As I have shared with many over the past several months, I view our office as an integral component of the FDIC. While we are independent by statute, we are part of the FDIC team, and our job is to help the Corporation achieve its challenging mission of ensuring stability and public confidence in the nation's banking system. A recent report by the National Academy of Public Administration entitled, Moving from Scorekeeper to Strategic Partner, aptly describes the role that the Office of Inspector General (OIG) can play in the federal government. Among the report's recommendations was the following:
Our 2007 plan serves as a blueprint for the audits, evaluations, investigations, and other projects in the OIG for fiscal year 2007. It also reflects our commitment to sustaining quality and increasing the efficiency of our office. To remain responsive to ever-changing priorities and emerging issues, we will keep close track of our planned work and make adjustments, as needed, to maximize the value that we add.
I am honored at the opportunity to lead the OIG and pleased to share our fiscal year 2007 plan with our stakeholders. I thank everyone for their support during my first months on the job and welcome feedback on our efforts throughout the coming year.
[Electronically produced version; original signed by Jon T. Rymer]
Mission and Vision
The FDIC OIG is an independent and objective unit established under the Inspector General Act of 1978, as amended (IG Act). The OIG's mission is to promote the economy, efficiency, and effectiveness of FDIC programs and operations, and protect against fraud, waste, and abuse to assist and augment the FDIC's contribution to stability and public confidence in the nation's financial system. In carrying out its mission, the OIG conducts audits, evaluations, and investigations; reviews existing and proposed legislation and regulations; and keeps the FDIC Chairman and the Congress currently and fully informed of problems and deficiencies relating to FDIC programs and operations.
In addition to the IG Act, the OIG also has statutory responsibilities to evaluate the FDIC's information security program and practices under the provisions of the Federal Information Security Management Act of 2002, to evaluate privacy and data protection matters under Section 522 of the Consolidated Appropriations Act of 2005, and to perform material loss reviews of failed FDIC-supervised depository institutions under the provisions of the Federal Deposit Insurance Corporation Improvement Act of 1991.
Our vision is to be a quality-focused FDIC team that promotes excellence and trust in service to the Corporation and the public interest.
Strategic Goals and Performance Measures
The OIG has reviewed the FDIC operating environment looking at both long-term and short-term issues facing the Corporation. As part of the FDIC's annual reporting process, we develop "Management and Performance Challenges" reflecting significant issues that the Corporation faces in carrying out its mission. We also have met with congressional staff and monitored the issues facing the Congress in its hearings and reports, including those developed by the Government Accountability Office (GAO) in its report on "21st Century Challenges." The OIG has hosted conferences on "Emerging Issues" with participants from other OIGs of financial regulatory agencies, GAO, regulatory agency officials, and congressional staff. We also met with FDIC executives and considered the FDIC's strategic goals and the corporate priorities and objectives in developing our goals. We believe that this process has resulted in strategic goals that are mission-related and outcome-oriented, and that will contribute to the achievement of the FDIC's mission.
To help accomplish our mission and achieve our vision, the OIG has established six strategic goals. Five of these strategic goals, which are our external goals, relate to the FDIC's programs and activities. These goals are as follows:
The OIG will
In addition, we have established a sixth (internal) strategic goal:
The OIG will
We are continuing the 2006 Business Plan approach to using qualitative performance measures that reflect mission-related goals and outcomes. These complement our quantitative performance measures. Each qualitative performance goal includes a set of key efforts representing ongoing work or work to be undertaken during 2007 in support of the goal. Also, potential outcomes have been identified for each performance goal to highlight the improvements that may result from these key efforts. We will measure our success in meeting our qualitative goals by having OIG senior management assess the extent to which we accomplish the work described in the key efforts under each goal. As part of our assessment, senior management will consider the amount of work conducted and recommendations made for each key effort, and then determine whether the overall body of work produced adequately achieves or addresses the related goal.
We are also continuing to use a streamlined list of quantitative measures that emphasize outcomes and results. These measures include financial benefits resulting from our audits, evaluations, and investigations; positive changes resulting from our recommendations (e.g., improved FDIC policies, practices, processes, systems, or controls); investigation actions (e.g., indictments, convictions, employee actions); recommendations implemented; and timeliness of our work products. We have revised the timeliness measures for audits, evaluations, and investigations based on our experience in FY 2006. For audits and evaluations, we will begin measuring adherence to target assignment completion dates rather than an overall average completion time. We believe this approach will permit us to better judge the extent that each assignment is meeting our timeliness goal. For investigations, we are adding a timeliness measure at the early stage of the investigation process to ensure prosecutorial interest before proceeding. Also, we are refining a timeliness measure at the end of the investigative process to ensure that we report to FDIC management on the outcome in a timely manner. A complete list of our quantitative measures, along with our targets for FY 2007, is shown in the table in the Quantitative Performance Measures and Targets section of this plan.
Together, our qualitative and quantitative performance measures will help us to determine the degree to which the OIG's work provides timely, quality support to the Congress, the Chairman, other FDIC officials, the banking industry, and the public. We will periodically assess the results of our performance and the appropriateness of our performance measures and goals, and make changes, as warranted.
Internal Operational Improvement Projects
This plan incorporates a number of initiatives to improve the efficiency and quality of OIG processes and products. These projects have a strategic importance for the OIG to ensure that we use our resources wisely and we can stay abreast of the significant and ever-changing challenges facing the FDIC and the banking industry.
Strategic Goals and Performance Measures
To achieve our strategic and performance goals, we provide objective, fact-based information and analysis to the Congress, the FDIC Chairman, other FDIC officials, and the Department of Justice. This effort typically involves our audits, evaluations, or criminal investigations conducted pursuant to the IG Act and in accordance with applicable professional standards. We also make contributions to the FDIC in other ways, such as reviewing and commenting on proposed corporate policies and draft legislation and regulations; participating in joint projects with management; providing technical assistance and advice on various issues such as information technology, strategic planning, risk management, and human capital; and participating in internal FDIC conferences and seminars.
In planning and budgeting our resources, we use an enterprise-wide risk assessment and planning process that considers current and emerging industry trends, and corporate programs, operations, and risks. Our audit and evaluation assignment plan, which outlines planned audit and evaluation coverage for the coming year, is based in part on the OIG's assessment of risks to the FDIC in meeting its strategic goals and objectives. This risk-based assessment process is linked to the Corporation's program areas and the OIG's identification of management and performance challenges in those areas. In formulating our assignment plan, we solicit input from senior FDIC management and members of the FDIC Audit Committee, as well as the Congress.
Conducting investigations of activities that may harm or threaten to harm the operations or integrity of the FDIC and its programs is a key activity for achieving our goals. These investigations involve fraud at financial institutions, obstruction of FDIC examinations, misrepresentations of deposit insurance coverage, identity theft crimes, concealment of assets by FDIC debtors, or criminal or other serious misconduct on the part of FDIC employees or contractors. In conducting our investigations, we coordinate and work closely with U.S. Attorneys' Offices, other law enforcement organizations, and FDIC divisions and offices. The OIG also operates an Electronic Crimes Unit (ECU) and laboratory in Washington, D.C. The ECU is responsible for conducting computer-related investigations and providing computer forensic support to investigations nationwide. We also manage the OIG Hotline for FDIC employees, contractors, and others to report allegations of fraud, waste, abuse, and mismanagement via a toll-free number or e-mail.
