Peer Review: System Review Report on the Federal Deposit Insurance Corporation Office of Inspector General Audit Organization and Corresponding Letter of Comment

This is the accessible text file for Report on the System Review Report on the Federal Deposit Insurance Corporation Office of Inspector General Audit Organization, prepared by the UNITED STATES RAILROAD RETIREMENT BOARD, Office of Inspector General

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version. 

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

UNITED STATES RAILROAD RETIREMENT 

OFFICE OF INSPECTOR GENERAL

September 21, 2010

The Honorable Jon T. Rymer Inspector General Federal Deposit Insurance Corporation 3501 N. Fairfax Drive, Room #9070 Arlington, VA 22226

System Review Report on the Federal Deposit Insurance Corporation Offce of Inspector General Audit Organization

Dear Mr. Rymer:

Enclosed is the final System Review Report of the Federal Deposit Insurance Corporation Office of Inspector General audit organization conducted in accordance with Government Auditing Standards and Council of the Inspectors General on Integrity and Efficiency guidelines. 

Your response to the draft report is included as an enclosure with excerpts incorporated into the relevant sections of the report.

We agree with your proposed corrective action to the recommendations. We thank you and your staff for the courtesies and cooperation extended to our audit team during the review give special acknowledgement to Allan Sherman, Nancy Cipolla and Eugene Szczenski for their assistance and expertise provided throughout the review.

Sincerely,

Martin J. Dickman, Inspector General

Enclosure

844 N RUSH STREET CHICAGO IL 60611-2092

[Railroad Retirement Board agency seal]

UNITED STATES RAILROAD RETIREMENT BOARD

OFFICE OF INSPECTOR GENERAL

September 21, 2010

The Honorable Jon T. Rymer, Inspector General, Federal Deposit Insurance Corporation, 3501 N. Fairfax Drive, Room #9070, Arlington, VA 22226

Dear Mr. Rymer:

We have reviewed the system of quality control for the audit organization of Federal Deposit Insurance Corporation Offce of Inspector General (FDIC-OIG) in effect for the year ended March 31, 2010. A system of quality control encompasses FDIC-OIG's organizational structure and the policies adopted and procedures established to provide it with reasonable assurance of conforming with Government Auditing Standards. The elements of quality control are described in Government Auditing Standards. FDIC-OIG is responsible for designing a system of quality control and complying with it to provide FDIC-OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. Our responsibility is to express an opinion on the design of the system of quality control and FDIC-OIG's compliance therewith based on our review.

Our review was conducted in accordance with Government Auditing Standards and guidelines established by the Council of the Inspectors General on Integrity and Effciency (CIGIE). During our review, we interviewed FDIC-OIG personnel and obtained an understanding of the nature of the FDIC-OIG audit organization, and design of the FDIC-OIG's system of quality control suffcient to assess the risks implicit in its audit function. Based on our assessments, we selected engagements and administrative files to test for conformity with professional standards and compliance with the FDIC-OIG's system of quality control. The engagements selected represented a reasonable cross-section of the FDIC-OIG's audit organization, with emphasis on higher-risk engagements. Prior to concluding the review, we reassessed the adequacy of the scope of the peer review procedures and met with FDIC-OIG management to discuss the results of our review. We believe that the procedures we performed provide a reasonable basis for our opinion.

In performing our review, we obtained an understanding of the system of quality control for the FDIC-OIG's audit organization. In addition, we tested compliance with the FDIC-OIG's quality control policies and procedures to the extent we considered appropriate.

These tests covered the application of the FDIC-OIG's policies and procedures on selected engagements. Our review was based on selected tests; therefore, it would not necessarily detect all weaknesses in the system of quality control or all instances of non-compliance with it.

There are inherent limitations in the effectiveness of any system of quality control, and therefore, non-compliance with the system of quality control may occur and not be detected. Projection of any evaluation of a system of quality control to future periods is subject to the risk that the system of quality control may become inadequate because of changes in conditions, or because the degree of compliance with the policies or procedures may deteriorate.

