Reliability of Supervisory Information Accessed Through the Virtual Supervisory Information on the Net (ViSION) System

September 2008
Report No. AUD-08-019

FDIC OIG, Office of Audits
Federal Deposit
Insurance Corporation

Why We Did The Audit

ViSION is a mission-critical FDIC system that provides access to a broad range of information related to insured financial institutions in support of the Corporationís insurance and supervision programs. The system serves approximately 3,900 FDIC and outside agency users (primarily other federal and state regulatory agencies). The objective of the audit was to assess the reliability of key supervisory information accessed through the ViSION system.

Background

Key supervisory information accessed through the ViSION system includes: (1) examination ratings used to evaluate the safety and soundness of financial institutions; (2) Bank Secrecy Act (BSA) examination information reported to the Department of the Treasury; (3) safety and soundness Reports of Examination (ROE) provided to financial institutions; and (4) ROE processing dates used to monitor examination frequency and determine deposit insurance assessments for financial institutions. The FDICís Division of Supervision and Consumer Protection (DSC) is responsible for ensuring the reliability of supervisory information in each of these four areas.

We reviewed a sample of 75 of the 5,075 financial institutions for which the FDIC was the primary federal regulator as of April 3, 2008. For each of the 75 institutions, we verified supervisory information accessed through the ViSION system to source documentation, such as hard copy ROEs. We considered the information we assessed to be reliable if it was accurate and complete as described in the Government Accountability Officeís publication Assessing the Reliability of Computer-Processed Data.

Audit Results

Supervisory information accessed through the ViSION system was not fully reliable in each of the four areas that we assessed. The table below summarizes the results of our assessment of key supervisory information accessed through the ViSION system for each of the 75 financial institutions we sampled.

Reliability of Key Supervisory Information for 75 Sampled Institutions
Institution Information as of May 28, 2008 Financial Institution Examination Ratings BSA Examinations Safety and Soundness ROEs ROE Processing Dates
Reliable 73 73 42 65
Unreliable 2 2 33 10
Total Institutions 75 75 75 75
Source: Analysis of information in the ViSION system, hard copy ROEs, and discussions with DSC officials.

Unreliable information pertaining to examination ratings, BSA violations, and ROE processing dates resulted principally from erroneous data entry. Unreliable information pertaining to ROEs resulted principally from state regulatory agencies not submitting electronic ROEs to the FDIC and insufficient controls over the collection, processing, and storage of ROEs. Unreliable information accessed through the ViSION system can limit the efficiencies that the FDIC intended to achieve through automation such as accurate, timely, and consistent data used for offsite monitoring of financial institutions. In addition, because ROE processing dates are used in determining deposit insurance assessments, the reliability of those dates is critical to ensuring the integrity of premiums charged to insured financial institutions. Unreliable ROE processing dates resulted in 1 of 75 sampled institutions being significantly undercharged ($3,050, or about 10 percent) on one of its quarterly deposit insurance assessments.

DSC has taken steps to promote the reliability of information accessed through the ViSION system. For example, DSC periodically reviews the integrity of selected information accessible through the ViSION system as part of the divisionís internal reviews. DSC also identified concerns regarding the reliability of ROE information prior to our audit and was working to improve its processes and technology for collecting, processing, and storing electronic ROEs. However, DSC had not performed an assessment of supervisory information accessed through the ViSION system to determine an acceptable information accuracy rate. Establishing an information accuracy rate is important for ensuring cost-beneficial controls over the reliability of information accessed through the ViSION system.

Recommendation and Management Response

We recommended that the Director, DSC, conduct an assessment of key supervisory information accessed through the ViSION system in order to define an acceptable accuracy rate and identify respective controls and responsibilities over the reliability of supervisory information consistent with the results of the assessment.

DSC concurred with our recommendation and has planned to take responsive actions.



Contents Page

BACKGROUND1

Key Supervisory Information Accessed Through the ViSION System

2

Assessing the Reliability of Key Supervisory Information

4
RESULTS OF AUDIT4
ASSESSMENT OF KEY SUPERVISORY INFORMATION ACCESSED THROUGH THE VISION SYSTEM4

Examination Ratings

5

BSA Examinations

5

Safety and Soundness ROEs

6

ROE Processing Dates

7

Strengthening the Reliability of Key Supervisory Information

7

Recommendation Related to ViSION System Information Reliability

8
CORPORATION COMMENTS AND OIG EVALUATION8
APPENDICES

1. OBJECTIVE, SCOPE, AND METHODOLOGY

10

2. ROLE OF EXAMINATION MAIL DATES IN CALCULATING DEPOSIT INSURANCE ASSESSMENTS

14

3. CORPORATION COMMENTS

16

4. MANAGEMENT RESPONSE TO RECOMMENDATION

17

5. ACRONYMS USED IN THE REPORT

18
TABLES

1. Reliability of Key Supervisory Information for 75 Sampled Institutions

5

2. Unreliable Examination Mail Dates in the ViSION System

5

3. Effects of Unreliable Examination Mail Dates on Insurance Assessments

15







FDIC, Federal Deposit Insurance Corporation, Office of Inspector General,Office of Auidts, 3501 Fairfax Drive, Arlington, VA 22226-3500
DATE: September 25, 2008
 
