector General for Audits and Evaluations, FDIC Mark F. Mulholland, Assistant Inspector General for Audits, FDIC E. Marshall Gentry, Assistant Inspector General for Evaluations, FDIC

Enclosure

Response to Letter of Comment Findings and Recommendations

The Office of Audits has been working to update its policies and procedures. Although the development of formal policies and procedures and training will require several months to complete as indicated in the proposed corrective action milestones, the Office of Audits has already taken steps to implement the corrective actions for ongoing and new audits. Those steps include briefing Office of Audits staff on the peer review findings and emphasizing the areas requiring improvement during the appropriate aspects of the assigrunent management process. The planned conective actions and proposed completion dates for the recommendations follow.

Finding 1. Audit Evidence Documentation

Recommendation 1: Take steps, such as staff training and/or clarification of policies and procedures, to emphasize the importance that audit documentation is sufficiently detailed to reflect the audit procedures performed, the audit evidence obtained, and the conclusions reached.

FDIC OIG Response: We generally concur with the recommendation and agree that we could have more clearly documented the results of work performed for those instances cited in the Letter of Comment. To enhance our existing procedures, we will take the following steps: (1) complete ongoing efforts to update to our policies and procedures manual, which will clarify expectations for documenting the work performed and evidence obtained, (2) update our existing Team Mate template to reflect changes in our policies and procedures, and (3) train staff on the updated policies and procedures manual and TeamMatc template. We will complete these steps by February 28, 2014.

Finding 2. Objective, Scope, and Methodology

Recommendation 2: Take steps to strengthen the review of the audit report objective, scope, and methodology sections to ensure that all required reporting elements are appropriately described and that the report is in compliance with the Policies and Procedures Manual (PPM) and Government Auditing Standards requirements.

FDIC OIG Response: We generally concur with the recommendation and acknowledge that we could have more fully described the relationship between the population and the items tested in the two reports referenced in the Letter of Comment. To strengthen the review process, we have instituted a new practice that will be formally integrated into our updated policies and procedures. As stated in the Letter of Conunent, for ongoing assignments, we are requiring teams to provide a draft of the Objective, Scope, and Methodology section of the report with the Message Design Package to focus attention on how that section will be presented in the report. We will issue our updated policies and procedures and complete any associated training by February 28, 2014.

Finding 3. Independence

Recommendation 3: Review the PPM to determine whether the Inspector General and Principal Deputy Inspector General should be required to prepare the Representation of Independence for each audit assignment and revise the PPM, as necessary.

FDIC OIG Response: We generally concur with the recommendation. In reviewing our PPM, we have determined that the Inspector General and Principal Deputy Inspector General should continue to prepare the Representation oflndependence for each audit assignment. Currently, the DIGAE and/or AIG will follow up with the Inspector General or Principal Deputy Inspector General during monthly status meetings to obtain verbal representations. We plan to update our procedures to provide flexibility in how these representations are obtained. Fu11her, as discussed in response to recommendation 4, we will add a step in the TeamMate template that is specifically directed at documenting their independence representations. We will issue our updated policies and procedures and complete any associated training by February 28, 2014.

Recommendation 4: Add a step in the TeamMate library that requires the audit manager or auditor-in-charge to certify that all required Representation oflndependence forms have been completed and documented in TeamMate before the assignment is closed.

FDIC OIG Response: We generally concur with the recommendation and are updating our existing Team Mate template to include steps for obtaining and documenting Representations of Independence from all staff contributing to the assignment, including the Inspector General, Principal Deputy Inspector General, and independent referencer. Audit managers will be responsible for ensuring that these steps are completed before the draft report is issued. Although we have taken steps to re-emphasize our existing requirements over time, we believe the addition of the steps in TeamMate will strengthen compliance with our procedures. We will implement the updated Tean1Mate template and provide appropriate training for staff by February 28, 2014.

Finding 4. Referencing Process

Recommendation 5: Require auditors to index and reference all changes to draft reports prior to issuance and issue a directive (or policy reminder) that all factual changes to repo11s made after they have been referenced should be re-referenced to ensure accuracy and enhance the integrity of the report.

