United States Department of State and the Broadcasting Board of Governors, Inspector General



The Honorable Jon T. Rymer
Inspector General
Federal Deposit Insurance Corporation
3501 N. Fairfax Drive, Room E9070
Arlington,VA 22226

Subject: Report on the External Quality Control Review of the Federal Deposit Insurance Corporation's Inspector General Audit Organization

Dear Mr. Rymer:

The enclosed report presents the results of the Department of State, Office of Inspector General's (DOS 01G) external quality control review of the Federal Deposit Insurance Corporation, Office of Inspector General, Office of Audits. Your response to the draft report is included as Appendix C, and excerpts and the DOS OIG's position are incorporated into the relevant sections of the report.

DOS OIG agrees with your proposed corrective actions to the recommendations. DOS OIG thanks you and your staff for the assistance and cooperation provided during the review. If you have any questions, please contact me at (202) 663-0361 or have your staff contact Mark W. Duda, Assistant Inspector General for Audits, at (202) 663-0372.

Sincerely,

    [Electronically produced version; original signed by Howard J. Krongard]

Howard J. Krongard
Inspector General



Enclosure: As stated.









UNCLASSIFIED, United States Department of State and the Broadcasting Board of Governors Offi ce of Inspector General Office of Audit, Report on the External Quality Control Review of the Federal Deposit Insurance Corporation’s Inspector General Audit Organization




UNCLASSIFIED


INTRODUCTION

The Department of State, Office of Inspector General (DOS OIG), Office of Audits reviewed the system of quality control for the audit function of the Federal Deposit Insurance Corporation, Office of Inspector General (FDIC OIG) in effect for the year ended March 31, 2007. A system of quality control encompasses the organizational structure and the policies adopted and procedures established to provide an OIG with reasonable assurance of conforming with generally accepted government auditing standards (GAGAS). The elements of quality control are described in Government Auditing Standards 2003 Revision, promulgated by the Comptroller General of the United States. The design of the system, and compliance with it in all material respects, are the responsibility of the FDIC OIG. DOS OIG’s objective was to determine whether the internal quality control system was adequate as designed and complied with to provide reasonable assurance that applicable auditing standards, policies, and procedures were met. DOS OIG’s responsibility was to express an opinion on the design of and the FDIC OIG’s compliance with the system based on this review.

The review was conducted in accordance with the guidelines established by the President’s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. In performing the review, DOS OIG obtained an understanding of the system of quality control for the FDIC OIG. In addition, DOS OIG tested compliance with the FDIC OIG’s quality control policies and procedures to the extent considered appropriate. These tests included the application of the FDIC OIG’s policies and procedures on selected audits. Because this review was based on selective tests, it would not necessarily disclose all weaknesses in the system of quality control or all instances of lack of compliance with it. Nevertheless, DOS OIG believes that the procedures it performed provide a reasonable basis for its opinion.

Because there are inherent limitations in the effectiveness of any system of quality control, departures from the system may occur and not be detected. Also, projection of any evaluation of a system of quality control to future periods is subject to risk that the system of quality control may become inadequate because of changes in conditions or because the degree of compliance with the policies or procedures may deteriorate.

In DOS OIG’s opinion, the system of quality control for the audit function of the FDIC OIG in effect for the year ended March 31, 2007, was designed to meet the requirements of the quality control standards established by the Comptroller General for a federal government audit organization. In addition, the system of quality control was complied with during the period reviewed to provide FDIC OIG with reasonable assurance of conforming with applicable auditing standards, policies, and procedures.

From its review, DOS OIG has the following findings and recommendations that should improve the FDIC OIG’s compliance with GAGAS and its internal audit policies and procedures. These findings are not of sufficient significance to affect the DOS OIG’s overall unmodified opinion. However, FDIC OIG needs to continue its diligence to maintain an effective quality control system. Implementing the recommendations would improve the quality control system and help to maintain an unmodified opinion. These matters are discussed in the findings and recommendations that follow.

The background, scope, and methodology for this review can be found in Appendix A; general comments regarding FDIC OIG are in Appendix B; and FDIC OIG’s comments are in Appendix C.



UNCLASSIFIED


FINDINGS AND RECOMMENDATIONS

POLICIES AND PROCEDURES

DOS OIG reviewed the FDIC OIG’s Office of Audits (OA) policies and procedures and found that they were generally adequate for ensuring compliance with GAGAS. This work entailed a comprehensive review of the policies and procedures in such areas as professional judgment, competence, audit planning, supervision, evidence and audit documentation, the final report, and the quality control process. DOS OIG’s review disclosed that the policies and procedures pertaining to personal and external impairments to independence should be strengthened.