MEMORANDUM TO:Sandra L. Thompson, Director
Division of Supervision and Consumer Protection
 
FROM:Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits
 
SUBJECT:Reliability of Supervisory Information Accessed Through the Virtual Supervisory Information on the Net (ViSION) System
(Report No. AUD-08-019)
 

This report presents the results of our audit of the reliability of supervisory information accessed through the ViSION system. ViSION is a mission-critical FDIC system1 that provides access to a broad range of information related to insured financial institutions in support of the Corporationís insurance and supervision programs. The objective of the audit was to assess the reliability of key supervisory information accessed through the ViSION system. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.

BACKGROUND

The ViSION system is one of the most widely-used Web-based systems at the FDIC. During the first 6 months of 2008, the system recorded approximately 5.7 million pages viewed and served about 3,900 FDIC and outside agency users (primarily other federal and state regulatory agencies). The ViSION systemís primary users within the FDIC are executives, regional managers, case managers, review examiners, and field examiners in the Division of Supervision and Consumer Protection (DSC). DSC personnel use the system to perform supervisory-related functions, such as tracking applications, accessing examination information, and monitoring enforcement actions. Analysts in the Division of Insurance and Research (DIR) also rely on information in the ViSION system to perform insurance-related functions, such as analyzing trends in the banking industry and calculating deposit insurance assessment rates for financial institutions.


1 NFE is the FDICís financial management system, which is managed by DOF.











Key Supervisory Information Accessed Through the ViSION System

Key supervisory information accessed through the ViSION system includes: (1) financial institution examination ratings (examination ratings); (2) Bank Secrecy Act (BSA) of 1970 examination information (BSA examinations) reported to the Department of the Treasury; (3) safety and soundness Reports of Examination (ROE); and (4) ROE processing dates used to monitor examination frequency and determine deposit insurance assessments for financial institutions. Our audit focused on assessing the reliability of information in these four areas because of their criticality to the success of the FDICís insurance and supervision programs. A brief description of each area follows.

  • Examination Ratings. Pursuant to the Uniform Financial Institutions Rating System, federal and state regulatory agencies assign examination ratings to financial institutions based on the results of safety and soundness examinations and other supervisory activities. Examination ratings consist of a composite rating reflecting the institutionís overall financial condition and operations and six component ratings pertaining to the institutionís capital, assets, management, earnings, liquidity, and sensitivity to market risk (collectively referred to as CAMELS ratings).2 DSC personnel manually enter composite and component ratings for all FDIC-insured financial institutions into the ViSION system, which is the Corporationís system of record for examination ratings. The reliability of examination ratings is critical because they are used by the FDIC and other regulatory agencies to focus supervisory attention on institutions experiencing financial and operational weaknesses and to monitor safety and soundness trends throughout the financial industry. Examination ratings are also used in calculating deposit insurance assessments charged to financial institutions.
  • BSA Examinations. Congress enacted BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity. BSA requires financial institutions to assist government agencies in this regard by maintaining appropriate records and filing certain reports that can be used in criminal, tax, or regulatory investigations or proceedings. Under the Act, the FDIC is authorized to examine financial institutions for BSA compliance and refer significant violations and deficiencies to the Department of the Treasury (the Treasury). The FDIC and state regulatory agencies examine financial institutions for BSA compliance in conjunction with safety and soundness examinations. DSC personnel manually enter the results of BSA examinations, including the number and type of violations and enforcements actions (if any), into the ViSION system. To facilitate this process, DSC has established codes in the ViSION system that correspond to specific types of BSA violations and enforcement actions. DSC uses information in the ViSION system to report BSA examination information to the Treasury.

2 Composite and component ratings are assigned on a scale of 1 to 5, with 1 representing the highest rating and least degree of supervisory concern and 5 representing the lowest rating and greatest degree of supervisory concern.



