• Corporate Downsizing,
• Human Capital, and
• Information Security.

The past 6 months at the Federal Deposit Insurance Corporation (FDIC) have been marked by dramatic corporate downsizing, streamlining, and restructuring as the Corporation continues to reinvent itself under the leadership of Chairman Donald Powell. The Corporation's overall streamlining efforts included merging four divisions into two, an action that is estimated to save nearly 300 positions and $35 million per year. The streamlining is also intended to increase operational efficiencies and empower employees through the delegation of increased authority and responsibility to lower levels within the organization. As part of overall savings, the Corporation's approved field management restructuring plan is estimated to save $23.5 million over 5 years. As of September 30, 2002 its 2002 buyout/retirement incentive program had achieved a reduction of 699 staff and $80 million projected savings in future operating costs. Additional staff departures are anticipated in 2003. Looking ahead, the Corporation anticipates a staffing level of approximately 5,380 by December 31, 2006. Current staff totals 5,500. In light of so many fundamental changes, each with ramifications to thousands of FDIC employees and the work they carry out in pursuit of the FDIC mission, some key questions must be asked.

Is the Corporation placing sufficient emphasis on human capital concerns? Is it developing an integrated human capital framework that evidences leadership commitment to human capital management; strategic human capital planning; acquiring, developing, and retaining talent; and a results-oriented organizational culture-all cornerstones of human capital management according to the U.S. General Accounting Office (GAO)?

While there are positive signs that human capital activities are indeed ongoing throughout the Corporation, I urge increased attention to this issue given the Corporation's current state of flux. As we discuss later in this semiannual report, the strategies that the Corporation is currently pursuing will be most effective if they are centralized, focused, and sustained. The Corporation's Human Resources Committee and the recruitment of a human capital professional as Associate Director of the Human Resources Branch of the Division of Administration are steps in the right direction towards achieving this goal.

The Office of Inspector General (OIG) will continue to emphasize this view in the months ahead and offer assistance to the Corporation as it builds on the cornerstones discussed above. The OIG must lead by example, and we are in the process of doing so. The OIG's participation in the FDIC's early retirement and buyout program and other attrition will result in the separation of 54 employees, or 25 percent of our April 2002 staff level. We also closed our San Francisco office during the reporting period. We understand the need to effectively manage the corresponding changes in our organization and processes. We also recognize the impact of organizational upheaval on the individuals comprising our current workforce. Mindful of this, during the reporting period we issued the final version of our Human Capital Strategic Plan. I fully support this plan. It incorporates input received from OIG staff, the GAO, and another OIG. Workforce analysis; competency investments; leadership development; and a results-oriented, high-performance culture are at its core. We are currently developing a technical knowledge inventory tool and will be working to develop key competencies for our occupational series to align our recruiting, training, and professional development efforts with the OIG mission.

Turning now to the issue of Information Security. Information, much of which is sensitive, is a critical corporate resource that must be protected. Information and analysis on banking, financial services, and the economy form the basis for the development of public policies and promote public understanding of and confidence in the nation's financial system. Sound information resources management is essential to the successful accomplishment of the FDIC's mission, goals, and objectives. Based on our work this year related to the Government Information Security Reform Act (GISRA), we concluded that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources.

The FDIC had made progress in addressing a number of security problems identified in our 2001 report. For example, it enhanced its risk management program, developed a security awareness program, improved security controls in the mainframe environment, and strengthened its disaster recovery and business continuity planning and incident response tracking and reporting. However, we concluded that in 3 of 10 key management control areas evaluated, (Contractor Security, Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. In a fourth area-Security Act Responsibilities and Authorities-we highlighted opportunities for the FDIC to strengthen the accountability and authority of one of its most important leadership positions related to information security-the Chief Information Officer (CIO). We provided Chairman Powell a list of 10 actions in priority order to address the concerns we identified in our review. Chief among those, we advocated appointing a permanent CIO, ensuring that the CIO reports directly and solely to the Chairman, and filling key vacancies in the Division of Information Resources Management that support information security initiatives and operations.

For its part, as referenced later in our semiannual report, during the reporting period, in addition to our GISRA-related work, the OIG participated in a number of meetings and exchanges governmentwide to tackle information security issues. The OIG has also focused attention on information security matters in its internal operations. In keeping with the security program being implemented throughout the Corporation, we named an information security officer, formed an advisory committee with representatives from each OIG component, published "e-security tips" for OIG staff, drafted new security-related policies, and identified priority information security areas for future focus. We will continue to devote attention to these issues internally and will also work closely with the Corporation to further its efforts to implement a comprehensive information security program that provides reasonable assurance of adequate security for its information resources.

And finally, I am again compelled to address an unresolved matter related to the FDIC's organizational leadership. In past semiannual report statements I have voiced concern that the Corporation has been operating with key vacancies on its Board of Directors, a condition that I believe is to the Board's detriment and that fails to ensure the independence of the FDIC. First, the position of Vice Chairman has been vacant since January 2001. On October 3, 2002, the Senate Banking Committee held confirmation hearings regarding the nomination of Director John Reich to be Vice Chairman of the FDIC. As of the date of this statement, he had not yet been confirmed.*

Second, I am concerned not only that Director Reich is awaiting confirmation as Vice Chairman, but also that a vacancy exists on the Board because one of the three FDIC Director positions has remained unfilled since September 1998. While several names have been sent forward for consideration, no definitive action has taken place to select a third FDIC Board Member. Given the make-up of the five-member Board, comprised of the Chairman of the FDIC, two FDIC Directors, the Comptroller of the Currency, and the Director of the Office of Thrift Supervision, the OIG's position is that the balance between various interests implicit in the Board's structure is preserved only when all Board positions are filled. Thus, I reiterate my position that it is critical-especially at this juncture in the FDIC's history, that a full Board be in place to provide the Corporation the strong, sustained leadership needed to meet the Corporation's many challenges.

The FDIC Chairman himself has recently offered a daunting challenge to the entire regulatory community, a challenge that will likely warrant FDIC Board attention and input. Speaking recently about the future of regulatory agencies, the Chairman noted:

"We've seen amazing dynamism and innovation in banking over the last 20 years. Yet we keep in place a regulatory system rooted in an era that is truly gone with the wind…Despite the convergence, efficiencies, and economies of scale achieved by the industry, the regulatory community is still mired in a confusing web of competing jurisdictions, overlapping responsibilities, and cumbersome procedures. I know we can do better."

The Chairman's proposed overhaul of financial services regulation would put in place three federal regulators. These entities would oversee the banking industry, the securities industry, and those companies that choose an optional federal insurance charter. In line with his proposed revamping of the regulatory agencies, the Chairman announced that the FDIC would be conducting a major study over the next year on the future of banking in America. He has invited a number of parties to join the FDIC in developing a new and better structure for a new financial age. The FDIC Board could have a significant role to play in the debate that the Chairman has launched. Only with a full complement of Members can the Board provide maximum input to that debate and fully carry out its corporate governance responsibilities.

Of additional note with respect to the FDIC's leadership, the Corporation named Steven O. App as its new Chief Financial Officer during the reporting period. Mr. App formerly served as the Deputy Chief Financial Officer at the Department of the Treasury. The OIG looks forward to continuing to work with him to address issues of mutual interest. Similarly, the OIG has appointed new senior leadership since our last semiannual report. Patricia Black, former Counsel to the Inspector General is now Deputy Inspector General, and Fred Gibson, who has been serving as Acting Counsel, was recently named Counsel to the Inspector General. Pat and Fred are eminently qualified to assume these new responsibilities. I am counting on their assistance and sound legal advice and counsel as I continue to lead our organization and serve the FDIC at this critical time in its history.

Gaston L. Gianni, Jr.
Inspector General
October 31, 2002

This section of our report focuses on key challenges confronting the FDIC as it works to accomplish its mission. In the OIG's view, these major issues fall into two broad categories. First, the Corporation faces challenges related to its core mission of contributing to the stability and public confidence in the nation's financial system by insuring deposits, examining and supervising financial institutions, and managing receiverships. Such challenges sometimes involve significant policy decisions and are often influenced by external factors such as industry events, economic trends, activities of other federal banking regulators, consumer concerns, and congressional interest. Second, a number of important operational matters require the Corporation's attention as its workforce actually carries out the corporate mission. These issues touch on, for example, information technology (IT) resources and security, contracting activities, human capital concerns, cost efficiencies, performance measurement and accountability, and physical security.