FDIC OIG Response: We generally concur with the intent of the recommendation and plan to update our referencing procedures to clarify expectations related to indexing the draft report, including the need to index and reference the executive summary. With respect to changes to draft reports, we respectfully disagree that all changes need to be indexed and referenced. Instead, we will expand and more clearly define the types of changes (i.e., new statements of fact, including dates and legal citations) made to the draft report (and executive summary) that arc required to be indexed and referenced before the report is issued in final. We will issue om updated policies and procedures and complete any associated training by February 28, 2014.

Finding 5. Review of Independent Public Accountant Work Papers

Recommendation 6: Develop comprehensive review and verification procedures, such as Government Auditing Standards (GAS) checklists or incorporating GAS requirements into its standard audit program, for its Independent Public Accow1tant (IPA) audits to ensure compliance with professional standards and PPM requirements.

FDIC OIG Response: We generally concur with the intent of the recommendation, but believe that our current process is adequately designed to allow us to appropriately monitor whether an IPA adheres to the contract and by extension GAS and PPM requirements. As discussed, we evaluate whether the contractor adheres to GAS general standards primarily through the contracting process. Specifically, we review the TPA's qualifications and independence, and gain an understanding of the firm's system of quality control, taking into consideration their latest peer review report. Our contracts also include requirements that the firms perform their work in accordance with GAS. To that end, we establish deliverables that mirror our internal assignment management process, which provides a structured framework for managing and controlling assigrunents consistent with GAS field work and reporting requirements. In the case of the audit referenced in the Letter of Comment, the OIG technical monitor followed the process as described above. Nevertheless, we plan to enhance our existing procedures by addressing how a team should approach and document the review of the IP A's audit documentation, which is one of the contract deliverables. We expect these steps will better document the extent of oversight we currently provide to IP As to ensure that standards and PPM requirements are being met. We will issue our updated policies and procedures and complete associated training by February 28, 2014.

United States Department of State and the Broadcasting Board of Governors Office of Inspector General

SEP 17 2013

UNCLASSIFIED

The Honorable Jon T. Rymer Inspector General Federal Deposit Insurance Corporation 3501 N. Fairfax Drive, Room 9070 Arlington, VA 22226

Dear Mr. Rymer,

We have reviewed the system of quality control for the audit organization of the Federal Deposit Insurance Corporation, Office of Inspector General (FDIC/OIG), in effect during the period April 1, 2011, through March 31, 2013, and have issued our report thereon dated September 17, 2013, in which the FDIC/OIG received a rating of pass. That report should be read in conjunction with the comments in this letter, which were considered in determining our opinion. The findings described below were not considered to be of sufficient significance to affect the opinion expressed in that report.

Field Work Standards

Finding 1. Audit Evidence Documentation

FDIC/OIG's policies and procedures, as outlined in the FDIC/OIG Policies and Procedures Manual (PPM), incorporate elements of Government Auditing Standards (GAS), which states that auditors should prepare audit documentation in sufficient detail to enable an experienced auditor having no previous connection to the audit work to understand from the documentation the nature, timing, and results of procedures performed, the audit evidence obtained and its source and conclusions reached, including evidence that supports auditors' significant judgments and conclusions. The PPM also stated that auditors should plan, conduct, and report on assignments using the TeamMate Audit Management System, unless a waiver is granted by the Assistant Inspector General for Audits. We reviewed six performance audit reports to determine whether they were supported by sufficient evidence. For two of the six audit reports reviewed, we noted the following concerns:

• In one audit report, we identified a change from the draft audit report to the final audit report that was not supported by the work papers. For example, the indexed draft audit report included "unsupported claims totaling $24.1 million." The final audit report included "questioned claims totaling $20.8 million." The Auditor-in-Charge stated that the Assistant Inspector General for Evaluations, in consultation with the Deputy Inspector General for Audits and Evaluations, decided not to include $3.3 million in projected unsupported claims in the final report. However, the auditors did not prepare a work paper supporting the change.

• In the second audit report, we noted that information supporting the audit report was not always documented in the official system of record, TeamMate. Specifically, we were unable to find support in the work papers for the following statement made in the report: “None of the Accounting Officers we interviewed who were responsible for 25 sampled active owned real estate assets had been informed by DRR [Division of Resolutions and Receiverships] management that the contractor billing reports were available on the DRR Accounting SharePoint Site.” This occurred because the auditor did not document the audit evidence in TeamMate and did not indicate that the supporting work papers were maintained outside of TeamMate, as required by the PPM. The auditor who created the work paper was able to locate and provide the supporting work paper; however, had the auditor not been available, the work paper may not have been located.

