U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Breadcrumb

Controls Over Payments to Outside Counsel

View Summary Announcement

Report Information

Publish Date
Report sub-type
Review
Report Number
REV-22-002

Unimplemented Recommendations

Analyze the data and reporting within ALIS to monitor the disallowances on OC invoices and OC non-compliance with the FDIC OC Deskbook requirements.

Develop and implement monitoring techniques to determine whether OAs are applying invoice payment authority appropriately and in accordance with the FDIC OC Deskbook.

Establish and implement a risk-based process to use ALIS data and results of the PPR Program to assess whether additional review of invoices paid during the PPR Program gap period is warranted.

Develop and issue planned guidance and reference materials for the invoice review and approval process, including but not limited to (1) block billing; (2) vague entries; (3) exceptions to the FDIC OC Deskbook requirements; and (4) the costs and supporting evidence for experts and professional service providers used by OC.

Develop and implement a process for documenting and tracking approved exceptions to the FDIC OC Deskbook requirements.

Revise and implement RMRG procedures to share the final results of independent post-payment reviews with OAs, Financial Specialists, Supervisory Attorneys, and Payment Supervisors and others involved in the invoice review process.

Text Alternative

This is the accessible text file for FDIC OIG report number REV-22-002 entitled 'Controls Over Payments to Outside Counsel'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

[FDIC OIG logo]

Controls Over Payments to Outside Counsel

March 2022

REV-22-002

Review Report

Audits, Evaluations, and Cyber

Integrity.Independence.Accuracy.Objectivity.Accountability

[FDIC OIG Logo]

Executive Summary

Controls Over Payments to Outside Counsel

The FDIC’s Legal Division relies on Outside Counsel (OC) to assist with legal matters. Over 3¼ years, between January 2018 and March 2021, the Legal Division paid approximately $94 million to OC. The Legal Division has established controls and systems to manage its contracts and the payments made to OC. The Legal Division has also implemented an independent Post-Payment Review (PPR) Program to assess OC conformance to Legal Division requirements.

Effective contract oversight strengthens prudent management of FDIC resources and ensures that the FDIC receives goods and services as contracted. The objective of this review was to determine whether the Legal Division’s review and oversight of payments to OC can be improved.

Results

We identified four areas in which the FDIC Legal Division can improve its review and oversight of payments to OC.

First, the FDIC Legal Division should improve its analysis of data to monitor and assess the effectiveness of program controls for reviewing invoices received from OC. For example, we found that the FDIC does not analyze data to evaluate trends associated with the nature and type of disallowances identified during invoice reviews. The analysis of data can help identify anomalies and common areas of non-compliance across firms, so that the FDIC Legal Division can take steps to improve its oversight and compliance by OC.

Second, the FDIC Legal Division should enhance its policies and procedures by adding specific guidance in certain areas in order to ensure the consistent interpretation and applications of its requirements. For example, the Legal Division should improve guidance for its personnel to determine whether OC invoices adequately document and support the services of experts and other professional service providers retained by OC.

Third, the FDIC Legal Division should communicate the results of the PPR Program with those involved in reviewing and approving OC invoices to improve their understanding of requirements and identify areas where revised guidance is needed.

Lastly, the FDIC Legal Division should complete its training to all FDIC personnel responsible for the review and approval process for OC invoices to ensure requirements are consistently understood among existing staff and new hires.

Recommendations

The report includes eight recommendations designed to improve the FDIC Legal Division’s review and approval of payments to OC, ensure consistency and conformance to the FDIC’s procedural requirements, and promote the FDIC efforts to reduce and recover disallowed costs. The FDIC concurred with all eight recommendations in this report. The FDIC plans to complete corrective action by March 31, 2023.

Contents

BACKGROUND

REVIEW RESULTS

The FDIC’s Legal Division Should Enhance Its Analysis of Data to Assess Program Effectiveness

The FDIC’s Legal Division Should Improve Its Guidance for Invoice Review and Approval Processes

The FDIC’s Legal Division Should Share Feedback on Post-Payment Review Program Results

The FDIC’s Legal Division Should Provide Training on the Invoice Review and Approval Process

FDIC COMMENTS AND OIG EVALUATION

APPENDICES

1. Objective, Scope, and Methodology

2. Acronyms and Abbreviations

3. FDIC Comments

4. Summary of the FDIC’s Corrective Actions

TABLE

Analysis of PPR Program Results and Invoices Paid During Gap Period

[FDIC OIG Letterhead, FDIC OIG Logo, Federal Deposit Insurance Corporation Office of Inspector General Audits, Evaluations, and Cyber]

March 16, 2022

Subject | Controls Over Payments to Outside Counsel

The FDIC’s Legal Division relies on Outside Counsel (OC) to assist with legal matters. Between January 2018 and March 2021 the Legal Division paid approximately $94 million to OC to support the FDIC’s interests in legal matters.

The FDIC’s Board of Directors delegated contracting authority to the Legal Division for the services of OC. The FDIC Legal Division’s contracting authority is separate from that of the FDIC Division of Administration’s (DOA) Acquisition Services Branch. The FDIC Legal Division has developed its own policies, procedures, and a system to manage and oversee OC legal services and associated payments, and these policies, procedures, and system are distinct from those of DOA.

In 1998 and 1999, the FDIC OIG published a series of 64 audits of legal fees and expenses paid by the FDIC with findings that identified disallowed or unsupported costs.1 These OIG audits identified more than $12 million in questioned costs at the FDIC and recommended their recovery from OC. As a result and in response to the findings in these audits, the Legal Division established its Post-Payment Review (PPR) Program in 1999.2

Footnote: 1 -The Inspector General Act of 1978, as amended, defines the term questioned cost as a cost identified due to (1) an alleged violation of a provision of a law, regulation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; (2) a finding that, at the time of the audit, such cost is not supported by adequate documentation; or (3) a finding that the expenditure of funds for the intended purpose is unnecessary or unreasonable. An unsupported cost is a cost that is questioned because the auditors found at the time of the audit the cost was not supported by adequate documentation. A disallowed cost is a questioned cost that management has sustained or agreed should not be charged to the government. 5 U.S.C. app. § 5(f)(1)-(3).