In our prior semiannual report, we identified a new emerging issue-that of the Quality of Bank Financial Reporting and Auditing. This emerging risk potentially affects the FDIC in its role as regulator, receiver, and insurer. We update the OIG's and the Corporation's efforts to address this issue in this semiannual report.

With respect to the major issues relating to the Corporation's core mission, the FDIC must address risks to the insurance funds in a complex global banking environment that continues to experience change and offer expanded services. At the same time, the Corporation is charged with effectively supervising financial institutions and carefully protecting consumers' rights. A Board of Directors operating at full strength is essential to lead the Corporation as it faces such challenges. Without a full Board, the Corporation's independence cannot be guaranteed. As the Corporation moves forward, deposit insurance reforms will continue to be debated and deliberated by the banking industry and the Congress. One aspect of such reform involves the possible merger of the Bank Insurance Fund and the Savings Association Insurance Fund, an action that the OIG supports.

Turning attention to the Corporation's more "operational" demands, the use of IT at the FDIC is crosscutting and absolutely essential to the Corporation's accomplishment of its mission. IT must be effectively and efficiently used to achieve program results corporate-wide. The Corporation must also continue to develop an enterprise architecture process to manage technology, applications, and technical infrastructure for the Corporation. It also needs to follow sound system development procedures and comply with IT principles espoused by legislation and regulation. A critical priority is ensuring that effective controls are in place and implemented to ensure information system security, mitigate risks, and protect IT resources. Given the extent of the FDIC's contracting activities, strong controls and vigilant contractor oversight are also critical to the Corporation's success. Contracting must be done in a fair and cost-effective manner. The Corporation's contract oversight mechanisms must protect the FDIC's financial interests and help ensure that the FDIC is actually receiving the goods and services for which it is spending millions of dollars.

Major downsizing over the past years has impacted the FDIC workplace, and during the reporting period more occurred. In addition to losing staff, the Corporation has merged groups and streamlined its organizational structure. As a result of these activities, the Corporation has lost leadership and, in some cases, expertise and historical knowledge. The Corporation is taking steps to compensate for these resource losses and must build on ongoing initiatives to develop a comprehensive, integrated approach to human capital issues. It has established a Human Resources Committee and must continue to focus attention on human capital concerns in light of such significant recent organizational change and additional resource challenges to come.

In light of changes in the banking industry, advances in technology, and such dramatic shifts in staffing and skill levels, the Corporation has been closely scrutinizing its business processes and their associated costs in the interest of identifying operational efficiencies. Among other activities, its Supervision Process Redesign, New Financial Environment, focus on e-business, and plans to relocate many D.C.-based staff to Virginia Square in the future have generated ideas for such efficiencies and are positive steps.

Under the provisions of the Government Performance and Results Act with its emphasis on accountability, the Corporation establishes goals, measures performance, and reports on its accomplishments for all of these major issues and their corresponding challenges. With respect to a more recent concern, largely as a result of the events of September 11, 2001, one year ago we added the major issue of Ensuring Security of the FDIC's Physical and Human Resources to our list of management challenges. Our report discusses actions that the Corporation as taken to address these areas.

Our Major Issues section discusses the OIG's completed and ongoing/planned work to help the Corporation successfully confront these major issues and their associated challenges. We discuss areas where we identified opportunities for improvements and the recommendations we made in those areas. We identified potential monetary benefits of $2.1 million and made 73 nonmonetary recommendations during the reporting period. Our work targets all aspects of corporate operations and includes a number of proactive approaches and cooperative efforts with management to add value to the FDIC (see pages 11-32).

The operations and activities of the OIG's Office of Investigations are described beginning on page 33 of this report. As detailed in the Investigations section, the Office of Investigations is reporting fines, restitution, and recoveries totaling approximately $820 million. Cases leading to those results include investigations of bank fraud, theft of government funds, credit card fraud, and misrepresentations regarding FDIC insurance. Our report also highlights efforts of OIG agents who received the Attorney General's Award for Distinguished Service. Some of the investigations described reflect work we have undertaken in partnership with other law enforcement agencies and with the cooperation and assistance of a number of FDIC divisions and offices. To ensure continued success, the OIG will continue to work collaboratively with FDIC management, U.S. Attorneys' Offices, the Federal Bureau of Investigation, and a number of other law enforcement agencies (see pages 33-44).

The OIG Organization section of our report highlights several key internal initiatives that we have actively pursued during the reporting period. The OIG's internal focus has been on realigning resources in light of significant downsizing of staff and planning for the challenges of the future. Our Human Capital Strategic Plan is an important driver of that activity. This section of our report also references some of the cooperative efforts we have engaged in with management during the reporting period. These include making presentations at corporate conferences and meetings and providing technical assistance to corporate management in determining whether FDIC policies ensure that accounting and auditing contractors comply with the U.S. General Accounting Office's new independence standards. We note the proposed or existing laws and regulations reviewed during the past 6 months, refer to litigation and other efforts of OIG Counsel, and also capture some of our other internal initiatives this reporting period. In keeping with our goal of measuring and monitoring our progress, we visually depict significant results over the past five reporting periods (see pages 45-53).

We list the Inspector General Act reporting requirements and define some key terms in this section. The appendixes also contain much of the statistical data required under the Act (see pages 56-63).

The Office of Audits issues 22 reports containing total questioned costs of $556,535 and a memorandum identifying funds put to better use of $1.6 million. OIG reports include 73 nonmonetary recommendations to improve corporate operations and activities. Among these are recommendations to strengthen security over FDIC information systems, improve the effectiveness of the offsite review program, develop additional policy for and better capture and track Gramm-Leach-Bliley Act-related activities, and enhance the asset valuation review process. OIG investigations result in 14 indictments/informations; 17 convictions; and approximately $820 million in total fines, restitution, and other monetary recoveries. Approximately $819 million of that amount represents court-ordered restitution and is not an amount that has been collected. The OIG's participation in the FDIC's early retirement and buyout program and other attrition will result in the separation of 54 employees. All OIG components adjust to reductions through staff reorganizations and modifications in operational processes. Office of Audits reorganizes around five operational directorates: Resolution, Receivership, and Legal Affairs; Insurance, Supervision, and Consumer Affairs; Information Assurance; and Resource Management. A fifth directorate, Corporate Evaluations, performs corporate-wide and other evaluations. The OIG issues its Human Capital Strategic Plan for 2002-2006 outlining four objectives relating to workforce analysis; competency investments; leadership development; and a result-oriented, high-performance culture. The OIG focuses audit and evaluation work on information security matters through such projects as issuance of the 2002 Government Information Security Reform Act evaluation report, presentations at governmentwide meetings, and coordination with the U.S. General Accounting Office (GAO) and Office of Management and Budget. The OIG issues its Government Information Security Reform Act report, concluding that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. While progress had been made in addressing previously identified weaknesses, in 3 of 10 key management control areas evaluated (Contractor and Outside Agency Security, Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. Our report also highlighted opportunities for the Corporation to strengthen the accountability and authority of its Chief Information Officer position.

The OIG and GAO continue their joint effort to audit the Corporation's financial statements. The OIG and GAO agree that the OIG will commit three staff members to perform the receivables from bank/thrift resolutions and receivership receipts audit work. One staff member will assist with information systems testing. The OIG is developing a multi-year strategy for performance of the information systems audit requirements starting in 2003. OIG counsel litigates 11 matters during the reporting period and provides advice and counsel on a number of issues. H The OIG reviews and comments on one proposed federal regulation and 22 proposed FDIC policies and directives and responds to 13 requests under the Freedom of Information Act and Privacy Act. The OIG coordinates with and assists management on a number of initiatives, including a joint project with the Office of Internal Control Management and the Division of Administration to ensure that accounting and auditing contractors comply with GAO's new independence standards, coordination with the Division of Supervision and Consumer Protection (DSC) on its Process Redesign II project, and Office of Investigations and Office of Audits executives' participation at the DSC Field Office Supervisor meetings. The OIG accomplishes a number of internal office initiatives, including completion of a comprehensive plan for downsizing and restructuring, issuance of Office of Audits' Fiscal Year 2003 Assignment Plan, establishment of an information security program, and outreach activity to various banking organizations on OIG operations. Four OIG Special Agents are among an 11-member team that receives the Attorney General's Award for Distinguished Service for their exemplary work in the investigations and prosecutions relating to the failure of Keystone Bank, Keystone, West Virginia. The OIG completes its annual review of the FDIC's Internal Control and Risk Management Program, concluding that the program complied with policy and was consistent with the Federal Managers' Financial Integrity Act provisions. The OIG issues the results of its evaluations of the adequacy of the physical security of FDIC facilities in headquarters and other selected sites. As Vice Chair of the President's Council on Integrity and Efficiency, the Inspector General leads the Inspector General community's activities designed to facilitate agency efforts related to the President's Management Agenda. These include work in the financial management, government performance, information technology, and human capital arenas.