GAGAS 3.49 and 3.50 require audit organizations to have policies and procedures that establish internal guidance for audits and attestation engagements. OA’s Office of the Assistant Inspector General for Audits (AIGA) is responsible for developing policies and procedures to ensure that audit engagements comply with GAGAS. The policies and procedures pertaining to the general standard of independence include the FDIC OIG’s Policies and Procedures Manual and other advisories and administrative notices in effect during the scope of this review. These policies and procedures, however, need strengthening with respect to personal and external impairments to independence.

Personal Impairments to Independence

The Policies and Procedures Manual requires the immediate notification of the supervisor in the event of a personal impairment to independence, but this guidance is incomplete. The manual lacks guidance on the supervisor’s specific duties to report and resolve personal impairments as well as the repercussions to staff for failure to report such impairments.

The personal impairment of staff members, per GAGAS 3.07, results from relationships and beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Although the Policies and Procedures Manual requires all staff members to immediately notify their supervisor if they have any personal impairments to independence, it does not specify how supervisors are to report and resolve impairments. GAGAS 3.07 and 3.09 require audit organizations to maintain independence and resolve personal impairments promptly; however, the lack of specific OA guidance hampers such efforts. Although no personal impairments were identified during the review, improved guidance for reporting and resolving personal impairments if they occur is needed to preclude any possible adverse impact on independence.

Additionally, the Policies and Procedures Manual states that “failure to properly disclose impairments to independence during an assignment can lead to disciplinary actions.” The OA also has mechanisms to ensure that its staff is aware of these responsibilities. The manual, however, does not elaborate on this disciplinary mechanism and the actions that could be taken against staff members who fail to report a personal impairment. Although this review did not identify any personal impairments, guidance is needed to strengthen OA policies and procedures.

External Impairments to Independence

The Policies and Procedures Manual guidance on external impairments to independence is incomplete. OA only recently addressed the topic, and the manual still does not delineate how staff should report and resolve an external impairment.

External impairments, according to GAGAS 3.19, occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations. Additionally, GAGAS 3.20 states that an audit organization’s internal quality control system “should include internal policies and procedures for reporting and resolving external impairments.”

However, the Policies and Procedures Manual guidance on external impairments is incomplete. In fact, external impairments were not addressed at all until the 2006 revision of the guidance for policies 300.1 4a (1) (d) and 300.1 5 (b) and (c). Policy 300.1 4a (1) (d) addresses identifying external impairments, but only for reporting and resolving such impairments that are a result of denial of access to information. Policies 300.1 5 (b) and (c) state that directors and associate directors are to report any external impairments – not only those that are a result of denial of access to information – to the AIGA, and the AIGA is to report external impairments to the Inspector General and the deputy inspector general. The policies do not include guidance to the staff for reporting or resolving external impairments. No external impairments were identified during the review; however, additional guidance is needed to ensure that staff is aware of how to report and resolve external impairments that could adversely affect an auditor’s independence.


Recommendation 1: The FDIC Inspector General should require the assistant inspector general for audits to ensure that the Policies and Procedures Manual contains adequate guidance on (a) reporting and resolving personal impairments, (b) identifying the disciplinary mechanism and actions that could be taken if personal impairments are not reported, and (c) reporting and resolving external impairments.

In its comments to the draft report, FDIC OIG officials said that they will add the recommended guidance to the Policies and Procedures Manual to reflect the Government Auditing Standards July 2007 revision. FDIC OIG anticipates the corrective action will be completed by February 29, 2008.

REQUIRED WORKING PAPER DOCUMENTATION

DOS OIG performed a review of five randomly selected audits conducted by FDIC OIG and found that working paper documentation was generally adequate and in conformance with GAGAS and the Policies and Procedures Manual. This extensive and detailed review covered various stages of the audit process, including planning and implementation.

For example, specific areas of planning that DOS OIG reviewed included whether the audit plan defined the objectives of the audit, provided for the collection and analysis of sufficient background data, provided for the identification and testing of compliance with legal and regulatory requirements, and provided for an assessment of internal controls. Implementation areas of review included whether the audit documentation adequately supported the universe, sampling plan, and sampling criteria; the auditors obtained evidence about the reliability of the data used from computer-based systems, if data were significant to the audit findings; the auditors performed sufficient tests to determine the adequacy of the auditee’s internal control system; and the auditors adequately tested for violations and noncompliance with legal and regulatory requirements, if significant to the audit objective.