Enclosure 1 to this report identifies the FDIC-OIG office that we visited and the engagements that we reviewed.

In our opinion, the system of quality control for the audit organization of FDIC-OIG in effect for the year ended March 31, 2010, has been suitably designed and complied with to provide FDIC-OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. Federal  audit organizations can receive a rating of pass, pass with deficiencies, or faiL. FDIC-OIG has received a peer review rating of pass. As is customary, we have issued a letter dated September 21, 2010, that set forth findings that were not considered to be of sufficient significance to affect our opinion expressed in this report.

In addition to reviewing its system of quality control to ensure adherence with Government Auditing Standards, we applied certain limited procedures in accordance with guidance established by the CIGIE related to FDIC-OIG's monitoring of engagements performed by Independent Public Accountants (IPA) under contract where the IPA served as the principal auditor. It should be noted that monitoring of engagements performed by IPAs is not an audit and therefore is not subject to the requirements of Government Auditing Standards. The purpose of our limited procedures was to determine whether FDIC-OIG had controls to ensure IPAs performed contracted work in accordance with professional standards. However, our objective was not to express an opinion and accordingly, we do not express an opinion, on FDIC-OIG's monitoring of work performed by IPAs.

Sincerely,

Martin J. Dickman, Inspector General

Enclosure

Enclosure 1

SCOPE AND METHODOLOGY

Scope

We tested compliance with the FDIC-OIG audit organization's system of quality control to the extent we considered appropriate. These test included a review of 8 of 51 audits and attestation reports issued during the period April 1, 2009 through March 31, 2010 and semiannual reporting periods April 1, 2009 through September 30, 2009 and October 1, 2009 through March 31, 2010. We also reviewed the internal quality control reviews performed by FDIC-OIG.

In addition, we reviewed the FDIC-OIG's monitoring of engagements performed by IPAs where the IPA served as the principal auditor for reports issued during the period April 1, 2009, through March 31, 2010. During the period FDIC contracted with Government Accountability Office (GAO) for the audit of its agency's calendar year 2009 financial statements. FDIC-OIG also contracted for certain other engagements that were to be performed in accordance with Government Auditing Standards.

Methodology

The Council of the Inspectors General on Integrity and Efficiency (CIGIE) Guide for Conducting External Peer Reviews of the Audit Organizations of Federal Offices of Inspector General (guide), dated March 2009, was used in the conduct of the review. As set forth in the Guide, the approach to the review was to:

• Gain an understanding of the reviewed OIG's audit organization and its system of quality control.

• Evaluate the reviewed OIG's policies and procedures designed to provide reasonable assurance that generally accepted government auditing standards (GAGAS) and other pertinent requirements are met.

• Interview various levels of the reviewed OIG's professional staff to assess their understanding of and compliance with relevant quality control policies and procedures.

• Gain an understanding of the reviewed OIG's internal quality control and assurance program and review selected internal reports.

• Assess review risk and select the office(s) and audits to be reviewed and the nature and extent of tests to perform by using the knowledge obtained from the preceding steps.

• Review a sample of individual audits and attestation engagements, determining their adherence to GAGAS.

• Gain an understanding as to the extent the reviewed OIG uses contracted IPAs to perform audits and attestation engagements as the principal auditor and the policies and procedures for monitoring IPA work.

• Review the FDIC-OIG's IPA monitoring documentation for a sample of contracted audits and attestation engagements, emphasizing the reviewed OIG's monitoring activities to ensure the IPA's adherence to professional standards.

• Review other documents necessary for assessing compliance with standards; for example, independence documentation, continuing professional education records and relevant human resource files. Access to professional education and human resource files will be in accordance with the Privacy Act and applicable FDIC or OIG guidance; such files will be properly safeguarded.