Another means of ensuring we achieve our goals is to maintain positive working relationships with the Congress, the Chairman, FDIC officials, and other OIG stakeholders. We provide timely, complete, and high-quality responses to congressional inquiries and communicate regularly with the Congress about OIG work and its conclusions. Also, the OIG communicates with the Chairman and Vice Chairman through briefings about ongoing and completed work and is a regular participant at Audit Committee meetings. The OIG also places a high priority on building strong alliances with GAO, the President's Council on Integrity and Efficiency, the Executive Council on Integrity and Efficiency, and other agencies' Offices of Inspector General.
The OIG's employees are our most important resource for accomplishing our mission and achieving our goals. For that reason, we strive to operate a human resources program that attracts, develops, motivates, rewards, and retains a highly skilled, diverse, and capable staff.
The OIG staff is comprised of auditors, criminal investigators, attorneys, program analysts, computer specialists, and administrative personnel. The OIG staff holds numerous advanced educational degrees and possesses a number of professional licenses and certificates. To maintain professional proficiency, each of our staff attains an average of about 55 hours of continuing professional education and training annually.
Like much of the FDIC, the OIG has been downsizing its staff for several years in response to changes in the banking industry that have resulted in bank consolidations and improved financial health and the near completion of resolutions of failed institutions during the banking and thrift crises of the 1980s and early 1990s. Overall OIG staffing will have decreased from the authorized level of 190 in fiscal year 2003 to a level between 120 and 130 in fiscal year 2007. During that period, our Office of Audits has been reduced about 50 percent. These changes have impacted some performance targets compared to previous years' performance.
Our information technology (IT) goal is to better link IT planning and investment decisions to our mission and goals, thus helping ensure that OIG managers and staff have the IT tools and services they require to successfully and productively perform their work. The OIG IT vision is to enable our managers and staff, through reliable and modern technology, to maximize productivity and responsiveness. To help realize this goal and vision, our strategy will be to pursue IT solutions that optimize our effectiveness and efficiency, connectivity, reliability, and security, and employ best practices in managing our IT systems, services, and investments.
Relationship of the OIG to the FDIC
The IG Act, as amended, makes the OIG responsible for keeping both the FDIC Chairman and the Congress fully and currently informed about problems and deficiencies relating to FDIC programs and operations. This dual reporting responsibility makes our role unique at the FDIC and can present a number of challenges for establishing and maintaining an effective working relationship with management. Although we are an integral part of the Corporation, unlike any other FDIC division or office, our legislative underpinning requires us to operate as an independent and objective oversight unit at the same time. As such, a certain amount of tension with the Corporation may be inherent in the nature of our mission. Notwithstanding, the OIG has established a cooperative and productive relationship with the Corporation by fostering open and honest communication; building relationships based upon mutual respect; conducting our work in an objective and professional manner; and recognizing and addressing the risks, priorities, and needs of the FDIC.
The Corporation also has back-up examination authority to protect the interests of the deposit insurance fund for more than 3,537 (as of June 30, 2006) national banks, state-chartered banks that are members of the Federal Reserve System, and savings associations.
In recent years, the banking industry has been marked by consolidation, globalization, and the development of increasingly complex investment strategies available to banks. Bank regulators, both domestically and internationally, have devised new standards for bank capital requirements commonly referred to as Basel IA and Basel II. The FDIC and the other bank regulators continue to assess the potential impact of new standards on bank safety and soundness.
The FDIC has developed and implemented programs to minimize the extent to which the institutions it supervises are involved in or victims of financial crimes and other abuse. Bank governance practices are important safeguards in this regard, and the FDIC has issued guidance to banks about governance expectations, including adherence to requirements in the Sarbanes-Oxley Act for publicly traded financial institutions. The FDIC also analyzes data security threats, occurrences of bank security breaches, and incidents of electronic crime that involve financial institutions. As part of safety and soundness examinations, the FDIC also ensures that the institutions comply with regulatory reporting requirements of the Bank Secrecy Act (BSA).
As more and more laws are passed, and new regulations are adopted to implement those laws, policy makers and regulators seek to ensure that the intended benefits justify the considerable costs. Pursuant to the Economic Growth and Regulatory Paperwork Reduction Act of 1996, the FDIC and other bank regulators have been reviewing regulations in order to identify outdated or otherwise unnecessary regulatory requirements imposed on insured depository institutions. Notably, the President signed S.2856, the Financial Services Regulatory Relief Act. Among other provisions, this Act includes an increase from $250 million to $500 million on the asset size for eligibility for an 18-month examination cycle; permission for banks, thrifts, and credit unions to use new lending and investment authority; and other changes allowing financial institutions to improve the efficiency of their operations.
The OIG's role under this strategic goal is conducting audits and evaluations that review the effectiveness of various FDIC programs and examination processes aimed at providing continued stability to the nation's banks. Another major means of achieving this goal is through investigations of fraud at FDIC-supervised institutions; fraud by bank officers, directors, or other insiders; fraud leading to the failure of an institution; fraud impacting multiple institutions; and fraud involving monetary losses that could significantly impact the institution.
2007 Performance Goals: To assist the FDIC to ensure the nation's banks operate safely and soundly, the OIG will
The Federal Deposit Insurance (FDI) Act requires the cognizant OIG to perform a review when the deposit insurance fund incurs a material loss due to the failure of an insured depository institution. The FDIC OIG performs the review if the FDIC is the primary regulator of the institution. The Department of the Treasury OIG and the OIG at the Board of Governors of the Federal Reserve System perform reviews when their agencies are the primary regulators. These reviews identify what caused the material loss, evaluate the supervision of the federal regulatory agency (including compliance with the Prompt Corrective Action requirements of the Federal Deposit Insurance Act), and propose recommendations to prevent future failures. A loss is considered material to the insurance fund if it will exceed $25 million and 2 percent of the failed institution's total assets. While no banks or thrifts have failed in the United States since June 25, 2004, the OIG must be prepared to conduct such a review, as necessary, and will work with the Division of Supervision and Consumer Protection (DSC) and the Division of Resolutions and Receiverships (DRR) to ensure such readiness.
The examination of the banks that it regulates is a core FDIC function. Through this process, the FDIC assesses the adequacy of management and internal control systems to identify, measure, and control risks; and bank examiners judge the safety and soundness of a bank's operations. The Corporation conducted 2,399 safety and soundness examinations in 2005. The examination program employs risk-focused supervision for banks. According to examination policy, the objective of a risk-focused examination is to effectively evaluate the safety and soundness of the bank, including the assessment of risk management systems, financial condition, and compliance with applicable laws and regulations, while focusing resources on the bank's highest risks.
The OIG's work in 2007 will focus on how effective the FDIC's examinations are in assessing a variety of risks that can be particularly sensitive for banks. In one audit, we will focus on an assessment of interest rate risks. In another audit, we will review added risks associated with electronic banking, and determine whether examination procedures adequately address the risks and the extent to which the examiners follow the procedures. Another assignment will address examination coverage of an institution's lending activities with attention to the reliability of appraisals and sufficiency of insurance coverage.