DOS OIG concluded that the above and other areas were adequate for ensuring compliance with GAGAS. However, this review did disclose some areas in need of improvement; namely, approving, indexing, and updating the audit plan; completing the statement of non-conflict of interest; completing the statement of purpose, source, scope, and conclusion (PSSC); and completing the required checklists and certifications. Compliance with the appropriate sections of GAGAS and the Policies and Procedures Manual will remedy these problems.

Audit Plan

This review found some problems with the audit plan. Areas in need of improvement included approving, indexing, and updating the plan.

The Policies and Procedures Manual states that the audit plan should be approved by the directors in OA and documented in the assignment working papers before the start of fieldwork. The policy also requires that the audit steps be indexed to the supporting assignment documentation and the program modified if major changes occur in the scope.

For three of the five audits sampled, the audit plan needed improvement in these areas. For all three of these audits, the audit plan was approved after the fieldwork start date, the program was not indexed to the supporting documentation in TeamMate, and the audit steps were not signed off by the audit staff as completed.1 Additionally, there was an instance where the audit plan was not updated to include additional work performed.

Statement of Non-Conflict of Interest

FDIC requires all audit staff to certify each year that they understand GAGAS requirements and FDIC policies and procedures regarding independence. However, documentation on whether staff had any personal impairments to independence was not always provided in the working papers by all staff assigned to audits, as required by the Policies and Procedures Manual.

Per policy 320.2, the statement of non-conflict of interest is to be completed by the cognizant OA director, deputy assistant inspector general for audits (DAIGA), AIGA, team members, and other staff having input into the assignment before the start of work to indicate their independence regarding the specific assignment. The chapter also directs that the statement signed by all team members be maintained in the assignment documentation.

However, the statement of non-conflict of interest was not signed by all audit team members for three of the five audits sampled. Moreover, the statements for two of these three audits were signed by some of the team members after the fieldwork began, despite the assignment of these individuals to the audits before the commencement of this work.

Statement of Purpose, Source, Scope, and Conclusion

This review identified problems with inadequate or missing working paper documentation for the statement of PSSC, as required by the Policies and Procedures Manual. More specifically, a review of the five audits sampled disclosed that two of them had rates of inadequate or missing working paper documentation for PSSC of 96 percent and 19 percent, as shown in Table 1. Although the rates for this deficiency were nine percent or less for the other three audits, these important requirements of GAGAS and the Policies and Procedures Manual need to be consistently followed for all audits.

Table 1: Statement of Purpose, Source, Scope, and Conclusion
Report
Number
Number of Working Papers Reviewed Number of Working Papers With Deficient PSSC Elements Percentage of Working Papers With Deficient PSSC Elements
06-015 113 108 96%
06-016 22 2 9%
06-023 213 0 0
06-026 290 6 2%
07-007 43 8 19%
Source: DOS OIG review of FDIC OIG documentation.

GAGAS 7.68 states, “Audit documentation should be appropriately detailed to provide a clear understanding of its purpose and source and the conclusions the auditors reached.” In addition, policy 320.6 requires that “each document prepared must contain the following elements: objective/purpose/step, source, scope, methodology/work performed, results/discussion, and conclusion of the work performed to provide a clear understanding of the document’s purpose and source and the conclusions reached, as well as evidence of supervisory review.”

Moreover, the issue of deficient or missing PSSC elements on each document is apparently a recurring problem. An April 2007 FDIC OIG quality control review also identified this issue and observed that “confusion continues regarding whether every assignment document must contain the PSSC or whether assignment documents may be indexed to the PSSC of the Procedure Summary.” The confusion was attributed to Appendix B of the Policies and Procedures Manual, Policy 320.6, which states that “Basic assignment documentation should contain, where appropriate, the following elements . . ..” In its response to FDIC OIG’s quality control review, OA replied that the policies and procedures would be revised to correct the inconsistency, and staff would be advised of the correct interpretation of the provisions. This change is to be included in FDIC OIG’s February 29, 2008, revision to its Policies and Procedures Manual.

Required Checklists and Certifications

The documentation pertaining to the checklists and certifications required to be completed for all five audits was deficient. This review disclosed various problems with these documents, such as completion of the form in an untimely manner or failure to fill out the form at all. More specifically, DOS OIG reviewed five different checklists and certifications, listed in Table 2, for the five audits in the sample and found problems with these documents in nine instances out of 25 (36 percent). Moreover, in four of these nine instances, the form was not completed at all. (The 16 instances without deficiencies are designated in the table below by checkmarks.)