Footnote: 2 - In 1998 and 1999, the FDIC OIG issued 64 audits examining the FDIC’s processing of legal fees. See reports and summaries at https://www.fdicoig.gov/audits-and-evaluations-0?page=13&year=archive.

We initiated this review due to the FDIC’s reliance on OC, the significant amount of payments to OC, and the importance of effective contract oversight activities. The objective of this review was to determine whether the Legal Division’s review and oversight of payments to Outside Counsel can be improved.3 Appendix 1 contains information regarding the objective, scope, and methodology.

Footnote: 3 - We conducted the review in accordance with the Council of Inspectors General on Integrity and Efficiency Quality Standards for Federal Offices of Inspector General and adhered to the professional standards of independence, due professional care, and quality assurance.

BACKGROUND

The FDIC enters into Legal Services Agreements (LSA) with OC before they conduct work. Under the terms of the LSA, the OC’s work must comply with the policies, requirements, practices, and procedures reflected in the FDIC Legal Division guidance entitled, FDIC Outside Counsel Deskbook (FDIC OC Deskbook). The FDIC OC Deskbook is incorporated into the LSA and contains the FDIC’s requirements for allowable billing practices. The FDIC’s Legal Division maintains a list of OCs available to the FDIC, oversees all LSAs, and maintains the FDIC OC Deskbook, including any necessary revisions.

The Legal Division assigns an Oversight Attorney (OA) for each legal matter. The OA is responsible for managing all legal assignments and litigation, including matters referred to OC. The OA determines whether to hire OC to assist in the matter. If an OC is retained, the FDIC Legal Division issues a referral letter that identifies the specific services requested.4 The OA must approve the case plan and budget before the OC can begin working on a matter.5 The case plan explains how the firm anticipates accomplishing the work for which it has been retained and the budget shows the anticipated cost to the FDIC, including all professional fees and expenses. The budget provides the OA with information to establish financial expectations and controls costs.

Footnote: 4 - The referral letter includes a requirement for the OC to follow the FDIC OC Deskbook.

Footnote: 5 - The FDIC OC Deskbook provides an exception to this requirement in cases of extreme urgency.

When an OC submits an invoice electronically into the Advanced Legal Information System (ALIS),6 or an FDIC Legal Division staff manually enters an invoice into ALIS, the legal fee invoice process begins which involves several steps as described below.7

Footnote: 6 - ALIS is an enterprise application designed to assist Legal Division managers, supervisors, attorneys and support staff in managing Legal Division matters. ALIS supports the creation, management, review, and tracking of legal matters, legal invoices, and corporate legal activities on a web-based system accessible through the FDIC intranet.

Footnote: 7 - According to the FDIC OC Deskbook, OC must bill on a monthly basis.

Automated Checks Within ALIS. Invoices entered into ALIS are subject to application controls. For example, ALIS identifies whether an invoice exceeds 100 percent of the budget threshold for the matter and, if so, automatically rejects the invoice. ALIS also checks for duplicate invoices, duplicate line items, overlapping billing periods, and verifies that OC billing rates align with the LSA.

Financial Specialist Review. Financial Specialists are responsible for reviewing the OC’s expenses to ensure the expenses are allowable, properly supported, and consistent with the LSA and the FDIC OC Deskbook requirements.

Oversight Attorney Review. OAs work with OC on assigned matters and review OC invoices to determine whether the fees and expenses charged conform to the provisions of the FDIC OC Deskbook. They review and adjust, approve, or reject invoices for payment. OAs may approve invoices up to a $25,000 threshold, and approval of invoices for payment within their delegated authority is not subject to review by a Supervisory Attorney.8

Footnote: 8 - The Legal Division updated the authority given to the OAs for approving invoices for payment on July 31, 2020. The new tiered system increased OA payment approval thresholds not requiring supervisory review from a standard amount of $5,000 per invoice to between $10,000 and $25,000 per invoice. The approval amount per invoice depends on the OA’s experience level. Corporate Grade (CG) Attorney 12, up to $10,000; CG-13, up to $15,000; CG-14, up to $15,000 and CG-15, up to $25,000.

Supervisory Attorney Review. Supervisory Attorneys conduct secondary level reviews and approvals over invoices that exceed the OA’s delegated payment authority (from $10,000 to $25,000 depending on the OA’s level of experience).

Payment Supervisor Review. Payment Supervisors in the Legal Division perform a final invoice review, which includes a second level review to verify whether the invoice is within budget and in agreement with the rates in the LSA. Once the Payment Supervisor’s review is complete, the invoice is submitted to the FDIC’s Division of Finance for payment.

Post-Payment Review Program. The FDIC Legal Division also maintains a Risk Management and Records Group (RMRG), which manages the Post-Payment Review (PPR) Program. The PPR Program monitors payments to OC to ensure that OC comply with the FDIC OC Deskbook and all other contractual obligations.9 The Legal Division Directive 5220.2 Post-Payment Review Program (September 2009) describes the PPR Program. RMRG attorneys conduct the post-payment reviews and are familiar with the Legal Division’s Directives and the FDIC OC Deskbook.

Footnote: 9 - The PPR Program‘s objective is to determine whether the invoices submitted by the law firms are: (1) adequately supported by source documentation, (2) prepared in accordance with the applicable LSA, and (3) representative of the cost of services and litigation previously approved by the Legal Division. The OIG previously performed a similar review function, which was used to correct and recover OC improperly submitted invoices.