Completing required work paper elements is important because they explain the results of testing to the extent that an experienced auditor understands the nature, timing, and results of audit procedures performed. Moreover, failure to clearly document audit evidence in the official system of record could create confusion and misunderstandings during report preparation and the quality assurance process and undermine the integrity of audit reports.

FDIC/OIG officials informed us that they have initiated an effort to update their TeamMate standard performance audit template. FDIC/OIG officials plan to have their Planning and Operations Group assist teams with the development of audit programs to ensure steps in TeamMate are logically organized to better capture results, to include all necessary supporting work papers, and to clearly indicate that teams have obtained sufficient and appropriate audit evidence.

Recommendation 1. The Federal Deposit Insurance Corporation Office of Inspector General’s Deputy Inspector General for Audits and Evaluations should take steps, such as staff training and/or clarification of policies and procedures, to emphasize the importance that audit documentation is sufficiently detailed to reflect the audit procedures performed, the audit evidence obtained, and the conclusions reached.

Management Response: FDIC/OIG concurred with the recommendation, stating that it would take steps to update the policies and procedures manual to clarify “expectations for documenting the work performed and evidence obtained,” to “update [the] existing TeamMate template to reflect changes in [the] policies and procedures,” and to “train staff on the updated policies and procures manual and TeamMate template” by February 28, 2014.

OIG Reply: OIG accepted the FDIC/OIG proposed action as meeting the intent of the recommendation.

Reporting Standards

Finding 2. Objective, Scope, and Methodology

The FDIC/OIG PPM incorporates reporting requirements noted in GAS 2011, paragraphs 7.12 and 7.13. In two of the six performance audit reports reviewed, we noted that auditors performed judgmental sampling as part of their audit testing. However, the audit reports did not contain certain elements of the sampling methodology or include all geographic locations in compliance with reporting standards. Specifically, the audit reports did not state the relationship between the population and the sample size or satisfactorily describe the sample design and why the design was chosen. One of the Auditors-in-Charge stated that these are not part of FDIC/OIG’s normal procedures when utilizing judgmental sampling techniques.

In addition, in one performance audit report, we noted inconsistencies between fieldwork testing documented in the work papers and what was presented in the audit report. For instance, the report stated that the audit team performed audit work at FDIC’s offices in Arlington, VA, and in Dallas, TX; however, audit work papers showed that work was also performed in Georgia and Arizona. The Auditor-in-Charge stated that Georgia and Arizona were not included in the audit report because the amount of work was not considered material. At the time of the audit, the team thought that it may be misleading to indicate that significant work was performed at these sites. However, report users may not be able to assess and/or fully understand the scope of audit procedures unless they are presented with all appropriate information, such as sample size to the population and rationale for the sampling technique.

FDIC/OIG officials informed us that this was an oversight and the audit report should have included all geographic locations and described the extent of work performed. FDIC/OIG officials also informed us that they could have more fully described the relationship between the population and the items tested in the two reports and are now requiring teams prepare the objective, scope, and methodology as part of their message design process. The issuance of updated procedures will provide for a review of the objective, scope, and methodology by the Planning and Operations Group to ensure that reporting standards are met.

Recommendation 2. The Federal Deposit Insurance Corporation Office of Inspector General’s Deputy Inspector General for Audits and Evaluations should take steps to strengthen review of the audit report objective, scope, and methodology sections to ensure that all required reporting elements are appropriately described and that the report is in compliance with the Policies and Procedures Manual and Government Auditing Standards requirements.

Management Response: FDIC/OIG concurred with the recommendation, stating that it would update policies and procedures to strengthen the review process and provide training on the updated policies and procedures by February 28, 2014.

FDIC/OIG further stated that teams working on ongoing assignments are now required to “provide a draft of the Objective, Scope, and Methodology section of the report . . . to focus attention on how that section will be presented in the report.”

OIG Reply: OIG accepted the FDIC/OIG proposed action as meeting the intent of the recommendation.