2




  • Safety and Soundness ROEs. Users of the ViSION system can access ROEs pertaining to FDIC-supervised financial institutions through a system component called the ROE module. The ROE module links users of the ViSION system to a separate standalone system called the Interagency Examination Repository (IER), which is used by FDIC and state examiners to store and access electronic copies of completed safety and soundness ROEs. FDIC and state examination personnel enter ROEs into the IER using a combination of manual and automated processes. DSC intended for the IER to promote efficiencies in the off-site monitoring of financial institutions. However, as discussed later in this report, concerns regarding the reliability of information in the IER require DSC to rely instead on hard copy ROEs as the system of records for examinations.
  • ROE Processing Dates. Our audit focused on three ROE processing dates that the FDIC uses to monitor examination frequency and determine deposit insurance assessment rates for financial institutions. All three dates, which are manually entered into the ViSION system by DSC personnel, are described below.
    • Examination Start Date. The date that the FDIC examination team begins the on-site examination. DSC uses this date (along with the examination completion date described below) to monitor compliance with regulatory requirements concerning the length of time between examinations.
    • Examination Completion Date. The date that the FDIC examination team completes the examination and submits the ROE for supervisory review.
    • Examination Mail Date. The date that the federal or state regulatory agency mails the completed ROE to the financial institution. DIR uses the examination mail date (also referred to as the ďtransmittal dateĒ) to determine when deposit insurance assessment pricing changes become effective for financial institutions.3

The FDIC has established a Data Stewardship Program4 to enable the Corporation to, among other things, ensure the usefulness, accuracy, timeliness, and accessibility of corporate data. Under the program, divisions and offices designate subject matter experts (SME) who are responsible for preserving the accuracy of data entered into application systems and databases. Within DSC, personnel in the Technology Supervision Branch serve as SMEs for the ViSION system.


3 FDIC Rules and Regulations Part 327.4, Assessment Rates, describes circumstances in which the effective date for determining deposit insurance assessment pricing can be different than the examination mail date. Such circumstances include, for example, situations in which the FDIC disagrees with a financial institution examination rating assigned by another regulatory agency and determines that a rating change is warranted.
4 FDIC Circular 1301.3, Data Stewardship Program, dated September 4, 2001.



3




Assessing the Reliability of Key Supervisory Information

We used the Government Accountability Officeís (GAO) October 2002 publication entitled, Assessing the Reliability of Computer-Processed Data, as the overarching criteria for assessing the reliability of supervisory information accessed through the ViSION system. The publication states that computer-processed data are reliable when they are accurate (i.e., they reflect the data entered at the source or in the source documents) and complete (i.e., they contain all relevant data elements and records). Based on a random sample of 75 financial institutions for which the FDIC is the primary federal regulator, we verified key supervisory information accessed through the ViSION system to source documentation, such as hard copy safety and soundness ROEs.

RESULTS OF AUDIT

Supervisory information accessed through the ViSION system pertaining to examination ratings, BSA examinations, safety and soundness ROEs, and ROE processing dates was not fully reliable for the 75 financial institutions that we sampled. Specifically, examination ratings and BSA examinations were generally reliable, with some exceptions. Safety and soundness ROEs were not reliable for 33 of the 75 institutions, and ROE processing dates were not reliable for 10 of the 75 institutions. Unreliable information accessed through the ViSION system can limit the efficiencies that the FDIC intended to achieve through automation such as accurate, timely, and consistent data used for off-site monitoring of financial institutions. In addition, because ROE processing dates are used in determining deposit insurance assessments, the reliability of those dates is critical to ensuring the integrity of premiums charged to insured financial institutions. Unreliable ROE processing dates resulted in 1 of 75 sampled institutions being significantly undercharged ($3,050, or about 10 percent) on one of its quarterly deposit insurance assessments.

ASSESSMENT OF KEY SUPERVISORY INFORMATION ACCESSED THROUGH THE VISION SYSTEM

As reflected in Table 1 below, supervisory information accessed through the ViSION system pertaining to examination ratings, BSA examinations, safety and soundness ROEs, and ROE processing dates was not fully reliable for the 75 financial institutions that we sampled. Unreliable information accessed through the ViSION system can limit the efficiencies, such as accurate, timely, and consistent data used for off-site monitoring of financial institutions, that the FDIC intended to achieve through automation. In addition, because ROE processing dates are used in determining deposit insurance assessments, the reliability of those dates is critical to ensuring the integrity of premiums charged to insured financial institutions.



4




Table 1. Reliability of Key Supervisory Information for 75 Sampled Institutions
Institution Information as of May 28, 2008 Examination Ratings BSA Examinations Safety and Soundness ROEs ROE Processing Dates
Reliable 73 73 42 65
Unreliable 2 2 33 10
Total Institutions 75 75 75 75
Source: Analysis of information in the ViSION system, hard copy ROEs, and discussions with DSC officials.