The RMRG attorneys audit all invoices paid to select OC during a specific period to ensure the fees and expenses are reasonable and consistent with the standards and requirements set forth in the FDIC OC Deskbook. The RMRG process is independent from the reviews conducted by the OAs, Financial Specialists, Supervisory Attorneys, or Payment Supervisors. The RMRG post-payment reviews also assess OC against the FDIC’s diversity goals and information security requirements. The RMRG formalizes its results of a post-payment review, including any findings, recommended disallowances, and subsequent recoveries into a report that is provided to the OC.

REVIEW RESULTS

The FDIC Legal Division should improve its review and oversight of payments to OC in four areas: (1) increasing the analysis of FDIC data; (2) providing clear guidance in specific areas; (3) sharing results of post-payment reviews with those involved in the invoice review process; and (4) providing a periodic training program to reinforce expectations and requirements.

The FDIC’s Legal Division Should Enhance Its Analysis of Data to Assess Program Effectiveness

The FDIC Legal Division should enhance its analysis of data to monitor and assess the effectiveness of program controls related to its review of OC invoices. Government Accountability Office (GAO) Standards for Internal Control in the Federal Government (GAO Internal Control Standards) support the collection and analysis of information to monitor the effectiveness of internal controls and achieve performance objectives.10 The GAO Internal Control Standards state that management should use quality information11 to achieve the entity’s objectives. GAO Internal Control Standards suggest ongoing monitoring, evaluations, or a combination of the two to obtain reasonable assurance of the operating effectiveness of the organization’s internal controls.

Footnote: 10 - GAO, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014).

Footnote: 11 - Management should obtain relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.

The FDIC Legal Division maintains OC contract and invoice-related data within ALIS. However, the Legal Services and Special Contracts Group (LSSCG), within the FDIC’s Legal Division, does not use ALIS to monitor the nature, type, and significance of disallowances identified by OAs or Financial Specialists as part of the invoice review process. The LSSCG uses the reports from ALIS only for purposes to monitor contract administration.

Data from the invoice review process within ALIS could be used by the FDIC Legal Division to identify OC with repeat disallowances or other non-compliance with the FDIC OC Deskbook requirements. For example, the data within ALIS could be used to identify common types of disallowances that may indicate the need for clarification in the FDIC OC Deskbook or the need for additional training. As discussed further below, our review of PPR Program reports and OC invoice submissions found trends related to block billing, vague entries, and the invoices of third-party experts that indicate a need for additional guidance. Analysis of the data in ALIS could also help the FDIC Legal Division to analyze and assess whether the delegation thresholds for OAs are appropriate.

Further, the FDIC Legal Division should use ALIS data and the results of its post-payment reviews to assess whether invoices submitted by OC that were not assessed as part of the post-payment reviews require additional review. While a post-payment review is underway, the OC continues to submit invoices for work performed. We determined that, on average, there was a gap of 2.4 years between the date of the last invoice selected for review by the PPR Program team and the date that the RMRG issued its results – referred to as the PPR Program gap period.12 As described below, ALIS data could be used to determine whether the review of additional invoices submitted during the gap period is warranted to seek additional recoveries.

Footnote: 12 According to Legal Division officials, some PPR Program reviews are delayed at the request of OC because of ongoing litigation work for the FDIC and the resources needed to respond to PPR Program information requests.

For example, the FDIC could apply the rate of recovery from the PPR Program Review to the invoices paid during the gap period. The Table below illustrates the results of this type of analysis for six post-payment reviews conducted in 2021. According to information in ALIS, the FDIC paid $4.34 million to these six OC firms during the PPR Program gap period. We are not suggesting that the FDIC should recover these amounts from these firms. Rather, we are providing an example of the type of analysis that could help the FDIC determine whether additional review of a particular firm is warranted.

Footnote: 12 According to Legal Division officials, some PPR Program reviews are delayed at the request of OC because of ongoing litigation work for the FDIC and the resources needed to respond to PPR Program information requests.

[Table]

Table: Analysis of PPR Program Results and Invoices Paid During Gap Period

Table header: Column 1: OC; Column 2: Invoice Amounts Reviewed; Column 3: Amounts Recovered; Column 4: Rate Recovered from OC Based on PPR Program Results; Column 5: Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21); Column 6: Potential Additional Recovery (Assumes Original Recovery Rate)

Row 1; OC: 1; Invoice Amounts Reviewed: $931,992; Amounts Recovered: $22,605; Rate Recovered from OC Based on PPR Program Results: 2.4%; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21):$414,616; Potential Additional Recovery (Assumes Original Recovery Rate): $10,056.

Row 2; OC: 2; Invoice Amounts Reviewed: $807,736; Amounts Recovered: $1,930; Rate Recovered from OC Based on PPR Program Results: 0.2%; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21): $108,610; Potential Additional Recovery (Assumes Original Recovery Rate): $260.

Row 3; OC: 3; Invoice Amounts Reviewed: $1,584,151; Amounts Recovered: $16,079; Rate Recovered from OC Based on PPR Program Results: 1.0%; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21): $1,796,530; Potential Additional Recovery (Assumes Original Recovery Rate): $18,235.

Row 4; OC: 4; Invoice Amount Reviewed: $1,365,052; Amounts Recovered: $4,111; Rate Recovered from OC Based on PPR Program Results: 0.3%; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21): $736,338; Potential Additional Recovery (Assumes Original Recovery Rate: $2,217.

Row 5; OC: 5; Invoice Amounts Reviewed: $636,950; Amounts Recovered: $21,273; Rate Recovered from OC Based on PPR Program Results: 3.3%; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21): $236,990; Potential Additional Recovery (Assumes Original Recovery Rate): $7,915.