Similarly, with respect to subprime lending, since the 1990s, such lending volumes have increased significantly and financial regulators have closely monitored and responded to that trend. However, any weaknesses in the related examination guidance and the FDIC's implementation of that guidance may impact an institution's safety and soundness.
Finally, banks often outsource software development and maintenance, data processing, and other critical IT business services to TSPs. Many of these services fall within the purview of bank examiners, and for FDIC-supervised institutions, it is through IT examinations that the coverage occurs. One of the OIG's audits in 2007 will determine whether the FDIC's examinations of TSPs comply with applicable guidance. Given the industry's widespread use of TSPs, any financial or operational problems that TSPs experience could negatively impact the safety and soundness of multiple institutions.
All financial institutions today are at risk of being used to facilitate criminal activities, including money laundering and terrorist financing. The Corporation needs to guard against a number of financial crimes and other threats, including money-laundering, terrorist financing, data security breaches, and financial institution fraud. Bank management is the first line of defense against fraud, and the banks' independent auditors are the second line of defense. Because fraud is both purposeful and hard to detect, it can significantly raise the cost of a bank failure, and examiners must be alert to the possibility of fraudulent activity in financial institutions.
The OIG's OI works closely with FDIC management in DSC and the Legal Division to identify and investigate financial institution crime, especially fraud. OIG investigative efforts are concentrated on those cases of most significance or potential impact to the FDIC and its programs. The goal, in part, is to bring a halt to the fraudulent conduct under investigation, protect the FDIC and other victims from further harm, and assist the FDIC in recovery of its losses. Pursuing appropriate criminal penalties not only serves to punish the offender but can also deter others from participating in similar crimes.
Since the terrorist attacks of September 11, 2001, the FBI has no longer been able to devote the same level of resources to financial institution fraud cases. The OIG fully expects its caseload of financial institution fraud to continue to increase. U.S. Attorneys' Offices and FBI Offices throughout the country are increasingly relying on the FDIC OIG to handle such cases. Referrals and requests for investigative assistance from the U.S. Attorneys' Offices and the FBI are on the increase. The OIG is also receiving more referrals of financial institution fraud matters from DSC. We expect such referrals to continue to increase, particularly because our criminal investigations can also be of benefit to the FDIC in pursuing enforcement actions to prohibit offenders from continued participation in the banking system.
The intentional denial of accurate information to bank examiners undermines the integrity of the examination process. When investigating instances of financial institution fraud, the OIG defends the vitality of the FDIC's examination program by investigating associated allegations or instances of criminal obstruction of bank examinations and by working with U.S. Attorneys' Offices to bring these cases to justice.
The OIG's investigations of financial institution fraud currently constitute about 75 percent of the OIG's investigation caseload. At year-end 2001, the OIG had 43 open financial institution fraud cases. That number had risen to 97 by year-end 2006.
The OIG is also committed to continuing its involvement in interagency forums addressing fraud. Such groups include national and regional bank fraud, check fraud, mortgage fraud, cyberfraud, identity theft, and anti-phishing working groups. Additionally, the OIG will enhance its industry outreach efforts to keep financial institutions informed on fraud-related issues and to educate bankers on the role of the OIG in combating financial institution fraud.
A number of significant laws drive the OIG's work with respect to this strategic goal. Under the BSA, banks must file a Currency Transaction Report (CTR) with the Treasury Department for each transaction over $10,000 or multiple cash transactions by any individual in one business day or over the period of a day aggregating over $10,000. The BSA also requires banks to file SARs when suspected money laundering or BSA violations occur. Although the Department of the Treasury has overall authority for BSA enforcement and compliance, the Financial Crimes Enforcement Network (FinCEN), created in 1990, has delegated authority to administer the BSA. FinCEN maintains automated systems from which DSC examiners can download information on CTRs and SARs filed by FDIC-supervised institutions. The filing and use of SARs and CTRs has been the subject of significant regulatory, congressional, and banking community interest. Our efforts to establish a database of SARs will augment our capability to search and sort data from FinCEN and assist OIG investigations and DSC enforcement actions.
The USA PATRIOT Act, enacted on October 26, 2001 in response to the September 11, 2001 terrorist attacks, made a number of amendments to the anti-money laundering provisions of the BSA. Title III of the USA PATRIOT Act, in particular, is intended to facilitate the prevention, detection, and prosecution of international money laundering and terrorist financing. FDIC examiners play a critical role in ensuring that institutions comply with the Act, and we will be reviewing this area in 2007. Examiners must consistently implement procedures to help ensure that institutions have needed programs in place to detect money laundering and terrorist financing activities that can threaten the safety and soundness of institutions and the security of American citizens.
In a related vein, the Department of the Treasury's Office of Foreign Assets Control (OFAC) is responsible for developing, promulgating, and administering sanctions for the Secretary of the Treasury under various laws, including the Trading with the Enemy Act and the International Emergency Economic Powers Act. Generally, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes economic sanctions. As referenced earlier, the FDIC's safety and soundness examinations of FDIC-supervised financial institutions include an assessment of the institutions' compliance with BSA anti-money laundering requirements. As part of the BSA anti-money laundering examinations, the FDIC assesses the institution's OFAC compliance programs. The OIG's work will look at the FDIC's efforts in this area.
Federal deposit insurance remains a fundamental part of the FDIC's commitment to maintain stability and public confidence in the Nation's financial system. Now in its eighth decade, the FDIC has insured deposits up to the legally authorized threshold, which presently stands at $100,000 for individual accounts and $250,000 for retirement accounts. Legislation passed by the Congress on February 1, 2006 merges separate insurance funds for banks and thrifts into a single Deposit Insurance Fund with about $50 billion in reserve. This legislation also imposed some reforms on how the FDIC is to manage the fund in the future including indexing for inflation, permitting the fund reserves to fluctuate inside a percentage range of estimated insured deposits, and administering rebates and assessments. The Corporation is working to implement these reforms.
As insurer, the FDIC must also evaluate and effectively manage how changes in the economy, the financial markets, and the banking system affect the adequacy and the viability of the Deposit Insurance Fund. Significantly, there has been no bank or thrift failure in over 2 years for the first time in the FDIC's history. Still, there remain many challenges to the FDIC and other banking regulators.
The continuing consolidation of the banking industry means there are a few very large institutions that represent an increasingly significant share of the Deposit Insurance Fund's risk exposure. Industry consolidation presents benefits and risks to the Deposit Insurance Fund. While the risks to the funds are diminished because of the diversification benefits of consolidation (along geographic and product lines), the concentration of deposits in fewer insured depository institutions increases the risks to the Deposit Insurance Fund in the event a large insured depository institution fails.
As a result of industry consolidation, the assets in the industry are also increasingly concentrated in a small number of large, complex institutions for which the FDIC is not, for the most part, the primary supervisor. The largest banks operate highly complex branch networks, have extensive international and capital market operations, and work on the cutting edge of technologically sophisticated finance and business. The increased complexity of the industry and the concentration of risk to the insurance funds in the largest banking organizations are expected to grow more pronounced over time and to present greater risk-management challenges to the Corporation. A two-tiered banking system characterized by a limited number of very large, complex institutions and a much larger number of small community banks appears to be emerging. The banking regulators, including the FDIC, need insight into the risks that are inherent in these different types of banking organizations.