• Maintain open communication with the reviewed OIG to ensure an understanding of the issues evaluated and keep the reviewed OIG fully informed of potential issues as they arise.

We visited the Arlington, Virginia office of the FDIC-OIG during the period of June 14-18, 2010, and reviewed the documentation for six engagements performed by FDIC-OIG and two audits contracted by FDIC-OIG. Below are the engagements we tested.

Audits and Attestations by FDIC-OIG

[Table]

Row 1; Report No.: AUD-09-015; Report Date: June 5, 2009; Report Title: FDIC's Brokered Deposit Waiver Application Process;

Row 2; Report No.: AUD-10-003; Report Date: January 11, 2010; Report Title: Verification of the FDIC's Data Submissions through the Governmentwide Financial Report Systems as of Setember 30, 2009;

Row 3; Report No.: AUD-09-023; Report Date: September 01, 2009; Report Title: Material Loss Review of Silver Falls Bank, Silverton, OR;

Row 4; Report No.: AUD-09-026; Report Date: September 04, 2009; Report Title: Material Loss Review of Sherman County Bank, Loup City, NE;

Row 5; Report No.: MLR-10-023; Report Date: March 10,2010; Report Title: Material Loss Review of First Coweta Bank, Newnan, GA;

Row 6; Report No.: AUD-09-021; Report Date: August 24,2009; Report Title: Material Loss Review of Magnet Bank, Salt Lake City, UT;

[End of Table]

Contracted Engagements

[Table]

Row 1; Report No.: AUD-10-001; Report Date: November 10, 2009; Report Title: Independent Evaluation of the FDIC's Information Security Program - 2009;

Row 2; Report No.: MLR-10-028; Report Date: March 25, 2010; Report Title: Material Loss Review of InBank, Oak Forest, IL;

[End of Table]

[Railroad Retirement Board agency seal]

UNITED STATES RAILROAD RETIREMENT BOARD

OFFICE OF INSPECTOR GENERAL

September 21, 2010

The Honorable Jon T. Rymer, Inspector General, Federal Deposit Insurance Corporation, 3501 N. Fairfax Drive, Room #9070, Arlington, VA 22226

Dear Mr. Rymer:

September 21,2010, The Honorable Jon T. Rymer, Inspector General, Federal Deposit Insurance Corporation, 3501 N. Fairfax Drive, Room #9070, Arlington, VA 22226

Dear Mr. Rymer:

The Railroad Retirement Board, Office of Inspector General (RRB-OIG) reviewed the system of quality control and assurance for the audit organization of the Federal Deposit Insurance Corporation, Office of Inspector General (FDIC-OIG) in effect for the year ended March 31, 2010, and have issued our report thereon dated September 21,2010, in which the FDIC-OIG received a rating of pass. The report should be read in conjunction with the comments in this letter, which were considered in determining our opinion. The findings described below are not considered to be of sufficient significance to affect the opinion expressed in that report.

GENERAL STANDARDS

Quality Control and Assurance: Monitoring of Quality Finding 1.

FDIC-OIG's system of quality control could be enhanced by performing quality control reviews of individual engagements to assess overall compliance with professional standards, policies and procedures.

According to Government Auditing Standards, (GAS) each audit organization performing audits or attestation engagements in accordance with generally accepted government auditing standards must establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements.' Monitoring of quality is an ongoing periodic assessment of work completed on audits and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice2.

Footnote 1: Government Auditing Standards", GAO-07-731 G, paragraph 3.50 a, pages 55, 

July 2007 Revision

Footnote 2: Government Auditing Standards", GAO-07-731 G, paragraph 3.53 f, page 56, 

July 2007 Revision

During the period under review, FDIC-OIG performed four Quality Control Reviews (QCRs). Our assessment of these QCRs disclosed that FDIC-OIG evaluated compliance with selected components of professional standards, policies and procedures.