Table 2: Required Checklists and Certifications
Checklist or Certification Report
Number
06-015
Report
Number
06-016
Report
Number
06-023
Report Number
06-026
Report Number
07-007
Referencing Checklist Not filled out Not filled out check mark check mark check mark
Supervisory Assignment Documentation Checklist Completed 32 days after final report issuance Completed 10 days after final report issuance check mark Not filled out check mark
Auditor-in-Charge Assignment Documentation Checklist Completed 26 days after final report issuance Not indexed to audit documentation check mark Not filled out check mark
Independent Referencing Quality Review Certification check mark check mark check mark check mark check mark
The GAGAS and OIG Policies and Procedures Certification Statements check mark Director did not sign check mark check mark check mark
Source: DOS OIG review of FDIC OIG documentation.

OA uses several checklists and certifications to assist in the review of audit assignments and reports and to help ensure that applicable GAGAS standards are met. The five listed in Table 2 are among the more salient. For example, the Auditor-in-Charge Assignment Documentation Checklist, per the Policies and Procedures Manual, is “designed to assist the Auditor-in-Charge in assignment planning, supervision, legal and regulatory requirements, management and information system controls, sampling, assignment documentation structure, and cross-indexing and referencing.” This checklist and the others are valuable tools, but their value is diminished when they are not completed in a timely manner or at all.


Recommendation 2: The FDIC Inspector General should require the assistant inspector general for audits to reiterate the necessity of preparing complete and timely working papers in conformance with the Policies and Procedures Manual. This reiteration should place special emphasis on required working papers for the audit plan; the statement of non-conflict of interest; the statement of purpose, source, scope, and conclusion; and the required audit checklists and certifications.

In its comments to the draft report, FDIC OIG said that it will reiterate to the OA staff the importance of maintaining high-quality audit documentation with emphasis on the specified quality control elements. In addition, FDIC OIG anticipates consolidating a number of checklists and certifications. FDIC OIG anticipates the corrective action will be completed by February 29, 2008.

SUPERVISION OF AUDIT STAFF

OA generally complied with GAGAS in ensuring that auditors and others receive appropriate guidance and effective supervision during the audit. GAGAS 7.44 states that “staff are to be properly supervised.” According to GAGAS 7.45, “supervision involves directing the efforts of staff assigned to the audit to ensure that the audit objectives are accomplished.” Elements of supervision include providing sufficient guidance to staff members, reviewing the work performed, and providing effective on-the-job training. Although there was evidence of these elements throughout the audit process for all projects reviewed, FDIC OIG needs to improve the timeliness of supervisory review of working papers, especially of coaching notes, to ensure that it achieves audit objectives, maintains audit quality, and fosters on-the-job training.

Supervisory Review of Audit Working Papers

OA needs to stress the importance of the timeliness of supervisory review of audit working papers. A review of the five audits sampled disclosed that the working papers for one of the audits was reviewed late 41 percent of the time. In all five audits, improvements in the timeliness of supervisory review (defined by DOS OIG as within 30 days) could be made, as shown in Table 3.

Table 3: Supervisory Review of Audit Working Papers
Report Number Number of Working Papers Reviewed Number of Working Papers Reviewed After 30 days Percentage of Working Papers Reviewed After 30 days
06-015 75 31 41%
06-016 217 22 10%
06-023 44 7 16%
06-026 494 61 12%
07-007 558 68 12%
Source: DOS OIG review of FDIC OIG documentation.

DOS OIG used 30 days as a threshold to determine untimely supervisory review of audit working papers because FDIC OIG has not established a criterion. DOS OIG uses this threshold for its own internal quality control reviews. Irrespective of whether 30 days is the most appropriate measure, DOS OIG urges FDIC OIG to establish some specific measurement in order to objectively determine the timeliness of supervisory review of working papers.

In addition to aiding the efficient attainment of assignment objectives and generally improving audit quality, timely review of working papers by supervisors is essential to providing meaningful on-the-job training – an element of supervision per GAGAS. Untimely supervisory review of working papers can impact audit quality and staff development.

Supervisory Follow-up of Coaching Notes

Supervisory follow-up of coaching notes also needs improvement.2 For three of the five audits sampled, the rate of untimely follow-up (defined by DOS OIG as exceeding 30 days) for supervisors to clear coaching notes after the staff provided responses was 19 percent or higher, as indicated in Table 4. Again, both audit quality and on-the-job training can suffer when supervision is untimely.