Examination Ratings

DSCís Risk Management Examination Manual states that examination ratings are used by regulators to evaluate the safety and soundness of financial institutions and to identify those institutions requiring special supervisory attention or concern. In addition, FDIC Circular 4700.1, Risk Related Premium System, dated June 7, 2007, states that maintaining accurate and complete examination ratings in the ViSION system is ďextremely importantĒ because the ratings are used in calculating deposit insurance assessments for financial institutions. Due to erroneous data entry, the ViSION system contained inaccurate component ratings for 2 of the 75 financial institutions that we sampled. We brought these inaccuracies to the attention of DSC officials during our audit, and the ratings were corrected in the ViSION system. The inaccurate ratings resulted in a slight undercharge (less than $15.00) for one institution on its 4th quarter 2007 deposit insurance assessment.

BSA Examinations

Under the terms of a Memorandum of Understanding between the Federal Banking Agencies (FBA)5 and the Treasuryís Financial Crimes Enforcement Network (FinCEN), the FDIC is required to report information to FinCEN on the BSA examinations the Corporation conducts or reviews. Information typically reported includes, for example, the number of BSA examinations conducted, the number and type of BSA violations identified, and the type of BSA enforcement actions taken. DSC Regional Director Memorandum 03-048, Bank Secrecy Act Examination Violations Codes, dated October 20, 2003, states that information in the ViSION system is used to fulfill the FDICís obligation to report BSA violations to FinCEN. The ViSION system did not contain all relevant BSA information for 2 of the 75 financial institutions that we sampled.






5 The FBAs are the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.



5




For one institution, the system did not contain a BSA violation cited in the safety and soundness ROE because DSC had not developed a violation code to track the specific type of violation cited.6 As a result, DSC did not include this violation in its BSA reporting to FinCEN. For the remaining institution, the ViSION system contained some, but not all, pertinent BSA information due to an oversight. Specifically, the BSA module in the ViSION system did not contain information regarding whether a BSA examination had been conducted or whether BSA violations had been identified for that institution.

Safety and Soundness ROEs

DSC Regional Director Memorandum 03-023, Integrity of Data Stored in the Interagency Examination Repository, dated July 1, 2003, emphasizes the importance of maintaining reliable ROEs in the IER to facilitate the off-site analysis of financial institutions. (As previously discussed, users of the ViSION system can access ROEs stored in the IER through a link in the system called the ROE module.) ROEs were not accessible through the ViSION system for 19 (25 percent) of the 75 financial institutions that we sampled. In addition, 14 (25 percent) of the 56 ROEs that were accessible through the ViSION system were draft versions of the final ROEs that did not reflect changes made during the supervisory review process.7 DSC officials informed us that they had identified data reliability concerns with ROEs stored in the IER prior to our audit and attributed these concerns to two principal factors:

  • Electronic ROEs Not Submitted by State Regulatory Agencies. Although information on all state regulatory agencies was not available at the time of our audit, a DSC official provided information indicating that 10 state regulatory agencies do not upload electronic ROEs to the IER for the examinations they conduct. In general, these regulators do not upload ROEs because of past technical problems experienced with the IER. For example, in January 2008, the FDIC advised state regulatory agencies to discontinue uploading ROEs to the IER for 6 weeks to allow for the correction of a system configuration problem. Thirteen of the 19 ROEs in our sample that were not accessible through the ViSION system had been prepared by state regulatory agencies.
  • Controls Over the Collection, Processing, and Upload of Electronic ROEs. DSC officials indicated that controls for collecting, processing, and uploading ROEs to the IER do not ensure that final ROEs are entered into the system. Current practices for collecting, processing, and uploading ROEs to the IER vary among the FDICís regional and field offices, involve multiple steps requiring coordination among DSC and Division of Information Technology (DIT) personnel, and are dependent on electronic ROE files being named properly. DSC is currently working on a multi-year project to improve its processes and technology for collecting, processing, and uploading ROEs to the IER.

6 The ROE states that the institution had not completed its Suspicious Activity Reports (SAR) correctly. A DSC official advised us that although the ViSION system contains a BSA violation code for failure to file a SAR, it does not contain a code for an incorrectly filed SAR because this type of violation is infrequently cited by examiners.
7 Such changes included, for example, modifications of component ratings and financial ratios and the addition of report sections or narrative describing examination results.



6




DSC officials informed us that, when fully implemented, these control improvements will significantly increase the reliability of ROE information in the IER.

