Unimplemented Recommendations
The FDIC OIG’s Report on Unimplemented Recommendations, provided at the link below, contains information about recommendations from our audits and evaluations that the OIG has not closed because our office has not determined that the FDIC has fully implemented recommended corrective actions.
Our listing omits recommendations that we determined to be of a sensitive nature, and therefore unsuitable for public release. The status of each recommendation is subject to change due to the FDIC’s ongoing efforts to implement them, and the OIG’s independent review of information about those efforts. Specifically, a recommendation identified as unimplemented in this report may fall into one of several categories:
- within targeted time frames,
- under OIG review, or
- overdue.
Further, the OIG may have subsequently closed a recommendation listed in this report after the date of its issuance.
For each Unimplemented Recommendation listed, we provide the report title, along with a link to the full report if available; the date of report issuance; and a brief description of the recommendation.
Our Unimplemented Recommendations listing will be updated monthly.
Overall Status of Recommendations
FDIC OIG Unimplemented Recommendations as of March 15, 2021
|
OIG Report No. |
Report Title |
Rec No. |
Recommendation |
Issued Date |
|
|
1 |
AUD-17-001 |
5 |
Non-public report. |
11/2/2016 |
|
|
2 |
AUD-20-001 |
2 |
Monitor employee and contractor compliance with policy requirements for properly safeguarding sensitive electronic and hardcopy information. |
10/23/2019 |
|
|
3 |
AUD-20-003 |
3 |
Develop and approve privacy plans for all information systems containing personally identifiable Information consistent with Office of Management and Budget (OMB) Circular A-130. |
12/18/2019 |
|
|
4 |
AUD-20-003 |
|
4 |
Implement a Privacy Continuous Monitoring (PCM) program to regularly assess the effectiveness of privacy controls. |
12/18/2019 |
|
5 |
AUD-20-003 |
5 |
Update policies and/or procedures to reflect the current organizational structure of the Privacy Program and responsibilities of agency personnel and component offices that support the FDIC’s Privacy Program. |
12/18/2019 |
|
|
6 |
AUD-20-003 |
7 |
Complete and implement the data protection program policy directive, data labeling guide, and associated job aids. ^ |
12/18/2019 |
|
|
7 |
AUD-20-003 |
8 |
Develop and implement controls to ensure that personally identifiable Information stored in network shared drives and in hard copy is regularly monitored and reviewed for compliance with privacy laws, regulations, policy, and guidelines. |
12/18/2019 |
|
|
8 |
AUD-20-003 |
9 |
Ensure that Divisions and Offices complete File Plans. |
12/18/2019 |
|
|
9 |
AUD-20-003 |
11 |
Generate reports to monitor and audit compliance with the FDIC’s records retention and disposition requirements. |
12/18/2019 |
|
|
10 |
AUD-21-001 |
1 |
Ensure that risk acceptance decisions are reassessed in accordance with FDIC guidance to determine whether they remain valid and are at an acceptable level. |
10/27/2020 |
|
|
11 |
AUD-21-001 |
2 |
Implement control improvements to prevent the unauthorized installation of software on the FDIC network. |
10/27/2020 |
|
|
12 |
AUD-21-001 |
3 |
Remediate incomplete and out-of-date baseline configurations. |
10/27/2020 |
|
|
13 |
AUD-21-001 |
4 |
Assess the effectiveness of the FDIC’s controls for managing Administrative Accounts and implement control improvements. |
10/27/2020 |
|
|
14 |
AUD-21-001 |
5 |
Implement a process to ensure that all outsourced information systems are subject to the National Institute of Standards and Technology (NIST) Risk Management Framework as prescribed by Office of Management and Budget (OMB) policy. |
10/27/2020 |
|
|
15 |
AUD-21-001 |
6 |
Ensure that the FDIC’s cloud-based information systems are subject to annual security and privacy control assessments. |
10/27/2020 |
|
|
16 |
AUD-21-001 |
7 |
Update FDIC’s directive(s) related to contingency planning to reflect current business processes, requirements, and government-wide security policy and guidance. |
10/27/2020 |
|
|
17 |
AUD-21-001 |
8 |
Incorporate additional scenarios involving operational challenges into the FDIC’s information technology (IT) contingency plan testing exercises. |