A primary goal of the FDIC under its insurance program is to ensure that its deposit insurance funds remain viable. Achieving this goal is a considerable challenge, given that the FDIC supervises only a portion of the insured depository institutions. The identification of risks to non-FDIC supervised institutions requires coordination with the other federal banking agencies. The FDIC engages in an ongoing process of proactively identifying risks to the deposit insurance funds and adjusting the risk-based deposit insurance premiums charged to the institutions. The Division of Finance completes the final phase of this ongoing process by collecting the premium assessments.

Although the FDIC has a continuous program to ensure the viability of the deposit insurance funds, recent trends and events continue to pose additional risks to the funds. The economic landscape changed dramatically following the events of September 11, 2001, and the potential exists for an increased number of bank failures. Additionally, the environment in which financial institutions operate is evolving rapidly, particularly with the acceleration of interstate banking; new banking products and asset structures; electronic banking; and consolidations that may occur among the banking, insurance, and securities industries resulting from the Gramm-Leach-Bliley Act (GLBA).

Bank mergers have created "megabanks," or "large banks" (defined as institutions with assets of over $25 billion), and, for many of these institutions, the FDIC is not the primary federal regulator. As of March 31, 2001, there were 38 megabanks in the country. Of the $5.3 trillion consolidated assets controlled by the 38 megabanks, the FDIC was the primary regulator for only $162.5 billion in 3 institutions. The megabanks created as a result of mergers and the new or expanded services that the institutions can engage in under GLBA are presenting challenges to the FDIC. The failure of a megabank, for example, along with the potential closing of closely affiliated smaller institutions, could result in huge losses to the deposit insurance funds.

During the reporting period, the Corporation selected designated onsite examiners to enhance the FDIC's risk monitoring of the eight largest insured institutions.

In our previous semiannual report, we reported on a series of reviews that we had conducted based on a congressional request from Senator Paul Sarbanes, Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, related to the failure of Superior Bank, FSB, Hinsdale, Illinois.

Upon the failure of Superior Bank, the Office of Thrift Supervision closed the institution on July 27, 2001. At the time of closure, Superior had total assets of $2.2 billion and total deposits of $1.6 billion. The FDIC was named conservator and transferred the insured deposits and substantially all of the assets of Superior to Superior Federal, FSB (New Superior), a newly chartered, full-service mutual savings bank. The failure of Superior was one of the costliest of all recent failures. The FDIC's most recent loss estimate is $440 million.

During the reporting period, we completed the last of our series of audits related to the Superior Bank failure-an audit of the Division of Resolutions and Receiverships' (DRR) marketing efforts for the deposit liabilities, assets, and principal product groups of New Superior.

We determined that DRR effectively marketed Superior's deposit liabilities and assets to maximize the return to the conservatorship. The FDIC, as the receiver, transferred deposit liabilities totaling $1.5 billion and assets totaling $2 billion to New Superior. We reviewed the sale of the deposit liabilities and approximately 65 percent of the assets. DRR awarded the sales to the highest bidders in all sales we reviewed, except for one security sale. We were unable to determine whether DRR selected the highest bidder for the one security sale, because of insufficiencies in the sale file documentation.

Signed into law on November 12, 1999, GLBA reverses many of the barriers between banking and commerce erected by the Glass-Steagall Act of 1933 and is the most extensive reform of financial services regulation in over 60 years. GLBA also affects how various bank and affiliate activities are regulated and examined. GLBA eliminates many federal and state barriers to affiliations among banks and securities firms, insurance companies, and other financial services providers. Financial organizations are provided flexibility in structuring these new financial affiliations through a holding company structure or a financial subsidiary. The Federal Reserve System remains the "umbrella" supervisor for holding companies, but GLBA also incorporates "functional regulation" to use the strengths of the various federal and state financial supervisors. Increased affiliation between state non-member banks and other financial services providers engaged in expanded activities-in a new functional regulation environment-poses risks to the FDIC and the Bank Insurance Fund.

We conducted an audit that focused on three of the GLBA's seven titles to determine whether: (1) the Division of Supervision (DOS), now known as the Division of Supervision and Consumer Protection (DSC), had established coordination arrangements for GLBA activities with other regulatory agencies; (2) DOS procedures had been updated to address the restrictions and safeguards in GLBA; and (3) DOS was identifying banks that are directly or indirectly engaged in GLBA activities. We concluded that DOS had established coordination arrangements with other regulatory agencies but needed an updated agreement for information sharing with the Securities and Exchange Commission (SEC). DOS had also updated or created related policies and procedures to address most of the GLBA provisions covered in our review although some additional guidance was needed in the area of related organizations. Also, while the FDIC had access to Federal Reserve System data on financial holding companies, DOS information systems did not identify banks that were directly or indirectly engaged in GLBA-affected activities.

We made four recommendations to DSC related to developing information-sharing procedures in conjunction with the FDIC Legal Division and the SEC, expediting policy revisions, and enhancing information systems and databases to better capture and track GLBA-related activity. DSC is taking action to address all recommendations.

The FDIC shares supervisory and regulatory responsibility for approximately 9,480 banks and savings institutions with other regulatory agencies including the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and state authorities. The FDIC is the primary federal regulator for 5,417 federally insured state-chartered commercial banks that are not members of the Federal Reserve System, which includes state non-member banks, including state-licensed branches of foreign banks and state-chartered mutual savings banks. The challenge to the Corporation is to ensure that its system of supervisory controls will identify and effectively address financial institution activities that are unsafe, unsound, illegal, or improper before the activities become a drain on the insurance funds.

Emerging trends and new developments in the banking industry require the DSC to identify and assess risks from such activities as:

• subprime lending;



• declining underwriting standards for commercial real estate lending;



• rapid changes in bank operations between safety and soundness examinations;



• the growth of information technology and its increasing impact on payment systems and other traditional banking functions;



• fraudulent activities, which have contributed significantly to bank failures in recent years; and



• expanded banking activities permitted by the GLBA.

Further, DSC may have to reevaluate the concepts of risk, capital, and asset valuation in light of ever developing investment products and methods.

The FDIC has worked to increase the efficiency of the bank examination process designed to identify and assess these risks. Its Process Redesign efforts are ongoing. Additionally, the Corporation reported in its 3rd quarter Letter to Stakeholders that for the year-to-date, it had completed 485 expedited examinations of well-managed/well-capitalized banks under $250 million, resulting in a reduction of the average examination time on these institutions of more than 20 percent. With the possibility of a serious economic downturn, and in light of the magnitude of FDIC corporate reorganization and downsizing, DSC must continue to assess its size and the mix of expertise and skills in its workforce to ensure sufficient capacity for addressing increased risks. Considering the lead-time for developing new commissioned examiners, the FDIC needs to ensure the examination workforce will be adequate for handling potential problems and bank failures.

During 1998, the FDIC implemented a new offsite rating tool, the Statistical CAMELS Offsite Rating (SCOR) review, to more effectively and efficiently monitor risk to the banking and thrift systems. SCOR uses quarterly Reports of Condition and Income (Call Reports)1 to identify institutions that could potentially receive a downgrade in their CAMELS ratings at their next safety and soundness examination. To do this, SCOR uses statistical techniques to estimate the relationship between Call Report data and the results of the latest examination and estimates the probability of an institution being downgraded at the next examination.

We completed an audit to determine the effectiveness of SCOR as an early warning system and to assess actions taken by the DSC in response to early warning flags identified by SCOR. The audit was conducted nationwide and included a sample of banks from all FDIC regional offices.

We concluded that the effectiveness of the SCOR review program in detecting potential deterioration in the financial condition of insured depository institutions, as presently implemented, was limited. SCOR had not identified emerging supervisory concerns or provided early warnings of potential deterioration at the majority of financial institutions we reviewed. Further, case managers were placing limited reliance on SCOR as an early warning system.

