Federal Deposit Insurance Corporation
Office of Inspector General
Federal Deposit Insurance Corporation - Office of Inspector General

Unimplemented Recommendations

The FDIC OIG’s Report on Unimplemented Recommendations, provided at the link below, contains information about recommendations from our audits and evaluations that the OIG has not closed because our office has not determined that the FDIC has fully implemented recommended corrective actions.

Our listing omits recommendations that we determined to be of a sensitive nature, and therefore unsuitable for public release. The status of each recommendation is subject to change due to the FDIC’s ongoing efforts to implement them, and the OIG’s independent review of information about those efforts. Specifically, a recommendation identified as unimplemented in this report may fall into one of several categories:

  • within targeted time frames,
  • under OIG review, or
  • overdue.

Further, the OIG may have subsequently closed a recommendation listed in this report after the date of its issuance.

For each Unimplemented Recommendation listed, we provide the report title, along with a link to the full report if available; the date of report issuance; and a brief description of the recommendation.
 
Our Unimplemented Recommendations listing will be updated monthly.

Overall Status of Recommendations

Graphic depicting the overall status of OIG recommendations from fiscal year 2017 to fiscal year 2021

FDIC OIG Unimplemented Recommendations as of January 15, 2020

#

OIG Report No.

Report Title

Rec

No.

Recommendation

Issued Date

1

AUD-17-001

Audit of the FDIC's Information Security Program - 2016

5

Non-public report.

11/2/2016

2

AUD-18-004

The FDIC's Governance of Information Technology Initiatives

7

Identify and document the information technology resources and expertise needed to execute the FDIC’s IT Strategic Plan. ^

7/26/2018

3

AUD-19-003

Payments to Pragmatics, Inc.

1

Determine the portion of the $7,510 in unsupported labor charges that should be disallowed and recover that amount. ^

12/10/2018

4

AUD-19-003

Payments to Pragmatics, Inc.

2

Determine whether the remaining labor charges for the subject under Task Orders 4 and 5 are unsupported charges that should be disallowed. ^

12/10/2018

5

AUD-19-003

Payments to Pragmatics, Inc.

3

Determine the portion of the $39,979 in unallowable labor charges that should be disallowed and recover that amount. ^

12/10/2018

6

AUD-19-003

Payments to Pragmatics, Inc.

4

Determine whether additional labor charges should be disallowed for off-site work performed under Task Orders 4 and 5 that was not covered by the audit. ^

12/10/2018

7

AUD-20-001

The FDIC's Information Security Program - 2019

2

Monitor employee and contractor compliance with policy requirements for properly safeguarding sensitive electronic and hardcopy information.

10/23/2019

8

AUD-20-003

The FDIC's Privacy Program

3

Develop and approve privacy plans for all information systems containing personally identifiable Information consistent with Office of Management and Budget (OMB) Circular A-130.

12/18/2019

9

AUD-20-003

The FDIC's Privacy Program

 

 

 

 

 

4

Implement a Privacy Continuous Monitoring (PCM) program to regularly assess the effectiveness of privacy controls.

12/18/2019

10

AUD-20-003

The FDIC's Privacy Program

5

Update policies and/or procedures to reflect the current organizational structure of the Privacy Program and responsibilities of agency personnel and component

offices that support the FDIC’s Privacy Program.

12/18/2019

11

AUD-20-003

The FDIC's Privacy Program

6

Establish a governance body or other governance mechanisms to assist the Chief Records Officer (CRO) with records management implementation and compliance. ^

12/18/2019

12

AUD-20-003

The FDIC's Privacy Program

7

Complete and implement the data protection program policy directive, data labeling guide, and associated job aids.

12/18/2019

13

AUD-20-003

The FDIC's Privacy Program

8

Develop and implement controls to ensure that personally identifiable Information stored in network shared drives and in hard copy is regularly monitored and reviewed for compliance with

privacy laws, regulations, policy, and guidelines.

12/18/2019

14

AUD-20-003

The FDIC's Privacy Program

9

Ensure that Divisions and Offices complete File Plans. ^

12/18/2019

15

AUD-20-003

The FDIC's Privacy Program

11

Generate reports to monitor and audit compliance with the FDIC’s records retention and disposition requirements. ^

12/18/2019

16

AUD-20-003

The FDIC's Privacy Program

12

Finalize and implement a records management framework for FDIC information systems that ensures compliance with records retention requirements. ^

12/18/2019

17

AUD-20-003

The FDIC's Privacy Program

13

Revise and implement processes to ensure that Privacy Impact Assessments (PIAs) are completed and made available to the public prior to authorizing information systems containing personally identifiable Information to operate.