10/27/2020 |
|
|
18 |
AUD-21-002 |
1 |
Reinforce guidance and provide training on the need for effective identification and assessment of information technology project risks, and the prompt and accurate reporting of such risks. |
12/21/2020 |
|
|
19 |
AUD-21-002 |
2 |
Establish and implement a control that requires the concurrence of security and privacy officials prior to submitting a procurement package for new technologies to the Acquisition Services Branch. [Estimated funds put to better use of $361,533.] |
12/21/2020 |
|
|
20 |
AUD-21-002 |
3 |
Clarify and communicate the roles and responsibilities of Security and Enterprise Architecture Technical Advisory Board and Governance Risk and Compliance Section with respect to security requirements for new technologies. |
12/21/2020 |
|
|
21 |
AUD-21-002 |
4 |
Clarify roles and responsibilities for authorizing the use of Limited Authorization to Operates and the associated security control tailoring. |
12/21/2020 |
|
|
22 |
AUD-21-002 |
5 |
Clarify the intent and expectation of the Participation Agreement between the Legal Division and Acquisition Services Branch regarding legal reviews of procurement actions involving subscriptions. |
12/21/2020 |
|
|
23 |
EVAL-20-001 |
1 |
Collect key acquisition data, including original contract award amount for modified contracts, original period of performance for modified contracts, clear and properly recorded contract modifications, and oversight manager workload, which will enhance automated portfolio-wide analyses and reporting to support informed decision-making. |
10/28/2019 |
|
|
24 |
EVAL-20-001 |
2 |
Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors. |
10/28/2019 |
|
|
25 |
EVAL-20-001 |
8 |
In conjunction with the Division of Information Technology, develop controls around access to information contained within Contract Electronic File to ensure that Personally Identifiable Information is appropriately protected, or identify an alternative to Contract Electronic File that can serve as a secure repository for all contract documents. |
10/28/2019 |
|
|
26 |
EVAL-20-003 |
1 |
Establish, document, and implement policy and procedures for conducting cost benefit analyses, including when and how the cost benefit analyses will be performed. |
2/4/2020 |
|
|
27 |
EVAL-20-003 |
2 |
Establish, document, and implement policy and procedures that clearly define the roles and responsibilities for the Regulatory Analysis Section (RAS), and early involvement for the RAS in participating in and framing the initial policy direction of a rule. |
2/4/2020 |
|
|
28 |
EVAL-20-003 |
3 |
Establish, document, and implement policy and procedures that clearly define the Chief Economist’s roles and responsibilities for reviewing and concurring on cost benefit analyses performed. |
2/4/2020 |
|
|
29 |
EVAL-20-003 |
4 |
Establish, document, and implement policy and procedures that address how cost benefit analyses and supporting information, such as scope and methodology, analyses, conclusions, and reconciliation to the Agency’s final policy decision will be documented and published in the Federal Register to ensure transparency. |
2/4/2020 |
|
|
30 |
EVAL-20-003 |
5 |
Establish, document, and implement policy and procedures for conducting retrospective cost benefit analyses on existing rules, including a regulatory risk assessment, as well as roles and responsibilities for the Driver Divisions, Chief Economist, and Division of Insurance and Research (DIR)/ Regulatory Analysis Section (RAS). |
2/4/2020 |
|
|
31 |
EVAL-20-004 |
1 |
Establish and implement a policy providing senior management’s crisis readiness directives. |
4/7/2020 |
|
|
32 |
EVAL-20-004 |
2 |
Establish a committee to guide and oversee FDIC crisis readiness planning. |
4/7/2020 |
|
|
33 |
EVAL-20-004 |
3 |
Establish and implement procedures supporting an Agency-wide process for crisis readiness planning. |
4/7/2020 |
|
|
34 |
EVAL-20-004 |
4 |
Establish and implement an Agency-wide all-hazards readiness plan that identifies and integrates FDIC readiness activities common to all crises impacting insured depository institutions. |
4/7/2020 |
|
|
35 |
EVAL-20-004 |
