Freddie Mac 2005 Annual Report Download - page 71

Download and view the complete annual report

Please find page 71 of the 2005 Freddie Mac annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 171

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171

implemented compensating controls, including the performance of signiÑcant data validation and Ñnancial analytics,
which contributed to our delayed Ñnancial reporting timeline.
Information technology general controls as they relate to change management Ì Our controls over managing
changes related to the introduction of program and data changes and our controls related to production data and
applications need improvement. Weaknesses in these controls include lack of consistent standards and inadequate
testing of changes prior to deployment.
Information technology general controls as they relate to security administration, management and technology Ì Our
controls over information systems security administration and management functions need to improve in the
following areas: (a) development of and adherence to procedures and guidelines; (b) segregation of duties;
(c) logging and monitoring user access rights; and (d) periodic review of the appropriateness of access rights.
Weaknesses in these controls could allow unauthorized users to enter, delete or change data in these systems, as well
as increase the possibility that entries could be duplicated or omitted inadvertently.
Monitoring controls within Ñnancial operations and reporting functions Ì Monitoring controls are those controls that
are designed to evaluate how other controls are working, such as the performance of Ñnancial analytics and the
completion of account reconciliations. Despite the progress made in the identiÑcation, documentation, and
enhancement of monitoring controls during 2005, there were several instances where these controls did not identify
issues that ultimately led to accounting adjustments.
StaÇng adequacy Ì While we have made progress in our eÅorts to build a strong management team by Ñlling several
senior positions, we need to continue to recruit additional qualiÑed people into leadership positions across the
organization in order to achieve our objectives with regard to the remediation of weaknesses and deÑciencies within
our internal control infrastructure and our return to timely Ñnancial reporting. We have recently experienced high
employee turnover rates, which strain existing resources and contribute to increased operational risk. We are also
assessing our standards of performance and how we enforce those standards to create a more eÅective culture of
accountability.
Management risk and control self-assessment process Ì Our process to identify deÑciencies in key Ñnancial reporting
controls, prior to testing, does not provide reliable information on our risk and control environment.
In addition to these material weaknesses, a number of signiÑcant deÑciencies in our internal control were apparent that,
although not determined to be material at this time, still present risks of error in our Ñnancial reporting. For example, we
place reliance on end-user computing solutions with both insuÇcient documentation and change controls. This control
deÑciency was considered a material weakness at December 31, 2004. We believe that our remediation eÅorts have reduced
the severity of this deÑciency, however, it continues to pose signiÑcant risk to our Ñnancial reporting processes and requires
us to allocate signiÑcant resources to continue progress toward full remediation and to provide that this deÑciency does not
become material again.
Other signiÑcant deÑciencies include areas that need improvement: the governance over our risk management processes,
where we need to strengthen the resources engaged in this oversight role and our ability to aggregate risks across our
organization; our new product implementation process; and the governance of and processes related to our valuation of our
guarantee-related assets and liabilities. We also need to strengthen our procedures for monitoring instances where we make
simplifying assumptions in the application of our accounting policies in our Ñnancial reporting, and we need to reduce our
reliance on such assumptions. The excessive use of such assumptions increases the risk that diÅerences, when compared to a
stricter application of our accounting policies, could become consequential over time and result in errors that are not
detected (e.g., if the underlying transaction volume increases). Furthermore, we are examining the cause of certain data
quality issues associated with information provided to us by seller/servicers related to mortgage loans underlying our PCs and
Structured Securities and the use of that data within our operational transaction systems and Ñnancial reporting systems.
As we continue the remediation activities noted below, we may identify additional material weaknesses, signiÑcant
deÑciencies or other operational issues in our internal controls or conclude that signiÑcant deÑciencies we have already
identiÑed should be regarded as material weaknesses, either individually or in the aggregate.
During 2005, we implemented an internal control testing and evaluation program designed to evaluate the signiÑcant
components of our internal control over Ñnancial reporting and to identify whether deÑciencies exist within our internal
control environment. Upon discovering the need for several adjustments to our 2005 interim Ñnancial results in the course of
our Ñnancial reporting processes for 2005, we began a more comprehensive review of our internal control environment. This
review includes an assessment of the design and eÅectiveness of our internal control environment, an initiative to improve
information technology general controls, and remedial actions needed to address any issues identiÑed in the course of these
reviews.
55 Freddie Mac