ROE Processing Dates

The DSC Risk Management Manual of Examination Policies states that the examination start date and examination completion date are used to monitor compliance with regulatory requirements concerning the length of time between examinations. Circular 4700.1 states that it is ďextremely importantĒ for the examination mail date in the ViSION system to be accurate and complete because the Risk Related Premium System (RRPS)8 uses this date to determine when deposit insurance assessment pricing changes become effective for financial institutions. The ViSION system contained unreliable ROE processing dates for 10 of the 75 financial institutions that we sampled. Specifically, the system contained inaccurate examination start dates for two institutions, an inaccurate examination completion date for one institution, and inaccurate or incomplete mail dates for eight institutions.9 Generally, these dates were off by a range of a few days to approximately 1 month. Unreliable ROE processing dates were principally caused by erroneous data entry.

Unreliable examination start and completion dates did not negatively impact DSCís examination schedules for the institutions we reviewed. However, unreliable examination mail dates affected the accuracy of deposit insurance assessments for three FDIC-insured financial institutions. One of the institutions was undercharged $3,050 (about 10 percent of the institutionís fourth quarter 2007 deposit insurance assessment). The monetary errors for the other two institutions were immaterial. Unreliable examination mail dates had no effect on the deposit insurance assessments of the remaining five institutions for two principal reasons: (1) the manner in which the FDIC calculated insurance assessments prior to the implementation of deposit insurance reform legislation differs from current practices and (2) examination ratings, which are a key factor in determining assessments, were substantially the same between the prior and current examinations for some of the institutions. See Appendix 2 for more detailed information regarding how examination mail dates can affect deposit insurance assessments for FDIC-insured financial institutions.


8 RRPS is the FDICís system of record for assigning risk categories and deposit insurance assessment rates to FDIC-insured financial institutions. RRPS is a module of the ViSION system.
9 One institution had both an inaccurate examination start and mail date. The examination start date for one institution was inaccurate by 7 days and by 30 days for the remaining institution. The inaccurate examination completion date was inaccurate by 3 days. The ViSION system did not contain an examination mail date for three institutions, and the remaining five institutions had examination mail dates that were inaccurate by 3 to 32 days.



7




Strengthening the Reliability of Key Supervisory Information

GAOís November 1999 publication entitled, Standards for Internal Control in the Federal Government, identifies a number of internal control activities that organizations can consider implementing to promote accurate and complete computer-processed data. Such internal control activities include, for example, data edit checks, verifications, and reconciliations. According to the publication, organizations should design and implement internal control activities based on related costs and benefits. In this context, organizations may, based on an assessment of risk, determine that data are reliable even though they are not error free. Within the FDIC, the Division of Resolutions and Receiverships (DRR) took such an approach when it established a formal Data Quality Program in September 2005 to ensure ďhighly reliable and accurate dataĒ within its priority IT systems.10 Under the program, critical data elements within DRRís priority IT systems are considered reliable if they demonstrate an accuracy rate of 90 percent or better based on data quality testing.

DSC has taken steps to promote the reliability of information accessed through the ViSION system. Such steps include designating SMEs for the ViSION system and periodically assessing the reliability of information accessed through the ViSION system during the divisionís internal reviews. However, DSC can improve the reliability of supervisory information accessed through the ViSION system by conducting an assessment of such information to determine an acceptable data accuracy rate. Establishing a data accuracy rate based on an assessment of relevant risks, costs, and benefits can provide DSC a basis for designing and implementing controls over the reliability of information accessed through the ViSION system that are efficient and effective.

Recommendation Related to ViSION System Information Reliability

We recommend that the Director, DSC, conduct an assessment of supervisory information accessed through the ViSION system in order to define an acceptable accuracy rate and define controls and responsibilities over the reliability of supervisory information consistent with the results of the assessment.

CORPORATION COMMENTS AND OIG EVALUATION

On September 16, 2008, the Director, DSC, provided a written response to the draft of this report. Managementís response is presented in its entirety in Appendix 3 of this report. In its response, DSC concurred with the recommendation and outlined its planned corrective actions.


10 DRR Circular 4360.14, Data Quality Program, dated October 30, 2005. The circular defines priority IT systems as any manual or automated system maintained by DRR for the storage and retrieval of information that is designated as such by the Deputy Director, DRR .


8




To address the recommendation, DSC will conduct a risk-based assessment of supervisory information accessed in ViSION to formalize acceptable data accuracy rates and to refine and clarify controls and responsibilities for monitoring data accuracy. These actions will be completed by June 30, 2009.

A summary of managementís response to the recommendation is in Appendix 4 of this report. DSCís planned actions are responsive to our recommendation. The recommendation is resolved but will remain open until we determine that the agreed-to corrective actions have been completed and are responsive.





