5 |
Establish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to specific hazards impacting insured depository institutions. |
4/7/2020 |
|
|
36 |
EVAL-20-004 |
6 |
Establish and implement a process for ensuring periodic training of responsible personnel on their task-related responsibilities in executing readiness plans. |
4/7/2020 |
|
|
37 |
EVAL-20-004 |
7 |
Establish and implement a process for regularly documenting readiness plan exercise results and related recommendations, and retaining that documentation for use in readiness improvement activities. |
4/7/2020 |
|
|
38 |
EVAL-20-004 |
8 |
Establish and implement a monitoring process for lessons learned that prioritizes and tracks recommendations to improve readiness activities |
4/7/2020 |
|
|
39 |
EVAL-20-004 |
9 |
Establish and implement a process to ensure that the FDIC reviews and updates readiness plans on a recurring basis. |
4/7/2020 |
|
|
40 |
EVAL-20-004 |
10 |
Establish and maintain a central repository of up-to-date readiness plans. |
4/7/2020 |
|
|
41 |
EVAL-20-004 |
11 |
Establish and implement a process to assess and report regularly on the state of the FDIC’s Agency-wide readiness to address crises impacting insured depository institutions. |
4/7/2020 |
|
|
42 |
EVAL-20-005 |
2 |
Define the roles and responsibilities of the Board with respect to enterprise risk management, including its role in endorsing the risk appetite statement. ^ |
7/8/2020 |
|
|
43 |
EVAL-20-005 |
3 |
Develop and implement enterprise risk management communication protocols to the Board. ^ |
7/8/2020 |
|
|
44 |
EVAL-20-006 |
1 |
Develop and implement a strategy for acknowledging employees, supervisors, and managers, as appropriate, for creating and maintaining a culture in which harassment is not tolerated and promptly reporting, investigating, and resolving harassment complaints. |
7/10/2020 |
|
|
45 |
EVAL-20-006 |
2 |
Define in FDIC policy the terminology involving sexual harassment and ensure that it includes the Equal Employment Opportunity definition. |
7/10/2020 |
|
|
46 |
EVAL-20-006 |
3 |
Specify within FDIC policy that HR Specialists (Labor and Employee Relations Section) are avenues for employees to report sexual harassment and correct the contact information for the Anti-Harassment Program Coordinator. |
7/10/2020 |
|
|
47 |
EVAL-20-006 |
4 |
Clearly identify in FDIC policy the Anti-Harassment Program Coordinator roles and responsibilities with respect to sexual harassment allegations. |
7/10/2020 |
|
|
48 |
EVAL-20-006 |
5 |
Include requirements in FDIC policy for proportionate corrective action (discipline) when harassment is substantiated. |
7/10/2020 |
|
|
49 |
EVAL-20-006 |
6 |
Incorporate in FDIC policy options of alternative disciplinary action. |
7/10/2020 |
|
|
50 |
EVAL-20-006 |
7 |
Include in FDIC policy Legal Division responsibilities. |
7/10/2020 |
|
|
51 |
EVAL-20-006 |
8 |
Develop and implement a tracking system for sexual harassment misconduct allegations handled by the Anti-Harassment Program to ensure that relevant information is centralized, complete, accurate, and updated timely. |
7/10/2020 |
|
|
52 |
EVAL-20-006 |
9 |
Track data elements for misconduct allegations, including original allegation date; misconduct classification; date investigation concluded; name of investigator; names of complainant, alleged harasser, and witnesses; whether the allegation was substantiated or unsubstantiated; and date of written notification to complainant and alleged harasser regarding completion of the investigation. |
7/10/2020 |
|
|
53 |
EVAL-20-006 |
12 |
Develop and implement procedures to ensure that supervisors take consistent disciplinary actions for substantiated sexual harassment, in line with Federal government law on imposing disciplinary actions. |
7/10/2020 |
|
|
54 |
EVAL-20-006 |
13 |
Develop and implement a comprehensive, centralized database of disciplinary actions, including those associated with sexual harassment. |
7/10/2020 |
|
|
55 |
EVAL-20-006 |
14 |
Enhance employee and supervisor training on identifying and reporting sexual harassment, to include the training content recommended by the Equal Employment Opportunity Commission. |
7/10/2020 |
|
|
56 |
EVAL-20-006 |
15 |
