• Strengthened FDIC assessments of risks to the Deposit Insurance Fund.
• Improved external risk mitigation.

Consumer protection laws are an important part of the safety net of America. The U.S. Congress has long advocated particular protections for consumers in relationships with banks. For example:

• The Community Reinvestment Act (CRA) encourages federally insured banks to meet the credit needs of their entire community.
• The Equal Credit Opportunity Act prohibits creditor practices that discriminate based on race, color, religion, national origin, sex, marital status, or age.
• The Home Mortgage Disclosure Act was enacted to provide information to the public and federal regulators regarding how depository institutions are fulfilling their obligations towards community housing needs.
• The Fair Housing Act prohibits discrimination based on race, color, religion, national origin, sex, familial status, and handicap in residential real-estate-related transactions.
• The Gramm-Leach-Bliley Act eliminated barriers preventing the affiliations of banks with securities firms and insurance companies and mandates new privacy rules.
• The Truth in Lending Act requires meaningful disclosure of credit and leasing terms.
• The Fair and Accurate Credit Transaction Act further strengthened the country’s national credit reporting system and assists financial institutions and consumers in the fight against identity theft.

The FDIC serves a number of key roles in the financial system and among the most important is the FDIC’s work in ensuring that banks serve their communities and treat consumers fairly. The FDIC has recognized the importance of its role in this regard by establishing its own strategic goal ensuring that consumers’ rights are protected and supervised institutions invest in their communities. The FDIC carries out its role by (1) providing consumers with access to information about their rights and disclosures that are required by federal laws and regulations and (2) examining the banks where the FDIC is the primary federal regulator to determine the institutions’ compliance with laws and regulations governing consumer protection, fair lending, and community investment.

An important FDIC initiative is promoting expanded opportunities for the underserved banking population in the United States to enter the financial mainstream. Newly appointed FDIC Chairman, Sheila Bair said, “The FDIC has been a leader in financial education efforts, but more can be done. Regulators and bankers can work together to reach out to underserved communities and to develop credit and deposit products that meet the needs of those communities.” The FDIC promotes public understanding of the federal deposit insurance system and seeks to ensure that depositors and bankers have ready access to information about consumer protection laws. The results of the FDIC’s efforts bring greater stability and fairness to our financial system.

The OIG’s role under this strategic goal is targeting audits and evaluations that review the effectiveness of various FDIC programs aimed at protecting consumers, fair lending, and community investment. Additionally, the OIG’s investigative authorities are used to identify, target, disrupt, and dismantle criminal organizations and individual operations engaged in fraud schemes that target our financial institutions.

2007 Performance Goals: To assist the FDIC to protect consumer rights and ensure customer data security and privacy, the OIG will

• Evaluate the effectiveness of FDIC programs for ensuring customer data security and privacy at FDIC-insured institutions.
• Review FDIC’s examination coverage of institution compliance at FDIC-insured institutions.
• Address allegations of fraudulent insurance coverage and identity theft schemes affecting the FDIC.

Key Effort

• Evaluate how the FDIC identifies offshore outsourcing activities in FDIC-supervised institutions and assesses the programs those institutions have in place to address the data security risks associated with offshore outsourcing. [AUDIT]
• Assess DSC’s IT examination procedures for addressing the security of sensitive customer information when FDIC-supervised institutions use TSPs and examiners’ implementation of those procedures. [AUDIT]

Significance

Data security and financial privacy are important values in American society. Banks are increasingly using third-party servicers to provide support for core information and transaction processing functions. The increasing globalization and cost saving benefits of the financial services industry are leading many banks to make greater use of foreign-based service providers. Although generally permissible, this outsourcing practice raises certain risks, such as country, compliance, contractual, and reputation risks.

With respect to privacy and security, the obligations of a financial institution to protect the privacy and security of information about its customers under applicable U.S. laws and regulations remain in full effect when the institution transfers the information to a foreign-based service provider. The transfer of that information to a service provider located in another country does not alter those obligations. Accordingly, the FDIC expects financial institutions to effectively manage these risks and adequately oversee any relationships with foreign-based third-party service providers.

Potential Outcomes

• Enhanced data security of sensitive customer information in financial institutions and protection of the FDIC’s reputation for maintaining public confidence in the banking system.

Key Effort

• Determine whether DSC is adequately assessing financial institutions’ compliance management systems during the compliance examination process. [AUDIT]
• Determine whether revisions to the interagency CRA regulations and examination procedures have achieved their intended purposes and assess the impact of the revised regulations and procedures on the CRA performance of FDIC-supervised institutions and how that impact is being measured by the FDIC. [AUDIT]

Significance

Compliance with laws and regulations must be managed as an integral part of a bank’s business strategy. FDIC has responsibility for ensuring that the financial institutions it supervises comply with consumer protection laws and regulations. A compliance management system is the method by which the bank manages the entire consumer compliance process. The FDIC uses its compliance examination process to ascertain the effectiveness of an institution’s program for compliance. In 2005, the FDIC conducted 2,020 compliance and CRA examinations.

Although the job of compliance has grown more complex, the FDIC is committed to making certain that financial institutions develop and maintain a sound compliance management system that is integrated into the overall risk management strategy of the institution. Noncompliance with consumer statutes and regulations can result in monetary penalties, litigation, and formal enforcement actions. Successful compliance management will avoid these potential consequences and create a culture of compliance readiness.

Potential Outcomes

• A sound compliance management system that is essential to the efficient and successful operation of an institution.

Key Effort

• Conduct investigations of alleged schemes that defraud investors by misrepresenting FDIC-insurance coverage or affiliation. [INVESTIGATION]
• ECU will continue to work with DSC and the Computer Security Incident Response Team in detecting and investigating identity theft attempts which warrant issuance of FDIC Special Alerts to banks and consumers and will take all steps necessary to have fraudulent websites shut down; participate in the Cyberfraud Working Group, the Identity Theft Working Group, the HighTech Crimes Investigative Association; and coordinate with the Federal Trade Commission to identify and help combat emerging schemes that prey on consumers. [INVESTIGATION]

Significance

Every year fraud schemes rob depositors and financial institutions of millions of dollars. The OIG’s Office of Investigations is used to identify, target, disrupt, and dismantle criminal organizations and individual operations engaged in fraud schemes that target our financial institutions or that prey on the banking public. OIG investigations have identified multiple schemes that defraud depositors. Common schemes range from identity fraud to Internet scams such as “phishing” and “pharming”.

Investigative work related to these areas is ongoing and will continue to be at the forefront of OI’s key efforts. With the help of sophisticated technology, the ECU will continue to work with FDIC divisions and other federal agencies to help with the detection of new fraud patterns and combat existing fraud. Coordinating closely with the Corporation’s DRR and the various U.S. Attorneys’ offices, the OIG hopes to reduce substantial risk and yield positive results. These proactive measures will help to promote continued public confidence in federal deposit insurance and goodwill within financial institutions.

Potential Outcomes

• Detected and reduced incidence of fraud schemes intended to defraud depositors and undermine public confidence in deposit insurance.
• Reduced incidence of misrepresentations regarding FDIC deposit insurance.

The United States provides protection to depositors in its banks, savings and loan associations, and credit unions. One of the key players in this process is the FDIC. Among its various functions, the FDIC acts as the receiver or liquidating agent for failed FDIC-insured institutions. The success of the FDIC’s efforts in resolving troubled institutions has a direct impact on the banking industry and on the taxpayers.

DRR exists to plan and efficiently handle the resolutions of failing FDIC-insured institutions and to provide prompt, responsive, and efficient administration of failing and failed financial institutions in order to maintain confidence and stability in our financial system.

• The resolution process involves valuing a failing federally insured depository institution, marketing it, soliciting and accepting bids for the sale of the institution, determining which bid to accept and working with the acquiring institution through the closing process.
• The receivership process involves performing the closing function at the failed bank; liquidating any remaining assets; and distributing any proceeds to the FDIC, the bank customers, general creditors, and those with approved claims.

The FDIC’s resolution and receivership activities pose tremendous challenges. Today record profitability and capital in the banking industry have led to a substantial decrease in the number of financial institution failures compared to prior years. However, as indicated by the trends in mergers and acquisitions, banks are becoming more complex, and the industry is consolidating into larger organizations. As a result, the FDIC could potentially have to handle a failing institution with a significantly larger number of insured deposits than it has had to deal with in the past.

The change between how the FDIC handled resolutions and receiverships 20 years ago and how it will be handling them 20 years from now will be largely based on learning to anticipate and plan, instead of reacting. Through the development of new resolution strategies within the various DRR business lines, FDIC must set far-reaching plans for the future to keep pace with a changing industry.

The OIG’s role under this strategic goal is targeting audits and evaluations that assess the effectiveness of the FDIC’s various programs designed to ensure that the FDIC is ready to and does respond promptly, efficiently, and effectively to financial institution closings. Additionally, the OIG investigative authorities are used to pursue instances where fraud is committed to avoid paying the FDIC civil settlements, court-ordered restitution, and other payments as the institution receiver. The OIG will also continue to work with FDIC officials to keep abreast of the ongoing efforts being taken by DRR and the Corporation as a whole, to sustain proficiency in resolution activity and to prepare for the possibility of a large institution failure or multiple failures caused by a single catastrophic event.

2007 Performance Goals: To help ensure the FDIC is ready to resolve failed banks and effectively manages receiverships, the OIG will:

• Evaluate the FDIC’s plans and systems for managing bank resolutions.
• Respond to potential crimes affecting FDIC’s efforts to recover financial losses.