FDIC-OIG advised us that they performed unscheduled work paper reviews of engagements performed by the Defense Contract Audit Agency (DCAA) and multiple unscheduled quality control efforts. FDIC-OIG also advised us that in their multi-year plan they included a review to assess overall compliance of individual engagements but decided to defer the effort due to critical workload issues and the need to perform unscheduled quality control related work. For example, since FDIC-OIG was in the midst of performing statutorily required material loss reviews using contractors, the agency decided to perform a quality control review of contractor technical monitoring. FDIC-OIG stated that collectively, their work constitutes continuing monitoring that provides assurance regarding their system of quality control and has resulted in key improvements to their processes.

Our review of individual reports disclosed findings related to documenting independence and work paper review for all of the engagements reviewed. Without a review of overall compliance with standards, policies and procedures, reports that do not meet professional standards may go undetected.

Recommendation:

1. FDIC-OIG should schedule and complete its planned quality control review of individual engagements for overall compliance with professional standards, policies and procedures.

FDIC-OIG's Response:

FDIC-OIG concurs with this recommendation and will complete a review of individual engagements. They also plan to periodically schedule additional reviews of individual engagements. The full text of FDIC-OIG's response is provided as an enclosure.

Independence: Statement of Non-Conflict of Interest

Finding 2.

FDIC-OIG can strengthen compliance with Statement of Non-Conflict of Interest requirements for all staff contributing to the audit process.

The FDIC-OIG procedures require auditors and non-audit personnel associated with the engagement to sign a Statement of Non-Conflict of Interest, specific to each engagement, in addition to being required to affirm to the Annual Independence Representation e-rnail. These statements represent their certification that they are free of personal impairments to independence or impairments to external independence in fact and appearance.

A new procedure for the completion of the Statement of Non-Conflict of Interest specific to each engagement was implemented in October 2009. This procedure was used by the FDIC-OIG in one of the five material loss engagements included in our review. The new procedure allows for the collection of lie-mail read receipts" indicating that the e-mail recipient was notified of the names of financial institutions involved in the engagement. By receipt of the e-mail, the recipient is instructed to bring any conflict of interest issues to their supervisor.

The new procedure which requires an lie-mail read receipt" only provides presumptive endorsement of independence, and not certification as required by FDIC-OIG's policies and procedures.

In three of the five engagements, we observed that three team members who had prepared work papers did not sign the Statement of Non-Conflict of Interest. Additionally, we noted that there was no evidence that the FDIC-OIG obtained a Statement of Non-Conflict of Interest from external auditors who were used in the planning phase of one engagement.

The current procedure does not certify that auditors are free of personal impairments to independence or impairments to external independence in both fact and appearance.

Recommendations:

2. FDIC-OIG should enhance the current procedure for obtaining independence representations via e-mail by using "Yes" and "No" voting buttons in place of read receipts.

3. FDIC-OIG should re-emphasize existing requirements to obtain Statement of Non-Conflict of Interest certifications from staff contributing to engagements.

FDIC-OIG's Response:

FDIC-OIG concurs with recommendation 2 and will issue updated procedures for documenting independence representations on individual engagements using Microsoft Outlook's voting button feature. The full text of FDIC-OIG's response is provided as an enclosure.

FDIC-OIG concurs with recommendation 3 and will re-emphasize that engagement-specific independence representations should be obtained and documented from staff contributing to engagements before beginning work. The full text of FDIC-OIG's response is provided as an enclosure.

Independence: Annual Independence Representation

Finding 3.

Additional procedures are needed to ensure that all current employees contributing to Office of Audit (OA) engagements complete an Annual Independence Representation confirmation.

According to FDIC-OIG policies and procedures manual Chapter 300.2 3a (March 2008), staff contributing to OA engagements will make an annual representation that they understand the GAS Independence Standards and will complete a Statement of Non-Conflict of Interest before performing work for each review to which they are assigned. Further, staff completing a Statement of Non-Conflict of Interest will notify his or her supervisor, the cognizant Director, and the Assistant Inspector General for Audit in writing if any potential impairment arises either before or during the conduct of an engagement.