Quality Control Policies and Procedures

Finding 3. Independence

The FDIC/OIG’s “Updated Guidelines for Implementing Independence Requirements in the Government Auditing Standards 2011 Revision,” dated September 2012, states that before beginning an assignment, each staff member contributing to an assignment including the Inspector General, Principal Deputy Inspector General, and independent referencer will complete a Representation of Independence form to help identify threats to independence and document compliance with GAS in TeamMate.

In four of the six performance audits reviewed, we identified 10 instances of noncompliance from the population of 101 auditors (9.9 percent) who were assigned to these engagements. In seven of the 10 instances, the Representation of Independence form was not prepared and documented in TeamMate. For the remaining three instances, the form was prepared but not documented in TeamMate. This occurred because the FDIC/OIG’s quality control procedures related to independence were not fully implemented to ensure that all assigned auditors, independent referencers, and executive staff, such as the Inspector General and Principal Deputy Inspector General, had prepared and documented the independence statements in TeamMate prior to completion of the audit. In addition, the audit teams had difficulty obtaining independence statements from the executive staff.

If staff independence is not formally documented, there is a risk that the appearance of independence could be questioned thereby impacting the integrity of the audit. This was also an issue identified and documented in the letter of comments of the previous peer review conducted by the Railroad Retirement Board OIG in 2010. The recommendation was for the FDIC/OIG to re-emphasize existing requirements related to independence representation statements to its staff.

FDIC/OIG officials informed us that they have initiated an effort to update their TeamMate standard performance audit template. This will include specific steps for obtaining independence statements from OIG executives, staff, and the referencer and for assessing the independence of specialists. The steps must be completed and reviewed before the assignment is closed. They stated that these added steps will help ensure that independence statements are obtained and appropriately documented.

Recommendation 3. The Federal Deposit Insurance Corporation Office of Inspector General’s Deputy Inspector General for Audits and Evaluations should review the Policies and Procedures Manual (PPM) to determine whether the Inspector General and Principal Deputy Inspector General should be required to prepare the Representation of Independence for each audit assignment and revise the PPM, as necessary.

Management Response: FDIC/OIG concurred with the recommendation, stating that it had reviewed the current procedures and had determined that the Inspector General and Principal Deputy Inspector General “should continue to prepare the Representation of Independence for each audit assignment. However, FDIC/OIG further stated that it would “update [the] procedures to provide flexibility in how [Representations of Independence] are obtained” and provide related training by February 28, 2014.

OIG Reply: OIG accepted the FDIC/OIG proposed action as meeting the intent of the recommendation.

Recommendation 4. The Federal Deposit Insurance Corporation Office of Inspector General’s Deputy Inspector General for Audits and Evaluations should add a step in the TeamMate library that requires the audit manager or auditor-incharge to certify that all required Representation of Independence forms have been completed and documented in TeamMate before the assignment is closed.

Management Response: FDIC/OIG concurred with the recommendation, stating that it would update the “existing TeamMate template to include steps for obtaining and documenting Representations of Independence from all staff contributing to the assignment” and that it would provide related training for staff by February 28, 2014. FDIC/OIG further stated that audit managers would “be responsible for ensuring that these steps are completed before the draft report is issued.”

OIG Reply: OIG accepted the FDIC/OIG proposed action as meeting the intent of the recommendation.

Finding 4. Referencing Process

Regarding executive summaries, we noted that the FDIC/OIG’s annual summary of internal quality assurance reviews1 included a recommendation to reiterate the requirements for indexing and referencing the executive summary of the report to the Office of Audits and Evaluations staff. This recommendation was accepted by FDIC/OIG management and was implemented as of February 2012. However, the audit managers stated that the executive summary was not indexed and referenced because the information was taken directly from the report content that had previously been indexed and referenced, so it was unnecessary to repeat this step again.

Footnote 1: FDIC/OIG’s memorandum entitled, Annual Quality Monitoring Analysis and Summary of the OIG Audit Organization for 2012, dated Jan. 31, 2013.

As noted in Finding 1. Audit Evidence Documentation, a change was made to the final report after the draft report was referenced. The referenced draft audit report included “unsupported claims totaling $24.1 million.” The final audit report included “questioned claims totaling $20.8 million.” The Auditor-in-Charge stated that the Assistant Inspector General for Evaluations, in consultation with the Deputy Inspector General for Audits and Evaluations, decided not to include $3.3 million in projected unsupported claims in the final report and thus the total amount of unsupported claims changed between the draft and final report. We believe that this could have been avoided if changes included in the final report were indexed and referenced prior to the issuance.