The OIG has a responsibility to evaluate the FDIC's programs and operations to ensure that the agency has adequate information to gauge the risks inherent as financial institutions consolidate, enter into new business areas, and become more global.
2007 Performance Goals: To help the FDIC maintain the viability of the deposit insurance fund, the OIG will
The FDIC, in cooperation with the other primary federal regulators, proactively identifies and evaluates the risk and financial condition of every insured depository institution. The FDIC also identifies broader economic and financial risk factors that affect all insured institutions. The availability of timely banking information is critical to ensuring the FDIC's ability to assess risk to insured financial institutions and the deposit insurance funds. The FDIC is committed to providing accurate and timely bank data related to the financial condition of the banking industry. Industry-wide trends and risks are communicated to the financial industry, its supervisors, and policymakers through a variety of regularly produced publications and ad hoc reports. Risk-management activities include approving the entry of new institutions into the deposit insurance system, off-site risk analysis, assessment of risk-based premiums, and special insurance examinations and enforcement actions.
Risk management begins with the FDIC's review of applications for deposit insurance to ensure that the applying institution is well-capitalized, possesses a qualified management team, and is capable of operating in a safe and sound manner.
Off-site risk analysis activities include reviewing examination reports and using a variety of information system models and tools. The purposes of these activities are to understand the risk profile of individual financial institutions and to identify trends and emerging risks affecting groups of financial institutions and the insurance fund. The information may be used to target institutions for examination or other follow-up activities; focus the scope of an examination; assist in setting risk-based premiums for individual institutions; determine the adequacy of the deposit insurance fund; develop new policy initiatives; and determine corporate strategies for supervision, staffing, communication and other resource decisions.
Primary responsibility for identifying and managing risks to the Deposit Insurance Fund lies with the FDIC's Division of Insurance and Research, DSC, and DRR. To help integrate the risk management process, the FDIC established the National Risk Committee (NRC), a cross-divisional body. Also, a Risk Analysis Center monitors emerging risks and recommends responses to the NRC. In addition, a Financial Risk Committee focuses on how risks impact the Deposit Insurance Fund and financial reporting.
The FDIC assesses risk-based insurance premiums by assigning a risk classification to each insured institution. The risk classifications are adjusted periodically to reflect the relative risk posed by institutions. Accordingly, institutions that represent greater supervisory risks to the insurance funds pay higher premiums, subject to the statutory requirements.
In fulfilling its role as insurer, the FDIC has special back-up examination authority over all insured institutions and, at times, participates in examinations with the other federal regulators. In order to prevent or minimize losses to the funds, the primary federal regulator is required to take prompt corrective action when an FDIC-insured institution is determined to have capital problems. Depending on the institution's capital classification, these actions range from imposing restrictions or requirements on an institution's operations to the appointment of a receiver or conservator.
The consolidation of the banking industry has resulted in fewer and fewer financial institutions controlling an ever expanding percentage of the Nation's financial assets. As of June 30, 2006, the 10 largest FDIC-insured institutions controlled 44 percent of total insured assets and 42 percent of total insured deposits in the country. The FDIC is the primary federal regulator for none of these large financial institutions. In recent years, the FDIC has taken a number of measures to strengthen its oversight of the risks to the insurance fund posed by the largest institutions, and its key programs include the following:
Our audit work in this area for 2007 envisions evaluating the Dedicated Examiner Program, a program that the FDIC uses in the six largest banks in cooperation with other primary federal regulators and bank personnel to obtain real-time access to information about risk and trends in those institutions. Also, we plan to review the FDIC's overall approach to identify and manage risks to the Deposit Insurance Fund.
Consumer protection laws are an important part of the safety net of America. The U.S. Congress has long advocated particular protections for consumers in relationships with banks. For example:
The FDIC serves a number of key roles in the financial system and among the most important is the FDIC's work in ensuring that banks serve their communities and treat consumers fairly. The FDIC has recognized the importance of its role in this regard by establishing its own strategic goal ensuring that consumers' rights are protected and supervised institutions invest in their communities. The FDIC carries out its role by (1) providing consumers with access to information about their rights and disclosures that are required by federal laws and regulations and (2) examining the banks where the FDIC is the primary federal regulator to determine the institutions' compliance with laws and regulations governing consumer protection, fair lending, and community investment.
An important FDIC initiative is promoting expanded opportunities for the underserved banking population in the United States to enter the financial mainstream. Newly appointed FDIC Chairman Sheila Bair said, "The FDIC has been a leader in financial education efforts, but more can be done. Regulators and bankers can work together to reach out to underserved communities and to develop credit and deposit products that meet the needs of those communities." The FDIC promotes public understanding of the federal deposit insurance system and seeks to ensure that depositors and bankers have ready access to information about consumer protection laws. The results of the FDIC's efforts bring greater stability and fairness to our financial system.
The OIG's role under this strategic goal is targeting audits and evaluations that review the effectiveness of various FDIC programs aimed at protecting consumers, fair lending, and community investment. Additionally, the OIG's investigative authorities are used to identify, target, disrupt, and dismantle criminal organizations and individual operations engaged in fraud schemes that target our financial institutions.
2007 Performance Goals: To assist the FDIC to protect consumer rights and ensure customer data security and privacy, the OIG will
Data security and financial privacy are important values in American society. Banks are increasingly using third-party servicers to provide support for core information and transaction processing functions. The increasing globalization and cost saving benefits of the financial services industry are leading many banks to make greater use of foreign-based service providers. Although generally permissible, this outsourcing practice raises certain risks, such as country, compliance, contractual, and reputation risks.
With respect to privacy and security, the obligations of a financial institution to protect the privacy and security of information about its customers under applicable U.S. laws and regulations remain in full effect when the institution transfers the information to a foreign-based service provider. The transfer of that information to a service provider located in another country does not alter those obligations. Accordingly, the FDIC expects financial institutions to effectively manage these risks and adequately oversee any relationships with foreign-based third-party service providers.
Compliance with laws and regulations must be managed as an integral part of a bank's business strategy. FDIC has responsibility for ensuring that the financial institutions it supervises comply with consumer protection laws and regulations. A compliance management system is the method by which the bank manages the entire consumer compliance process. The FDIC uses its compliance examination process to ascertain the effectiveness of an institution's program for compliance. In 2005, the FDIC conducted 2,020 compliance and CRA examinations.
Although the job of compliance has grown more complex, the FDIC is committed to making certain that financial institutions develop and maintain a sound compliance management system that is integrated into the overall risk management strategy of the institution. Noncompliance with consumer statutes and regulations can result in monetary penalties, litigation, and formal enforcement actions. Successful compliance management will avoid these potential consequences and create a culture of compliance readiness.
Every year fraud schemes rob depositors and financial institutions of millions of dollars. The OIG's Office of Investigations is used to identify, target, disrupt, and dismantle criminal organizations and individual operations engaged in fraud schemes that target our financial institutions or that prey on the banking public. OIG investigations have identified multiple schemes that defraud depositors. Common schemes range from identity fraud to Internet scams such as "phishing" and "pharming."