Additionally, untimely response by staff to coaching notes is a problem. For three of the five audits sampled, the percentage of notes responded to by staff after 30 days was 21 percent or higher, as shown in Table 4. Although GAGAS does not specifically address untimely responding by staff to coaching notes, DOS OIG believes that it is a cause for concern, especially in light of GAGAS 7.46. This section states that “supervisors should satisfy themselves that staff members clearly understand what work they are to do, why the work is to be conducted, and what the work is expected to accomplish.” Timely supervisory follow-up on coaching notes is important because it can clear up issues at the early stage of an assignment before audit quality is adversely impacted.

Table 4: Response and Clearing of Supervisory Coaching Notes to Staff
Report Number Number of Notes Reviewed Number Responded to by Staff After 30 Days Percentage Responded to by Staff After 30 Days Number Cleared by Supervisors After 30 Days From Response by Staff Percentage Notes Cleared by Supervisors After 30 Days
06-015 22 2 9% 5 23%
06-016 15 5 33% 9 60%
06-023 39 8 21% 0 0
06-026 44 24 55% 22 50%
07-007 68 9 13% 9 13%
Source: DOS OIG review of FDIC OIG documentation.

Recommendation 3: The FDIC Inspector General should require the assistant inspector general for audits to emphasize the importance of timeliness of supervisory review of working papers, staff response to supervisory comments on working papers, and the clearance of coaching notes. Consideration should be given to establishing a specific measurement for working paper review and for clearing coaching notes.

FDIC OIG concurred with the recommendation and said it will emphasize to OA staff the importance of timely supervisory and staff actions regarding working papers. In addition, the FDIC OIG’s Inspector General has asked the assistant inspector general for audits to recommend specific timeliness measures. FDIC OIG anticipates the corrective action will be completed by February 29, 2008.

CONTINUING PROFESSIONAL EDUCATION DOCUMENTATION

DOS OIG found that OA generally did not maintain adequate documentation supporting the Continuing Professional Education (CPE) hours completed by staff subject to the CPE requirements, as required by GAGAS as well as OA’s own internal guidance.

GAGAS 3.45 requires auditors performing work under GAGAS to complete every two years, at least 80 hours of CPE, with at least 20 of the 80 hours completed in any one year of the two-year period. Moreover, Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education states that the audit organization is responsible for maintaining documentation of the CPE hours completed by each auditor subject to the CPE requirements. If the audit organization elects to delegate the responsibility to the auditor for maintaining the above documentation, then the audit organization should have adequate procedures in place to ensure that its records of CPE hours earned by auditors are supported by the documentation maintained by auditors. Furthermore, all CPE records should be maintained for an appropriate period of time to satisfy any legal and administrative requirements, including peer review.

Policy 120.1 states that audit and audit-related staff are required to maintain individual training records that document completion of CPE hours to the satisfaction of an external reviewer. Such evidence of completion includes grade reports, completion certificates, course outlines, and agendas. Despite this policy, staff did not adequately maintain individual training records. FDIC OIG’s Training and Professional Development System database shows that each of the employees selected in DOS OIG’s sample amassed at least 80 CPE hours, per the GAGAS requirement. However, the maintenance of individual training records by staff was inadequate. A random sample from the universe of the 53 individuals subject to the CPE requirement disclosed that eight of 11 (73 percent) did not have adequate documentation to support all their CPE hours recorded in FDIC OIG’s Training and Professional Development System.

This problem was also identified during a June 2006 FDIC OIG quality control review. In response, FDIC OIG issued Office of Audits Administrative Procedures #6, dated August 2006, on continuing professional education. In addition to providing guidance to staff on implementing the CPE requirement, it instituted a new requirement effective January 1, 2007, that staff should meet the GAGAS CPE requirement by “taking qualifying structured training for which participants are provided with a completion certificate, documentation of a passing grade, or other evidence of satisfactory completion.” Any CPE hours for which there is no evidence of completion would not be counted as CPE hours for meeting the 80-hour requirement.


Recommendation 4: The FDIC Inspector General should require the assistant inspector general for audits to reiterate its existing policy to the audit staff regarding maintaining adequate documentation on CPE hours completed.

FDIC OIG officials said that they will reiterate current policy for maintaining documentation of CPE hours completed. They will also consider alternatives for updating the current policy requirement for individual employees to maintain supporting documentation. FDIC OIG anticipates the corrective action will be completed by February 29, 2008.