Key Efforts

• Evaluate the design and implementation of controls used by the FDIC to protect personal information collected and maintained in electronic form as a result of resolution and receivership activity. [AUDIT]
• Monitor DRR’s planning for a potential large bank failure. [OTHER PROJECT]

Significance

In performing their duties of resolving failing FDIC-insured depository institutions, DRR personnel have access to a wide variety of records containing personally identifiable information of a bank’s employees and customers. Such records include: bank employee payroll records, customer deposit records, and customer loan records. The FDIC is committed to protecting the privacy of personal information. Within the FDIC, each division has established controls and procedures for the protection of sensitive information. Through various policies and procedures, DRR has established certain methods for controlling access to collected and maintained sensitive information. However, given the increased risks associated with, and attention being placed on identity theft, the protection of customer information in FDIC’s systems is paramount to sustaining the public’s confidence in the FDIC.

The risk of a large bank failure is one of the greatest threats to the Deposit Insurance Fund and public confidence in the nation’s financial systems. The FDIC bears primary responsibility to plan the government’s reaction to such a failure. DRR has plans for sophisticated models to train FDIC staff and prepare for differing circumstances. The OIG will monitor the development of the model, look for opportunities to contribute, and involve its own staff in simulations of potential large bank fraud that causes a bank to collapse, and in post-failure reviews of what caused the bank to fail.

Potential Outcomes

• Help to ensure that the FDIC minimizes the risks of mishandling sensitive information in its possession that, if inappropriately released, could greatly damage its reputation and the public’s confidence.
• Better preparation for a large bank failure.

Key Efforts

• Continue criminal investigations of individuals fraudulently concealing assets from FDIC. [INVESTIGATION]
• Continue to respond to any bank closing where fraud is suspected to have played a role in the failure of the institution. An investigative team, to include ECU agents, will respond in the event of such a closing, and will share data imaged from the closing as needed with FDIC. [INVESTIGATION]
• OI will work with DRR and Legal to improve bank closing procedures for: addressing coordination issues with contractors who collect electronic data; providing immediate investigative response and coordination with the Department of Justice and the FBI to a large or multiple bank failure; and identifying and developing training that will help maintain proficiencies and expertise at bank closings. [INVESTIGATION]

Significance

The OIG’s OI coordinates closely with DRR, with special attention to various types of financial institution fraud and related crimes, including concealment of assets. The FDIC was owed more than $1.7 billion in criminal restitution as of September 30, 2006. In most instances, the individuals do not have the means to pay. However, a few individuals do have the means to pay but hide their assets and/or lie about their ability to pay. OI works closely with DRR and the Legal Division in aggressively pursing criminal investigations of these individuals. Specifically, OI offers vital assistance in these pursuits. In the case of bank closings where fraud is suspected, OI is prepared to send case agents and computer forensic special agents from the ECU to the institution. Agents use different investigative tools to provide computer forensic support to OI’s investigations by obtaining, preserving, and later examining evidence from computers at the bank. The determined investigative work of OI has allowed for successful outcomes in various cases and substantial restitution payments. As a result of well-prepared investigations, FDIC has a good recovery record of funds for the receivership.

Although there have been far fewer failures in recent years, DRR must be ready to resolve troubled institutions and is, in fact, continuing to focus on its ability to resolve institutions of any size. According to FDIC analysis, the failures of the 1980s and early 1990s were concentrated in the energy, agriculture, and commercial real estate sectors. In contrast, recent bank failures are largely attributable to fraud, mismanagement, improper accounting and reporting practices, and losses related to investments in sub-prime lending. OI will continue to work with DRR to ensure the OIG remains proficient and up-to-date on DRR’s resolution strategies.

Potential Outcomes

• Debts owed to the FDIC collected.
• Justice for individuals who criminally conceal assets.
• Deterrence of those who might consider similar crimes.

The FDIC must effectively manage and utilize a number of critical strategic resources in order to carry out its mission successfully, particularly its human, financial, IT, and physical resources. The Corporation does not receive an annual appropriation, except for its OIG, but rather is funded by the premiums that banks and thrift institutions pay for deposit insurance coverage, the sale of assets recovered from failed banks and thrifts, and from earnings on investments in U.S. Treasury securities.

The FDIC has emphasized its stewardship responsibilities for all of its resources in its strategic planning process. The FDIC Board of Directors approves an annual Corporate Operating Budget to fund the operations of the Corporation.

The Corporate Operating Budget provides resources for the operations of the Corporation’s three major programs or business lines—Insurance, Supervision, and Receivership Management—as well as its major program support functions (legal, administrative, financial, IT, etc.). Program support costs are allocated to the three business lines so that the fully loaded costs of each business line are displayed in the operating budget approved by the Board.

In addition to the Corporate Operating Budget, the FDIC has a separate Investment Budget that is composed of individual project budgets approved by the Board of Directors for major investment projects. Budgets for investment projects are approved on a multi-year basis, and funds for an approved project may be carried over from year to year until the project is completed. A number of the Corporation’s more costly IT projects are approved as part of the investment budget process.

Deposit insurance reform legislation resulted in the merging the Bank Insurance Fund and the Savings Association Insurance Fund into a new fund, the Deposit Insurance Fund, effective March 31, 2006. Expenditures from the Corporate Operating and Investment Budgets are paid from two funds managed by the FDIC—the Deposit Insurance Fund and the FSLIC Resolution Fund. The Corporation’s 2007 spending is expected to total approximately $1 billion.

To effectively manage its budget, in May 2005, the Corporation implemented an enhanced cost-management program to provide managers with additional cost information, including the fully loaded cost of key businesses processes. The Corporation will also continue to benchmark the cost of selected business processes with those of peer organizations and continue to explore the use of performance scorecards to assess performance against appropriate cost, timeliness, quality, and customer service standards.

Financial resources are but one aspect of the FDIC’s critical assets. The Corporation’s human capital is also vital to its success. The FDIC will have the opportunity over the next decade to substantially reshape its workforce in conjunction with the projected retirements of a large number of long-serving employees. The downsizing that has occurred over the past 12 years has resulted in limited hiring of new employees. The FDIC has made efforts over the recent years to address the need to reshape its workforce with the implementation of the Corporate Employee Program, the Succession Management Program, and the Leadership Development Program. In 2006, the Corporation began the development and implementation of a comprehensive succession management program to ensure that the FDIC’s workforce has the skills and expertise needed to successfully address its mission responsibilities in the future and to maintain its leadership role in the financial regulatory community. Throughout the reshaping of its workforce, the FDIC maintains its commitment to a working environment of high integrity and to the achievement of its mission.

Technological advances have produced tools that all workers today would be lost without. IT drives and supports the manner in which the public and private sector conduct their work. At the FDIC, the Corporation seeks to leverage IT to support its business goals in insurance, supervision and consumer protection, and receivership management, and to improve the operational efficiency of its business processes. The financial services industry employs technology for similar purposes.

Along with the positive benefits that IT offers comes a certain degree of risk. In that regard, information security has been a long-standing and widely acknowledged concern among federal agencies. A key effort for all agencies must be the establishment of effective information security programs. The E Government Act of 2002 recognized the importance of information security. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each agency to develop, document, and implement an agency-wide information security program to provide adequate security for the information and information systems that support the operations and assets of the agency. Section 522 of the Consolidated Appropriations Act of 2005 requires agencies to establish and implement comprehensive privacy and data protection procedures and have an independent third-party review performed of their privacy programs and practices.

Business continuity is another key concern to all federal agencies. In light of recent large-scale disasters, the Corporation must be prepared to respond to such events, whether related to natural disasters or terrorism. The continuity of FDIC’s business operations is essential in order to maintain the public’s confidence and trust in the Corporation.

With greater uses of technological advances, the FDIC found itself with IT applications largely “stovepiped” around workgroup needs, not enterprise business needs. The stovepiped view of data in these applications made data consistency and integrity a greater challenge, according to a study published in December 2005 by Gartner, Inc. Accordingly, the FDIC has adopted an Enterprise Architecture blueprint for security and e-government as depicted in Figure 5.1. The Federal Deposit Insurance Act empowers the FDIC to enter into contracts to procure goods and services. The authority to establish policies and procedures for the contracting program has been redelegated by the Board of Directors to the Director, Division of Administration. The Acquisition Services Branch of that Division is responsible for developing contracting policies and procedures, and communicating and implementing those policies and procedures throughout the FDIC. Heightened corporate wide attention to contract administration is critical to ensuring the Corporation receives cost effective, quality performance from contractors. The FDIC is increasingly relying on contractors to accomplish its mission. The table below shows the value of active contracts by division as of March 2006.

[ D ]

The OIG’s role in this strategic goal is to perform audits, evaluations, and investigations that

• identify opportunities for more economical, efficient, and effective corporate expenditures of funds;
• foster corporate human capital strategies that benefit employees, strengthen employees’ knowledge, skills, and abilities; ensure employee and contractor integrity; and inspire employees to perform to their maximum capacity;
• help the Corporation to leverage the value of technology in accomplishing the corporate mission and promote the security of both IT and human resources;
• ensure that procurement practices are fair, efficient, effective, and economical; and
• enhance corporate governance and risk management practices.

2007 Performance Goals: To promote sound governance and effective stewardship of FDIC strategic resources, the OIG will

• Evaluate corporate efforts to fund operations efficiently, effectively, and economically.
• Assess corporate human capital strategic initiatives.
• Promote integrity in FDIC internal operations.
• Promote alignment of IT with the FDIC’s business goals and objectives.
• Promote IT security measures that ensure the confidentiality, integrity, and availability of corporate information.
• Promote personnel and physical security.
• Evaluate corporate contracting efforts.
• Monitor corporate risk management and internal control efforts.

Key Efforts

• Evaluate the effectiveness of the FDIC’s records management program. [EVALUATION]
• Evaluate the effectiveness of FDIC’s newly established Project Management Office (PMO). [AUDIT]
• Evaluate the appropriateness to which salary costs are being charged to various New Financial Environment (NFE) program codes. [EVALUATION]
• Evaluate the performance measurement processes that the FDIC uses to monitor corporate performance. [EVALUATION]

Significance

Records are a valuable resource and must be managed properly for the agency to function effectively and to comply with Federal laws and regulations. The FDIC records management program is designed to ensure continuity and consistency, to assist in decision-making and information-sharing, and to provide information required by Congress and others for overseeing the Corporation’s activities. Thus, it is important that the Corporation’s records are economically and effectively managed to meet business needs and to comply with applicable laws and regulations.