Row 6; OC: 6; Invoice Amounts Reviewed: $639,071; Amounts Recovered: $10,714; Rate Recovered from OC Based on PPR Program Results: 1.7%; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21): $1,048,949; Potential Additional Recovery (Assumes Original Recovery Rate): 17,586.

Row 7; Totals; Invoices Paid by the Legal Division During the PPR Program Gap Period (1/1/19 to 6/30/21): $4,342,034; Potential Additional Recovery (Assumes Original Recovery Rate): $56,269.

Source: OIG analysis of PPR Program results and invoices paid during the PPR Program gap period.

[End of table]

Absent improved monitoring techniques and reports, the Legal Division has limited ability to identify common trends and proactively address common risks, weaknesses, or reoccurring disallowances. In addition, it may use such techniques and reports to reinforce conformance to the FDIC OC Deskbook by both OC and individuals within the Legal Division responsible for the review and payment of OC invoices.

We recommend that the FDIC General Counsel:

1. Analyze the data and reporting within ALIS to monitor the disallowances on OC invoices and OC non-compliance with the FDIC OC Deskbook requirements.

2. Use the data and reporting within ALIS to provide feedback to OC regarding non-compliance or to address a lack of clarity in the FDIC OC Deskbook.

3. Develop and implement monitoring techniques to determine whether OAs are applying invoice payment authority appropriately and in accordance with the FDIC OC Deskbook.

4. Establish and implement a risk-based process to use ALIS data and results of the PPR Program to assess whether additional review of invoices paid during the PPR Program gap period is warranted.

The FDIC’s Legal Division Should Improve Its Guidance for Invoice Review and Approval Processes

The FDIC Legal Division should improve guidance for reviewing and approving OC invoices. According to the GAO Internal Control Standards management should communicate its policies and procedures so that personnel can implement the control activities for their assigned responsibilities. Management also should periodically review its policies, procedures, and related control activities for continued relevance and effectiveness in achieving the entity’s objectives or addressing related risks.

The FDIC Legal Division has established policies and procedures for the review and approval of OC invoices. We found that the FDIC OC Deskbook, which serves as the primary criteria for the invoice review process, lacks specificity in certain important areas. We determined that the FDIC OC Deskbook should provide additional guidance and examples to (1) assess block billing and vague entries;13 (2) document exceptions to the FDIC OC Deskbook requirements; and (3) review third-party invoices. The FDIC Legal Division should also ensure the consistent interpretation and application of these requirements.

Footnote: 13 - According to the FDIC OC Deskbook, a vague entry does not provide sufficient information about the service provided by the OC on the invoice. A block or mixed time entry (block billing) includes more than one task in the same entry, so that the time spent on each task is not recorded.

Block Billing and Vague Entries

The FDIC OC Deskbook states that:

Time billed for each fee or expense should be identified separately. Do not combine different types of activities in one entry on the E-invoice. 'Block billing' of fees is not acceptable, even if the same individual performed the activities, except for multiple, related activities for which only a small amount of time (no more than 30 minutes) is expended.

Further, the FDIC OC Deskbook supports that vague entries for invoices are not permitted and states that “[t]he description of the service provided should be brief and informative.”

Individuals reviewing OC invoices (such as OAs, Financial Specialists, Supervisory Attorneys, and Payment Supervisors) must determine whether an invoice includes vague entries or block billing and whether to disallow the invoice entries. While vague entries and block-billing are prohibited, determining what constitutes a vague entry or block-billing is subjective and open to interpretation. For example, one paid OC invoice contained multiple supporting invoices for the services of third-party experts and consultants. These supporting invoices contained varying degrees of detail and time allocations associated to loan underwriting concurrence reviews. One supporting invoice described the service as merely “concurrence reviews” with no additional detail.

OAs working with OC on legal matters may be informed of OC activities and conclude that the OC invoices contain sufficient detail and separation of activities while an independent reviewer would not. The FDIC OC Deskbook lacks clarity and provides only limited guidance and examples in these areas for what constitutes acceptable invoicing practices. This could lead to inconsistencies in the treatment of OC invoices and determinations on disallowances by Legal Division staff and ultimately questioned costs.

Our reviews of PPR Program reports determined that block-billing and vague entries are the two most common areas for disallowance in OC invoices. It is important for the FDIC to issue specific guidance with examples on how to identify and correct vague entries and block-billing in invoices. Without sufficient guidance and examples, there is a risk of inconsistent interpretations by Legal Division officials, resulting in approvals that are inconsistent with the Legal Division’s requirements. For example, as described in detail below, our review of payments to OC found that some invoices from third-party experts contained block-billing and vague entries and were not rejected by Legal Division officials.

Exceptions to FDIC OC Deskbook Requirements

According to the FDIC OC Deskbook, the FDIC will only pay reasonable costs for services rendered or supplies provided in the course of representation. It further states that:

ANY EXCEPTIONS OR QUESTIONS ABOUT INVOICING, FEES, AND EXPENSE REQUIREMENTS FOR SUBCONTRACTED PROFESSIONALS SHOULD BE RESOLVED AND DOCUMENTED BETWEEN OUTSIDE COUNSEL AND THE FDIC BEFORE EXPENSES ARE INCURRED.

The FDIC OC Deskbook clarifies that “[a]bsent express FDIC Legal Division permission, experts and other professional service providers may only be compensated for fees and expenses in accordance with the requirements of this [FDIC OC Deskbook].”