We also noted that another report contained a numerical discrepancy that should have been detected during the referencing process. One paragraph in the report objective, scope, and methodology section stated 10 properties were sampled for physical inspection and two paragraphs later it stated that 12 properties were sampled for physical inspection. Both numbers were indexed to a work paper and were verified by the independent referencer. The Auditor-in-Charge stated that the correct number of properties inspected was 10. This occurred because the sentence with the discrepancy was added at the “last minute” during the development of the draft report. While we determined that these discrepancies did not adversely impact the audit reports, these examples show how other potential discrepancies could go undetected. Audit reports containing significant discrepancies have an adverse effect on the integrity of the report.

FDIC/OIG officials informed us that the issuance of updated policies and procedures will reiterate the expectation that audit staff should index and reference executive summaries.

Recommendation 5. The Federal Deposit Insurance Corporation Office of Inspector General’s Deputy Inspector General for Audits and Evaluations should require auditors to index and reference all changes to draft reports prior to issuance and issue a directive (or policy reminder) that all factual changes to reports made after they have been referenced should be re-referenced to ensure accuracy and enhance the integrity of the audit report.

Management Response: FDIC/OIG concurred with the intent of the recommendation, stating that it planned to update procedures “to clarify expectations related to indexing the draft report, including the need to index and reference the executive summary” and to provide related training by February 28, 2014. However, FDIC/OIG further stated that it did not agree that “all changes need to be indexed and referenced” and that it would instead “expand and more clearly define the types of changes . . . made to the draft report (and executive summary) that are required to be indexed and referenced before the report is issued in final.”

OIG Reply: OIG accepted the FDIC/OIG proposed action as meeting the intent of the recommendation.

Independent Public Accountant Monitoring

Finding 5. Review of Independent Public Accountant Work Papers

In addition to reviewing its system of quality control to ensure adherence with GAS, we applied certain limited procedures in accordance with guidance established by CIGIE that related to FDIC/OIG’s monitoring of audit work performed by contracted IPA firms.

The PPM requires FDIC/OIG technical monitors ensure contractor adherence to GAS and inspect and review deliverables to ensure that they meet quality and professional standards. In one of two FDIC/OIG technical monitoring files for audit work performed by contracted IPA firms, we noted no evidence of FDIC/OIG technical monitor review for GAS compliance in the IPA work papers that were retained in TeamMate. Also, an inspection of IPA work papers in the TeamMate file showed no FDIC/OIG review notes or comments indicating review for compliance with FDIC OIG PPM requirements. For example, we identified only two summary work papers in the work paper file noting FDIC/OIG technical monitor review and acceptance of the IPA work papers.

The FDIC/OIG is responsible for all reports issued, to include IPA reports, and failure to document compliance with GAS and inspect IPA work papers could let quality control and noncompliance issues go undetected.

FDIC/OIG officials informed us that TeamMate template was essentially their checklist to ensure that deliverables, which tie to GAS requirements, are properly inspected and reviewed. However, they agreed that they can enhance how they document their review of IPA firms and are taking steps to ensure those teams who are currently working with IPAs develop and document and oversight strategy, including how they plan to review IPA’s work papers.

Recommendation 6. The Federal Deposit Insurance Corporation Office of Inspector General’s Deputy Inspector General for Audits and Evaluations should develop comprehensive review and verification procedures, such as Government Auditing Standards (GAS) checklists or incorporating GAS requirements into its standard audit program, for its Independent Public Accountant audits to ensure compliance with professional standards and Policies and Procedures Manual requirements.

Management Response: FDIC/OIG concurred with the intent of the recommendation, stating that it would enhance existing procedures to address "how a team should approach and document the review of the IPA's audit documentation" to "better document the extent of oversight" currently provided" and that it would provide related training by February 28, 2014. However, FDIC/OIG further stated that it believes its "current process is adequately designed to allow" monitoring of IPAs compliance with contracts and GAS and PPM requirements.

OIG Reply: OIG accepted the FDIC/OIG proposed action as meeting the intent of the recommendation.

Sincerely,

/Signed/ Harold W. Geisel Acting Inspector General

Print Print
Close