Investigative work related to these areas is ongoing and will continue to be at the forefront of OI's key efforts. With the help of sophisticated technology, the ECU will continue to work with FDIC divisions and other federal agencies to help with the detection of new fraud patterns and combat existing fraud. Coordinating closely with the Corporation's DRR and the various U.S. Attorneys' offices, the OIG hopes to reduce substantial risk and yield positive results. These proactive measures will help to promote continued public confidence in federal deposit insurance and goodwill within financial institutions.
The United States provides protection to depositors in its banks, savings and loan associations, and credit unions. One of the key players in this process is the FDIC. Among its various functions, the FDIC acts as the receiver or liquidating agent for failed FDIC-insured institutions. The success of the FDIC's efforts in resolving troubled institutions has a direct impact on the banking industry and on the taxpayers.
DRR exists to plan and efficiently handle the resolutions of failing FDIC-insured institutions and to provide prompt, responsive, and efficient administration of failing and failed financial institutions in order to maintain confidence and stability in our financial system.
The FDIC's resolution and receivership activities pose tremendous challenges. Today record profitability and capital in the banking industry have led to a substantial decrease in the number of financial institution failures compared to prior years. However, as indicated by the trends in mergers and acquisitions, banks are becoming more complex, and the industry is consolidating into larger organizations. As a result, the FDIC could potentially have to handle a failing institution with a significantly larger number of insured deposits than it has had to deal with in the past.
The change between how the FDIC handled resolutions and receiverships 20 years ago and how it will be handling them 20 years from now will be largely based on learning to anticipate and plan, instead of reacting. Through the development of new resolution strategies within the various DRR business lines, FDIC must set far-reaching plans for the future to keep pace with a changing industry.
The OIG's role under this strategic goal is targeting audits and evaluations that assess the effectiveness of the FDIC's various programs designed to ensure that the FDIC is ready to and does respond promptly, efficiently, and effectively to financial institution closings. Additionally, the OIG investigative authorities are used to pursue instances where fraud is committed to avoid paying the FDIC civil settlements, court-ordered restitution, and other payments as the institution receiver. The OIG will also continue to work with FDIC officials to keep abreast of the ongoing efforts being taken by DRR and the Corporation as a whole, to sustain proficiency in resolution activity and to prepare for the possibility of a large institution failure or multiple failures caused by a single catastrophic event.
2007 Performance Goals: To help ensure the FDIC is ready to resolve failed banks and effectively manages receiverships, the OIG will:
In performing their duties of resolving failing FDIC-insured depository institutions, DRR personnel have access to a wide variety of records containing personally identifiable information of a bank's employees and customers. Such records include: bank employee payroll records, customer deposit records, and customer loan records. The FDIC is committed to protecting the privacy of personal information. Within the FDIC, each division has established controls and procedures for the protection of sensitive information. Through various policies and procedures, DRR has established certain methods for controlling access to collected and maintained sensitive information. However, given the increased risks associated with, and attention being placed on identity theft, the protection of customer information in FDIC's systems is paramount to sustaining the public's confidence in the FDIC.
The risk of a large bank failure is one of the greatest threats to the Deposit Insurance Fund and public confidence in the nation's financial systems. The FDIC bears primary responsibility to plan the government's reaction to such a failure. DRR has plans for sophisticated models to train FDIC staff and prepare for differing circumstances. The OIG will monitor the development of the model, look for opportunities to contribute, and involve its own staff in simulations of potential large bank fraud that causes a bank to collapse, and in post-failure reviews of what caused the bank to fail.
The OIG's OI coordinates closely with DRR, with special attention to various types of financial institution fraud and related crimes, including concealment of assets. The FDIC was owed more than $1.7 billion in criminal restitution as of September 30, 2006. In most instances, the individuals do not have the means to pay. However, a few individuals do have the means to pay but hide their assets and/or lie about their ability to pay. OI works closely with DRR and the Legal Division in aggressively pursuing criminal investigations of these individuals. Specifically, OI offers vital assistance in these pursuits. In the case of bank closings where fraud is suspected, OI is prepared to send case agents and computer forensic special agents from the ECU to the institution. Agents use different investigative tools to provide computer forensic support to OI's investigations by obtaining, preserving, and later examining evidence from computers at the bank. The determined investigative work of OI has allowed for successful outcomes in various cases and substantial restitution payments. As a result of well-prepared investigations, FDIC has a good recovery record of funds for the receivership.
Although there have been far fewer failures in recent years, DRR must be ready to resolve troubled institutions and is, in fact, continuing to focus on its ability to resolve institutions of any size. According to FDIC analysis, the failures of the 1980s and early 1990s were concentrated in the energy, agriculture, and commercial real estate sectors. In contrast, recent bank failures are largely attributable to fraud, mismanagement, improper accounting and reporting practices, and losses related to investments in sub-prime lending. OI will continue to work with DRR to ensure the OIG remains proficient and up-to-date on DRR's resolution strategies.
The FDIC must effectively manage and utilize a number of critical strategic resources in order to carry out its mission successfully, particularly its human, financial, IT, and physical resources. The Corporation does not receive an annual appropriation, except for its OIG, but rather is funded by the premiums that banks and thrift institutions pay for deposit insurance coverage, the sale of assets recovered from failed banks and thrifts, and from earnings on investments in U.S. Treasury securities.
The FDIC has emphasized its stewardship responsibilities for all of its resources in its strategic planning process. The FDIC Board of Directors approves an annual Corporate Operating Budget to fund the operations of the Corporation.
The Corporate Operating Budget provides resources for the operations of the Corporation's three major programs or business lines (Insurance, Supervision, and Receivership Management) as well as its major program support functions (legal, administrative, financial, IT, etc.). Program support costs are allocated to the three business lines so that the fully loaded costs of each business line are displayed in the operating budget approved by the Board.
In addition to the Corporate Operating Budget, the FDIC has a separate Investment Budget that is composed of individual project budgets approved by the Board of Directors for major investment projects. Budgets for investment projects are approved on a multi-year basis, and funds for an approved project may be carried over from year to year until the project is completed. A number of the Corporation's more costly IT projects are approved as part of the investment budget process.
Deposit insurance reform legislation resulted in the merging of the Bank Insurance Fund and the Savings Association Insurance Fund into a new fund, the Deposit Insurance Fund, effective March 31, 2006. Expenditures from the Corporate Operating and Investment Budgets are paid from two funds managed by the FDIC: the Deposit Insurance Fund and the FSLIC Resolution Fund. The Corporation's 2007 spending is expected to total approximately $1 billion.
To effectively manage its budget, in May 2005, the Corporation implemented an enhanced cost-management program to provide managers with additional cost information, including the fully loaded cost of key business processes. The Corporation will also continue to benchmark the cost of selected business processes with those of peer organizations and continue to explore the use of performance scorecards to assess performance against appropriate cost, timeliness, quality, and customer service standards.
Financial resources are but one aspect of the FDIC's critical assets. The Corporation's human capital is also vital to its success. The FDIC will have the opportunity over the next decade to substantially reshape its workforce in conjunction with the projected retirements of a large number of long-serving employees. The downsizing that has occurred over the past 12 years has resulted in limited hiring of new employees. The FDIC has made efforts over the recent years to address the need to reshape its workforce with the implementation of the Corporate Employee Program, the Succession Management Program, and the Leadership Development Program. In 2006, the Corporation began the development and implementation of a comprehensive succession management program to ensure that the FDIC's workforce has the skills and expertise needed to successfully address its mission responsibilities in the future and to maintain its leadership role in the financial regulatory community. Throughout the reshaping of its workforce, the FDIC maintains its commitment to a working environment of high integrity and to the achievement of its mission.