Although the FDIC OC Deskbook allows exceptions to requirements, the FDIC Legal Division has not established a process for documenting exceptions in its policies and procedures. Absent improved guidance and a formalized process for documenting exceptions to the FDIC OC Deskbook, FDIC personnel (OAs, Financial Specialists, Supervisory Attorneys, and Payment Supervisors) cannot effectively determine whether the rationale or justification for the exception conforms to the Legal Division’s requirements.

Third-Party Invoices

According to the FDIC OC Deskbook:

From time to time, it may be necessary for Outside Counsel to engage the services of other professionals [third-parties], for example, experts, local counsel, consultants, etc. Absent express FDIC Legal Division permission, experts and other professional service providers may only be compensated for fees and expenses in accordance with the requirements of [the FDIC OC Deskbook]. . . . Outside Counsel should document in writing with subcontracted professionals that they will comply with the billing and expense requirements in the [FDIC OC Deskbook].

We found Legal Division officials did not consistently enforce the requirements of the FDIC OC Deskbook for the fees and expenses of third-party experts. OAs explained that OC hire third-party experts to assist in legal cases and the description of an expert’s work is commonly described at a high-level within the invoice. According to the OAs, this is because providing detailed information could potentially be used to challenge the expert’s conclusions if information is obtained through the legal discovery process. Nevertheless, OC are responsible for ensuring that third-parties follow the FDIC OC Deskbook, and the prohibition of block billing and vague entries is extended to experts. Without a written justification to waive the requirements, the OAs should have enforced the FDIC OC Deskbook.

In discussing these requirements with the OAs, we determined that OAs generally did not have a consistent understanding of their responsibilities when reviewing third-party expert invoices and were not clear on the process for documenting waivers. For example, we reviewed one OC invoice that included fees for services of an expert witness retained by the OC to perform loan underwriting concurrence reviews. The expert billed for “concurrence reviews”. The invoice was not clear on how many loan concurrence reviews the expert performed or the duration of time spent on each loan reviewed. This invoice met the FDIC OC Deskbook definitions of block billing and vague entries.

However, the OA responsible for reviewing the invoice approved the payment for these fees. The OA incorrectly believed that expert witnesses were not subject to the same billing description standards in the FDIC OC Deskbook applicable to OC. Further, the OA incorrectly believed it was not his responsibility to ensure the expert billed for its services in accordance with the FDIC OC Deskbook because the expert was directly retained by the OC. This understanding by the OA was shared by other OAs and Supervisory Attorneys we interviewed.

Financial Specialists also expressed the need for clearer guidance over the reviews for third-party fees and expenses. Without sufficient guidance and clarification on the expectations over third-party invoices, the Legal Division cannot ensure that payments to OC are made in a consistent and appropriate manner.

Legal Division officials stated that they are developing additional internal guidance for Legal Division staff that will supplement the FDIC OC Deskbook. This revised guidance will provide those involved in Legal Division contracting and invoice review processes additional reference materials and checklists to ensure consistency. Legal Division officials estimate the guidance will be completed by June 2022.

We recommend that the FDIC General Counsel:

5. Develop and issue planned guidance and reference materials for the invoice review and approval process, including but not limited to (1) block billing; (2) vague entries; (3) exceptions to the FDIC OC Deskbook requirements; and (4) the costs and supporting evidence for experts and professional service providers used by OC.

6. Develop and implement a process for documenting and tracking approved exceptions to the FDIC OC Deskbook requirements.

The FDIC’s Legal Division Should Share Feedback on Post-Payment Review Program Results

The FDIC Legal Division should provide regular feedback on the results of the post-payment reviews to the LSSCG and Legal Division personnel responsible for reviewing and approving OC invoices. GAO Internal Control Standards state that management should internally communicate the necessary quality information to achieve the entity’s objectives. The standards also state that management should communicate quality information to enable personnel to perform key roles in achieving objectives, addressing risks, and supporting the internal control system.

During the post-payment review process, RMRG identifies disallowed costs and secures recoveries from OC. Sharing the results of the post-payment reviews would provide an opportunity to improve invoice reviews conducted by Legal Division personnel. Sharing the results would enhance Legal Division personnel’s understanding of the issues identified during post-payment reviews so that they can focus attention on similar issues when reviewing invoices. Further, it would improve consistency in the application of the FDIC OC Deskbook requirements by Legal Division personnel. Over 3½ years, between January 2018 and June 2021, RMRG completed 23 post-payment reviews and identified disallowed costs totaling $540,673. Based on our review of selected reports and interviews with RMRG officials, the two most common sources of disallowed costs included block billing and vague entries.

However, RMRG personnel have not routinely shared their PPR Program results internally with Financial Specialists, OAs, Supervisory Counsel, or the LSSCG. RMRG’s policy and procedures for the PPR Program, including the Legal Division’s Directive 5220.2, Post-Payment Review Program, (September 2009) and the Post Payment Review Manual (2020), do not include roles, responsibilities, or processes for sharing PPR Program results internally to improve the Legal Division’s operations.

Legal Division officials responsible for the invoice payment review and approval process, including Financial Specialists, OAs, and Supervisory Attorneys consistently acknowledged that receiving feedback on PPR Program findings would be beneficial and improve their review and approval of OC invoices. Without such feedback on PPR Program results, Legal Division personnel may continue to approve invoice payments that do not conform to the Legal Division’s requirements.

We recommend that the General Counsel:

7. Revise and implement RMRG procedures to share the final results of independent post-payment reviews with OAs, Financial Specialists, Supervisory Attorneys, and Payment Supervisors and others involved in the invoice review process.

The FDIC’s Legal Division Should Provide Training on the Invoice Review and Approval Process

The FDIC Legal Division should train individuals involved in the review and approval of OC legal fee invoices. According to GAO Internal Control Standards, “[o]nly when personnel are provided the right training, tools, structure, incentives, and responsibilities, is operational success possible.” Training should be “aimed at developing and retaining employee knowledge, skills, and abilities to meet changing organizational needs.”