Improving project management is another ongoing business concern. In 2005, The Division of Information Technology (DIT) PMO was established as a resource center for clients, executives, project managers, and project team members engaged in the operations and oversight of IT projects. DIT initiated a PMO to establish standard repeatable project management practices and improve the results of IT project management activities. Successful project management is highly dependent upon keeping decision-makers fully informed of the cost and status of projects.

In May 2005, the Corporation also implemented NFE to enhance the FDIC's ability to meet current and future financial management and information needs. One of the intended organizational benefits of NFE was enhanced cost management. To that end, the cost management program was collaboratively created by all divisions and offices. The cost management program’s success will rely on employees accurately entering all the necessary data into the appropriate cost management chartfields when reporting their time and travel. In order to facilitate and support decision making, accurate cost data must be available for decision makers and other system users.

To provide assurance that the FDIC is achieving its strategic goals and objectives, there must be gauges that track and measure the Corporation’s performance of its operations, activities, and initiatives. Furthermore, these gauges must be aligned with the Corporation’s strategic goals and objectives and be useful to FDIC management and stakeholders.

Potential Outcomes

• Enhanced usefulness and reliability of records for decision makers.
• Cost-effective records management processes.
• Enhanced project management practices.
• Accurate cost data for decision makers and other system users.
• Performance measures that appropriately assess the Corporation’s performance and are useful to FDIC management and stakeholders.

Key Efforts

• Determine the extent to which the FDIC’s succession planning efforts identify and address future critical staffing and leadership needs. [EVALUATION]
• Evaluate the efficiency, effectiveness, and customer satisfaction with FDIC’s hiring program, procedures, and processes. [EVALUATION]

Significance

Federal agencies are faced with a growing number of employees who are eligible for retirement and are finding it difficult to fill certain mission-critical jobs— a situation that could significantly drain agencies’ institutional knowledge. To that end, the FDIC established a new human capital framework and strategy to guide its planned evolution toward a more flexible permanent workforce that will be capable of responding rapidly to significant changes in the financial services industry or unexpected changes in workload or priorities. As depicted in Figure 5.2, over the past 10 years the Corporation was in a continuous downsizing mode as it

[ D ]

Potential Outcomes

• Increased assurance that future leaders have the skills and expertise needed to carry out the FDIC mission.
• A more effective and efficient program for attracting, screening, and hiring new employees.

Key Efforts

• Conduct investigations, as needed, of criminal or serious misconduct on the part of FDIC employees and contractors to ensure a working environment of high integrity. [INVESTIGATION]
• Electronic Crimes Unit collaboration with the FDIC to ensure appropriate use of government property. [INVESTIGATION]
• Maintain OIG Hotline to respond to allegations of fraud, waste, abuse, and mismanagement. [INVESTIGATION]
• Participate with FDIC Ethics Office in addressing employee groups on ethics and conduct issues. [INVESTIGATION]

Significance

The achievement of the FDIC’s mission, in large part, depends upon employees that uphold values of integrity, honesty, and a commitment to maintain the public’s trust and confidence in the Corporation. In order to promote a working environment that embraces such values, there must be means in which misconduct is identified and handled appropriately. To foster a working environment of high integrity, it is also critical that employees and contractors receive ethics and conduct training.

Potential Outcomes

• Heightened awareness of unacceptable or unethical employee behavior and the appropriate consequences for such behavior.
• Appropriate use of resources for intended purposes.
• A working environment of high integrity.

Key Efforts

• Assess the FDIC’s progress in implementing an enterprise architecture program that supports the FDIC’s mission. [AUDIT]
• Complete a risk assessment of FDIC’s IT environment, including corporate risk mitigation activities. [AUDIT]

Significance

An Enterprise Architecture (EA) is a blueprint of an agency's current and planned operating and systems environment and the plan for transitioning between the two. Among other things, the EA defines principles and goals for, and sets direction on, IT security. It is critical that the FDIC has an effective structure in place to allow IT investment decisions to be made in alignment with its business needs; otherwise, the absence of an effective EA program may result in poor IT investment decisions.

As part of the OIG’s approach to assess the FDIC’s IT environment and risk, the OIG will conduct a risk analysis of FDIC’s IT environment to ensure that resources are focused on areas that represent the most risk to the FDIC.

Potential Outcomes

• Assurance that FDIC has an effective structure in place to allow IT investment decisions to be made in alignment with its business needs.
• Assurance that resources are devoted to areas that represent most risk to the FDIC.

Key Efforts

• Evaluate the effectiveness of the FDIC’s information security and privacy and data protection program and practices, including the FDIC’s compliance with FISMA and related policies, procedures, standards, legislation, and guidelines. [AUDIT]
• Determine whether the FDIC has established and implemented an IT disaster recovery capability that is consistent with federal standards, guidelines, and industry-accepted practices. [AUDIT]
• Evaluate the Corporation’s use of information in identifiable form, evaluate the privacy and data protection procedures, and recommend strategies and specific steps to improve data protection management. [AUDIT]

Significance

Information security and continuity of operations remain top priorities at the FDIC. As mandated by Title III, namely FISMA, of the E-Government Act of 2002, federal agencies are required to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluation to the Office of Management and Budget (OMB). The OIG’s 2006 FISMA evaluation reported that the FDIC has made significant progress in improving its information security controls and practices. However, continued management attention was needed in key security control areas to ensure that appropriate risk-based and cost-effective security controls are in place to secure the FDIC’s information resources in furtherance of the Corporation’s security program goals and objectives. Further, the Corporation is subject to the Consolidated Appropriations Act, Title V, Section 522. The Act mandates the designation of a senior privacy official, establishment of privacy and data protection procedures, and a written report of the Corporation’s use of information in identifiable form.

The FDIC depends on the continuity of its IT operations to meet its business needs, financial obligations, and regulatory requirements. OMB policy requires agencies to establish and periodically test their ability to recover from IT service interruptions and to provide service based upon the needs and priorities of system participants. The FDIC conducts semiannual IT disaster recovery testing to ensure the Corporation’s ability to recover its mainframe, midrange, and server platforms that would be required to restore IT operations in the event of a disaster. It is of critical importance that the FDIC IT infrastructure can withstand interruptions and continue to fully support corporate business operations.

Potential Outcomes

• Strengthened, up-to-date information and system security controls and practices.
• Appropriate use of information in an identifiable form and enhanced protection of sensitive data.
• A reliable IT disaster recovery capability.

Key Efforts

• Determine the extent of the FDIC’s progress in developing and implementing a comprehensive business continuity plan (BCP) and program. [AUDIT]

Significance

Recent large-scale disasters in the United States have clearly demonstrated how important it is to have reliable emergency response procedures and a well-written BCP to sustain critical business functions during an emergency or situation that may disrupt normal operations. The FDIC has developed an Emergency Operations Plan comprised of an Emergency Response Plan and a separate BCP. In 2004, an OIG evaluation of FDIC’s BCP found that the BCP addresses the critical business functions of key FDIC divisions and offices. However, the evaluation noted that the FDIC could improve the quality of its BCP in a number of key areas to help ensure its success. The OIG will conduct a follow-up evaluation of the FDIC’s progress in implementing the recommendations we made in our earlier report. It is important, both symbolically and functionally, for federal government agencies to continue to serve the American public during any emergency or situation that may disrupt normal operations.

Potential Outcomes

• A sound BCP that helps ensure public confidence in the FDIC and its regulated banks.

Key Efforts

• Assess whether the FDIC has mechanisms in place to periodically evaluate the continuing need for contracts and determine whether there are corporate contracts that can be eliminated. [EVALUATION]
• Determine whether the Information Technology Application Services (ITAS) contracting approach is achieving anticipated procurement benefits, and (2) ascertain whether there is an appropriate balance between the controls in place and the risks inherent in the ITAS contracting approach. [EVALUATION]
• Determine whether adequate controls to ensure that work performed under the Federal Systems Integration Management (FEDSIM) interagency agreement contract complies with contract’s terms and conditions, and the contracting method has produced the intended results. [AUDIT]
• For pre-award reviews—determine whether the FDIC is complying with its Acquisition Policy Manual in evaluating proposals and/or assess financial aspects of bidders’ proposals, including determining whether proposed costs are reasonable and supported. [EVALUATION]
• For contract billing reviews—determine whether contractor billings are allowable under the contract, allocable, and reasonable. [EVALUATION]

Significance

With corporate downsizing has come, in many instances, increased reliance on contracted services and potential increased exposure to risk if contracts are not managed properly. Processes and related controls for identifying needed goods and services, acquiring them, and monitoring contractors after contract award must be in place and work effectively. As a good steward, the FDIC must ensure it receives the goods and services purchased with corporate funds. Further, the FDIC must have mechanisms in place to periodically evaluate the continuing need for contracts and determine whether there are corporate contracts that can be eliminated.

In 2004, the Corporation initiated a new contracting approach for its IT services with the goal to improve contractor support and streamline procurement and oversight activities. The ITAS contract combined approximately 40 contracts into one contract with multiple (four) vendors for a total program value of $555 million over 10 years. In such a large contractual undertaking, significant risk may exist in getting work completed, overseeing the contract, and, ultimately, meeting the Corporation’s needs. In addition, in 2004, the FDIC entered into an interagency agreement with the General Services Administration—FEDSIM contract—to provide assistance for IT support services. As of June 2005, a Contract Monitoring Information Application report indicated that the FEDSIM contract totaled $342 million. Considering the significant contract cost and the vital IT functions that are being acquired, the success of the FEDSIM contract will be extremely important to the FDIC for many years to come.