9



APPENDIX 1

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of the audit was to assess the reliability of key supervisory information accessed through the ViSION system. We performed the work because supervisory information accessible through the ViSION system is important to the success of the FDICís insurance and supervision programs. We conducted this performance audit from March through August 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Scope and Methodology

We limited the scope of the audit to assessing the reliability of supervisory information accessed through the ViSION system pertaining to examination ratings, BSA examinations, safety and soundness ROEs, and ROE processing dates. We based our assessment on a random sample of 75 (or 1.5 percent) of 5,075 financial institutions for which the FDIC was the primary federal regulator on April 3, 2008. Examinations for 37 of the 75 financial institutions were conducted by state regulatory agencies, and examinations for the remaining 38 institutions were conducted by the FDIC. The examinations we reviewed were conducted during the period July 2006 through April 2008. We considered the information we assessed to be reliable if it was accurate and complete as described in GAOís publication entitled, Assessing the Reliability of Computer Processed Data.

To accomplish our objective, we:

  • Interviewed DSC and DIT officials in the FDICís Washington, D.C., area offices and selected regional and field offices to identify key supervisory information accessed through the ViSION system and to obtain an understanding of how this information is used to support the FDICís supervision and insurance programs.
  • Assessed the reliability of key supervisory information accessible through the ViSION system as of May 28, 2008. For each institution, we compared key supervisory information to source documentation, such as hard copy ROEs, report transmittal memorandums, and BSA data entry forms, for the institutionís most recently completed safety and soundness and BSA examinations. Additionally, we considered relevant information obtained during interviews with DSC and DIT personnel, particularly when discrepancies were identified through our comparisons.


10


APPENDIX 1


  • Reviewed the results of relevant data quality assurance work conducted by DSCís Internal Control and Review Section as part of its field territory and regional office reviews.
  • Worked with a DIR representative to assess the effect that unreliable examination ratings and ROE processing dates had on the deposit insurance assessments of the financial institutions we sampled.
  • Reviewed relevant provisions of FDIC policies, procedures, and guidelines including:
    • The DSC Risk Management Manual of Examination Policies, dated December 2004
    • The Case Manager Procedures Manual, dated April 2004
    • Circular 4700.1, Risk Related Premium System, dated June 6, 2007
    • Circular 1301.3, Data Stewardship Program, dated September 4, 2001
    • DSC Regional Director Memorandum 03-023, Integrity of Data in the Interagency Examination Repository, dated July 1, 2003
    • DSC Regional Director Memorandum 03-048, Bank Secrecy Act Examination Violation Codes, dated October 20, 2005
    • DSC Regional Director Memorandum 05-039, Relationship Manager Program Implementation, dated September 30, 2005
    • FDIC Financial Institution Letter (FIL) 90-2003, Deposit Insurance Assessments, dated November 28, 2003
    • FIL 90-2007, Examination Cycle, dated October 24, 2007
    • DRR Circular 4360.14, Data Quality Program, dated September 30, 2005

Internal Control

We assessed the FDICís internal controls designed to ensure the reliability of key supervisory information accessed through the ViSION system. Such controls included relevant FDIC policies, procedures, and guidelines; the role of SMEs in maintaining reliable information in the ViSION system and IER; and DSCís practices for entering and maintaining key supervisory information into the ViSION system and IER. Also, we considered relevant data quality assurance work conducted by DSCís Internal Control and Review Section as part of their field territory and regional office reviews.



11


APPENDIX 1


Reliance on Computer-processed Information

We relied on information in the ViSION system to identify the total number of examined financial institutions for which the FDIC was the primary federal regulator as of April 3, 2008. We used this information as our universe in selecting a random sample of 75 financial institutions for detailed analysis. To assure ourselves that the total number of FDIC-supervised institutions in the ViSION system was sufficiently reliable, we compared this information to a listing of FDIC-supervised financial institutions in the FDICís Institution Directory system as of April 3, 2008 and to information included in the FDICís 2007 annual report to the Congress. Further, we spoke with DSC officials to obtain their views on the integrity of the information and to discuss the manner in which we were planning to use it. We performed tests of the reliability of ViSION data in order to accomplish our audit objective.

Performance Measurement

We reviewed the FDICís 2005-2010 Strategic Plan, 2008 Annual Performance Plan, 2008 Corporate Performance Objectives, and 2007 Annual Report and found that they did not contain goals, objectives, or performance measures that were specifically relevant to our audit.

Compliance With Laws and Regulations

We considered the following laws and regulations in determining the supervisory information to be assessed during the audit. Evaluation of compliance with these laws and regulations was not significant to the audit objective.