During the course of our review, the FDIC Legal Division developed training detailing the roles and responsibilities in the legal billing review process, the increased payment authority for OAs, invoice review and approval in ALIS, reference materials, and the RMRG PPR Program. According to Legal Division officials, this training had been provided to most of the Legal Division’s litigation staff, but not more broadly to all parties that use the FDIC OC Deskbook and review and approve OC invoices for payment.

Regular training is needed to ensure requirements are consistently understood among existing staff and new hires. As of October 6, 2021, there were 185 Legal Division personnel involved in the review and approval of legal invoices. Of that figure, only 52 individuals (28 percent) had received the Legal Division training and 133 individuals (72 percent) had not.

Until training is provided to all responsible Legal Division staff, there is an increased risk that Legal Division officials will apply different interpretations of guidance and approve payments that are not compliant with the Legal Division’s requirements and intent. In addition, existing and new staff may not be aware of the full scope of their responsibilities, the role of the PPR Program, and the importance of its results.

We recommend that the FDIC General Counsel:

8. Update and provide regular and ongoing training related to (1) legal fee invoice review requirements and (2) the PPR Program, its purpose, and its results; for all staff involved in the legal fee bill process including Oversight Attorneys, Financial Specialists, Supervisory Attorneys, and Payment Supervisors.

FDIC COMMENTS AND OIG EVALUATION

On March 10, 2022, FDIC Management provided a written response to a draft of this report. The response is presented in its entirety in Appendix 3. In its response, FDIC Management stated that the FDIC Legal Division regularly makes enhancements to its oversight program for OC and that its planned corrective actions to the OIG recommendations in this report will dovetail with these ongoing efforts and aid the Legal Division in implementing and maintaining strong and effective internal controls.

In its response, FDIC Management concurred with all eight recommendations in this report and proposed corrective actions that were sufficient to address the recommendations. Therefore, we consider these eight recommendations to be resolved. The recommendations will remain open until we confirm that corrective actions have been implemented and are satisfied that the actions are responsive. A summary of the FDIC’s corrective actions is contained in Appendix 4.

Appendix 1

Objective, Scope, and Methodology

Objective

The review objective was to determine whether the Legal Division’s review and oversight of payments to Outside Counsel (OC) can be improved.

We performed our work remotely as a result of the Coronavirus Disease 2019 (COVID-19) pandemic from June 2021 through November 2021. This review was performed in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Federal Offices of Inspector General (Silver Book). These quality standards, as contained in the Pandemic Response Accountability Committee Agile Products Toolkit, include independence, analysis, evidence review, indexing and referencing, legal review, and supervision.

Scope and Methodology

Our scope included the Legal Division’s current OC invoice review and approval process and Post-Payment Review (PPR) Program activities from January 1, 2018 through June 30, 2021.

Methodology

To address our evaluation objective we:

• Reviewed a sample of prior Outside Counsel legal invoice review reports issued by our Office;

• Attended a walk-through of ALIS, evaluated key system documentation, reports, and examples of paid invoices;

• Interviewed FDIC officials responsible for the review and approval of legal invoices, including Financial Specialists, Oversight Attorneys, Supervisory Attorneys, and a Payment Supervisor, as well as individuals within the Risk Management and Resource Group (RMRG) to obtain a general understanding of legal invoices, roles and responsibilities related to the invoice approval process, and the PPR Program;

• Reviewed PPR Program results since January 1, 2021 and assessed whether OC submitted additional invoices that were not subject to PPR program review;

• Selected a judgmental sample of four PPR Program reports to determine whether Outside Counsel billing practices improved over time;

• Identified and assessed controls over the Legal Division’s review and approval of Outside Counsel invoice review and payment processes;

• Reviewed and analyzed PPR Program reports and findings issued by RMRG;

• Reviewed a sample Legal Services Agreement invoice to assess the FDIC OC Deskbook requirements; and

• Reviewed and analyzed available data related to invoice submissions from Outside Counsel and associated disallowances.

We also reviewed the following FDIC policies, guidance, and other information related to the invoice review and payment process:

• Directive 5200.7 FDIC Legal Division Electronic Billing Program, October 7, 2009;

• Directive 5220.2 - Post-Payment Review Program, September 11, 2009;

• Post Payment Review Manual, 2020;

• FDIC OC Deskbook;

• Process flow diagram provided by the Legal Division; and

• Terms of the Legal Services Agreement.

Appendix 2

Acronyms and Abbreviations

ALIS - Advanced Legal Information System

DOA - Division of Administration

FDIC - Federal Deposit Insurance Corporation

GAO - U.S. Government Accountability Office

GAO Internal Control Standards - Standards for Internal Control in the Federal Government

LSA - Legal Services Agreement

LSSCG - Legal Services and Special Contracts Group

OA - Oversight Attorney

OC - Outside Counsel

FDIC OC Deskbook - Federal Deposit Insurance Corporation Outside Counsel Deskbook OIG - Office of Inspector General

PPR - Post-Payment Review

RMRG - Risk Management and Records Group

Appendix 3

FDIC Comments

MEMO

TO: Terry L. Gibson Assistant Inspector General for Audits, Evaluations, and Cyber

FROM: Harrel M. Pettway General Counsel

DATE: March 10, 2022

RE: Management Response to the OIG Draft Audit Report, Controls Over Payments to Outside Counsel (No. 2021-008)

The FDIC welcomes the opportunity to respond to the Office of Inspector General’s (OIG) draft report Controls Over Payments to Outside Counsel, issued on February 24, 2022. The FDIC Legal Division has over two decades of experience executing a robust internal supervisory program with policies, procedures, and active oversight of the utilization of outside counsel, including payments that are made to law firms. The FDIC appreciates the recognition from the OIG as to the significant controls that the Legal Division already had in place, prior to the commencement of the audit, for payments made to outside counsel.