FDIC-OIG procedures did not address newly hired employees and we noted that confirmations were not obtained from four employees who started employment or were reassigned to audit work after the January 2010 Annual Independence Representation document was e-mailed to the staff.

Without the Annual Independence Representation, FDIC-OIG cannot ensure that new and reassigned employees understand the standards, policies and procedures relating to independence.

Recommendation:

4. FDIC-OIG should develop procedures to obtain Annual Independence Representation confirmation from new employees and reassigned staff before they are assigned to audits.

FDIC-OIG's Response:

FDIC-OIG concurs with this recommendation and will develop the recommended procedures. The full text of FDIC-OIG's response is provided as an enclosure.

FIELD WORK STANDARDS

Supervision: Supervisory Reviews of Work Papers

Finding 4.

Improvements are needed to ensure the timely review of work papers. The FDIC-OIG has implemented a procedure for supervisory review to take place as the engagement progresses, generally within 30 days of work paper preparation, but always before final report issuance.

Our review of six engagements disclosed that FDIC-OIG does not always adhere to the 30 day standard for supervisory reviews of work papers.

Also some key work papers, such as analysis, summaries, indexing and referencing point sheets, were not reviewed prior to report issuance as reflected in the chart below:

[Table]

Row 1; Number of working papers; AUD 09-015: 511; AUD 09-021: 403; AUD 09-023: 166; AUD 09-026: 300; MLR 10-023: 277; AUD 10-003: 95;

Row 2; Number of working papers; reviewed after report issuance3; AUD 09-015: 13, (2.5%); AUD 09-021: 61, (15%); AUD 09-023: 16, (10%); AUD 09-026: 20, (7%); MLR 10-023: 15, (5%); AUD 10-003: 4, (4%);

Footnote 3: Work papers reviewed after report issuance included analysis. summaries. 

indexing and referencing point sheets.

Row 3; Number of working papers; not reviewed within 30 days; AUD 09-015: 216, (42%); AUD 09-021: 52, (13%); AUD 09-023: 16, (10%); AUD 09-026: 39, (13%); MLR 10-023: 37, (13%); AUD 10-003: 3, (3%);

[End of table]

When the review of key work papers is delayed until after report issuance, there is a greater risk that errors that impact report integrity will not be identified and corrected.

Recommendation:

5. FDIC-OIG should ensure that the procedures for reviewing work papers prior to report issuance are followed.

FDIC-GIG's Response:

FDIC-GIG concurs that additional attention to documenting work paper approvals was necessary for final reports issued during the peer review period. They stated that the 30-day timeframe was intended to be a goal for review, but not necessarily for approval and not an absolute requirement. The full text of FDIC-GIG's response is provided as an enclosure.

Sincerely,

Martin J. Dickman

Inspector General

Enclosure

[FDIC letterhead, FDIC logo, Federal Deposit Insurance Corporation, Office of Inspector General, 3501 Fairfax Drive, Arlington, VA, 22226]

September 10, 2010

The Honorable Martin J. Dickman, Inspector General, U.S. Railroad Retirement Board, 844 N Rush Street, Chicago, IL 60611-2092

Dear Mr. Dickman:

Thank you for the opportunity to respond to the draft Letter of Comment prepared as part of the external quality control review of the Federal Deposit Insurance Corporation's Inspector General audit organization. We recognize the peer review process as an important facet of an audit organization's quality control effort. We are pleased that your independent review of our audit operations resulted in a pass opinion and concluded that our system of quality control was designed in accordance with the quality standards established by the Comptroller General of the United States and was complied with to provide reasonable assurance of conforming to applicable Government Auditing Standards and Office of Audits policies and procedures.