Potential Outcomes

• Cost savings from optimizing contract portfolios and consolidating redundant contracts.
• Strengthened contract administration and cost savings.
• Assurance that the ITAS and FEDSIM contracts are meeting the FDIC’s IT infrastructure and development needs.

Key Efforts

• Determine the extent to which the FDIC has implemented its Enterprise Risk Management Program consistent with applicable government-wide and best practices. [EVALUATION]

Significance

Revised OMB Circular A-123, which became effective for fiscal year 2006, requires a strengthened process for conducting management’s assessment of the effectiveness of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities and ensure that an appropriate balance exists between the strength of controls and the relative risk associated with particular programs and operations.

Potential Outcomes

• An enterprise-wide control environment that strikes the right balance of internal controls and corporate risks.
• Clear definition of responsibility for addressing corporate risks.

While the purpose of the OIG is focused on the FDIC’s programs and operations, we have an inherent obligation to hold ourselves to the highest standards of performance and conduct. Like any organization, we have processes and procedures for conducting our work; communicating with our clients, staff, and stakeholders; managing our financial resources; aligning our human capital to our mission; strategically planning and measuring the outcomes of our work; maximizing the cost-effective use of technology; and ensuring our work products are timely, value-added, accurate, and complete and meet applicable professional standards.

2007 Performance Goals: To build and sustain a high-quality OIG work environment, the OIG will

• Encourage individual growth through personal development;
• Strengthen human capital management and leadership development;
• Foster good client, stakeholder, and staff relationships;
• Ensure quality and efficiency of OIG audits, evaluations, investigations, and other operations;
• Enhance strategic and annual performance planning and performance measurement; and
• Invest in cost-effective and secure IT.

Key Efforts

• Develop training and development plans for auditors, evaluators, and investigators. [INTERNAL IMPROVEMENT]
• Conduct OIG-wide conference. [OTHER PROJECT]
• Explore expanding the pilot internal mentoring program. [INTERNAL IMPROVEMENT]
• Encourage staff to attain relevant professional certifications.
• Host an emerging issues symposium. [OTHER PROJECT]

Significance

The OIG’s performance and value to our clients and stakeholders is directly linked to the knowledge and abilities of our staff. As our individual and collective abilities increase, so do the performance capacity of our organization and value to clients and stakeholders.

To ensure a high-quality work environment, we must continuously invest in keeping staff knowledge and skills at a level equal to the work that needs to be done. Training and development plans are one means for ensuring that the OIG is making sound investments in staff development. While each staff member has the primary responsibility for managing his or her career, OIG supervisors and management play a key role in helping staff create and implement career development plans. An emerging issues symposium is one means of keeping OIG staff attuned to changes in the bank regulatory environment. Also, a mentoring program that has been piloted during the past year may be beneficial to provide career and developmental guidance to some OIG staff.

In addition, relevant professional certifications serve to enhance the expertise of OIG staff and help ensure continued high-quality work and products.

Potential Outcomes

• Continuous improvement in OIG expertise that can match the needs of our workload.
• A workforce that can develop to its fullest potential.

Key Efforts

• Include leadership development as a component of the auditor, evaluator, and investigator training plans. [INTERNAL IMPROVEMENT]
• Develop a pilot effort for end-of-assignment performance reviews. [INTERNAL IMPROVEMENT]
• Award a contract for supplemental expertise for audits, evaluations, investigations, and other OIG activities. [INTERNAL IMPROVEMENT]
• Update business continuity and emergency preparedness plans. [INTERNAL IMPROVEMENT]
• Update OIG workforce data for human capital decision-making. [INTERNAL IMPROVEMENT]

Significance

A committed leadership team is essential to our strategic goal to build and sustain a high-quality work environment. Leadership fosters accountability for reaching results-oriented goals and for continuous learning and improvement. The OIG needs to develop its leaders for succession to sustain its effectiveness and excellence even as current leaders may depart. Leadership development needs to occur for all employees and with each employee striving to enhance his or her leadership competencies.

OIG leaders must provide straightforward, honest, and constructive feedback about individual and organizational performance to employees. To that end, we will develop additional tools and processes to add to the frequency and quality of performance feedback.

Our staff is our most important asset. The OIG’s ability to produce products and serve clients and stakeholders is directly linked to the quality of staff. Complementing our workforce are contracted staff that can provide expertise beyond what we possess. Such experts can include contractors with expertise in IT, business continuity planning, forensic accounting, human capital issues, corporate investment strategy, commercial real estate appraisals, actuarial science, or any number of areas that OIG work may address. We will be awarding a contract in the next year to complement our existing workforce and assist us to build more quality into our work products.

Protecting our workforce in the event of any emergency is one of the highest priorities. Our emergency preparedness plan, prepared in conjunction with the FDIC’s plan, aims to guide us on what to do before, during, and after an emergency and ensure the safety and security of all OIG staff. The BCP looks toward resuming, first, critical operations, and then all operations after a significant disruption. We must keep these plans current and ready for immediate implementation.

Protecting our workforce in the event of any emergency is one of the highest priorities. Our emergency preparedness plan, prepared in conjunction with the FDIC’s plan, aims to guide us on what to do before, during, and after an emergency and ensure the safety and security of all OIG staff. The BCP looks toward resuming, first, critical operations, and then all operations after a significant disruption. We must keep these plans current and ready for immediate implementation.

Potential Outcomes

• A stronger leadership team.
• Successful leadership succession.
• A high-quality, high-performance culture.
• Enhanced expertise on OIG audits, evaluations, investigations, and projects.
• Improved readiness in the event of an emergency.

Key Efforts

• Continue communications with congressional clients to keep them fully and currently informed about OIG work and issues, problems, and deficiencies relating to FDIC programs and operations.
• Complete and coordinate OIG congressional communications protocols. [INTERNAL IMPROVEMENT]
• Strengthen efforts to keep the FDIC Chairman, Vice Chairman, and other FDIC officials, as appropriate, fully and currently informed about OIG work and issues, problems, and deficiencies relating to FDIC programs and operations. [OTHER PROJECT]
• Participate with other OIGs in the President’s Council on Integrity and Efficiency (PCIE) and meet with other accountability and law enforcement organizations. [OTHER PROJECT]
• Continue efforts to provide forums for OIG staff to address concerns, provide ideas for continuously improving the OIG, and add value to OIG products and services, including formation of the Employee Advisory Group. [OTHER PROJECT]
• Make OIG products accessible to the extent possible with consideration given to data sensitivity and privacy.

Significance

The Inspector General Act of 1978 (IG Act), as amended, makes the OIG responsible for keeping both the FDIC Chairman and the Congress fully and currently informed about problems and deficiencies relating to FDIC programs and operations. This dual reporting responsibility is the framework within which IGs perform their functions, and serves as a legislative safety net that protects the OIG’s independence and objectivity.

The OIG places a high priority on maintaining positive relationships with the Congress and providing timely, complete, and high quality responses to congressional inquiries. Communications with the Congress about OIG work and its conclusions are best handled by the Inspector General or a designee to ensure that information is conveyed accurately and in context. In most instances, this communication would include semiannual reports to the Congress, letters for reporting serious problems, issued audit and evaluation reports, information related to completed investigations, comments on legislation and regulations, written statements for congressional hearings, contacts with congressional staff, responses to congressional correspondence, and materials related to OIG appropriations.

The OIG also places a high priority on maintaining positive relationships with the Chairman, other FDIC Board members, and FDIC officials. The OIG regularly communicates with the Chairman and Vice Chairman through briefings about ongoing and completed audits, evaluations, and investigations. The OIG is a regular participant at Audit Committee meetings where recently issued audit and evaluation reports are discussed. Other meetings occur throughout the year as OIG officials meet with division and office leaders and attend/participate in internal FDIC conferences. The OIG’s semiannual reports to the Congress are sent to the Chairman 30 days prior to their transmittal to the Congress.

To assist the Congress and our other clients, many OIG products are available from the OIG’s Internet site, www.fdicig.gov. These include most audit and evaluation reports, unless security issues are involved. OIG investigations are generally unavailable on the Internet due to the privacy issues involved for the subjects and witnesses of the investigations. However, press releases, usually written by the Department of Justice, concerning investigations are available on our Internet site. In addition, testimony, plans, semiannual reports to the Congress, and other documents are also available.

The IGs appointed by the President and confirmed by the Senate are members of the PCIE. The FDIC OIG fully supports and participates in PCIE activities. This organization

• addresses integrity, economy, and effectiveness issues that transcend individual Government agencies; and
• increases the professionalism and effectiveness of OIG personnel throughout the Government.

Additionally, the OIG routinely meets with representatives of the Government Accountability Office (GAO) to coordinate work and minimize duplication of effort. The OIG also meets with representatives of the Department of Justice, including the FBI and U.S. Attorneys’ Offices to coordinate our criminal investigative work and pursue matters of mutual interest. Regular meetings are held with the financial regulatory OIGs and other groups where the OIG has similar business interests.

The OIG has been working over several years to be a results-oriented, high performance culture. The organization that has been envisioned would foster a work environment in which honest two-way communication and fairness are a hallmark, perceptions of unfairness are minimized, and any workforce disputes are resolved by fair and efficient means. The ideas of staff at all levels are to be sought and valued as we strive to continuously enhance OIG operations. An Employee Advisory Group, made up of elected and/or appointed OIG staff, meets regularly and provides advice to the Inspector General on a wide variety of issues in a non-threatening environment. A Diversity Coordinator also helps promote corporate diversity initiatives in our workplace.

Potential Outcomes

• Improved communications and working relationships with the OIG’s clients and stakeholders.
• Increased access to OIG products.
• Increased transparency about how the OIG does its work.
• Effective coordination and cooperation with other OIGs, GAO, and other law enforcement organizations.
• A more satisfied and motivated OIG workforce.