As the Report indicates, the Legal Division employs a multi-layer program of controls, with financial specialists, payment supervisors, oversight attorneys, supervisory attorneys, and post-payment reviews all examining the fee bills received from outside counsel. During the previous ten years the Legal Division performed 81 audits of law firms, some multiple times, and recovered over $1.7 million in disallowed fees that were inconsistent with Outside Counsel Deskbook (OC Deskbook) standards.

The Legal Division is committed to ensuring that its utilization of outside counsel remains exemplary and a model for how the contracting function can operate in an efficient and cost-effective manner.

Management Response to the Recommendations

The FDIC Legal Division regularly makes enhancements to its oversight program for outside counsel, including regularly updating and adjusting the OC Deskbook. The planned corrective actions detailed below in response to the OIG recommendations will dovetail with these ongoing efforts and aid the Legal Division in implementing and maintaining strong and effective internal controls over payments made to outside counsel.

Recommendation 1: We recommend that the FDIC General Counsel analyze the data and reporting within ALIS to monitor the disallowances on OC invoices and OC non-compliance with the FDIC OC Deskbook requirements.

• Management Decision: Concur

• Planned Action: ALIS currently has an Invoice Adjustments report that captures all invoices with any line item adjustments on it which includes the invoice number, the line item adjustment amount, the reason code, and the external comments where the justification for the non-compliance adjustment is entered by the individual who made the adjustment. The Legal Information Technology Unit (LITU) plans to develop a trend analysis report out of ALIS that will track, monthly and year to date, the line item adjustment amounts and the fees and expense codes to monitor the types of adjustments made, and how much adjustments are made to a particular fees/expense code. These reports will be made available to any ALIS user who oversees Outside Counsel for case management purposes. The Legal Services and Special Contracts Group (LSSCG) will address any trends revealed in the reports by making changes and updates to the OC Deskbook as required under the circumstances.

• Estimated Completion Date: Development and testing of the trend analysis report will be completed by September 30, 2022. Initial analysis of the report by LSSCG will be completed by December 31, 2022. Any needed revisions to the OC Deskbook and internal guidance will be completed and published within 90 days following the completion of the analysis by LSSCG or by March 31, 2023, whichever is earlier.

Recommendation 2: We recommend that the FDIC General Counsel use the data and reporting within ALIS to provide feedback to OC regarding non-compliance or to address a lack of clarity in the FDIC OC Deskbook.

• Management Decision: Concur

• Planned Action: The feedback to Outside Counsel regarding non-compliance currently exists in the Legal Division’s processing of invoice payments to Outside Counsel. When an invoice is paid, the Outside Counsel firm receives an email with details of any adjustments made to the invoice including the adjusted amount and the external comments where the justification for the non-compliance adjustment is entered by the individual who made the adjustment. In addition, ebilling firms also have access to a report in Sharedoc (the ebilling application that is used to submit and track invoice statuses) that provides the line item invoice adjustments with the justification. LSSCG, the Risk Management and Records Group (RMRG), and the Systems Group work closely together to address any lack of clarity in the OC Deskbook and internal guidance on an ongoing basis. LSSCG will revise the OC Deskbook to emphasize to Outside Counsel the availability and importance of the report in Sharedoc for ebilling firms and the email notification of payment information when invoices are paid for paper billing firms.

• Estimated Completion Date: Feedback to Outside Counsel is currently provided on a monthly basis. LSSCG will revise the OC Deskbook to emphasize to Outside Counsel the availability and importance of the report by June 30, 2022.

Recommendation 3: We recommend that the FDIC General Counsel develop and implement monitoring techniques to determine whether OAs are applying invoice payment authority appropriately and in accordance with the FDIC OC Deskbook.

• Management Decision: Concur

• Planned Action: The payment approval authority for OA’s already exists in ALIS. All attorneys start with zero dollar approval authority. When LITU receives an email from a supervisory attorney providing the name, grade, and approval authority amount for an OA, only then will the OA be given that approval authority in ALIS. The current approval authority levels are as follows: CG-12, $10,000; CG-13 and 14, $15,000; and CG-15, $25,000. Current Legal Division Delegations of Authority for Legal Services were effective on July 31, 2020. LITU will generate reports on an annual basis comparing the number of fee bills out of the total that are reviewed by Delegated Authority before July 31, 2020 and after that date. LSSCG will report the identified trends to Legal Division management on an annual basis.

• Estimated Completion Date: First annual report – August 31, 2022.

Recommendation 4: We recommend that the FDIC General Counsel establish and implement a risk-based process to use ALIS data and results of the PPR Program to assess whether additional review of invoices paid during the PPR Program gap period is warranted.

• Management Decision: Concur

• Planned Action: The Legal Division will establish and implement a process to use ALIS data and PPR Program results to assess whether a firm has submitted invoices with a significant or unusually high rate of errors that warrants additional review of invoices paid during the PPR Program gap period.

• Estimated Completion Date: December 31, 2022

Recommendation 5: We recommend that the FDIC General Counsel develop and issue planned guidance and reference materials for the invoice review and approval process, including but not limited to (1) block billing; (2) vague entries; (3) exceptions to the FDIC OC Deskbook requirements; and (4) the costs and supporting evidence for experts and professional service providers used by OC.

• Management Decision: Concur

• Planned Action: As part of the process of updating the OC Deskbook and drafting internal guidance for the Legal Division, LSSCG will incorporate additional instructions and examples addressing those issues into the OC Deskbook, internal guidance, and training materials. This will require draft review and input from Oversight Attorneys and their Supervisors.