Technological advances have produced tools that all workers today would be lost without. IT drives and supports the manner in which the public and private sector conduct their work. At the FDIC, the Corporation seeks to leverage IT to support its business goals in insurance, supervision and consumer protection, and receivership management, and to improve the operational efficiency of its business processes. The financial services industry employs technology for similar purposes.
Along with the positive benefits that IT offers comes a certain degree of risk. In that regard, information security has been a long-standing and widely acknowledged concern among federal agencies. A key effort for all agencies must be the establishment of effective information security programs. The E-Government Act of 2002 recognized the importance of information security. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each agency to develop, document, and implement an agency-wide information security program to provide adequate security for the information and information systems that support the operations and assets of the agency. Section 522 of the Consolidated Appropriations Act of 2005 requires agencies to establish and implement comprehensive privacy and data protection procedures and have an independent third-party review performed of their privacy programs and practices.
Business continuity is another key concern to all federal agencies. In light of recent large-scale disasters, the Corporation must be prepared to respond to such events, whether related to natural disasters or terrorism. The continuity of FDIC's business operations is essential in order to maintain the public's confidence and trust in the Corporation.
The OIG's role in this strategic goal is to perform audits, evaluations, and investigations that
2007 Performance Goals: To promote sound governance and effective stewardship of FDIC strategic resources, the OIG will
Records are a valuable resource and must be managed properly for the agency to function effectively and to comply with Federal laws and regulations. The FDIC records management program is designed to ensure continuity and consistency, to assist in decision-making and information-sharing, and to provide information required by Congress and others for overseeing the Corporation's activities. Thus, it is important that the Corporation's records are economically and effectively managed to meet business needs and to comply with applicable laws and regulations.
Improving project management is another ongoing business concern. In 2005, the Division of Information Technology (DIT) PMO was established as a resource center for clients, executives, project managers, and project team members engaged in the operations and oversight of IT projects. DIT initiated a PMO to establish standard repeatable project management practices and improve the results of IT project management activities. Successful project management is highly dependent upon keeping decision-makers fully informed of the cost and status of projects.
In May 2005, the Corporation also implemented NFE to enhance the FDIC's ability to meet current and future financial management and information needs. One of the intended organizational benefits of NFE was enhanced cost management. To that end, the cost management program was collaboratively created by all divisions and offices. The cost management program's success will rely on employees accurately entering all the necessary data into the appropriate cost management chartfields when reporting their time and travel. In order to facilitate and support decision making, accurate cost data must be available for decision makers and other system users.
To provide assurance that the FDIC is achieving its strategic goals and objectives, there must be gauges that track and measure the Corporation's performance of its operations, activities, and initiatives. Furthermore, these gauges must be aligned with the Corporation's strategic goals and objectives and be useful to FDIC management and stakeholders.
The achievement of the FDIC's mission, in large part, depends upon employees that uphold values of integrity, honesty, and a commitment to maintain the public's trust and confidence in the Corporation. In order to promote a working environment that embraces such values, there must be means in which misconduct is identified and handled appropriately. To foster a working environment of high integrity, it is also critical that employees and contractors receive ethics and conduct training.
An Enterprise Architecture (EA) is a blueprint of an agency's current and planned operating and systems environment and the plan for transitioning between the two. Among other things, the EA defines principles and goals for, and sets direction on, IT security. It is critical that the FDIC has an effective structure in place to allow IT investment decisions to be made in alignment with its business needs; otherwise, the absence of an effective EA program may result in poor IT investment decisions.
As part of the OIG's approach to assess the FDIC's IT environment and risk, the OIG will conduct a risk analysis of FDIC's IT environment to ensure that resources are focused on areas that represent the most risk to the FDIC.
Information security and continuity of operations remain top priorities at the FDIC. As mandated by Title III, namely FISMA, of the E-Government Act of 2002, federal agencies are required to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluation to the Office of Management and Budget (OMB). The OIG's 2006 FISMA evaluation reported that the FDIC has made significant progress in improving its information security controls and practices. However, continued management attention was needed in key security control areas to ensure that appropriate risk-based and cost-effective security controls are in place to secure the FDIC's information resources in furtherance of the Corporation's security program goals and objectives. Further, the Corporation is subject to the Consolidated Appropriations Act, Title V, Section 522. The Act mandates the designation of a senior privacy official, establishment of privacy and data protection procedures, and a written report of the Corporation's use of information in identifiable form.
The FDIC depends on the continuity of its IT operations to meet its business needs, financial obligations, and regulatory requirements. OMB policy requires agencies to establish and periodically test their ability to recover from IT service interruptions and to provide service based upon the needs and priorities of system participants. The FDIC conducts semiannual IT disaster recovery testing to ensure the Corporation's ability to recover its mainframe, midrange, and server platforms that would be required to restore IT operations in the event of a disaster. It is of critical importance that the FDIC IT infrastructure can withstand interruptions and continue to fully support corporate business operations.
Recent large-scale disasters in the United States have clearly demonstrated how important it is to have reliable emergency response procedures and a well-written BCP to sustain critical business functions during an emergency or situation that may disrupt normal operations. The FDIC has developed an Emergency Operations Plan comprised of an Emergency Response Plan and a separate BCP. In 2004, an OIG evaluation of FDIC's BCP found that the BCP addresses the critical business functions of key FDIC divisions and offices. However, the evaluation noted that the FDIC could improve the quality of its BCP in a number of key areas to help ensure its success. The OIG will conduct a follow-up evaluation of the FDIC's progress in implementing the recommendations we made in our earlier report. It is important, both symbolically and functionally, for federal government agencies to continue to serve the American public during any emergency or situation that may disrupt normal operations.
With corporate downsizing has come, in many instances, increased reliance on contracted services and potential increased exposure to risk if contracts are not managed properly. Processes and related controls for identifying needed goods and services, acquiring them, and monitoring contractors after contract award must be in place and work effectively. As a good steward, the FDIC must ensure it receives the goods and services purchased with corporate funds. Further, the FDIC must have mechanisms in place to periodically evaluate the continuing need for contracts and determine whether there are corporate contracts that can be eliminated.
In 2004, the Corporation initiated a new contracting approach for its IT services with the goal to improve contractor support and streamline procurement and oversight activities. The ITAS contract combined approximately 40 contracts into one contract with multiple (four) vendors for a total program value of $555 million over 10 years. In such a large contractual undertaking, significant risk may exist in getting work completed, overseeing the contract, and, ultimately, meeting the Corporation's needs. In addition, in 2004, the FDIC entered into an interagency agreement with the General Services Administration (FEDSIM contract) to provide assistance for IT support services. As of June 2005, a Contract Monitoring Information Application report indicated that the FEDSIM contract totaled $342 million. Considering the significant contract cost and the vital IT functions that are being acquired, the success of the FEDSIM contract will be extremely important to the FDIC for many years to come.
Revised OMB Circular A-123, which became effective for fiscal year 2006, requires a strengthened process for conducting management's assessment of the effectiveness of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities and ensure that an appropriate balance exists between the strength of controls and the relative risk associated with particular programs and operations.