Key Efforts

• Review audit assignment management controls. [INTERNAL IMPROVEMENT]
• Update audit policies in accordance with revised Government Auditing Standards. [INTERNAL IMPROVEMENT]
• Host an external peer review of the Office of Audits and resolve any significant matters identified.
• Conduct an external peer review of another OIG. [OTHER PROJECT]
• Conduct periodic internal reviews of audit and investigation operations.
• Develop a project management tracking and reporting process for internal OIG projects. [INTERNAL IMPROVEMENT]

Significance

To carry out its responsibilities, the OIG must be professional, independent, objective, fact-based, nonpartisan, fair, and balanced in all its work. Also, the Inspector General and OIG staff must be free both in fact and in appearance from personal, external, and organizational impairments to their independence. The OIG adheres to the Quality Standards for Federal Offices of Inspector General, issued by the PCIE and the Executive Council on Integrity and Efficiency (ECIE). Further the OIG conducts its audit work in accordance with generally accepted Government Auditing Standards; its evaluations in accordance with PCIE Quality Standards for Inspectons; and its investigations, which often involve allegations of serious wrongdoing that may involve potential violations of criminal law, in accordance with Quality Standards for Investigations established by the PCIE and ECIE, and procedures established by the Department of Justice.

The Government Auditing Standards and PCIE/ECIE standards require organizations conducting audit and investigative work in accordance with the standards to have appropriate internal quality control systems in place and undergo an external quality control review. The external quality control reviews are conducted once every 3 years by an organization not affiliated with the OIG. The FDIC OIG is a member of the PCIE, and other member organizations conduct the external quality control review on a planned schedule. Similarly, the FDIC OIG has agreed to conduct an external quality control review on another office. A reviewing organization cannot be reviewed by an organization that it has reviewed during the 3-year cycle.

Potential Outcomes

• Assurance that the OIG’s internal quality control systems are in place and operating effectively to provide reasonable assurance that established policies and procedures and applicable professional standards are followed.
• Recommendations from the peer reviews that can be considered for improving OIG quality control.
• FDIC OIG observations of another OIG’s practices that can be used to improve FDIC OIG operations.
• More efficient OIG business processes.

Key Efforts

• Continue with an outcome-oriented strategic and annual plan with performance targets for the OIG for FY 2008. [INTERNAL IMPROVEMENT]
• Continuously assess and monitor changes in risk conditions that affect OIG business practices.

Significance

The FDIC OIG has its own strategic and annual planning processes independent of the Corporation’s planning process, in keeping with the independent nature of the OIG’s core mission. The Government Performance and Results Act of 1993 (GPRA) was enacted to improve the management, effectiveness, and accountability of federal programs. GPRA requires most federal agencies, including the FDIC, to develop a strategic plan that broadly defines the agency’s mission and vision, an annual performance plan that translates the vision and goals of the strategic plan into measurable objectives, and an annual performance report that compares actual results against planned goals.

The OIG strongly supports GPRA and is fully committed to applying its principles of strategic planning and performance measurement and reporting to our operations. Doing so will enable us to focus energy on providing value to the Corporation and will help identify where changes are needed to improve organizational effectiveness and efficiency. The OIG Strategic Plan and Annual Performance Plan lay the basic foundation for establishing goals, measuring performance, and reporting accomplishments consistent with the principles and concepts of GPRA.

Unlike the FDIC, which reports on a calendar year basis, the OIG receives a separate appropriation based on the typical government fiscal year ending September 30. Therefore, our performance planning and reporting is done on a September 30 fiscal year cycle. The fiscal year cycle is also consistent with the semiannual reporting periods prescribed by the Inspector General Act.

Past OIG strategic and performance plans sought to define many goals and objectives in quantifiable terms. To act as a catalyst in determining how the OIG directs its work and manages its resources, the OIG developed a new strategic plan framework in 2006 that adds qualitative performance measures to a few key quantitative performance measures. Collectively, these measures will help to demonstrate the degree to which the OIG’s work provides timely, quality service to the Chairman, the Congress, the banking industry, and the public. Additionally, the OIG will be capable of integrating its planning, budgeting, and performance reporting to show better the relationship between resource requests and desired performance levels.

As a corollary, the OIG recognizes that internal controls and systems are important components in the design and implementation of practices for accomplishing strategic and performance goals. Consequently, continuous assessments of risks and the internal controls in place to manage the risks are part of the OIG’s business strategies.

Potential Outcomes

• Ability to measure the OIG’s performance and compare it to goals and results.
• Work that meets the needs of FDIC management and the Congress and facilitates improvements in FDIC programs and operations.
• Clear communication to OIG clients, stakeholders, and staff about why the OIG performs its work and what outcomes it aims to achieve and does achieve.
• Continued improvement to the OIG’s strategic planning, budgeting, and productivity.
• Cost-effective internal controls that achieve internal control objectives and effectively manage risks.

Key Efforts

• Update the OIG IT Strategic Plan to guide OIG business decisions, priorities, and resource allocations for 2008-2010. [INTERNAL IMPROVEMENT]
• Continue enhancing the security of OIG information in the FDIC computer network infrastructure. [INTERNAL IMPROVEMENT]
• Invest in modern laptop computers with enhanced security. [INTERNAL IMPROVEMENT]
• Evaluate other IT equipment and software needs and their cost effectiveness. [INTERNAL IMPROVEMENT]
• Review audit and evaluation information system options and requirements for efficiency and security. [INTERNAL IMPROVEMENT]
• Update the OIG training system to be more efficient monitoring continuing professional education requirements. [INTERNAL IMPROVEMENT]
• Update the Dashboard to incorporate FY 2007 Business Plan goals and key efforts. [INTERNAL IMPROVEMENT]

Significance

IT has become an essential component of almost every OIG business process. It has been one factor in the OIG’s ability to downsize staff by one-third since fiscal year 2003. As a component of the FDIC, the OIG receives and will continue to receive support and services offered throughout the Corporation. Where operational independence is necessary to ensure completion of the OIG mission, the OIG independently undertakes IT initiatives as needed. For instance, OIG staff are connected to the FDIC computer network and carry out day-to-day functions within the Corporation’s firewall protections. In other areas, the OIG needs more independence. For example, we manage our own Internet site and content to ensure timely and complete dissemination of appropriate information.

The increasing capabilities of network administrators in the FDIC’s system architecture necessitates certain security enhancements for OIG information within the network. After consultations with FDIC’s DIT, the OIG will strengthen and enhance security and operational controls over network equipment and procedures to protect OIG information better.

The OIG also develops and maintains information systems that track the status of ongoing audits, evaluations, and investigations to help ensure the timeliness of our work and monitor our performance. With an updated planning, reporting, performance measurement, and budgeting process being planned, the supporting information systems need to be updated to integrate these business processes.

The OIG continuously looks for opportunities for improving our security, performance, and productivity with cost-effective computer equipment and software.

Potential Outcomes

• More integrated planning, performance measurement, reporting, and budget systems that enhance decision-making.
• Sensitive information better safeguarded.
• More productive and efficient workforce.

Office of Audits

The Office of Audits provides the FDIC with professional audit and related services covering the full range of its statutory and regulatory responsibility, including major programs and activities. These audits are designed to promote economy, efficiency, and effectiveness and to prevent fraud, waste, and abuse in corporate programs and operations. This office ensures the compliance of all OIG audit work with applicable audit standards, including those established by the Comptroller General of the United States. It may also conduct external peer reviews of other OIG offices, according to the cycle established by the PCIE.

The Office of Audits is organized into two primary Directorates: (1) Insurance, Supervision, and Receivership Management Audits and (2) Systems Management and Security Audits.

Office of Evaluations

The Office of Evaluations evaluates, reviews, studies, or analyzes FDIC programs and activities to provide independent, objective information to facilitate FDIC management decision-making and improve operations. Evaluation projects are conducted in accordance with the PCIE Quality Standards for Inspections. Evaluation projects are generally limited in scope and may be requested by the FDIC Board of Directors, FDIC management, or the Congress.

Office of Investigations

The Office of Investigations (OI) carries out a comprehensive nationwide program for the prevention, detection, and investigation of criminal or otherwise prohibited activity that may harm or threaten to harm the operations or integrity of the FDIC and its programs. OI maintains close and continuous working relationships with the U.S. Department of Justice; the Federal Bureau of Investigation; other Offices of Inspector General; and federal, state and local law enforcement agencies. OI coordinates closely with the FDIC’s Division of Supervision and Consumer Protection in investigating fraud at financial institutions, and collaborates with the Division of Resolutions and Receiverships and the Legal Division in investigations involving failed institutions and fraud by FDIC debtors.

In addition to its two regional offices, OI operates an Electronic Crimes Unit and forensics laboratory in Washington, D.C. The Electronic Crimes Unit is responsible for conducting computer-related investigations impacting the FDIC and providing computer forensic support to OI investigations nationwide. OI also manages the OIG Hotline for employees, contractors, and others to report instances of suspected fraud, waste, abuse, and mismanagement within the FDIC and its contractor operations via a toll-free number or e-mail.

Office of Management and Congressional Relations

The Office of Management and Congressional Relations is the management operations arm of the OIG with responsibility for providing business support for the OIG, including financial resources, human resources, and IT support; strategic planning and performance measurement; internal controls; coordination of OIG reviews of FDIC proposed policy and directives; OIG policy development; and congressional relations.

Office of Counsel

The Office of Counsel to the Inspector General is responsible for providing independent legal services to the Inspector General and the managers and staff of the OIG. Its primary function is to provide legal advice and counseling and interpret the authorities of, and laws related to, the OIG. The Counsel's office also provides legal research and opinions; reviews audit and investigative reports for legal considerations; represents the OIG in personnel-related cases; coordinates the OIG's responses to requests and appeals made pursuant to the Freedom of Information Act and the Privacy Act; prepares Inspector General subpoenas for issuance; and reviews draft FDIC regulations and draft FDIC and OIG policies and proposed or existing legislation, and prepares comments when warranted; and coordinates with the FDIC Legal Division when necessary.