CONTRACT MONITORING AND OVERSIGHT MANAGEMENT RECORD KEEPING

The OA’s process for monitoring contract audits performed by independent public accountants (IPA) generally complied with applicable GAGAS and OA policies and procedures. The OA oversight manager reviewed contractor independence; held periodic status meetings with the contractor; reviewed and cleared all issues regarding deliverables in a timely manner; reviewed contactor audit documentation to ensure that adequate testing and findings were supported by sufficient, competent, and relevant evidence in compliance with GAGAS; reviewed the contractor report for compliance with GAGAS; and ensured that the report transmittal accurately reflected the extent of FDIC OIG’s assurance over the contractor’s work. The OA oversight manager also reviewed and approved contractor billings. However, OA needs to store and maintain contract monitoring documentation as required by FDIC OIG policies and procedures.

Although a review of the IPA contract file disclosed that OA was maintaining the contract monitoring documentation, it was not being stored in a single file, nor was it being maintained in one location in OA, as required by FDIC OIG policies and procedures.

The Policies and Procedures Manual, policy 370.1, requires that “throughout the term of the contract, the Oversight Manager shall be responsible for maintaining a complete record of the status and results of the oversight of the contract. The Oversight Manager file shall be organized and maintained in accordance with the Oversight Manager File Checklist.” The intent of the policy was to ensure that the contract monitoring documentation was maintained in a single file or location for business continuity purposes. Although oversight documentation was available, it was not the practice of the oversight manager to maintain the records in a central file or location. Reemphasizing this responsibility to the oversight manager should help to ensure continuity of contractor oversight duties in the event of a disruption to normal operations.


Recommendation 5: The FDIC Inspector General should require the assistant inspector general for audits to reemphasize to the oversight manager the importance of maintaining contract monitoring documentation in a single file or location.

FDIC OIG concurred with the recommendation and said it will reemphasize to the contract oversight manager the importance of maintaining oversight files in a single file or location to help ensure the continuity of oversight duties in the event of a disruption to normal operations. FDIC OIG anticipates the corrective action will be completed by February 29, 2008.



UNCLASSIFIED


RECOMMENDATIONS

Recommendation 1: The FDIC Inspector General should require the assistant inspector general for audits to ensure that the Policies and Procedures Manual contains adequate guidance on (a) reporting and resolving personal impairments, (b) identifying the disciplinary mechanism and actions that could be taken if personal impairments are not reported, and (c) reporting and resolving external impairments.

Recommendation 2: The FDIC Inspector General should require the assistant inspector general for audits to reiterate the necessity of preparing complete and timely working papers in conformance with the Policies and Procedures Manual. This reiteration should place special emphasis on required working papers for the audit plan; the statement of non-conflict of interest; the statement of purpose, source, scope, and conclusion; and the required audit checklists and certifications.

Recommendation 3: The FDIC Inspector General should require the assistant inspector general for audits to emphasize the importance of timeliness of supervisory review of working papers, staff response to supervisory comments on working papers, and the clearance of coaching notes. Consideration should be given to establishing a specific measurement for working paper review and for clearing coaching notes.

Recommendation 4: The FDIC Inspector General should require the assistant inspector general for audits to reiterate its existing policy to the audit staff regarding maintaining adequate documentation on CPE hours completed.

Recommendation 5: The FDIC Inspector General should require the assistant inspector general for audits to reemphasize to the oversight manager the importance of maintaining contract monitoring documentation in a single file or location.






UNCLASSIFIED


APPENDIX A - BACKGROUND, SCOPE, AND METHODOLOGY

BACKGROUND

The FDIC OIG is an independent unit that conducts audits, evaluations, investigations, and other reviews of FDIC’s programs and operations. Congress established FDIC to supervise banks, insure deposits, and help maintain a stable and sound banking system. The FDIC OIG’s OA is organized into two primary directorates: (1) Insurance, Supervision, and Receivership Management Audits and (2) Systems Management and Security Audits, each of which report directly to the AIGA.

Scope and Methodology

DOS OIG tested compliance with the FDIC OIG’s system of quality control, primarily by reviewing six randomly selected audit reports of the 24 issued during the September 30, 2006, and March 31, 2007, semiannual reporting periods. These tests included a review of five performance audit reports conducted and issued by FDIC OIG. Also reviewed were the monitoring activities for an audit performed under contract by an IPA. In addition, DOS OIG reviewed recent internal quality control reviews performed by FDIC OIG.

DOS OIG conducted its review at the FDIC OIG’s offices in Arlington, VA, from February through June 2007 in accordance with the President’s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency, Guide for Conducting External Quality Control Reviews of the Audit Operations of the Inspector General, dated April 2005.