• Estimated Completion Date: Initial revisions of the OC Deskbook and publication of internal guidance will be completed by September 30, 2022. Revision of training materials will be completed by December 31, 2022.

Recommendation 6: We recommend that the FDIC General Counsel develop and implement a process for documenting and tracking approved exceptions to the FDIC OC Deskbook requirements.

• Management Decision: Concur

• Planned Action: The approved exceptions currently exist in ALIS. The Oversight Attorney and Delegated Authority have the ability to reject any adjustment made in ALIS and those rejections are captured in ALIS. If a rejection of an adjustment is made, ALIS requires the user to enter a “Rejected Reason.” This information is captured in ALIS. “Blanket” exceptions identified through usage will be addressed in the OC Deskbook and internal guidance through revision by LSSCG, accompanied by the addition of standard justification language.

• Estimated Completion Date: First phase of identification of new categories of exceptions to adjustment, addition of standard ALIS justification language, and approval of changes to documentation will be completed by December 31, 2022. LSSCG then will review needs on an annual basis.

Recommendation 7: We recommend that the General Counsel revise and implement RMRG procedures to share the results of independent post-payment reviews with OAs, Financial Specialists, Supervisory Attorneys, and Payment Supervisors and others involved in the invoice review process.

• Management Decision: Concur

•Planned Action: RMRG will revise and implement internal procedures, specifically the Outside Counsel Post-Payment Review Manual, to ensure that Legal Division staff that are directly involved with the invoice review and approval process for legal fee bills receive the final results of post-payment reviews that are conducted by RMRG.

• Completion Date: December 31, 2022

Recommendation 8: We recommend that the FDIC General Counsel update and provide regular and ongoing training related to (1) legal fee invoice review requirements and (2) the PPR Program, its purpose, and its results; for all staff involved in the legal fee bill process including Oversight Attorneys, Financial Specialists, Supervisory Attorneys, and Payment Supervisors.

• Management Decision: Concur

• Planned Action: All new users who need access to ALIS must complete the ALIS online training through FDIC Learn. The Systems Group also offers one-on-one training to any ALIS user, provides ALIS Helpdesk and Deskside support, provides ALIS training to all the sections within the Legal Division, and maintains an ALIS webpage with job aids and ALIS-related resources. LSSCG, RMRG, and the Systems Group have provided training to cover the Legal Division’s invoice payment process, and this training will be updated as necessary on an annual basis.

• Estimated Completion Date: Online training is currently available through FDICLearn for ALIS. The online training module covering the invoice payment process will be available on FDICLearn by March 31, 2022. Any necessary updates to the training will be made by March 31 each year.

Appendix 4

Summary of the FDIC’s Corrective Actions

[table]

This table presents management’s response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1; Rec. No. 1; Corrective Action - Taken or Planned: The FDIC will develop a trend analysis report out of ALIS that will track, monthly and year to date, the line item adjustment amounts and the extent of adjustments made to a particular fees/expense code. The FDIC will address any trends revealed in the reports by making changes and updates to the FDIC OC Deskbook as required under the circumstances.; Expected Completion Date: March 31, 2023; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open.

Row 2; Rec. No. 2; Corrective Action - Taken or Planned: The FDIC will revise the FDIC OC Deskbook to emphasize to OC the availability and importance of the adjustment report for ebilling firms and in the email notification of payment information when invoices are paid for paper billing firms.; Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open.

Row 3; Rec. No. 3; Corrective Action - Taken or Planned: The FDIC will generate reports on an annual basis comparing the number of fee bills out of the total that are reviewed by Delegated Authority. The FDIC will report the identified trends to Legal Division management on an annual basis.; Expected Completion Date: August 31, 2022; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open.

Row 4; Rec. No. 4; Corrective Action - Taken or Planned: The FDIC will establish and implement a process to use ALIS data and PPR Program results to assess whether a firm has submitted invoices with a significant or unusually high rate of errors that warrants additional review of invoices paid during the PPR Program gap period.; Expected Completion Date: December 31, 2022; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open.

Row 5; Rec. No. 5; Corrective Action - Taken or Planned: The FDIC will incorporate additional instructions and examples within its guidance and training materials. This will require draft review and input from OAs and their Supervisors.; Expected Completion Date: December 31, 2022; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open.

Row 6; Rec. No. 6; Corrective Action - Taken or Planned: The FDIC will address the treatment of “Blanket” exceptions in the FDIC OC Deskbook and internal guidance through revision by LSSCG, accompanied by the addition of standard justification language.; Expected Completion Date: December 31, 2022; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open

Row 7; Rec. No. 7; Corrective Action - Taken or Planned: The FDIC will revise and implement internal procedures to ensure that Legal Division staff that are directly involved with the invoice review and approval process for legal fee bills receive the final results of post-payment reviews that are conducted by RMRG.; Expected Completion Date: December 31, 2022; Monetary Benefits: $0; Resolved:a Yes or No: Yes; Open or Closedb: Open

Row 8; Rec. No. 8; Corrective Action - Taken or Planned: The FDIC has provided training to cover the Legal Division’s invoice payment process and this training will be updated annually as necessary. The online training module for new users of ALIS covering the invoice payment process will be available by March 31, 2022 and updated annually as necessary.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0 Resolved:a Yes or No: Yes; Open or Closedb: Open

a Recommendations are resolved when —

1. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.

2. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.

3. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive.

[end of report]

Federal Deposit Insurance Corporation Office of Inspector General

3501 Fairfax Drive Room VS-E-9068 Arlington, VA 22226

(703) 562-2035

The OIG’s mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency.

To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC.

FDIC OIG website - www. fdicoig.gov

Twitter - @FDIC_OIG

Oversight.gov - www.oversight.gov/