Our report contained three recommendations intended to improve the SCOR offsite review program. First, we recommended that DSC assess the usefulness of SCOR as an early warning system as it is currently being implemented. If DSC determines that SCOR should continue as part of the offsite monitoring program, we recommended that DSC revise SCOR procedures to require that the DSC case manager analyses be performed within shorter timeframes than allowed by the current procedures. We also recommended that DSC instruct case managers to more often recommend onsite activity or other interactions with the institution as a follow-up action for those institutions flagged by SCOR that also have previously identified management weaknesses.

DSC concurred with each of the three recommendations and took corrective action in response.

One of the Corporation's annual performance goals for 2002 is that prompt supervisory actions are taken to address problems identified in institutions identified as problem insured depository institutions and that the Corporation monitor these institutions' compliance with formal and informal enforcement actions. Corrective actions are agreements (informal) or legally enforceable orders (formal) that the FDIC may institute against a financial institution or individual respondent to correct noted safety and soundness or compliance deficiencies. During the reporting period we conducted an audit to determine whether work performed by third-party contractors for FDIC-supervised institutions met the requirements of corrective actions instituted by the FDIC's DOS.

We concluded that the FDIC accepted work performed by third parties as meeting the requirements of the corrective actions instituted by the Corporation, and third-party work was completed within established timeframes. Also, DOS reviewed the corrective actions to ensure their completeness in addressing the underlying safety and soundness concerns. We made no recommendations in this report.

The FDIC is legislatively mandated to enforce various statutes and regulations regarding, for example, consumer protection and civil rights with respect to state-chartered, non-member banks and to encourage community investment initiatives by these institutions. Some of the more prominent laws and regulations in this area include the Truth in Lending Act, Fair Credit Reporting Act, Real Estate Settlement Procedures Act, Fair Housing Act, Home Mortgage Disclosure Act, Equal Credit Opportunity Act, and Community Reinvestment Act of 1977.

The Corporation accomplishes its mission related to fair lending and other consumer protection laws and regulations primarily by conducting compliance examinations, taking enforcement actions to address unsafe or unsound banking practices and compliance violations, encouraging public involvement in the compliance process, assisting financial institutions with fair lending and consumer protection compliance through education and guidance, and providing assistance to various parties within and outside of the FDIC. During the reporting period the Corporation made progress implementing its adult financial education curriculum, "Money Smart," nationwide.

In the area of consumer protection, the OIG has planned an audit of the implementation of GLBA privacy provisions. GLBA requires banking agencies to establish appropriate standards for financial institutions relating to the administrative, technical, and physical safeguards of consumer records and information. The Federal Financial Institutions Examination Council has issued guidance summarizing procedures for examining compliance with the regulation. Our audit work will address whether privacy examinations are conducted in accordance with applicable GLBA provisions and corrective actions are taken in a timely manner when banks do not comply.

In October 2001, Chairman Powell testified on deposit insurance reform before the Subcommittee on Financial Institutions and Consumer Credit, Committee on Financial Services, U.S. House of Representatives. The Chairman recommended the merger of the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF), charging risk based premiums to all institutions, allowing insurance funds to build or shrink around a target or range, establishing assessment credits based on past contributions, and indexing insurance coverage and raising the insurance on retirement accounts.

The FDIC views these recommendations as interrelated and believes they should be implemented as a package because piecemeal implementation could introduce new distortions and aggravate the problems that the recommendations are designed to address. During the reporting period, on May 22, 2002, deposit insurance reform legislation, based on the FDIC's recommendations, passed the House of Representatives. The Corporation also continued to pursue its case for comprehensive deposit insurance reform in speeches, banker outreach sessions, and visits to other Members of Congress.

While conceptually the recommendations appear to the OIG to be sound, we have not done work related to all of them. Based on work to date, the OIG strongly supports merging the funds.

Chairman Powell has noted the unanimity within the banking community on this particular point. Today, as a result of bank mergers and acquisitions, many institutions hold both BIF- and SAIF-insured deposits, obscuring the difference between the funds. The resulting merged fund would not only be stronger and better diversified but would also eliminate the concern about a premium disparity between the BIF and the SAIF. Assessments in the merged fund would be based on the risk that institutions pose to the single fund. The prospect of different prices for identical deposit insurance coverage would be eliminated. Also, insured institutions would no longer have to track their BIF and SAIF deposits separately, resulting in cost savings for the industry.

We will continue to monitor deposit insurance reform, as changes in this area will impact the way the FDIC operates and how our office can best support the FDIC in pursuit of its mission.

As the Corporation works to contribute to the stability and public confidence in our nation's financial system, information technology (IT) continues to play an increasingly greater role in every aspect of the FDIC mission. As corporate employees carry out the FDIC's principal business lines of insuring deposits, examining and supervising financial institutions, and managing receiverships, they rely on information and corresponding technology as a critical resource. Information and analysis on banking, financial services, and the economy form the basis for the development of public policies and promote public understanding and confidence in the nation's financial system.

In early 1998, the Corporation's Division of Information Resources Management (DIRM) and the other FDIC divisions laid out an IT strategy to address the next 3-5 years and articulated five IT strategic goals:

• Make Customer Satisfaction Our Primary Measure of Success.



• Improve Corporate Business Processes and External Relationships Through the Use of Technology.



• Manage Information for the Corporation.



• Provide an IT Infrastructure that Works Everywhere, All the Time.



• Improve the Efficiency and Effectiveness of IT Management.

The plan is updated every year based on DIRM management planning conferences, client input, changes in the overall business planning process and priorities, and new technology developments. Accomplishing IT goals efficiently and effectively requires significant expenditures of funds and wise decision-making and oversight on the part of FDIC management. The Corporation's 2002 IT budget is approximately $192.5 million.

The Corporation must constantly evaluate technological advances to ensure that its operations continue to be efficient and cost-effective and that it is properly positioned to carry out its mission. The capabilities provided by IT advances, such as paperless systems, electronic commerce, electronic banking, and the instantaneous and constant information-sharing through Internet, Intranet, and Extranet sources, also pose risks to the Corporation and the institutions that it regulates and insures. Many of the risks are new and unique. Solutions to address them are sometimes difficult and without precedent.

In addition to technological advances that assist the Corporation in its mission, the Corporation must continue to respond to the impact of laws and regulations on its operations. Management of IT resources and IT security have been the focus of several significant legislative acts, such as the Government Performance and Results Act and the Paperwork Reduction Act. The Government Information Security Reform Act (GISRA) requires the OIG to conduct an annual evaluation of the FDIC's information security controls. We completed our second such review during the reporting period, as discussed in more detail below. According to the 2002 Annual Performance Plan, the Corporation will continue to be engaged in several major technology initiatives during the remainder of 2002. These include the following:

New Financial Environment. The FDIC is working to replace core components of its financial system and anticipates that the new financial environment will improve business processes by adopting the best practices built into software packages, simplify and consolidate financial systems applications and data, enhance efficiency by automating manual work, maximize e-business opportunities, and provide better decision-making to ensure continuity of financial operations.

E-Business. The FDIC is actively pursuing e-business relationships both with the institutions it insures and with the vendor community that provides goods and services to the Corporation. It is making FDICconnect available to more than 9,000 insured institutions. FDICconnect is an e-business channel between the FDIC and its insured institutions and allows for the direct exchange and sharing of information over the Internet.

Information security program improvements. The Corporation continues to develop and implement an information security program to address identified weaknesses. Several areas of focus are enhancing security performance measurement and contractor and external security.

Enterprise Architecture. A new enterprise architecture process will be introduced to manage technology, applications, and technical infrastructure for the Corporation. The new enterprise architecture process will be integral to corporate and IT planning and should provide a corporate view of and future direction for business processes, information, applications, and infrastructure. It will also provide the standards and procedures to be followed whenever a new information system is built.

Our work in the IT area during the reporting period focused principally on our reporting responsibility under GISRA and related assignments, as discussed below.

The most significant report that we issued in the IT area was our GISRA report entitled Independent Evaluation of the FDIC's Information Security Program-2002. GISRA requires annual agency program reviews of information security by agency program officials, in consultation with Chief Information Officers, and annual independent evaluations by agency Inspectors General. Our first such evaluation report, entitled Independent Evaluation of the FDIC's Information Security Program Required by the Government Information Security Reform Act, was issued in September 2001.

