Peer Review of the Internal Quality Control System for the Federal Deposit Insurance Corporation Office of Inspector General’s Office of Program Audits and Evaluations and the Office of Information Technology Audits and Cyber

Peer Review of the Internal Quality Control System for the Federal Deposit Insurance Corporation Office of Inspector General’s Office of Program Audits and Evaluations and the Office of Information Technology Audits and Cyber
NASA OFFICE OF INSPECTOR GENERAL

SUITE 8U71, 300 E ST SW

WASHINGTON, D.C. 20546-0001

November 25, 2019

The Honorable Jay N. Lerner

Inspector General

Federal Deposit Insurance Corporation

3501 Fairfax Drive

Arlington, VA 22226

SUBJECT: Peer Review of the Internal Quality Control System for the Federal Deposit Insurance Corporation Office of Inspector General’s Office of Program Audits and Evaluations and the Office of Information Technology Audits and Cyber

The NASA Office of Inspector General (OIG) has reviewed the internal quality control system for the Federal Deposit Insurance Corporation Office of Inspector General’s (FDIC OIG) Office of Program Audits and Evaluations and the Office of Information Technology Audits and Cyber in effect for the 12-month period ending March 31, 2019. This system encompasses FDIC OIG’s organizational structure, along with the policies and procedures established to provide the organization with reasonable assurance of conforming to the quality control elements described in the Government Accountability Office’s Government Auditing Standards, December 2011 Revision (GAGAS). FDIC OIG is responsible for establishing and maintaining a quality control system that provides reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements in all material respects. Our responsibility is to express an opinion on the design of that quality control system and FDIC OIG’s compliance.

We conducted our review in accordance with GAGAS and the Council of the Inspectors General on Integrity and Efficiency (CIGIE) Guide for Conducting Peer Reviews of the Audit Organizations of Federal Offices of Inspector General. We interviewed FDIC OIG personnel, obtained an understanding of the nature of its audit organization, and determined if the controls in place were sufficient to assess the risks implicit in FDIC OIG’s audit function. We reviewed documentation for a sample of audits and administrative files to test for conformity with professional standards and compliance with FDIC OIG’s system of quality control. (See Enclosure 1 for a list of the audits we reviewed and the FDIC OIG location visited.) The engagements we selected represented a reasonable cross-section of FDIC OIG’s audit organization, with emphasis on higher-risk projects conducted under GAGAS parameters.

In performing our review, we tested compliance with FDIC OIG’s quality control policies and procedures to the extent we considered appropriate. Near the conclusion of our review, we met with FDIC OIG management to discuss the scope and results of our review. While we believe the procedures performed provide a reasonable basis for our opinion, because our review was based on selected audits, we may not have detected all weaknesses in FDIC OIG’s system of quality control or all instances of noncompliance. There are inherent limitations in the effectiveness of any quality control system and, therefore, noncompliance may occur and not be detected. Projection of the adequacy of a control system to any future period is subjective due to changes in conditions or because the degree of compliance with the policies or procedures may deteriorate.

We found the system of quality control for FDIC OIG’s Office of Program Audits and Evaluations and Office of Information Technology Audits and Cyber in effect for the period April 1, 2018, through March 31, 2019, to be suitably designed and implemented as to provide reasonable assurance that the audit organization’s performance and reporting was in accordance with applicable professional standards in all material respects. As a result of an external peer review, audit organizations can receive a rating of pass, pass with deficiencies, or fail. Our review determined FDIC OIG should receive a rating of PASS.

As is customary, in a letter dated November 22, 2019, we communicated additional findings that require attention by FDIC OIG management but were not considered to be of sufficient significance to affect our opinion expressed in this report. In addition to reviewing its system of quality control to ensure adherence with GAGAS, we applied certain limited procedures in accordance with CIGIE guidance relating to FDIC OIG’s monitoring of audits performed under contract with Independent Public Accountants (IPA). While monitoring of engagements performed by IPAs is not an audit and therefore not subject to GAGAS requirements, our objective was to determine whether FDIC OIG had controls in place to ensure that IPAs performed contracted work in accordance with professional standards, but not to express an opinion on the sufficiency of the monitoring efforts. We issued a letter on November 12, 2019, with the results of that review and our comments for FDIC OIG management attention.

We appreciate the cooperation and courtesies extended to our review team during the peer review. Please direct any questions to Laurence Hawkins, Audit Operations and Quality Assurance Director, Office of Audits, at 202-358-1543 or laurence.b.hawkins@nasa.gov.

Paul K. Martin /Signed/ Inspector General

Enclosure I: Scope and Methodology

We tested compliance with FDIC OIG’s system of quality control to the extent we considered appropriate. These tests included reviewing three of five audit reports issued during the period April 1, 2018, through March 31, 2019, and the same period of the congressional semiannual reporting periods (semiannual periods ending September 30, 2018, and March 31, 2019).

The Government Accountability Office conducted the FDIC Financial Statement audit for the period under review for which FDIC OIG was not required to perform oversight. However, we reviewed FDIC OIG’s monitoring of audits performed by IPAs, where the IPA served as the principal auditor of the agency’s 2018 Information Security Program for the period of March 30, 2018, through October 14, 2018.

In addition, we reviewed one of three FDIC OIG audits for which an internal quality assurance review was performed. Since FDIC OIG did not conduct any internal quality control reviews for audits issued from April 1, 2018, through March 31, 2019, we expanded our scope of review to cover the period October 1, 2017, through May 31, 2018.

Table 1: FDIC OIG Products Reviewed

Performance Audits

Row: 1; Report Number: AUD-19-002; Date: December 4, 2018; Report Title: Controls Over System Interconnections with Outside Organizations;

Row: 2; Report Number:AUD-19-003 ; Date: December 10, 2018; Report Title: Payments to Pragmatics, Inc.;

Row: 3; Report Number: AUD-19-004; Date: January 16, 2019; Report Title: Security Configuration Management of the Windows Server Operating System;

IPA Audit

Row: 4; Report Number: AUD-19-001a; Date: October 26, 2018; Report Title: The FDIC’s Information Security Program-2018 (Restricted Report);

Quality Control Review

Row: 5; Report Number: AUD-18-002; Date: October 25, 2017; Report Title: Material Loss Review of First NBC Bank, New Orleans, Louisiana;

[End of table]

Source: FDIC OIG.

a FDIC OIG contracted with an IPA to perform this audit. FDIC OIG performed the oversight of the IPA’s work. FDIC OIG Office Visited

We performed on-site reviews and assessed the FDIC OIG audits completed at the following location:

Federal Deposit Insurance Corporation Office of Inspector General, 3501 Fairfax Drive Arlington, VA 22226