  • Section 10(d) of the Federal Deposit Insurance Act (the FDI Act) Ė DSC uses the examination start and complete dates recorded in the ViSION system to schedule examinations in order to meet the examination frequency requirements of this section.
  • 31 Code of Federal Regulations (C.F.R.) Part 103, Section 103.56 Ė Section 31 C.F.R. 103.56(e) requires the FDIC to periodically provide specific violations of 31 C.F.R. 103 (BSA) as well as apparent violations of FDIC Rules and Regulations Part 326, Subpart B, to the Assistant Secretary of the Treasury. DSC relies on ViSION data to compile its report to the Treasury.
  • 12 C.F.R. Part 327 Ė The FDIC relies on examination ratings and examination mail dates in the ViSION system when computing deposit insurance assessments to be charged to insured financial institutions.


12


APPENDIX 1


Additionally, we assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.

Prior Coverage

We considered the following reports previously issued by the FDIC OIG in planning and conducting our work:

  • Audit Report No. 04-017, Supervisory Actions Taken for Bank Secrecy Act Violations, dated March 2004. The objective of the audit was to determine whether the FDIC adequately follows up on BSA violations identified during examinations of FDIC-supervised financial institutions and ensures appropriate corrective actions are taken. The audit report stated that the FDIC had not ensured that all identified BSA violations were included and tracked in the ViSION system. Accordingly, the FDIC had not ensured complete reporting to the Treasury. The report recommended that the Director, DSC, re-evaluate and update examination guidance to strengthen the monitoring and follow-up processes for BSA violations, including consistent citation and recordation of all apparent violations in safety and soundness ROEs and the ViSION system.
  • Audit Report No. 04-027, FDICís Virtual Supervisory Information on the Net Application, dated July 2004. The objective of the audit was to determine whether controls over the ViSION systemís operational components, including modules implemented through Phase III, were adequate. The audit identified some discrepancies between certain data in the ViSION system and hard copy ROEs. The audit report recommended that the Director, DSC, establish a data quality review process to periodically check for discrepancies between the ViSION system and the ROE. DSC agreed to incorporate such data quality reviews into its field territory reviews.














13



APPENDIX 2

ROLE OF EXAMINATION MAIL DATES IN CALCULATING
DEPOSIT INSURANCE ASSESSMENTS

On November 2, 2006, the FDICís Board of Directors adopted a final rule on deposit insurance assessments as part of the implementation of the Federal Deposit Insurance Reform Act of 2005. Under the rule, the FDIC charges insured financial institutions quarterly insurance assessments based on the risk that the institutions pose to the Deposit Insurance Fund. In general, the FDIC calculates an institutionís quarterly insurance assessment by multiplying the institutionís assessable base amount by its risk-based assessment rate. The assessable base amount is the sum of the institutionís deposit liabilities (less permissible exclusions) derived from information contained in the institutionís Report of Condition and Income (Call Report) or Thrift Financial Report (TFR). The risk-based assessment rate is a number expressed in basis points that is derived from the institutionís risk assignment provided by the FDIC. An institution's risk assignment consists of four categories and is determined using various information, such as examination ratings, financial ratios from Call Reports and TFRs, and long-term debt issuer ratings for institutions that have them.

According to FDIC Rules and Regulations Part 327, Assessments:

Changes to an institutionís risk assignment resulting from a supervisory ratings change become effective as of the date of written notification to the institution [i.e., the examination mail date] by its primary federal regulator or state authority of its supervisory rating (even when the CAMELS component ratings have not been disclosed to the institution), if the FDIC, after taking into account other information that could affect the rating, agrees with the rating. If the FDIC does not agree, changes to an institutionís risk assignment become effective as of the date that the FDIC determines that a change in the supervisory rating is warranted.

FDIC Circular 4700.1, Risk Related Premium System, dated June 6, 2007, states, ďIt continues to be extremely important to maintain accurate and complete FDIC database records relating to the assignment of CAMELS ratings and the date those ratings were transmitted to the institution. These records are used by RRPS to calculate the assessment rate.Ē The circular also states, ďcase managers must now enter the date of the transmittal letters completed by state authorities for State-only examinations in ViSION, as the transmittal date is the date pricing changes become effective.Ē

OIG Analysis of Examination Mail Dates in the ViSION System

The ViSION system contained inaccurate or incomplete examination mail dates for 8 of the 75 financial institutions we sampled. Table 2 on the following page provides a summary of the unreliable examination mail dates we identified in the ViSION system.