The objective of our 2002 review was to evaluate the effectiveness of the FDIC's information security program and assess the FDIC's compliance with the requirements of the Security Act and related information security policies, procedures, standards, and guidelines. We relied primarily on the Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, as criteria for evaluating the adequacy of the FDIC's information security program. In addition, our evaluation focused on the FDIC's efforts to improve its information security controls and practices relative to the baseline established in our 2001 Security Act evaluation report.

In summary, we concluded that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. In 3 of 10 key management control areas evaluated (Contractor and Outside Agency Security,2 Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. In a fourth management control area (Security Act Responsibilities and Authorities), we highlighted opportunities for FDIC management to strengthen the accountability and authority of one of its most important leadership positions related to information security, the Chief Information Officer.

The FDIC had been working hard to address the security weaknesses identified in our 2001 Security Act evaluation report and new weaknesses identified in recent audits and reviews. However, weaknesses in the FDIC's security operations continued to surface because the FDIC had not fully implemented a comprehensive information security management program. Frequently, security improvements at the FDIC were the result of a reaction to specific audit and review findings, rather than the result of a comprehensive program that provided continuous and proactive identification, correction, and prevention of security problems. Government oversight agencies, such as the U.S. General Accounting Office (GAO) and OMB, and other recognized standard setting organizations, such as the National Institute of Standards and Technology, have identified fundamental management principles and controls needed to implement an effective information security management program. Based on our evaluation work, we found that the FDIC had taken some, but not all, of the actions necessary to establish and implement these fundamental management principles and controls. We concluded that the FDIC's progress in addressing the security weaknesses identified in our 2001 Security Act evaluation report was offset by the emergence of new information security weaknesses identified during our current year evaluation. Accordingly, our overall assessment of the FDIC's information security program remained the same as last year.

Based on our evaluation results, we identified 10 steps, listed in priority order, that the Corporation could take in the near term to improve its information security operations (see write-up on next page). The observations and conclusions contained in our evaluation report were designed to assist the Corporation in furthering its efforts to implement a comprehensive information security program that provides reasonable assurance of adequate security for its information resources. Consistent with the intent of the Security Act, we will continue to work with the Corporation in accomplishing its goals in this critical area.

Products Supporting GISRA Results We issued the following individual reports in support of our GISRA-reported results during the reporting period:

OIG Identifies GISRA Action Items The OIG's Government Information Security Reform Act report communicated the following actions, in priority order, to the FDIC Chairman. These actions should be taken to better ensure adequate security of corporate information resources. 1. Strengthen accountability and authority for information security by (a) appointing a permanent Chief Information Officer, (b) ensuring that the individual serving as the Chief Information Officer reports directly and solely to the Chairman, and (c) filling key vacancies within the Division of Information Resources Management that support information security initiatives and operations; 2. Make security a key selection factor in the 2003 information technology (IT) capital planning and investment control process to ensure that appropriate and cost-effective security controls are considered and funded over the life cycle of the FDIC's IT investments. For 2004, the FDIC should have a completed IT Capital Plan; 3. Complete the FDIC IT enterprise architecture to ensure that security controls for components, applications, and systems are consistent with current and planned IT architectures; 4. Continue and complete efforts to define the sensitivity of all corporate data and related business rules and ensure that the results are considered when developing and implementing security measures for corporate systems and applications; 5. Strengthen the FDIC's Acquisition Policy Manual and other Corporation policies and procedures related to contractor-provided services by incorporating the security standards prescribed by OMB Circular No. A-130 and the National Institute of Standards and Technology; 6. Establish key measures to assess the performance of corporate information security activities against established baselines and target performance levels. Such measures should be designed to proactively improve security processes and controls; 7. Define clear roles and responsibilities for all areas related to information security, including general support systems, major applications, information security managers, application contingency plans, and the pre-exit clearance process for employees and contractors; 8. Complete and begin using the recently developed Information Security Program Management Report to better track the integration of the FDIC's information, physical, and operational security activities; 9. Implement a formal software configuration management program that ensures all required software modifications, including software patches, are properly tested, approved, and documented in a timely manner; and 10. Complete and formally issue planned revisions to FDIC circulars related to information security. IT Capital Plan is one output of the capital planning and investment control process and serves as the implementation plan for the budget year. The IT Capital Plan should include a component that demonstrates that IT projects include security controls that are consistent with the agency's enterprise architecture. An enterprise architecture is an institutional systems blueprint that defines in both business and technological terms an organization's current and target operating environments and how the organization will transition between the two.

Information Security Management of FDIC Contractors: We concluded that the FDIC's contractor information security policies and procedures needed improvement. Specifically, the policies and procedures were deficient with respect to the consideration of contractor security in acquisition planning and oversight of contractor security practices. Further, the Corporation's implementation of contractor information security in acquisition planning, incorporation of information security requirements in FDIC contracts, and oversight of contractor security practices were not adequate. Finally, contractors generally failed to implement sufficient security measures. These control weaknesses exposed the FDIC's information resources to the risk of unauthorized disclosure, destruction, and modification of sensitive and critical data, and disruption of system operations.

We made eight recommendations to address the concerns we identified. DIRM and Division of Administration (DOA) management agreed to work jointly to implement corrective actions in response to our recommendations.

Internal and Security Controls Related to the General Examination System (GENESYS): GENESYS is the system used to prepare the report of examination, which contains the results of examinations and ratings given to financial institutions. The finalized report of examination is provided to the examined institution and other federal and state examiners with responsibilities for the institution. Institution regulators are charged with maintaining strict confidentiality in matters related to the financial institution examinations. GENESYS contains confidential information related to the institution's financial condition and management. Our audit, conducted by an independent public accounting firm under our general guidance, evaluated the adequacy of selected internal and security controls related to the system. The independent public accounting firm concluded that automated controls in GENESYS were adequate but recommended enhancements to better protect sensitive data through improved safeguards, password controls, and warning banner screens. Management agreed with the recommendations in our report.

Network Operations Vulnerability Assessment: We engaged PricewaterhouseCoopers Consulting (PwC), an independent professional services firm, to perform a multi-phase vulnerability assessment of the FDIC's network operations.

The primary objective of the first phase of PwC's assessment was to review past security practices and develop a plan for a more detailed assessment of the vulnerability to FDIC's network operations during a follow-on Phase II. The resulting report from Phase I contained seven observations and multiple recommendations intended to improve performance and management controls.

DIRM partially concurred with all but two of PwC's recommendations. DIRM's written comments resolved some recommendations and caused us, in consultation with PwC, to revise four others. A substantial number of recommendations were unresolved at the time of report issuance; however, as of the end of the reporting period, we had reached agreement on all recommendations.

Integration of Information Security into the Capital Planning and Investment Control Process: The OIG and Office of Internal Control Management conducted a joint review to evaluate the FDIC's progress in integrating information security into the capital planning and investment control process (CPICP) since the OIG's first GISRA report was issued in September 2001. That report identified CPICP as an area that may warrant reporting as an individual material weakness. Our objective was to evaluate the extent to which the FDIC integrates security into that process.

Although not issued in final form during the reporting period, we issued our draft report to management. We determined that the FDIC had continued efforts to improve its overall IT capital planning process, but more progress was needed in establishing and implementing three key CPICP management controls related to security: an enterprise architecture that specifically addresses security requirements, consideration of information security in capital IT investment decisions, and system life cycle security management. Until these key management controls are fully established and implemented, corporate level decision-makers cannot be assured that security is appropriately integrated in FDIC systems commensurate with the level of risk associated with those systems.

Because deficiencies in the CPICP were again identified as a potential material weakness in our 2002 GISRA report, we will carefully evaluate the forthcoming management response to this report outlining specific corrective actions and will discuss this review in more detail in our upcoming semiannual report.

The private sector provides goods and services to the FDIC as needed through contracting to assist the Corporation in accomplishing its mission. Contractors provide assistance in such areas as information technology, legal matters, loan servicing, asset management, and financial services.

Maintaining a strong system of internal controls and effective oversight of contracting is critical to the FDIC's success. The Corporation has taken a number of steps in this regard-training, revisions to the Acquisition Policy Manual, and Contractor Oversight working groups. A goal related to contractor oversight was added to the Corporation's Annual Performance Plan, which is formulated in accordance with the Government Performance and Results Act. The Corporation must sustain such efforts going forward. Additionally, with increased downsizing and possibly more involvement of contractors to carry out the FDIC mission, effective oversight will become even more critical.