While the purpose of the OIG is focused on the FDIC's programs and operations, we have an inherent obligation to hold ourselves to the highest standards of performance and conduct. Like any organization, we have processes and procedures for conducting our work; communicating with our clients, staff, and stakeholders; managing our financial resources; aligning our human capital to our mission; strategically planning and measuring the outcomes of our work; maximizing the cost-effective use of technology; and ensuring our work products are timely, value-added, accurate, and complete and meet applicable professional standards.
2007 Performance Goals: To build and sustain a high-quality OIG work environment, the OIG will
The OIG's performance and value to our clients and stakeholders is directly linked to the knowledge and abilities of our staff. As our individual and collective abilities increase, so do the performance capacity of our organization and value to clients and stakeholders.
To ensure a high-quality work environment, we must continuously invest in keeping staff knowledge and skills at a level equal to the work that needs to be done. Training and development plans are one means for ensuring that the OIG is making sound investments in staff development. While each staff member has the primary responsibility for managing his or her career, OIG supervisors and management play a key role in helping staff create and implement career development plans. An emerging issues symposium is one means of keeping OIG staff attuned to changes in the bank regulatory environment. Also, a mentoring program that has been piloted during the past year may be beneficial to provide career and developmental guidance to some OIG staff.
In addition, relevant professional certifications serve to enhance the expertise of OIG staff and help ensure continued high-quality work and products.
A committed leadership team is essential to our strategic goal to build and sustain a high-quality work environment. Leadership fosters accountability for reaching results-oriented goals and for continuous learning and improvement. The OIG needs to develop its leaders for succession to sustain its effectiveness and excellence even as current leaders may depart. Leadership development needs to occur for all employees and with each employee striving to enhance his or her leadership competencies.
OIG leaders must provide straightforward, honest, and constructive feedback about individual and organizational performance to employees. To that end, we will develop additional tools and processes to add to the frequency and quality of performance feedback.
Our staff is our most important asset. The OIG's ability to produce products and serve clients and stakeholders is directly linked to the quality of staff. Complementing our workforce are contracted staff that can provide expertise beyond what we possess. Such experts can include contractors with expertise in IT, business continuity planning, forensic accounting, human capital issues, corporate investment strategy, commercial real estate appraisals, actuarial science, or any number of areas that OIG work may address. We will be awarding a contract in the next year to complement our existing workforce and assist us to build more quality into our work products.
Protecting our workforce in the event of any emergency is one of the highest priorities. Our emergency preparedness plan, prepared in conjunction with the FDIC's plan, aims to guide us on what to do before, during, and after an emergency and ensure the safety and security of all OIG staff. The BCP looks toward resuming, first, critical operations, and then all operations after a significant disruption. We must keep these plans current and ready for immediate implementation.
The Inspector General Act of 1978 (IG Act), as amended, makes the OIG responsible for keeping both the FDIC Chairman and the Congress fully and currently informed about problems and deficiencies relating to FDIC programs and operations. This dual reporting responsibility is the framework within which IGs perform their functions, and serves as a legislative safety net that protects the OIG's independence and objectivity.
The OIG places a high priority on maintaining positive relationships with the Congress and providing timely, complete, and high quality responses to congressional inquiries. Communications with the Congress about OIG work and its conclusions are best handled by the Inspector General or a designee to ensure that information is conveyed accurately and in context. In most instances, this communication would include semiannual reports to the Congress, letters for reporting serious problems, issued audit and evaluation reports, information related to completed investigations, comments on legislation and regulations, written statements for congressional hearings, contacts with congressional staff, responses to congressional correspondence, and materials related to OIG appropriations.
The OIG also places a high priority on maintaining positive relationships with the Chairman, other FDIC Board members, and FDIC officials. The OIG regularly communicates with the Chairman and Vice Chairman through briefings about ongoing and completed audits, evaluations, and investigations. The OIG is a regular participant at Audit Committee meetings where recently issued audit and evaluation reports are discussed. Other meetings occur throughout the year as OIG officials meet with division and office leaders and attend/participate in internal FDIC conferences. The OIG's semiannual reports to the Congress are sent to the Chairman 30 days prior to their transmittal to the Congress.
To assist the Congress and our other clients, many OIG products are available from the OIG's Internet site, www.fdicig.gov. These include most audit and evaluation reports, unless security issues are involved. OIG investigations are generally unavailable on the Internet due to the privacy issues involved for the subjects and witnesses of the investigations. However, press releases, usually written by the Department of Justice, concerning investigations are available on our Internet site. In addition, testimony, plans, semiannual reports to the Congress, and other documents are also available.
The IGs appointed by the President and confirmed by the Senate are members of the PCIE. The FDIC OIG fully supports and participates in PCIE activities. This organization
Additionally, the OIG routinely meets with representatives of the Government Accountability Office (GAO) to coordinate work and minimize duplication of effort. The OIG also meets with representatives of the Department of Justice, including the FBI and U.S. Attorneys' Offices, to coordinate our criminal investigative work and pursue matters of mutual interest. Regular meetings are held with the financial regulatory OIGs and other groups where the OIG has similar business interests.
The OIG has been working over several years to be a results-oriented, high performance culture. The organization that has been envisioned would foster a work environment in which honest two-way communication and fairness are a hallmark, perceptions of unfairness are minimized, and any workforce disputes are resolved by fair and efficient means. The ideas of staff at all levels are to be sought and valued as we strive to continuously enhance OIG operations. An Employee Advisory Group, made up of elected and/or appointed OIG staff, meets regularly and provides advice to the Inspector General on a wide variety of issues in a non-threatening environment. A Diversity Coordinator also helps promote corporate diversity initiatives in our workplace.
To carry out its responsibilities, the OIG must be professional, independent, objective, fact-based, nonpartisan, fair, and balanced in all its work. Also, the Inspector General and OIG staff must be free both in fact and in appearance from personal, external, and organizational impairments to their independence. The OIG adheres to the Quality Standards for Federal Offices of Inspector General, issued by the PCIE and the Executive Council on Integrity and Efficiency (ECIE). Further, the OIG conducts its audit work in accordance with generally accepted Government Auditing Standards; its evaluations in accordance with PCIE Quality Standards for Inspections; and its investigations, which often involve allegations of serious wrongdoing that may involve potential violations of criminal law, in accordance with Quality Standards for Investigations established by the PCIE and ECIE, and procedures established by the Department of Justice.
The Government Auditing Standards and PCIE/ECIE standards require organizations conducting audit and investigative work in accordance with the standards to have appropriate internal quality control systems in place and undergo an external quality control review. The external quality control reviews are conducted once every 3 years by an organization not affiliated with the OIG. The FDIC OIG is a member of the PCIE, and other member organizations conduct the external quality control review on a planned schedule. Similarly, the FDIC OIG has agreed to conduct an external quality control review on another office. A reviewing organization cannot be reviewed by an organization that it has reviewed during the 3-year cycle.
The FDIC OIG has its own strategic and annual planning processes independent of the Corporation's planning process, in keeping with the independent nature of the OIG's core mission. The Government Performance and Results Act of 1993 (GPRA) was enacted to improve the management, effectiveness, and accountability of federal programs. GPRA requires most federal agencies, including the FDIC, to develop a strategic plan that broadly defines the agency's mission and vision, an annual performance plan that translates the vision and goals of the strategic plan into measurable objectives, and an annual performance report that compares actual results against planned goals.