14


APPENDIX 2


Table 2: Unreliable Examination Mail Dates in the ViSION System
Financial Institution Agency Performing the Examination Examination Mail Date in the ViSION System Examination Mail Date on the ROE Transmittal Memo Variance
A State Blank 8/25/2006 N/A
B State Blank 9/20/2006 N/A
C State Blank 11/3/2006 N/A
D State 7/5/2007 6/19/2007 16 days
E State 8/17/2007 7/16/2007 32 days
F FDIC 9/21/2007 9/24/2007 3 days
G State 12/6/2007 11/6/2007 30 days
H State 12/18/2007 11/26/2007 22 days
Source: OIG analysis of information in the ViSION system and hard copy transmittal memorandums.

We requested that a DIR analyst review the examination mail dates contained in Table 2 to determine whether the unreliable data had an effect on deposit insurance premiums charged by the Corporation. The analyst concluded that the three blank examination mail dates had no effect on deposit insurance premiums due to the manner in which the Corporation calculated assessments prior to the implementation of deposit insurance reform legislation. The analyst also concluded that inaccurate examination mail dates had no effect on the deposit insurance premiums charged to institutions F and G because the current examination ratings for these institutions were substantially the same as in the prior examinations. Further, the analyst concluded that inaccurate examination mail dates had at least some effect on the deposit insurance premiums for institutions D, E, and H because the current examination ratings for these institutions changed from the prior examinations. Based on information provided by the DIR analyst, we calculated the effect that inaccurate examination mail dates had on the premiums charged to institutions D, E, and H. Table 3 summarizes the results of our calculations.

Table 3: Effects of Unreliable Examination Mail Dates on Insurance Assessments
Financial Institution Percentage of Quarterly Assessment that Was Not Correct Dollar Amount of Quarterly Assessment That Was Not Correct
D 0.06 % $6.00
E 0.40 % ($94.00)*
H 9.60 % ($3,050.00)
Total N/A ($3,138.00)
Source: OIG analysis of information provided by DIR.
*Parenthetical figures represent undercharges to financial institutions on their quarterly assessments.


15


APPENDIX 3

CORPORATION COMMENTS


DATE: September 16, 2008
 
MEMORANDUM TO:Russell A. Rau
Assistant Inspector General for Audits
 
FROM:Sandra L. Thompson[Electronically produced version; original signed by Sandra L. Thompson]
Director
 
SUBJECT:Response to Draft Report Entitled,Reliabilty of Supervisory Information Accessed Through the ViSION System (Assignment No. 2008-013)
 

The Division of Supervision and Consumer Protection (DSC) has read the subject report and appreciates your finding that DSC has "taken steps to promote the reliability of information accessed through the ViSION system." As you note in your report, DSC is engaged in a comprehensive effort to improve the usefulness and reliability of the Interagency Examination Report (lER) repository. This effort is representative of our strong commitment to data integrity and continual system improvement with the collaboration of our interagency partners.

Your recommendation and DSC's response follows:

Recommendation

We recommend that the Director, DSC, conduct an assessment of supervisory information accessed through the ViSION system in order to define an acceptable accuracy rate and define controls and responsibilities over the reliability of supervisory information consistent with the results of the assessment.

DRR Response

DSC concurs. We will conduct a risk-based assessment of the supervisory information accessed in ViSION, to formalize acceptable data accuracy rates, and to refine and clarify controls and responsibilities for monitoring data accuracy. These actions will be completed by June 30, 2009.












16



APPENDIX 4

MANAGEMENT RESPONSE TO RECOMMENDATIONS


This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.

Corrective Action: Taken or Planned for the recommendation Expected Completion Date Monetary Benefits Resolved:a Yes or No Open or Closedb
DSC will conduct a risk-based assessment of the supervisory information accessed in ViSION to formalize acceptable data accuracy rates and to refine and clarify controls and responsibilities for monitoring data accuracy. 6/30/2009 NA Yes Open
a Resolved Ė (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
b Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.












17


APPENDIX 5

ACRONYMS USED IN THE REPORT


BSA Bank Secrecy Act
CAMELS Capital Adequacy, Asset Quality, Management, Earnings, Liquidity, Sensitivity to Market Risk
C.F.R. Code of Federal Regulations
DIR Division of Insurance and Research
DIT Division of Information Technology
DRR Division of Resolutions and Receiverships
DSC Division of Supervision and Consumer Protection
FBA Federal Banking Agency
FDI Federal Deposit Insurance
FIL Financial Institution Letter
FinCEN Financial Crimes Enforcement Network
GAO Government Accountability Office
IER Interagency Examination Repository
IT Information Technology
OIG Office of Inspector General
OMB Office of Management and Budget
ROE Report of Examination
RRPS Risk Related Premium System
SAR Suspicious Activity Report
SME Subject Matter Expert
TFR Thrift Financial Report
ViSION Virtual Supervisory Information on the Net




18


Last updated 1/13/2009