Audit Reports Reviewed
Report
Number
Report
Date
Report Title
06-015 July 20, 2006 FDIC’s Oversight of Technology Service Providers
06-016 August 10, 2006 Controls Over the Disposal of Sensitive FDIC Information by Iron Mountain, Inc.
06-020a September 25, 2006 The FDIC’s Efforts to Comply with OMB Memorandum M-06-16, Protection of Sensitive Agency Information
06-023 September 28, 2006 Examiner Use of Home Mortgage Disclosure Act Data to Identify Potential Discrimination
06-026 September 29, 2006 FDIC’s Contract Administration
07-007 March 30, 2007 Examination Assessment of the Reliability of Appraisals and Sufficiency of Insurance Coverage for Real Estate Lending
a Audit performed by IPA.
Source: OA reports issued during the Sept. 30, 2006-Mar. 31, 2007, reporting period.


UNCLASSIFIED


APPENDIX B - GENERAL COMMENTS

DOS OIG observed numerous positive audit practices in the FDIC OIG’s audit organization. Most importantly, the audit staff showed a high level of professionalism and expertise. During discussions, the audit staff displayed a thorough knowledge of the audits reviewed and the audit organization’s policies and procedures.

DOS OIG also found noteworthy practices and controls instituted to help ensure audits were performed in accordance with professional standards. The internal quality control review reports DOS OIG reviewed were insightful and contained indepth coverage of the organizational element assessed.



UNCLASSIFIED


APPENDIX C - FDIC OFFICE OF INSPECTOR GENERAL COMMENTS




October 18, 2007

The Honorable Howard J. Krongard
Inspector General
U.S. Department of State
2201 C Street, NW
Washington, DC 20520

Dear Mr. Krongard:

Thank you for the opportunity to respond to the draft report on the External Quality Control Review of the Federal Deposit Insurance Corporation’s Inspector General Audit Organization. The Federal Deposit Insurance Corporation Office of Inspector General’s Office of Audits (OA) recognizes the peer review process as an important facet of an audit organization’s quality control efforts. We are pleased that your independent review of our audit operations resulted in an unmodified opinion and concluded that our system of quality control was designed in accordance with the quality standards established by the Comptroller General and was complied with to provide reasonable assurance of conforming to applicable Government Auditing Standards and OA policies and procedures.

We value the report comment that OA staff showed a high level of professionalism and expertise and displayed a thorough knowledge of the audits reviewed and the OA’s policies and procedures. The report also identifies OA’s internal quality control reviews as a noteworthy practice for their insightfulness and in-depth coverage.

The report contains recommendations that, while not affecting the overall opinion, are designed to strengthen OA’s system of quality control. We concur with the recommendations and the enclosure provides our responses to each. Please extend our appreciation to the peer review team for their professionalism and valuable input to our audit function. If you have any questions, please call me at (703) 562-2166 or Russell A. Rau, Assistant Inspector General for Audits (AIGA), at (703) 562-6350.

Sincerely,

        [Electronically produced version; original signed by Jon T. Rymer]

Jon T. Rymer
Inspector General

Enclosure

cc: Mark W. Duda, AIGA, Department of State
Russell A. Rau, AIGA, Federal Deposit Insurance Corporation


Department of State (DOS) Recommendation 1: The Inspector General should require the Assistant Inspector General for Audits to ensure that the Policies and Procedures Manual contains adequate guidance on (a) reporting and resolving personal impairments, (b) identifying the disciplinary mechanism and actions that could be taken if personal impairments are not reported, and (c) reporting and resolving external impairments.

Federal Deposit Insurance Corporation (FDIC) Response: As noted in the report, the peer review team performed a comprehensive review of our policies and procedures and concluded they were generally adequate for ensuring compliance with the Government Auditing Standards (GAGAS). The report recognizes multiple existing controls established by OA to help ensure the staff maintains freedom from personal and external impairments to independence and that no personal or external impairments were identified. The report also identifies opportunities to strengthen controls, and we concur with the recommendation. The Inspector General has directed the Assistant Inspector General for Audits to add the recommended guidance as part of OA efforts to update policies and procedures to reflect the Government Auditing Standards July 2007 Revision. Corrective action will be completed by February 29, 2008.

DOS Recommendation 2: The Inspector General should require the Assistant Inspector General for Audits to reiterate the necessity of preparing complete and timely working papers in conformance with the Policies and Procedures Manual. This reiteration should place special emphasis on required working papers for the audit plan; the statement of non-conflict of interest; the statement of purpose, source, scope, and conclusion; and the required audit checklists and certifications.