12/18/2019

18

AUD-20-003

The FDIC's Privacy Program

14

Revise and implement policy and/or processes to ensure Privacy Impact Assessments (PIAs) are periodically reviewed, updated, and removed from the FDIC’s public website when systems are retired.

12/18/2019

19

AUD-21-001

The FDIC's Information Security Program-2020

1

Ensure that risk acceptance decisions are reassessed in accordance with FDIC guidance to determine whether they remain valid and are at an acceptable level.

10/27/2020

20

AUD-21-001

The FDIC's Information Security Program-2020

2

Implement control improvements to prevent the unauthorized installation of software on the FDIC network.

10/27/2020

21

AUD-21-001

The FDIC's Information Security Program-2020

3

Remediate incomplete and out-of-date baseline configurations.

10/27/2020

22

AUD-21-001

The FDIC's Information Security Program-2020

4

Assess the effectiveness of the FDIC’s controls for managing Administrative Accounts and implement control improvements.

10/27/2020

23

AUD-21-001

The FDIC's Information Security Program-2020

5

Implement a process to ensure that all outsourced information systems are subject to the National Institute of Standards and Technology (NIST) Risk Management Framework as prescribed by Office of Management and Budget (OMB) policy.

10/27/2020

24

AUD-21-001

The FDIC's Information Security Program-2020

6

Ensure that the FDIC’s cloud-based information systems are subject to annual security and privacy control assessments.

10/27/2020

25

AUD-21-001

The FDIC's Information Security Program-2020

7

Update FDIC’s directive(s) related to contingency planning to reflect current business processes, requirements, and government-wide security policy and guidance.

10/27/2020

26

AUD-21-001

The FDIC's Information Security Program-2020

8

Incorporate additional scenarios involving operational challenges into the FDIC’s information technology (IT) contingency plan testing exercises.

10/27/2020

27

AUD-21-002

Governance of the Mobile Device Management Solution

1

Reinforce guidance and provide training on the need for effective identification and assessment of information technology project risks, and the prompt and accurate reporting of such risks.

12/21/2020

28

AUD-21-002

Governance of the Mobile Device Management Solution

2

Establish and implement a control that requires the concurrence of security and privacy officials prior to submitting a procurement package for new technologies to the Acquisition Services Branch. [Estimated funds put to better use of $361,533.]

12/21/2020

29

AUD-21-002

Governance of the Mobile Device Management Solution

3

Clarify and communicate the roles and responsibilities of Security and Enterprise Architecture Technical Advisory Board and Governance Risk and Compliance Section with respect to security requirements for new technologies.

12/21/2020

30

AUD-21-002

Governance of the Mobile Device Management Solution

4

Clarify roles and responsibilities for authorizing the use of Limited Authorization to Operates and the associated security control tailoring.

12/21/2020

31

AUD-21-002

Governance of the Mobile Device Management Solution

5

Clarify the intent and expectation of the Participation Agreement between the Legal Division and Acquisition Services Branch regarding legal reviews of procurement actions involving subscriptions.

12/21/2020

32

EVAL-20-001

Contract Oversight Management

1

Collect key acquisition data, including original contract award amount for modified contracts, original period of performance for modified contracts, clear and properly recorded contract modifications, and oversight manager workload, which will enhance automated portfolio-wide analyses and reporting to support informed decision-making.

10/28/2019

33

EVAL-20-001

Contract Oversight Management

2

Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.

10/28/2019

34

EVAL-20-001

Contract Oversight Management

8

In conjunction with the Division of Information Technology, develop controls around access to information contained within Contract Electronic File to ensure that Personally Identifiable Information is appropriately protected, or identify an alternative to Contract Electronic File that can serve as a secure repository for all contract documents.

10/28/2019

35

EVAL-20-002

Offsite Reviews of 1- and 2-Rated Institutions

1

Evaluate the feasibility of using additional methods and innovative technologies to identify 1- and 2-rated institutions with other types of emerging supervisory concerns.

12/18/2019

36

EVAL-20-003

Cost Benefit Analysis Process for Rulemaking

1

Establish, document, and implement policy and procedures for conducting cost benefit analyses, including when and how the cost benefit analyses will

be performed.