The Letter of Comment contains recommendations that, while not affecting the overall opinion, are designed to strengthen the Office of Audit's system of quality control. We concur with the recommendations, and the enclosure provides our responses to each. Please extend our appreciation to the peer review team for their professionalism, insight, and valuable input to our audit function. If you have any questions, please call me at (703) 562-2166 or Russell A. Rau, Assistant Inspector General for Audits (AIGA), at (703) 562-6350.

Sincerely,

Jon T. Rymer, Inspector General

Enclosure

cc: Diana Kruel, AlGA, Railroad Retirement Board

Russell Rau, AIGA, Federal Deposit Insurance Corporation

Railroad Retirement Board (RRB) Recommendation 1: FDIC-OIG should schedule and complete its planned quality control review of individual engagements for overall compliance with professional standards, policies, and procedures.

Federal Deposit Insurance Corporation (FDIC) Office of lnspector General (OIG) Response: We concur and will complete a review of individual engagements by February 28, 2011. We also plan to periodically schedule additional reviews of individual engagements.

RRB Recommendation 2: FDIC-OIG should enhance the current procedure for obtaining independence representations via e-mail by using "Yes" and "No" voting buttons in place of read receipts.

FDIC-OIG Response: We concur and will issue updated procedures for documenting independence representations on individual engagements using Microsoft Outlook's voting button feature. Corrective action will be completed by October 31, 2010.

RRB Recommendation 3: FDIC-OIG should re-emphasize existing requirements to obtain Statement of Non-Conflict of Interest certification from staff contributing to engagements.

FDIC-OIG Response: We concur and will re-emphasize that engagement-specific independence representations should be obtained and documented from staff contributing to engagements before beginning work. After receiving the draft Letter of Comment, we determined that the three OIG staff members identified by the peer review had made annual independence representations. Thus, in this case and as noted below, the two-tiered control process outlined in our policies and procedures helped ensure that our staff made independence representations. Corrective action will be completed by October 31, 2010.

RRB Recommendation 4: FDIC-OIG should develop procedures to obtain Annual Independence Representation confirmation from new employees and reassigned staff before they are assigned to audits.

FDIC-OIG Response: We concur and will develop the recommended procedures by October 31, 20 IO. After receiving the draft Letter of Comment, we obtained annual independence representations from the four new or reassigned staff members identified by the peer review and determined that each had made engagement-specific independence representations as part of our two-tiered control process for independence representations outlined in our policies and procedures.

RRB Recommendation 5: FDIC-OIG should ensure that the procedures for reviewing work papers prior to report issuance are followed.

FDIC-OIG Response: We concur that additional attention to documenting work paper approvals was necessary for final reports issued during the peer review period. We identified this matter in our Limited Review of TeamMate Assignment Documentation Status, dated March 12,2010, and implemented corrective action. For example, procedures were enhanced to focus on documenting approval of key work papers before final report issuance. We also adopted a new quality control form as part of the final report certification process.

The form documents the Audit Manager's representation that all key work papers, including coaching notes, have been reviewed and approved. The Audit Manager attaches to the form a snapshot of the TeamMate file evidencing the review and approval status of work papers. These controls are part of the quality control process for each engagement and, therefore, help ensure that work papers are approved prior to report issuance. Concerning supervisory review of electronic working papers as an engagement progresses, your letter correctly points out that our policy is for the reviews to generally take place within 30 days. It was intended that the 30-day timeframe be a goal for review but not necessarily approval and not be  an absolute requirement given the many demands on our audit managers. Based on your analysis, about 80 percent of the work papers met the goal and that increases to over 88 percent if the oldest of the six engagements is not considered. The trend is clearly in the right direction. Therefore, corrective action for this recommendation is considered complete.

Nonetheless, in addition to the implemented corrective action, we will monitor our progress in this area. Our quality control reviews of individual engagements, discussed above in response to Recommendation I, will review compliance with work paper review controls in these two areas.

[End of report]