FDIC Response: The peer review report states that, based on an extensive and detailed review, working paper documentation was generally adequate and in conformance with GAGAS and the OA Policies and Procedures Manual. Nevertheless, the report identified areas in need of improvement, and we concur with the recommendation. The Inspector General has directed the Assistant Inspector General for Audits to reiterate to OA staff the importance of maintaining high-quality audit documentation with an emphasis on the specified quality control elements. The quality control elements will also be revisited as part of OA efforts to update policies and procedures to reflect the Government Auditing Standards July 2007 Revision. In particular, we anticipate consolidating a number of checklists and certifications. Corrective action will be completed by February 29, 2008.

DOS Recommendation 3: The Inspector General should require the Assistant Inspector General for Audits to emphasize the importance of timeliness of supervisory review of working papers, the clearance of coaching notes, and staff response to supervisory comments on working papers. Consideration should be given to establishing a specific measurement for working paper review and for clearing coaching notes.

FDIC Response: The peer review concluded that OA generally complied with GAGAS in ensuring that auditors and others receive appropriate guidance and effective supervision. The peer review also concluded that although there was evidence of the tested elements of supervision throughout the audit process for all projects reviewed, timeliness of supervisory review of working papers could be improved. While neither GAGAS nor OA’s Policies and Procedures Manual impose specific timeframes for supervisory review of working papers, the peer review identified that more than 86 percent of working papers had been subject to supervisory review within the 30-day performance measure used by the peer review team. Notwithstanding this level of review, we agree that even more timely supervisory review as well as clearing of coaching notes are important, and we concur with the recommendation. The Inspector General has directed the Assistant Inspector General for Audits to emphasize to OA staff the importance of timely supervisory and staff actions regarding working papers. Additionally, the Inspector General has asked the Assistant Inspector General for Audits to recommend specific timeliness measurements as part of OA efforts to update policies and procedures to reflect the Government Auditing Standards July 2007 Revision. Corrective actions will be completed by February 29, 2008

DOS Recommendation 4: The Inspector General should require the Assistant Inspector General for Audits to reiterate its existing policy to the audit staff regarding maintaining adequate documentation on CPE hours completed.

FDIC Response: The report noted that each of the sampled employees amassed at least 80 continuing professional education (CPE) hours over a 2-year period in accordance with the GAGAS. Obtaining the minimum CPE hours is important to maintain professional competence, and retaining documentation in support of CPE is also a requirement. As noted in the report, during its internal quality control review, OA identified that staff did not always maintain required supporting documentation for CPE hours, and OA scheduled corrective actions. With respect to documentation maintenance, corrective action was implemented effective January 1, 2007, a date that marks the beginning of the current 2-year cycle. Nevertheless, we concur with the recommendation, and the Inspector General and Assistant Inspector General for Audits will reiterate current policy for maintaining documentation of CPE hours completed. OA will also consider alternatives for updating the current policy requirement for individual employees to maintain supporting documentation. Corrective action will be completed by February 29, 2008.

DOS Recommendation 5: The Inspector General should require the Assistant Inspector General for Audits to reemphasize to the oversight manager the importance of maintaining contract monitoring documentation in a single file or location.

FDIC Response: The peer review concluded that OA’s process for monitoring independent public accountants, under contract to OA, generally complied with applicable GAGAS and OA policies and procedures. The peer review also concluded that OA was maintaining the required contract monitoring documentation although not in a single file or location. We concur with the related recommendation. The Inspector General has directed the Assistant Inspector General for Audits to reemphasize to the contract oversight manager the importance of maintaining oversight files in a single file or location to help ensure the continuity of oversight duties in the event of a disruption to normal operations. OA will also revisit contractor oversight documentation procedures as part of OA efforts to update policies and procedures to reflect the Government Auditing Standards July 2007 Revision. Corrective action will be completed by February 29, 2008.

Summary: To implement the actions recommended and agreed-to as described earlier, the Assistant Inspector General for Audits will perform the following:

  • Advise OA staff members of the peer review results and OA responses in an upcoming staff meeting presentation.
  • Transmit the final peer review report to OA staff and post it on our internal and external Web sites.
  • E-mail OA staff members a message that reiterates and reemphasizes the policies and procedures discussed in the peer review recommendations within 30 days of the date of this response while continuing efforts to update OA policies and procedures.
  • Conduct an internal quality control review by December 31, 2008 to ensure that controls are in place and operating to address the findings and recommendations reported by the peer reviewers.