2/4/2020

37

EVAL-20-003

Cost Benefit Analysis Process for Rulemaking

2

Establish, document, and implement policy and procedures that clearly define the roles and responsibilities for the Regulatory Analysis Section

(RAS), and early involvement for the RAS in participating in and framing the initial policy direction of a rule.

2/4/2020

38

EVAL-20-003

Cost Benefit Analysis Process for Rulemaking

3

Establish, document, and implement policy and procedures that clearly define the Chief Economist’s roles and responsibilities for reviewing and concurring

on cost benefit analyses performed.

2/4/2020

39

EVAL-20-003

Cost Benefit Analysis Process for Rulemaking

4

Establish, document, and implement policy and procedures that address how cost benefit analyses and supporting information, such as scope and

methodology, analyses, conclusions, and reconciliation to the Agency’s final policy decision will be documented and published in the Federal Register to ensure transparency.

2/4/2020

40

EVAL-20-003

Cost Benefit Analysis Process for Rulemaking

5

Establish, document, and implement policy and procedures for conducting retrospective cost benefit analyses on existing rules, including a regulatory

risk assessment, as well as roles and responsibilities for the Driver Divisions, Chief Economist, and Division of Insurance and Research (DIR)/ Regulatory Analysis Section (RAS).

2/4/2020

41

EVAL-20-004

The FDIC's Readiness for Crises

1

Establish and implement a policy providing senior management’s crisis readiness directives.

4/7/2020

42

EVAL-20-004

The FDIC's Readiness for Crises

2

Establish a committee to guide and oversee FDIC crisis readiness planning.

4/7/2020

43

EVAL-20-004

The FDIC's Readiness for Crises

3

Establish and implement procedures supporting an Agency-wide process for crisis readiness planning.

4/7/2020

44

EVAL-20-004

The FDIC's Readiness for Crises

4

Establish and implement an Agency-wide all-hazards readiness plan that identifies and integrates FDIC readiness activities common to all crises impacting

insured depository institutions.

4/7/2020

45

EVAL-20-004

The FDIC's Readiness for Crises

5

Establish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to

specific hazards impacting insured depository institutions.

4/7/2020

46

EVAL-20-004

The FDIC's Readiness for Crises

6

Establish and implement a process for ensuring periodic training of responsible personnel on their task-related responsibilities in executing readiness plans.

4/7/2020

47

EVAL-20-004

The FDIC's Readiness for Crises

7

Establish and implement a process for regularly documenting readiness plan exercise results and related recommendations, and retaining that documentation

for use in readiness improvement activities.

4/7/2020

48

EVAL-20-004

The FDIC's Readiness for Crises

8

Establish and implement a monitoring process for lessons learned that prioritizes and tracks recommendations to improve readiness activities

4/7/2020

49

EVAL-20-004

The FDIC's Readiness for Crises

9

Establish and implement a process to ensure that the FDIC reviews and updates readiness plans on a recurring basis.

4/7/2020

50

EVAL-20-004

The FDIC's Readiness for Crises

10

Establish and maintain a central repository of up-to-date readiness plans.

4/7/2020

51

EVAL-20-004

The FDIC's Readiness for Crises

11

Establish and implement a process to assess and report regularly on the state of the FDIC’s Agency-wide readiness to address crises impacting insured depository institutions.

4/7/2020

52

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

1

Define, document, and implement the authorities, roles, and responsibilities of the Operating Committee as the RMC, including:

a) Oversight of the establishment of the Agency’s risk profile;

b) Oversight of the regular assessment of risks;

c) Oversight of the development of appropriate risk responses; and

d) Final determinations of the approaches and actions to address the risks in the FDIC’s risk profile. These determinations should be based on deliberative discussion and consideration around additional actions that may be suggested or required to reduce the overall level of residual risk and align to the organization’s risk appetite and tolerance levels.

7/8/2020

53

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

2

Define the roles and responsibilities of the Board with respect to enterprise risk management, including its role in endorsing the risk appetite statement.

7/8/2020

54

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

3

Develop and implement enterprise risk management communication protocols to the Board.

7/8/2020

55

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

4

Define the roles and responsibilities of each committee in relation to enterprise risk management.

7/8/2020

56

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

5

Develop and implement procedures on how the risk committees interface with other enterprise risk management processes.