Projections of calendar year 2002 non-legal contract awards and purchases total 1,400 actions valued at approximately $375 million. Information technology has always been one of the most active areas of contracting. As of September 30, 2002, there were more than 415 active information resources management contracts valued at approximately $476 million that had been awarded in headquarters. Approximately $230 million of this expenditure authority for active contracts had been spent and approximately $246 million remained to be used as of that date.

In coordination with DOA, the OIG developed a new approach to conducting audits of contractor billings and completed several audits using the new approach during the reporting period. Post-award audits of contractors focus specifically on contract provisions to determine the allowability of costs. Preaward audits focus on the bids received from potential contractors. We also can review the contract award process and contractor controls, as needed.

We questioned a total of $528,492 in two post-award reports for reasons including unauthorized subcontractors, unallowable subcontractor mark-ups, incorrect timesheets, unreasonable project management hours billed, and billings for unauthorized labor categories.

Management's response for $215,174 of that amount was not due as of the end of the reporting period. For the remainder, management disallowed $34,926.

We issued three preaward reports. Two of the reports related to activities regarding the construction of the Virginia Square II building and the third addressed contracting for Local Area Network administration and mainframe and operational support.

Management has expressed appreciation to the OIG for its efforts in this area of contract auditing.

The Government Performance and Results Act (Results Act) of 1993 was enacted to improve the efficiency, effectiveness, and accountability of federal programs by establishing a system for setting goals, measuring performance, and reporting on accomplishments. Specifically, the Results Act requires most federal agencies, including the FDIC, to prepare a strategic plan that broadly defines each agency's mission, vision, and strategic goals and objectives; an annual performance plan that translates the vision and goals of the strategic plan into measurable annual goals with specific indicators and targets; and an annual performance report that compares actual results against planned goals.

The Corporation's strategic plan and annual performance plan lay out the agency's mission and vision and articulate goals and objectives for the FDIC's three major program areas of Insurance, Supervision, and Receivership Management. The plans focus on four strategic goals that define desired outcomes identified for each program area: (1) Insured Depositors Are Protected from Loss Without Recourse to Taxpayer Funding, (2) FDIC-Supervised Institutions Are Safe and Sound, (3) Consumers' Rights Are Protected and FDIC-Supervised Institutions Invest in Their Communities, and (4) Recovery to Creditors of Receiverships Is Achieved. Through its annual performance report, the FDIC is accountable for reporting actual performance and achieving these strategic goals, which are closely linked to the major issues discussed in this semiannual report.

The Corporation has made significant progress in implementing the Results Act and will continue to address the challenges of developing more outcome-oriented performance measures, linking performance goals and budgetary resources, implementing processes to verify and validate reported performance data, and addressing crosscutting issues and programs that affect other federal financial institution regulatory agencies. The FDIC is committed to fulfilling both the requirements of the Results Act and congressional expectations that the performance plans and reports clearly inform the Congress and the public of the results and outcomes of the FDIC's major programs and activities, including how the agency will accomplish its goals and measure the results.

In 1998, the House Leadership formally requested that the Inspectors General of 24 executive agencies develop and implement a plan for reviewing their agencies' Results Act activities. The Congress attaches great importance to effective implementation of the Results Act and believes that Inspectors General have an important role to play in informing agency heads and the Congress on a wide range of issues concerning efforts to implement the Results Act. We believe the congressional views on such a review plan represent an appropriate direction for all Offices of Inspector General.

The FDIC OIG is fully committed to taking an active role in the Corporation's implementation of the Results Act. We have developed a review plan to help ensure that the Corporation satisfies the requirements of the Results Act and maintains systems to reliably measure progress toward achieving its strategic and annual performance goals. Our review plan consists of the following three integrated strategies:

Linking Planned Reviews to the Results Act. We will link planned reviews to corporate strategic goals and provide appropriate Results Act coverage through audits and evaluations. As part of this strategy, our planning effort this year will seek to align our audit work more closely with the Corporation's strategic plan.

Targeted Verification Reviews. We will maintain a program of independent reviews to periodically evaluate the adequacy and reliability of selected information systems and data supporting FDIC performance reports. The OIG has developed a standard work program to conduct these evaluations.

Advisory Comments. We will continue our practice of providing advisory comments to the Corporation regarding its update or cyclical preparation of strategic and annual performance plans and reports.

Examples of OIG audit findings and recommendations during the reporting period that are linked to Result Act issues and concepts include the following:

We issued a report on the FDIC's receivership termination activity. We concluded that DRR was complying with policies and procedures for terminating receiverships and data contained in the Receivership Termination System for the sampled receiverships were accurate and complete. We identified one area of concern, however, related to DRR annual performance planning and receivership termination activity.

Specifically, DRR's 2002 annual performance planning indicators and targets did not cover all significant receivership termination activities. Specifically, a 2002 performance indicator and target for terminating receiverships initiated prior to 2000 was not developed. Pre-2000 receiverships accounted for 157 of the 168 active receiverships in inventory at January 1, 2002. We recommended that DRR establish an interim 2002 performance indicator and targets that include all active receiverships when formulating future annual performance plans. DRR concurred with the two recommendations in our report and planned corrective action in response. (Also see write-up related to Third-Party Corrective Actions.)

During this reporting period, the OIG reviewed and provided advisory comments to management on the FDIC's draft 2001 Program Performance Report. The purpose of our review was to provide suggestions for enhancing the Corporation's performance report based on our knowledge and OIG work related to the Results Act. In addition, we reviewed the report to determine if it was in compliance with the Results Act and related OMB guidance. We noted that the draft performance report was not clear with respect to reporting on receivership termination activity and suggested that it be clarified. In addition, we suggested that the FDIC performance report include a reference to the OIG performance report in accordance with OMB guidance. Management agreed with our comments and incorporated many of our suggestions into the final report that was sent to the Congress and OMB.

The OIG will continue to develop and refine its integrated oversight strategy to help ensure that the FDIC's Results Act-related efforts fully conform to the spirit and intent of the Act. We plan to continue to work with the Corporation to improve the FDIC's performance measurement and reporting through our audits, evaluations, and management advisory reviews and analyses. The OIG will also continue to monitor and review legislation proposed in the Congress to amend the Results Act and will actively participate to refine appropriate OIG Results Act roles, responsibilities, and activities through the President's Council on Integrity and Efficiency and the interagency groups it sponsors.

The FDIC has been in a downsizing mode for the past 10 years as the workload from the banking and thrift crises of the late l980s and 1990s has been accomplished. During the reporting period, a number of division mergers and reorganizations took place and the Corporation concluded its 2002 buyout/retirement incentive programs. As noted in its 3rd quarter Letter to Stakeholders, these most recent incentive programs achieved a reduction of 699 staff and $80 million projected savings in future operating costs. In total, over the past 10+ years, the workforce (combined from the FDIC and the Resolution Trust Corporation) has fallen from approximately 23,000 in 1992 to 5,500 as of September 30, 2002.

By June 2003, the Corporation hopes to substantially complete required downsizing and correct existing skills imbalances. To do so, the Corporation continues to carry out other features of its comprehensive program such as solicitations of interest, reassignments, retraining, outplacement assistance, and possible reductions-in-force. As the Corporation adjusts to a smaller workforce, it must continue to ensure the readiness of its staff to carry out the corporate mission.

The Corporation has also predicted that almost 20 percent of FDIC employees will be eligible to retire within the next 5 years. The Corporation must continue to conserve and replenish the institutional knowledge and expertise that has guided the organization over the past years. Hiring and retaining new talent will be important, and hiring and retention policies that are fair and inclusive remain a significant component of the corporate diversity plan.

An important corporate consideration is determining where FDIC employees will be housed over the long-term. In that regard, the Corporation's Board of Directors approved construction of a new nine-story building at its Virginia Square office complex in Northern Virginia. This building will house FDIC staff for the most part now working in leased space in the District of Columbia. The expansion will cost approximately $111 million; however, the Corporation anticipates substantial savings in the long run-more than $78 million (in today's dollars) over the next 20 years. At DOA's request, the OIG conducted a preaward review to ensure that the process for soliciting and hiring contractors to perform the work of constructing the new site is carefully controlled and properly carried out. (See earlier write-up on preaward reviews.)

The Corporation's organizational make-up has been altered dramatically, and more change is in store. Designing, implementing, and maintaining effective human capital strategies are critical priorities and must be the focus of sustained corporate attention.