The table below summarizes the OIG’s FY 2007 budgetary resources and the associated human capital resources in terms of full-time equivalent (FTE) positions by strategic goal.

The following table describes the sources for our performance data and how the data will be verified and validated.

This appendix presents a brief description of the audit and evaluation assignments that we plan to start in fiscal year 2007, including the assignment objective, background information, relevant prior coverage, known risks, and the estimated timeframes for starting and completing the work. The list of assignments is organized by the OIG’s strategic goal so that stakeholders can clearly see how individual assignments support the OIG’s business planning framework.

This listing reflects input we received from key stakeholders, including FDIC management and members of the Audit Committee, during the OIG’s business planning process, as well as during other routine discussions that OIG representatives have had with FDIC officials. The dialogue with FDIC executives and managers together with the increased emphasis within our organization on planning is a critical part of our continuing efforts to identify those areas where the OIG can devote resources in the best interest of the Corporation and meet our responsibilities under the IG Act.

In addition to the list of assignments that we plan to start, a number of assignments started in Fiscal Year 2006 and will be completed during Fiscal Year 2007. We have included a list of those assignments on the last page of the Appendix. Our planning process is ongoing and dynamic, and we may alter the focus, timing, and selection of audits and evaluations to better respond to legislatively mandated priorities, congressional requests, emerging issues, FDIC corporate governance issues, and changing priorities within the FDIC.