Develop oversight mechanisms to assess the effectiveness of the FDIC’s sexual harassment prevention efforts and determine whether the FDIC is addressing sexual harassment allegations in a prompt and effective manner. |
7/10/2020 |
|
|
57 |
EVAL-20-007 |
1 |
Clarify criteria the examiners should use to identify an official as dominant. |
9/30/2020 |
|
|
58 |
EVAL-20-007 |
2 |
Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results. |
9/30/2020 |
|
|
59 |
EVAL-20-007 |
3 |
Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits. |
9/30/2020 |
|
|
60 |
EVAL-20-007 |
4 |
Implement guidance and train personnel on monitoring and following up on State-issued Matters Requiring Board Attention. |
9/30/2020 |
|
|
61 |
EVAL-20-007 |
5 |
Train examiners on the importance of ensuring that information system user access controls be adequately tested. |
9/30/2020 |
|
|
62 |
EVAL-20-007 |
6 |
Enhance case study training to incorporate the lessons learned from Enloe State Bank in regard to performing additional procedures related to the bank’s loan related activity. |
9/30/2020 |
|
|
63 |
EVAL-20-007 |
7 |
Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment. |
9/30/2020 |
|
|
64 |
EVAL-20-007 |
8 |
Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection. |
9/30/2020 |
|
|
65 |
EVAL-21-001 |
4 |
Provide training to program offices officials with responsibilities under the Personnel Security and Suitability Program (PSSP) on process steps and timeframes for removal action of contractors Security and Emergency Preparedness Section (SEPS) adjudicates to be unfavorable. |
1/19/2021 |
|
|
66 |
EVAL-21-001 |
6 |
Evaluate and document the Risk Assessment of completing Background Investigations for contractor personnel in high-risk positions before they begin work at the FDIC. |
1/19/2021 |
|
|
67 |
EVAL-21-001 |
8 |
Establish procedures that require the scope and duration of the Data Loss Prevention (DLP) review process to correspond with the risk associated with the individual being removed due to an unfavorable adjudication. |
1/19/2021 |
|
|
68 |
EVAL-21-001 |
9 |
Develop and implement a project plan to ensure that outstanding periodic reinvestigations (PRs) are prioritized, ordered, and completed in a timely fashion, and that upcoming PRs are initiated in a timely fashion as required by Federal regulations. |
1/19/2021 |
|
|
69 |
EVAL-21-001 |
10 |
Resolve inaccuracies in Security and Emergency Preparedness Section (SEPS’s) investigative case data. |
1/19/2021 |
|
|
70 |
EVAL-21-001 |
12 |
Conduct a comprehensive review to validate risk designation information for all contractors, and update risk designations based on the results of the review. |
1/19/2021 |
|
|
71 |
EVAL-21-001 |
13 |
Initiate background investigations for contractors where their risk levels are higher than their previously completed background investigations. |
1/19/2021 |
|
|
72 |
EVAL-21-001 |
14 |
Review and validate position risk and sensitivity designations and initiate corrected background investigations (Bis) commensurate with position risk and sensitivity levels. |
1/19/2021 |
|
|
73 |
EVAL-21-001 |
15 |
Review and update FDIC systems of record to reflect correct position risk information. |
1/19/2021 |
|
|
74 |
EVAL-21-001 |
16 |
Provide training to program office officials of their responsibilities to notify Security and Emergency Preparedness Section (SEPS) of any changes to employee position risk designations. |
1/19/2021 |
|
|
75 |
EVAL-21-001 |
18 |
Evaluate the risks associated with aged cases where the FDIC cannot demonstrate compliance with the statutory requirements for completed PBIs, record such risk evaluations, and assess in writing whether or not these risks are acceptable under the FDIC’s Enterprise Risk Management framework. |
1/19/2021 |
|
|
76 |
EVAL-21-001 |
19 |
Update employee and contractor data for the 787 cases identified in this report, in order to reflect preliminary background investigation (PBI) completion dates or annotate in the system that the PBI data are missing. |
1/19/2021 |
|
|
77 |
EVAL-21-001 |
20 |
Establish metrics, develop reports, and monitor preliminary background investigation (PBI) performance to ensure consistent execution of this statutory requirement. |
1/19/2021 |
Main Menu