The OIG initiated an evaluation of aspects of the Corporation's employee training and development efforts. At the time we were conducting our work, the Corporation was in the midst of announcing several new initiatives and implementing a number of organizational changes that impacted both its training and development and overall human capital programs. As a result, we determined that it was not an appropriate time to review these activities. Because we had also gathered information associated with the FDIC's overall human capital strategy, we issued a memorandum to management to communicate that information as we terminated our review.

Our memorandum noted that last year, GAO added strategic human capital management to its list of high-risk government programs as an area that needs attention to ensure that the federal government functions in the most economic, efficient, and effective manner possible.

In its Model of Strategic Human Capital Management, GAO identified three cornerstones3 that relate to the activities we addressed in our evaluation:

• Leadership commitment to human capital management,



• Strategic human capital planning, and



• Acquiring, developing, and retaining talent.

In our memorandum, we communicated our observations on past corporate activities in these areas and focused on on-going or planned initiatives, pointing out where we believe the Corporation should continue to concentrate its efforts.

• The Corporation's Human Resources Committee (HRC), comprised of eight executives from throughout the Corporation, is a key driver of the Corporation's human capital initiatives to streamline the organization, complete downsizing, establish clear performance expectations and incentives for executives, and build a flexible workforce through a Corporate University and job rotation program. The HRC is responsible for developing policy recommendations for the Chief Operating Officer (COO), Chief Financial Officer (CFO), and the Deputy to the Chairman, as well as monitoring the implementation of the Corporation's human capital initiatives.

• The Corporate University is one of the key initiatives to transform the FDIC. It will be organizationally placed in the newly designed Human Resources Branch-a merger of the Training and Consulting Services Branch and the Personnel Services Branch-within DOA.

• The FDIC is recruiting a human capital professional as Associate Director of the Human Resources Branch. This position will report to the Deputy Director, DOA, who is also the Chairman of the HRC. The Associate Director's responsibilities will include the development of a comprehensive human capital program for the Corporation.

Strategic Workforce Planning

• The Corporation conducted an FDIC Human Capital Self-Assessment based on GAO guidelines, drafted a Human Resources Strategic Plan, and included various human capital initiatives in both the FDIC Strategic Plan and the FDIC 2002 Annual Plan. However, the FDIC has not yet finalized its development of a fully integrated human capital framework, such as the Human Resources Strategic Plan could provide. The HRC indicated that the draft Human Resources Strategic Plan would be revisited this fall before presenting it to the COO, CFO, and Deputy to the Chairman. We consider completion of this plan to be a critical priority for the FDIC.

• The Corporation's annual planning process addresses workforce planning in its core staffing analysis. However, the Corporation's current practices do not include a formalized corporate-wide skill gap analysis for long-term human capital planning purposes. In its draft Human Resources Strategic Plan, the Corporation recognized that the FDIC does not have such a process to compare the skills possessed by the workforce against future needs and identify strategies to address those gaps.

Acquiring, Developing, and Retaining Talent

• DOA's Training and Consulting Services Branch, as the principal training and employee development organization, works with the divisions and offices to identify the best ways to address their learning needs and develop core training programs.

• The strategies embodied in the FDIC Diversity Strategic Plan include enhancing the corporate recruiting program, creating developmental opportunities, enhancing the internal and external selection processes, and addressing benefit and workplace issues.

• The Chairman's announcements of the Corporate University and job rotation program will build on the Diversity Strategic Plan foundation and help create a broader corporate perspective through training and employee development.

• The Corporate University Steering Committee is currently developing its strategy for the Corporate University to best fit the FDIC's mission and operations. The Committee is also consulting with private-sector corporate universities, academic institutions, and other experts to identify best practices. The Steering Committee anticipates completing its work and presenting an options paper to the Chairman by the end of 2002.

Because human capital management is critical to the Corporation's future success, we will continue to monitor the Corporation's progress and provide audit coverage of the program and initiatives, as we deem appropriate.

The Corporation continues efforts to identify and implement ways to contain and reduce costs, either through more careful spending or assessing and making changes in business processes to increase efficiency. As steward for the BIF and the SAIF, the FDIC looks for cost reductions and efficiency improvements to minimize the draw on the funds.

The Corporation has taken steps to increase emphasis in this area. As discussed in the previous section of this report, savings will result from the Corporation's planned building of its new Virginia Square site. It is also expected that the Corporation's New Financial Environment will result in lower costs, better functionality, and enhanced efficiency. Several other initiatives are in process to better understand what the various business processes and activities within the FDIC cost, how they can be made more efficient, and how they compare to private and public sector entities. The Corporation may also need to recognize and plan for unmet needs which can add to operating costs. Such needs may include, for example, further ensuring information resources security and maintaining essential physical security.

Since being named head of the FDIC, FDIC Chairman Powell has underscored the importance of efficiency and effectiveness of the FDIC in various communications with FDIC employees. Certainly, the Corporation's organizational streamlining and downsizing were designed to achieve such efficiencies and economies. Additionally, the Corporation is evaluating the cost of certain corporate operations against appropriate benchmark organizations. The results of such studies will help the Corporation identify areas in which its costs may be higher than other organizations and potential "best practices" to reduce these costs.

In this connection, the Corporation is implementing a service costing initiative-new procedures to charge receiverships for services provided by the Corporation by applying standard rates. This initiative should also result in improved allocation of receivership expenses. The OIG is conducting a review of data quality of service costing to determine whether adequate controls exist to ensure the accuracy, timeliness, and completeness of receivership-related data used by the service costing system. Additionally, the OIG plans future work on service costing billing rates to determine whether the rates developed have been adequately supported and controls are in place to ensure that receiverships are being accurately billed. Our results will be discussed in future semiannual reports.

Largely in light of the events of September 11, 2001, we identified an emerging issue that the FDIC needed to address: the security of the FDIC's physical and human resources. The Corporation has devoted considerable attention to these areas since the tragic events of that day and continues to do so. It has enhanced important physical security features of its properties. It has worked to keep employees informed of security matters and events occurring in the Washington, D.C., area and field offices that may impact employee safety and security. It also developed an Emergency Response Plan on which the OIG provided extensive comments to the Chief Operating Officer during the previous reporting period.

We completed fieldwork on our evaluations of the FDIC's physical security of Washington, D.C., area and regional and field office facilities during the reporting period and issued two reports conveying our results.

Evaluation of Physical Security for the FDIC's Washington, D.C. Area Facilities
We issued a report on the FDIC's physical security program and its implementation in the Corporation's Washington, D.C. metropolitan area facilities, including Virginia Square. Generally the Corporation's program addresses perimeter security, entry security, interior security, and security planning-the four broad areas covered by Department of Justice-recommended minimum security standards. However, we noted several areas where the Corporation could improve its physical security program. Specifically, the Corporation needed to require that a risk level be assigned to each FDIC building and that the minimum security standards deemed practicable for each building be documented. Security risk assessments of FDIC facilities also needed to be conducted in accordance with time frames prescribed by FDIC policy. Finally, and this is a point that DOA recognized and acted upon, the initial design and assignment of responsibilities for emergency evacuation to both the Physical Security Unit and the Health Safety and Environmental Unit was confusing, and responsibilities were reassigned solely to the Physical Security Unit. We made 11 recommendations and offered several suggestions to better ensure the safety and security of individuals and property. The actions already taken or planned by the Corporation are responsive to our concerns.

Security for Field Sites
We also reported that regional and field offices had implemented perimeter, entry, and interior security measures that met or exceeded the Department of Justice's recommended minimum standards for the facilities' assigned security levels. DOA had performed vulnerability assessments of regional and field office facilities and implemented recommended security measures identified from those assessments. Each of the 15 offices in our sample had established procedures for responding to and reporting on emergencies and other security-related incidents. However, differences existed among the various offices regarding the types of security-related incidents reported for inclusion in the FDIC's incident reporting and investigation system. This inconsistent reporting limited the FDIC's ability to use the data for detecting trends that may require additional security measures. We made two recommendations to improve the completeness and usefulness of data contained in the system, and management agreed with both of them.

During the previous reporting period, the OIG identified the following emerging issue as warranting FDIC management's attention.

Recent highly publicized business failures, including financial institution failures, have raised significant questions about the quality of financial reporting and auditing of these businesses. Various dimensions of this issue have been, and continue to be, widely discussed and reported in various forums, most notably with congressional hearings on the failure of Enron Corporation. Aspects of the problem as it relates to financial institutions have been documented in relatively recent OIG work on bank failures-Superior Bank and Keystone Bank-as presented in prior semiannual reports.