1. Material Loss Reviews (MLR)    [AUDIT] The OIG of the respective primary federal regulator is required by the FDIC Improvement Act of 1991 (FDICIA) to perform a material loss review (MLR) and report on failures of insured depository institutions resulting in losses to the deposit insurance funds which exceed the greater of $25 million or 2 percent of the institution’s assets. MLRs must be completed within 6 months from the time it is determined that a failure or payment of financial assistance will result in a material loss to the insurance funds. The audit objectives, as required by the FDICIA, section 38, are to determine (1) the causes for a material loss to a deposit insurance fund caused by an FDIC-supervised institution and (2) the adequacy of the FDIC’s supervision of the institution, including implementation of Prompt Corrective Action requirements. Projected Start N/A Expected Report Issuance N/A . 2. Examination Assessment of Interest Rate Risk    [AUDIT] Interest rate risk is fundamental to the business of banking. Changes in interest rates can expose an institution to adverse shifts in net interest income, increase the cost of funds, and impair the underlying value of its assets. Bank examiners assess the level of interest rate risk exposure in light of a bank's asset size, complexity, levels of capital and earnings, and most important, the effectiveness of its risk management processes. At the core of the interest rate risk examination process is a supervisory assessment of how well bank management identifies, monitors, manages, and controls interest rate risk. This assessment is summarized in an assigned risk rating for the component known as sensitivity to market risk, which is the “S” part of the CAMELS rating system. A June 2005 article in the FDIC’s Supervisory Insights stated that rising interest rates and a flattening yield curve could pressure net interest margins, particularly for liability-sensitive banks with increased exposure to long-term assets. The article noted that it is difficult to draw conclusions about the level of interest rate risk based solely on off-site information. This assignment continues the series of OIG audits that have focused on individual CAMELS rating components. The audit objectives are to (1) determine whether the FDIC’s examinations comply with applicable policies and procedures for assessing and addressing institutions’ sensitivity to interest rate changes and (2) evaluate how examiners consider off-site and industry-wide analysis in assessing interest rate risk. Projected Start 3rd Quarter – FY 2007 Expected Report Issuance 1st Quarter – FY 2008 . 3. The FDIC’s Oversight of Subprime Lending at FDIC-Supervised Institutions    [AUDIT] Subprime lending refers to programs that target borrowers with weakened credit histories typically characterized by payment delinquencies, previous charge-offs, judgments, or bankruptcies. Since the 1990s, subprime lending volumes have increased significantly and financial regulators, including the FDIC, have closely monitored and responded to that trend. In July 2001, Federal banking regulatory agencies jointly issued expanded examination guidance on subprime lending. In issuing the guidance, regulators recognized that subprime lending can expand credit access for consumers and offer institutions the opportunity to earn attractive returns. However, the risks associated with this activity must be properly controlled and managed to help ensure an institution’s fundamental safety and soundness. The expanded guidance applies specifically to those institutions that have subprime lending programs with an aggregate credit exposure greater than or equal to 25 percent of tier 1 capital. Prior OIG audit work focused on the FDIC’s process for assessing subprime lending using previously issued regulatory guidance and more recent work focused on predatory lending. The audit objectives are to determine whether (1) the FDIC’s institution and examiner guidance provides appropriate protection to consumers and helps ensure the safety and soundness of institutions, (2) examiners receive sufficient training related to subprime lending, and (3) examinations are conducted in accordance with subprime lending guidance. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 4. Technology Service Provider (TSP) Examinations for Independent Data Centers    [AUDIT] An increasing number of insured institutions are outsourcing software development and maintenance, data processing, and other information technology (IT) services to TSPs. In many cases, these outsourced services are critical to the institutions’ daily operations and fall within the purview of bank examiners. Key components of the payments system, including credit card services and automated teller machine networks, are also operated and managed by TSPs. The Federal Financial Institutions Examination Council (FFIEC) has established a process for examining these companies. For TSPs that are owned or controlled by, or otherwise affiliated with, an FDIC-supervised financial institution, examination coverage is provided through the IT examination of the institution. The client base of major TSP firms has grown significantly during the past several years and the level of risk to financial institutions may correspondingly increase because any financial or operational problems these TSPs experience would affect a greater number of clients. Recent OIG audit work focused on assessing the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and prioritizing examination coverage, and IT examination coverage related to vendor management. The audit objective is to assess the FDIC’s implementation of the FFIEC and FDIC guidance for conducting examinations of independent data centers. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 5. Implementation of the USA PATRIOT Act    [AUDIT] The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (Public L. No. 107-560), enacted on October 26, 2001, was passed by the United States Congress in response to the September 11, 2001 attacks and made a number of amendments to the anti-money laundering provisions of the BSA. Title III: International Money Laundering Abatement and Financial Anti-Terrorism is intended to facilitate the prevention, detection, and prosecution of international money laundering and terrorist financing. Congress found that money laundering “provides the financial fuel that permits transnational criminal enterprises to conduct and expand their operations to the detriment of the safety and security of American citizens” and that it is critical to the financing of global terrorism and terrorist attacks. Accordingly, FDIC examiners play a critical role in ensuring that institutions comply with the Act. The audit objectives are to determine whether (1) examination procedures are designed to evaluate institution compliance with anti-money laundering and terrorist financing provisions of the USA PATRIOT Act and (2) those procedures are fully and consistently implemented to provide reasonable assurance that institutions with weak programs for detecting money laundering and terrorist financing activity will be identified and Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . . 6. Dedicated Examiner Program for Large Institutions    [AUDIT] The FDIC has reported that the increased complexity of the industry and the concentration of risk to the insurance funds in the largest banking organizations are expected to grow more pronounced over time and to present greater risk-management challenges to the Corporation. As insurer, the FDIC needs a comprehensive understanding of the risks that the largest institutions pose to the Deposit Insurance Fund. A primary objective of the Division of Supervision and Consumer Protection’s (DSC) large insured depository institution program is to assess and quantify the risks posed by these large and complex institutions from a deposit insurer’s perspective. The FDIC is not the primary federal regulator for most of the large institutions it insures. Therefore, the risk assessment process is based on a combination of information obtained from the primary federal regulator, the institution, supervisory activities, market data, and publicly available data. The FDIC operates several programs to supervise and assess large bank risks. The FDIC established the Large Bank Branch in headquarters to coordinate the FDIC’s nationwide programs focused on supervising and assessing risk in large institutions. One of the key large bank programs is the Dedicated Examiner Program which was established in 2002. This program established dedicated examiners in the six largest insured depository institutions to work in cooperation with primary supervisors and bank personnel to obtain real-time access to information about the risk and trends in those institutions. Prior audit work focused on the FDIC’s special examination authority and efforts to monitor large bank risks before the dedicated examiner program was established. The audit objective is to determine whether the Dedicated Examiner Program is working as envisioned, that is, allowing the FDIC access to information it needs to assess and quantify the risks posed by large institutions to the Deposit Insurance Fund. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 7. FDIC’s Approach to Managing External Risks    [EVALUATION] The FDIC has an Office of Enterprise Risk Management (OERM) that focuses on the risks internal to the FDIC. External risk management is a primary responsibility of FDIC’s Division of Insurance and Research, DSC, and Division of Resolutions and Receiverships (DRR). The FDIC has taken a series of steps over the last several years to better integrate its risk management process. In early 2003, the FDIC created the National Risk Committee (NRC), a cross-divisional body of senior managers established to identify and evaluate major business risks facing the banking industry and insurance fund. The NRC is supported by a network of regional risk committees. Additionally, the FDIC established the Risk Analysis Center in 2003 to monitor emerging macro and micro risks on a daily basis and recommend responses to the NRC. The third component to the FDIC’s risk management structure is the Financial Risk Committee, whose broad mission is to quantify risks to the deposit insurance fund for financial reporting and fund management purposes. In 2003, the FDIC commissioned an independent study that focused on financial risk management in the FDIC. That review also included an assessment of the NRC and the Risk Analysis Center and made specific recommendations aimed at strengthening the FDIC’s risk management processes over time. The objective is to evaluate the extent to which the FDIC has established an enterprise risk management framework for identifying, assessing, and responding to risks facing the deposit insurance fund, including how the FDIC ensures that relevant information is identified, captured, and communicated. Projected Start 4th Quarter 2007 Expected Report Issuance 2nd Quarter 2008 . . 8. Examination Assessment of Offshore Outsourcing of Data Services    [AUDIT] Financial institutions have been outsourcing to domestic third-party service providers or domestic affiliates for many years. Offshoring is the performance of day-to-day activities from a remote location typically not in an organization’s country of origin. The use of offshore contractors has grown dramatically in the past few years due to the flexibility offered by new technology and the prospect of lower costs. Domestic outsourcing and offshoring share many risk characteristics. However, the more complicated legal structure and chain of control incurred when offshoring financial services may create new risks when compared to domestic outsourcing. The FDIC assesses the risks related to offshoring as part of its IT examination process. Significant offshoring risk areas associated with data security include: Operations/Transactions Risk – weak controls may affect bank operations. Compliance Risk – offshore vendors may not have adequate privacy controls. Prior audit work focused on FDIC’s IT examination process more broadly. The audit objective is to evaluate how the FDIC identifies offshore outsourcing activities in FDIC-supervised institutions and assesses the programs those institutions have in place to address the data security risks associated with offshore outsourcing. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 9. Compliance Management System    [AUDIT] The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, privacy, and various other consumer protection laws and regulations. The FDIC uses its compliance examination process to ascertain the effectiveness of an institution’s program for complying with consumer protection laws and regulations. DSC compliance examinations combine a risk-based examination process with an in-depth evaluation of an institution’s compliance management system, resulting in a top-down, risk-focused approach to examinations. A financial institution must develop and maintain a sound compliance management system that is integrated into the overall risk management strategy of the institution. A compliance management system, which is comprised of board and management oversight, a compliance program and compliance audit, is how an institution: learns about its compliance responsibilities; ensures that employees understand these responsibilities; ensures that requirements are incorporated into business processes; reviews operations to ensure responsibilities are carried out and requirements are met; and takes corrective action and updates materials as necessary. The audit objective is to determine whether DSC is adequately assessing financial institutions’ compliance management systems during the compliance examination process. Projected Start 3rd Quarter – FY 2007 Expected Report Issuance 1st Quarter – FY 2008 . . 10. DRR’s Protection of Electronic Records    [AUDIT] Within the FDIC, DRR has the primary responsibility for resolving failed FDIC-insured depository institutions promptly, efficiently, and responsively to maintain public confidence in the nation’s financial system. In performing their duties, DRR personnel have access to a wide variety of records containing personally identifiable information of the bank’s employees and customers. These records may exist in hardcopy or electronic format. Given the increased risks associated with, and attention being placed on identity theft, the protection of customer information in the FDIC’s systems is paramount to the FDIC’s reputation. Prior OIG work focused on DRR efforts to protect personally identifiable information maintained in hardcopy form. The audit objective is to evaluate the design and implementation of controls used by the FDIC to protect personal information collected and maintained in electronic form as a result of resolution and receivership activity. Projected Start 3rd Quarter – FY 2007 Expected Report Issuance 4th Quarter – FY 2007 . 11. Records Management Program    [EVALUATION] Every Federal agency is legally required to manage its records. Records are the evidence of the agency's actions and support an agency's work to fulfill its mission. Therefore, records are a valuable resource and must be managed properly for the agency to function effectively and to comply with Federal laws and regulations. Records management addresses the life cycle of records, i.e., the period of time that records are in the custody of Federal agencies. The life cycle usually consists of three stages (1) creation or receipt, (2) maintenance and use, and (3) disposition. The FDIC has an established records management program, the goals of which are to: Protect the legal and financial rights of the Corporation and other entities directly affected by its activities. Ensure continuity and consistency in administration. Assist FDIC officials and their successors in making informed decisions. Provide the information required by Congress and others for overseeing the Corporation's activities. Prior OIG work focused on safeguards over personal employee information, DRR efforts to protect personally identifiable information maintained in hardcopy form, and disposal of sensitive information by FDIC’s records management contractor. The objective is to evaluate FDIC’s records management program to ensure that Corporation records are economically and efficiently managed to meet business needs and to comply with applicable laws and regulations. The evaluation may address: (1) to what extent the FDIC has a strategic approach to information management, (2) FDIC’s records management program use of best practices, and (3) FDIC efforts to move to digital storage of Corporate records. This review could be scoped into multiple assignments. Projected Start 3rd Quarter – FY 2007 Expected Report Issuance 1st Quarter – FY 2008 . 12. IT Project Management    [AUDIT] The Division of Information Technology (DIT) Project Management Office (PMO) was established in September 2005 as a resource center for clients, executives, project managers, and project team members engaged in the operations and oversight of IT projects. DIT initiated a PMO to establish standard repeatable project management practices and improve the results of IT project management activities. This PMO is organized to provide methodologies, oversight and expertise to support the successful completion of complex technology projects – the PMO does not provide direct management of individual projects. According to DIT’s IT PMO policy, the PMO provides six key functions for FDIC’s IT management community: Standards Management Monitoring Capacity Planning Portfolio Management Mentoring Governance Prior audit work focused on IT capital management and FDIC’s system development life cycle management before FDIC’s PMO was established. Projected Start 4th Quarter – FY 2007 Expected Report Issuance 2nd Quarter – FY 2008 . 13. Classifying Salary Costs in the NFE    [EVALUATION] The New Financial Environment (NFE) project was a major corporate initiative to enhance the FDIC's ability to meet current and future financial management and information needs. One of the organizational benefits NFE was designed to deliver is enhanced cost management. To that end, the cost management program was collaboratively created by all divisions and offices based on management’s need for cost information. The cost management program is a framework of codes to which all costs are charged. The FDIC’s cost management coding framework was implemented in May 2005. Costs are grouped into categories, called chartfields which are used to capture costs by business processes. The chartfields are used in NFE to capture the cost information. Approximately 70 percent of all the Corporation’s costs are from salary (plus related benefits) and travel. The cost management program’s success will rely on employees accurately entering all the necessary data into the appropriate cost management chartfields when reporting their time and travel. The objective is to determine the extent to which salary costs are being appropriately classified in NFE and result in management information that is current, complete, accurate, and consistent to support management decision-making. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 2nd Quarter – FY 2007 . 14. Succession Planning Efforts    [EVALUATION] Federal agencies are faced with a growing number of employees who are eligible for retirement and are finding it difficult to fill certain mission-critical jobs— a situation that could significantly drain agencies’ institutional knowledge. The Government Accountability Office (GAO) has reported that leading public organizations engage in broad, integrated succession planning and management efforts that focus on strengthening both current and future organizational capacity. The Corporation has reported that over the past 3 years it has focused considerable resources on human capital planning and is in the process of developing and implementing several key structural components of its human capital strategy for the future, including identification of succession planning and management strategies. Prior OIG evaluations have focused on other aspects of the FDIC’s human capital program including its overall human capital framework, workforce planning, and the Corporate University. The objective is to determine the extent to which the FDIC’s succession planning efforts identify and address future critical staffing and leadership needs. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 15. FDIC’s Career Program (Hiring Management)    [EVALUATION] In 2005, the FDIC established a new human capital framework and strategy to guide its planned evolution toward a more flexible permanent workforce that will be capable of responding rapidly to significant changes in the financial services industry or unexpected changes in workload or priorities. Over the past 12 years the Corporation was in a continuous downsizing mode as it completed the residual workload from the banking and thrift crises of the late 1980s and early 1990s but expects that significant downsizing activity is now complete. The FDIC is now working to pursue opportunities to begin reshaping its workforce to better align it with anticipated future human resource requirements. To facilitate this transition, the FDIC implemented a tool, FDIC Careers, Corporate Automated Recruiting, Evaluating, and Electronic Referral System, a fully automated hiring system in 2004, to make it easier for the FDIC to attract, screen and hire new employees. FDIC Careers is a new Web-based system that assists employees in finding and applying for jobs at the FDIC. FDIC Careers was developed by adapting a product known as “Quick Hire,” owned by job-search Web site Monster.com, for use by the FDIC. With FDIC Careers, the Human Resources Branch works with managers to design specific questions to distinguish the best-qualified individuals. The system automatically quantifies the answers to those questions into a list of rated and ranked applicants. The objective is to evaluate the efficiency, effectiveness, and customer satisfaction with FDIC’s hiring program, procedures, and processes. Projected Start 4th Quarter – FY 2007 Expected Report Issuance 2nd Quarter – FY 2008 . 16. Enterprise Architecture    [AUDIT] An Enterprise Architecture (EA) is a blueprint of an agency's current and planned operating and systems environment and the plan for transitioning between the two. Among other things, the EA defines principles and goals for, and sets direction on, IT security. The FDIC’s framework for implementing its EA is based on federal and industry best practices, including the Chief Information Officer Council’s Federal Enterprise Architecture Framework and the Zachman Framework for Enterprise Architecture. The seven components of the FDIC’s EA framework include: Business, Information, Data, Applications, Technical Infrastructure, Security Architectures and E-Government Strategy. The FDIC is not legally required to develop an EA but recognizes its value and has decided to develop and implement an EA. The annual evaluation of FDIC’s information security program covers the security aspect of EA and prior work has focused on FDIC’s Capital Investment Management Review Process for IT Investments. The audit objective is to assess the FDIC’s progress in implementing an enterprise architecture program that supports the FDIC’s mission. Projected Start 2nd Quarter – FY 2007 Expected Report Issuance 4th Quarter – FY 2007 . 17. IT Risk Assessment    [AUDIT] The FDIC uses IT as a critical corporate resource in accomplishing its mission, goals, and objectives. From an internal perspective, the FDIC maintains a complex IT computing infrastructure that supports many business applications, processes sensitive information, and supports critical business operations. The FDIC recently completed a major transformation of its IT program that resulted in, among other things, the award of the largest IT contracts in the FDIC’s history. From an external perspective, the FDIC assesses IT risks at FDIC-supervised institutions through industry outreach, regulation, and regular on-site IT examinations. GAO also conducts a review of the FDIC’s IT controls as part of its annual audit of the FDIC’s financial statements. This assignment will leverage IT risk analysis work performed by the FDIC and consider the FDIC’s complete IT environment (including IT management, technical infrastructure, applications, external connections, industry risks, etc.). The assignment will produce an IT risk analysis report that will be periodically updated and used to guide future IT audit assignments. The OIG has traditionally assessed corporate IT risks through ongoing audits, discussions with management, and monitoring of industry and regulatory issues. However, this approach will provide a more formal means for assessing IT risks facing the FDIC to help ensure that an appropriate level of audit attention is provided to the highest risk areas. The objective is to complete a risk assessment of FDIC’s IT environment, including corporate risk mitigation activities. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 18. The FDIC's Information Security Program--2007    [AUDIT] On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public Law 107-347). Title III of this act is the Federal Information Security Management Act (FISMA). FISMA directs federal agencies to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluation to the Office of Management and Budget (OMB). FISMA states that the independent evaluation is to be performed by the agency Inspector General or an independent external auditor as determined by the Inspector General. The audit objective is to evaluate the effectiveness of the FDIC’s information security program and practices, including the FDIC's compliance with FISMA and related information security policies, procedures, standards, and guidelines. As part of our evaluation, we will assess the FDIC’s efforts to improve its information security controls and practices relative to the baseline controls covered in our 2006 FISMA report and a new framework based on more recent government-wide guidance. The objective is to complete a risk assessment of FDIC’s IT environment, including corporate risk mitigation activities. Projected Start 3rd Quarter – FY 2007 Expected Report Issuance 4th Quarter – FY 2007 . 19. IT Disaster Recovery Capability    [AUDIT] OMB policy requires agencies to establish and periodically test their ability to recover from IT service interruptions and to provide service based upon the needs and priorities of system participants. The FDIC conducts semiannual IT disaster recovery testing to ensure the Corporation’s ability to recover its mainframe, midrange, and server platforms that would be required to restore IT operations in the event of a disaster. The FDIC has designated certain of its applications as "mission-critical" and includes these applications in its IT disaster recovery testing. The FDIC depends on the continuity of its IT operations to meet its business needs, financial obligations, and regulatory requirements. DIT conducted a semiannual IT disaster recovery test in April 2005 and experienced difficulties during the testing, including servers and critical applications that could not be recovered or tested and test scripts that did not execute as planned. DIT plans to relocate its IT disaster recovery capability to Richmond, Virginia. Our audit will evaluate the FDIC's IT disaster recovery capability following the planned move to Richmond. Prior work was completed in 2004 before the establishment of the facility in Richmond. The audit objective is to determine whether the FDIC has established and implemented an IT disaster recovery capability that is consistent with federal standards, guidelines, and industry-accepted practices. Projected Start 2nd Quarter – FY 2007 Expected Report Issuance 4th Quarter – FY 2007 . 20. Business Continuity Planning    [AUDIT] Recent large-scale disasters in the United States have clearly demonstrated how important it is to have reliable emergency response procedures and a well-written business continuity plan (BCP) to sustain critical business functions during an emergency or situation that may disrupt normal operations. The FDIC has developed an emergency operations program comprised of Emergency Response Plans and BCP. It is important, both symbolically and functionally, for federal government agencies to continue to serve the American public during any emergency or situation that may disrupt normal operations. We recently completed a review of FDIC’s Emergency Response Plan, which coupled with this assignment, will complete planned follow–up work of a 2004 evaluation related to FDIC’s business continuity planning. In 2003, we also completed an audit of the business continuity planning at FDIC-supervised institutions. The objective to evaluate the extent of the FDIC’s progress in developing and implementing comprehensive business continuity planning. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 2nd Quarter – FY 2007 . 21. Contract Rationalization    [EVALUATION] The OIG’s report entitled, Contract Administration, stated that the FDIC currently does not have an effective information system for managing contracts. Historically, the Acquisition Services Branch maintained information about open and closed contracts using two different systems that were replaced when FDIC implemented NFE. Although NFE integrates financial and procurement information to some extent, the Acquisition Services Branch identified a number of gaps between current procurement business processes and NFE system capabilities. The Corporation has contracted with Oracle, Inc. to identify how best to use NFE and to suggest other system solutions for managing contracts. In the meanwhile, the FDIC better information on its existing inventory of contracts. The objective is to assess whether FDIC has mechanisms in place to periodically evaluate the continuing need for contracts and determine whether there are corporate contracts that can be eliminated. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 22. Information Technology Application Services Task Order Awards    [EVALUATION] The FDIC, through the General Services Administration’s FedBizOpps Electronic Posting System, solicited and selected several contractors to perform a wide range of IT services. The Information Technology Application Services contract combined approximately 40 contracts into 1 contract with multiple vendors for a total program value of $555 million over 10 years. In such a large contractual undertaking, significant risk may exist in getting the work completed and in overseeing the large task orders. Further, the actual task order award methodology and the level of detail in the descriptions of work are key to the FDIC avoiding protests and receiving needed goods and services at fair and reasonable prices. The objectives are to determine whether the Information Technology Application Services contracting approach (1) is achieving anticipated benefits and (2) has an appropriate balance between controls in place and inherent risks. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 2nd Quarter – FY 2007 . 23. Contractor Reviews    [EVALUATION] The program of contractor reviews includes pre-award reviews of the FDIC’s compliance with its contract evaluation and award process, pre-award reviews of contractor proposals or internal control systems, and contractor billing reviews. These assignments can result in monetary benefits, including recoveries of funds by the FDIC. In addition, the completion of a series of these assignments may identify common underlying problems resulting in opportunities to improve the contract solicitation, award, oversight, handling of claims, and closeout processes. The audit objectives will vary by assignment type and include one or more of the following: The objective of pre-award reviews is to (1) determine whether the FDIC is complying with its Acquisition Policy Manual in evaluating proposals and/or (2) assess financial aspects of bidders’ proposals, including determining whether proposed costs are fair, reasonable, and supported. The objective of billing reviews is to determine whether contractor billings are allowable under the contract, allocable, and reasonable. Projected Start 4th Quarter – FY 2007 Expected Report Issuance 4th Quarter – FY 2007 . 24. FDIC’s Enterprise Risk Management Program    [EVALUATION] OMB Circular A-123, Management’s Responsibility for Internal Control, defines management’s responsibility for internal control in federal agencies. The circular was revised in December 2004 to provide updated internal control standards and new specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting. The revision to the circular became effective in fiscal year 2006. Management is responsible for developing and maintaining effective internal control. Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but it is a means of managing the risk associated with programs and operations. OMB Circular A-123 states that federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations. OERM is the corporate oversight manager for internal controls and risk management. OERM is working in partnership with all FDIC divisions and offices, helping them to identify, evaluate, monitor, and manage their risks. The evaluation objective is to determine the extent to which the FDIC has implemented its Enterprise Risk Management Program consistent with applicable government-wide guidance and best practices. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 25. Hold OIG Conference 2007 The OIG will hold an officewide conference during the week of April 16-20, 2007. A major focus of the conference will be the progress of many of the key efforts and infrastructure improvement initiatives contained in the 2007 Business Plan. The Office of Investigations will use part of the week to conduct its required legal training. Other component offices of the OIG may elect to plan individual business meetings or training during the same week. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 26. Communicate with corporate stakeholders. The FDIC OIG is committed to establishing and maintaining effective working relationships with others in the Corporation. To ensure a full understanding of the role and activities of the OIG, the Inspector General and other OIG Executives will meet regularly with FDIC senior management and report back to others in the OIG on the results of those meetings. The OIG will also continue to participate in corporate-sponsored forums and meetings. We will keep track of meetings and commitments made by the OIG and the OIG’s participation in corporate events; inventory the timing and content of current coordination and communication efforts and explore ways to improve on those; develop new brochures, briefing materials, presentations, and other products to communicate the mission of the OIG and its component offices; and pursue additional opportunities to sustain solid working relationships with corporate officials. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 27. Communicate with corporate stakeholders. The FDIC OIG is committed to establishing and maintaining effective working relationships with others in the Corporation. To ensure a full understanding of the role and activities of the OIG, the Inspector General and other OIG Executives will meet regularly with FDIC senior management and report back to others in the OIG on the results of those meetings. The OIG will also continue to participate in corporate-sponsored forums and meetings. We will keep track of meetings and commitments made by the OIG and the OIG’s participation in corporate events; inventory the timing and content of current coordination and communication efforts and explore ways to improve on those; develop new brochures, briefing materials, presentations, and other products to communicate the mission of the OIG and its component offices; and pursue additional opportunities to sustain solid working relationships with corporate officials. Projected Start 1st Quarter – FY 2007 Expected Report Issuance 3rd Quarter – FY 2007 . 28. Conduct an external peer review of the Department of Justice OIG audit function. The objective of this key effort is to conduct an external peer review to determine whether the reviewed audit organization’s internal quality control system is adequate and complied with to provide reasonable assurance that applicable auditing standards, policies, and procedures were met. Government Auditing Standards require auditing organizations to undergo an external peer review at least once every 3 years. In the Inspector General community, the peer review is conducted using standards and guidelines published by the President’s Council on Integrity and Efficiency. The FDIC OIG’s Office of Audits is responsible for completing a peer review of the Department of Justice OIG Office of Audits. OA must issue the report by June 3, 2007, without requesting an extension from the Government Accountability Office. An entrance conference was held September 6, 2006, and OA plans to complete the review and issue the final report in February 2007. Projected Start 4th Quarter – FY 2006 Expected Report Issuance 2nd Quarter – FY 2007