7/8/2020

57

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

7

Develop and implement procedures pertaining to how the Divisions, Offices, and Risk Management and Internal Controls Branch should execute their particular job functions related to enterprise risk management.

7/8/2020

58

EVAL-20-005

The FDIC’s Implementation of Enterprise Risk Management

8

Define, document, and implement procedures to ensure that enterprise risks are evaluated using enterprise risk management before enterprise-wide decisions are made.

7/8/2020

59

EVAL-20-006

Preventing and Addressing Sexual Harassment

1

Develop and implement a strategy for acknowledging employees, supervisors, and managers, as appropriate, for creating and maintaining a culture in which harassment is not tolerated and promptly reporting, investigating, and resolving harassment complaints.

7/10/2020

60

EVAL-20-006

Preventing and Addressing Sexual Harassment

2

Define in FDIC policy the terminology involving sexual harassment and ensure that it includes the Equal Employment Opportunity definition.

7/10/2020

61

EVAL-20-006

Preventing and Addressing Sexual Harassment

3

Specify within FDIC policy that HR Specialists (Labor and Employee Relations Section) are avenues for employees to report sexual harassment and correct the contact information for the Anti-Harassment Program Coordinator.

7/10/2020

62

EVAL-20-006

Preventing and Addressing Sexual Harassment

4

Clearly identify in FDIC policy the Anti-Harassment Program Coordinator roles and responsibilities with respect to sexual harassment allegations.

7/10/2020

63

EVAL-20-006

Preventing and Addressing Sexual Harassment

5

Include requirements in FDIC policy for proportionate corrective action (discipline) when harassment is substantiated.

7/10/2020

64

EVAL-20-006

Preventing and Addressing Sexual Harassment

6

Incorporate in FDIC policy options of alternative disciplinary action.

7/10/2020

65

EVAL-20-006

Preventing and Addressing Sexual Harassment

7

Include in FDIC policy Legal Division responsibilities.

7/10/2020

66

EVAL-20-006

Preventing and Addressing Sexual Harassment

8

Develop and implement a tracking system for sexual harassment misconduct allegations handled by the Anti-Harassment Program to ensure that relevant information is centralized, complete, accurate, and updated timely.

7/10/2020

67

EVAL-20-006

Preventing and Addressing Sexual Harassment

9

Track data elements for misconduct allegations, including original allegation date; misconduct classification; date investigation concluded; name of investigator; names of complainant, alleged harasser, and witnesses; whether the allegation was substantiated or unsubstantiated; and date of written notification to complainant and alleged harasser regarding completion of the investigation.

7/10/2020

68

EVAL-20-006

Preventing and Addressing Sexual Harassment

10

Develop and implement procedures for investigating sexual harassment misconduct allegations. ^

7/10/2020

69

EVAL-20-006

Preventing and Addressing Sexual Harassment

12

Develop and implement procedures to ensure that supervisors take consistent disciplinary actions for substantiated sexual harassment, in line with Federal government law on imposing disciplinary actions.

7/10/2020

70

EVAL-20-006

Preventing and Addressing Sexual Harassment

13

Develop and implement a comprehensive, centralized database of disciplinary actions, including those associated with sexual harassment.

7/10/2020

71

EVAL-20-006

Preventing and Addressing Sexual Harassment

14

Enhance employee and supervisor training on identifying and reporting sexual harassment, to include the training content recommended by the Equal Employment Opportunity Commission.

7/10/2020

72

EVAL-20-006

Preventing and Addressing Sexual Harassment

15

Develop oversight mechanisms to assess the effectiveness of the FDIC’s sexual harassment prevention efforts and determine whether the FDIC is addressing sexual harassment allegations in a prompt and effective manner.

7/10/2020

73

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

1

Clarify criteria the examiners should use to identify an official as dominant.

9/30/2020

74

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

2

Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results.

9/30/2020

75

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

3

Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits.

9/30/2020

76

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

4

Implement guidance and train personnel on monitoring and following up on State-issued Matters Requiring Board Attention.

9/30/2020

77

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

5

Train examiners on the importance of ensuring that information system user access controls be adequately tested.

9/30/2020

78

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

6

Enhance case study training to incorporate the lessons learned from Enloe State Bank in regard to performing additional procedures related to the bank’s loan related

activity.

9/30/2020

79

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

7

Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment.

9/30/2020

80

EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas

8

Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection.

9/30/2020

 

Print Print
Close