The issues involve interrelated roles of management (including Boards of Directors and Audit Committees), independent auditors, and regulators. Management is primarily responsible for the reliability of financial reports with auditors providing an independent audit function and regulators relying on the financial data.

Affected regulators include the Securities and Exchange Commission as well as the FDIC and other financial institution regulators. The need for reliable financial data affects the ability of regulators to effectively achieve their oversight missions. To the extent that the financial reporting of businesses (including financial institutions) is not reliable, the regulatory processes and mission achievement can be adversely affected. Financial institution regulators are affected by the quality of reporting of financial institutions and businesses transacting with financial institutions. Critical operational processes of financial institution regulators can be adversely affected. Essential research and analysis (used for economic analysis and decision-making) and bank supervision (examinations) can be complicated and potentially compromised by poor quality financial reports and audits.

In addition to supervision safety and soundness issues, the FDIC, in its roles as receiver and insurer, is potentially affected by financial reporting and audit quality, regardless of whether the FDIC is the primary federal regulator. Receivership management operations, relying on accounting and auditing contractors, can be adversely affected. Potentially, the insurance funds can be affected, for example, by financial institution and other business failures precipitated in whole or in part by financial reporting irregularities.

The financial reporting and audit quality issues are complicated by a number of interrelated risk factors, including: auditor independence; complexity and sophistication of business structures and transactions; adequacy and complexity of standards; fraud; auditors' document retention procedures; adequacy of auditor oversight; and qualifications and fitness of Audit Committees, Boards of Directors, and Officers.

Corporation Takes Steps to Address Issue
The Corporation has initiated actions to address many aspects of the bank financial reporting and audit quality issue that we discussed in our last semiannual report. The Corporation's 2001 Annual Report to the Congress (under the Chief Financial Officers Act), issued during this period, discussed this matter as an emerging issue. The Corporation also initiated several key actions to help ensure the quality of financial reporting and auditing of financial institutions.

The Corporation's actions considered the impact of recent significant changes to standards and policies for auditors. These changes resulted from the recent Sarbanes-Oxley Act of 2002 and new government auditing standards for independence issued by the Comptroller General of the United States:

• The Sarbanes-Oxley Act of 2002 established dramatic changes for publicly held companies and their auditors to protect investors and improve the accuracy and reliability of corporate financial reporting and disclosures. Among other provisions, the Act revised auditor independence rules, created a Public Company Accounting Oversight Board, revised corporate governance standards, and significantly increased the criminal penalties for violations of securities laws.



• GAO published revised independence standards in January 2002, effective for governmental audits beginning on or after January 1, 2003.

To address these issues, the Corporation established a joint group that included the Office of Internal Control Management, DOA, and the OIG. The OIG's role was to provide independent technical advice. The group's initial objective was to determine the actions that the Corporation should take regarding its use of services from accounting firms to ensure compliance with the new GAO independence standards. The Corporation's Legal Division and the DRR also joined the group to address contract issues within their respective divisions. The DSC subsequently joined the group to ensure coordination with the independence initiatives under consideration, such as the independence requirements and interpretations of the Securities and Exchange Commission and the Sarbanes-Oxley Act of 2002 as it affects accounting firms' work in insured institutions.

Corporate initiatives, highlighted below, address: independence requirements for corporate contracts with accounting firms; auditor independence for insured institutions; disciplining accountants; and additional Sarbanes-Oxley Act considerations.

Independence Requirements for Corporate Contracts with Accounting Firms
The new GAO independence standards include the following two overarching principles:

• Auditors should not perform management functions or make management decisions; and



• Auditors should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material to the subject matter of audits.

To address the overarching independence principles involving corporate contracts with accounting firms, the following key actions have been taken:

• Revise ethics regulation to address lack of independence as a conflict of interest. In May 2002, the FDIC Board approved an interim final rule (12 CFR Part 366). A final version of the rule has been prepared for FDIC Board approval.



• Address significance and materiality for nonaudit services. The Legal Division will work with divisions/offices to prepare factors to be considered in determining whether nonaudit services are significant/material, to assess compliance with GAO's overarching principle.



• Address expert witness contracts. The Legal Division uses expert witnesses from accounting firms. These firms will be reviewed to ensure there are no conflicts of interest. In addition, the guidance for outside counsel will be updated, as necessary.



• Address contracts of failed institutions. Guidance is being developed to address auditor independence for contracts with accounting firms inherited from failed institutions.



• Use Ethics Conflicts Committee. The Legal Division's ethics conflicts committee, established to address potential ethical conflicts of interest, will be convened as necessary to address auditor independence conflicts.



• Update Acquisition Policy Manual (APM). DOA will update the APM to address auditor independence. The APM establishes a consolidated and uniform set of policies and procedures for procuring goods and services on behalf of the Corporation.



• Update standard contracts. DOA and the Legal Division will ensure that updated standard contracts address lack of independence as a conflict of interest. Also, contractor certifications will be required to ensure auditor independence standards.



• Consider automated tracking mechanism. DOA will consider the feasibility of using an automated mechanism to track the various types of auditor services being provided to assist in monitoring potential independence issues.

Also, the OIG is updating its internal policies and procedures to ensure appropriate compliance with Generally Accepted Government Auditing Standards, including independence standards. The OIG will also address the work of accounting firms conducting work under OIG contracts.

Auditor Independence Requirements for Insured Institutions
The FDIC's DSC, in coordination with other financial regulatory agencies, has a number of initiatives underway related to audits of insured banking institutions:

Under FDIC regulations (12 CFR Part 363) and explanatory guidelines and interpretations, auditors of insured institutions with $500 million or more in assets must "meet the independence requirements and interpretations of the SEC and its staff." As a result of the Sarbanes-Oxley Act of 2002, DSC believes that auditors are prohibited from performing both internal audit outsourcing and consulting work for external audit clients.

An interagency working group, headed by the FDIC, had been revising the guidance on auditor independence in the December 1997 "Interagency Policy Statement on the Internal Audit Function and its Outsourcing" in response to the SEC's adoption of revised independence rules in November 2000. As a result of the Sarbanes-Oxley Act of 2002, the guidance will require further revision. The following actions are among those being considered:

• Advise institutions with $500 million or more in total assets and all publicly-held institutions that they should follow the requirements of the new Sarbanes-Oxley Act;



• Encourage institutions with under $500 million in total assets that are not publicly held to follow the requirements of the new Sarbanes-Oxley Act; and



• Advise all state-chartered institutions to also follow any state laws or regulations with regard to auditor independence.

Disciplining Accountants Who Perform Audit Services
For institutions with $500 million or more in total assets - Section 36 of the Federal Deposit Insurance Act requires the federal banking agencies to jointly issue rules of practice for removing, suspending, and barring accountants from performing audit services for institutions subject to Part 363. An interagency working group has been drafting proposed rules of practice. These rules would permit the agencies to suspend/remove/bar independent public accountants from performing services under Section 36 for good cause. The rules of practice would define "good cause."

For all institutions - For several years, the FDIC has maintained a program of reporting apparent noncompliance by bank auditors with applicable professional standards (including Generally Accepted Auditing Standards (GAAS)) to the American Institute of Certified Public Accountants (AICPA) and state boards of accountancy. The AICPA as a professional association investigates GAAS infractions and may discipline accountants. Disciplinary action frequently involves additional education for the disciplined person but may ultimately result in revocation of an accountant's AICPA membership. State boards are able to revoke an accountant's license to practice; however, followup on referrals by some boards may be constrained by financial or staff limitations.

Additional Sarbanes-Oxlely Act Considerations
Where the FDIC has authority under Section 36 of the Federal Deposit Insurance Act, the FDIC is considering whether to amend Part 363 to be consistent with the Sarbanes-Oxley Act by:

• Requiring independent public accountants to be registered accounting firms;



• Accepting registration applications, annual reports, and inspection reports of registered accounting firms in lieu of peer review reports;



• Requiring that the independent public accountant retain audit documentation and any needed computer programs for a period of 7 years; and



• Adding the duties and responsibilities of the audit committee outlined in the new Act.

The OIG will continue to monitor and assess this issue for consideration in planning future audit and oversight work. In this regard, one ongoing audit is currently reviewing examiner reliance on the work of independent public accountants.