The OIG strongly supports GPRA and is fully committed to applying its principles of strategic planning and performance measurement and reporting to our operations. Doing so will enable us to focus energy on providing value to the Corporation and will help identify where changes are needed to improve organizational effectiveness and efficiency. The OIG Strategic Plan and Annual Performance Plan lay the basic foundation for establishing goals, measuring performance, and reporting accomplishments consistent with the principles and concepts of GPRA.
Unlike the FDIC, which reports on a calendar year basis, the OIG receives a separate appropriation based on the typical government fiscal year ending September 30. Therefore, our performance planning and reporting is done on a September 30 fiscal year cycle. The fiscal year cycle is also consistent with the semiannual reporting periods prescribed by the Inspector General Act.
Past OIG strategic and performance plans sought to define many goals and objectives in quantifiable terms. To act as a catalyst in determining how the OIG directs its work and manages its resources, the OIG developed a new strategic plan framework in 2006 that adds qualitative performance measures to a few key quantitative performance measures. Collectively, these measures will help to demonstrate the degree to which the OIG's work provides timely, quality service to the Chairman, the Congress, the banking industry, and the public. Additionally, the OIG will be capable of integrating its planning, budgeting, and performance reporting to show better the relationship between resource requests and desired performance levels.
As a corollary, the OIG recognizes that internal controls and systems are important components in the design and implementation of practices for accomplishing strategic and performance goals. Consequently, continuous assessments of risks and the internal controls in place to manage the risks are part of the OIG's business strategies.
IT has become an essential component of almost every OIG business process. It has been one factor in the OIG's ability to downsize staff by one-third since fiscal year 2003. As a component of the FDIC, the OIG receives and will continue to receive support and services offered throughout the Corporation. Where operational independence is necessary to ensure completion of the OIG mission, the OIG independently undertakes IT initiatives as needed. For instance, OIG staff are connected to the FDIC computer network and carry out day-to-day functions within the Corporation's firewall protections. In other areas, the OIG needs more independence. For example, we manage our own Internet site and content to ensure timely and complete dissemination of appropriate information.
The increasing capabilities of network administrators in the FDIC's system architecture necessitate certain security enhancements for OIG information within the network. After consultations with FDIC's DIT, the OIG will strengthen and enhance security and operational controls over network equipment and procedures to better protect OIG information.
The OIG also develops and maintains information systems that track the status of ongoing audits, evaluations, and investigations to help ensure the timeliness of our work and monitor our performance. With an updated planning, reporting, performance measurement, and budgeting process being planned, the supporting information systems need to be updated to integrate these business processes.
The OIG continuously looks for opportunities for improving our security, performance, and productivity with cost-effective computer equipment and software.
Office of Audits
The Office of Audits provides the FDIC with professional audit and related services covering the full range of its statutory and regulatory responsibility, including major programs and activities. These audits are designed to promote economy, efficiency, and effectiveness and to prevent fraud, waste, and abuse in corporate programs and operations. This office ensures the compliance of all OIG audit work with applicable audit standards, including those established by the Comptroller General of the United States. It may also conduct external peer reviews of other OIG offices, according to the cycle established by the PCIE.
The Office of Audits is organized into two primary Directorates: (1) Insurance, Supervision, and Receivership Management Audits and (2) Systems Management and Security Audits.
Office of Evaluations
The Office of Evaluations evaluates, reviews, studies, or analyzes FDIC programs and activities to provide independent, objective information to facilitate FDIC management decision-making and improve operations. Evaluation projects are conducted in accordance with the PCIE Quality Standards for Inspections. Evaluation projects are generally limited in scope and may be requested by the FDIC Board of Directors, FDIC management, or the Congress.
Office of Investigations
The Office of Investigations (OI) carries out a comprehensive nationwide program for the prevention, detection, and investigation of criminal or otherwise prohibited activity that may harm or threaten to harm the operations or integrity of the FDIC and its programs. OI maintains close and continuous working relationships with the U.S. Department of Justice; the Federal Bureau of Investigation; other Offices of Inspector General; and federal, state and local law enforcement agencies. OI coordinates closely with the FDIC's Division of Supervision and Consumer Protection in investigating fraud at financial institutions, and collaborates with the Division of Resolutions and Receiverships and the Legal Division in investigations involving failed institutions and fraud by FDIC debtors.
In addition to its two regional offices, OI operates an Electronic Crimes Unit and forensics laboratory in Washington, D.C. The Electronic Crimes Unit is responsible for conducting computer-related investigations impacting the FDIC and providing computer forensic support to OI investigations nationwide. OI also manages the OIG Hotline for employees, contractors, and others to report instances of suspected fraud, waste, abuse, and mismanagement within the FDIC and its contractor operations via a toll-free number or e-mail.
Office of Management and Congressional Relations
The Office of Management and Congressional Relations is the management operations arm of the OIG with responsibility for providing business support for the OIG, including financial resources, human resources, and IT support; strategic planning and performance measurement; internal controls; coordination of OIG reviews of FDIC proposed policy and directives; OIG policy development; and congressional relations.
Office of Counsel
The Office of Counsel to the Inspector General is responsible for providing independent legal services to the Inspector General and the managers and staff of the OIG. Its primary function is to provide legal advice and counseling and interpret the authorities of, and laws related to, the OIG. The Counsel's office also provides legal research and opinions; reviews audit and investigative reports for legal considerations; represents the OIG in personnel-related cases; coordinates the OIG's responses to requests and appeals made pursuant to the Freedom of Information Act and the Privacy Act; prepares Inspector General subpoenas for issuance; reviews draft FDIC regulations, draft FDIC and OIG policies, and proposed or existing legislation, and prepares comments when warranted; and coordinates with the FDIC Legal Division when necessary.
The table below summarizes the OIG's FY 2007 budgetary resources and the associated human capital resources in terms of full-time equivalent (FTE) positions by strategic goal.
The following table describes the sources for our performance data and how the data will be verified and validated.
This appendix presents a brief description of the audit and evaluation assignments that we plan to start in fiscal year 2007, including the assignment objective, background information, relevant prior coverage, known risks, and the estimated timeframes for starting and completing the work. The list of assignments is organized by the OIG's strategic goal so that stakeholders can clearly see how individual assignments support the OIG's business planning framework.
This listing reflects input we received from key stakeholders, including FDIC management and members of the Audit Committee, during the OIG's business planning process, as well as during other routine discussions that OIG representatives have had with FDIC officials. The dialogue with FDIC executives and managers together with the increased emphasis within our organization on planning is a critical part of our continuing efforts to identify those areas where the OIG can devote resources in the best interest of the Corporation and meet our responsibilities under the IG Act.
In addition to the list of assignments that we plan to start, a number of assignments started in Fiscal Year 2006 and will be completed during Fiscal Year 2007. We have included a list of those assignments on the last page of the Appendix. Our planning process is ongoing and dynamic, and we may alter the focus, timing, and selection of audits and evaluations to better respond to legislatively mandated priorities, congressional requests, emerging issues, FDIC corporate governance issues, and changing priorities within the FDIC.