Exhibit 99.6
Description of Material Weaknesses Reported as of December 31, 2004
Control Environment
We did not maintain an effective control environment related to internal control over financial reporting. Specifically, we identified the following material weaknesses in our control environment as of December 31, 2004:
| | • | | Tone at the Top |
| |
| | | | We did not establish and maintain a consistent and proper tone as to the importance of internal control over financial reporting. |
| |
| | • | | Accounting Policy |
| |
| | | | We lacked a written, comprehensive set of GAAP-compliant financial accounting policies and a formalized process for determining, monitoring, disseminating, implementing and updating our accounting policies and procedures. |
| |
| | • | | Board of Directors and Executive Roles |
| |
| | | | Roles and responsibilities were not clearly defined and documented between our executive management team and our Board of Directors. Our Chief Executive Officer served as the Chairman of the Board of Directors and our Chief Financial Officer and Chief Operating Officer each served as a vice chair of the Board of Directors. As a result, these two corporate governance structures lacked sufficient checks and balances, which adversely affected the flow of information to, and the effectiveness of, the Board of Directors. |
| |
| | • | | Enterprise-Wide Risk Oversight |
| |
| | | | We did not maintain a properly staffed, comprehensive and independent risk oversight function. Specifically, our risk oversight function lacked enterprise-wide coordination, dedicated senior leadership and sufficient staffing. Comprehensive risk policies did not exist, and existing policies applicable to each business unit required enhancement. |
| |
| | • | | Internal Audit |
| |
| | | | We did not maintain an effective and independent Internal Audit function. Internal Audit did not maintain a sufficient complement of personnel with an appropriate level of accounting and auditing knowledge, experience and training to effectively execute an appropriate audit plan. In addition, the Internal Audit department did not functionally report to the Audit Committee of the Board of Directors, but reported to the Chief Financial Officer, which created inadequate independence and objectivity. Further, our Internal Audit function lacked clarity regarding its risk assessment process, communications and audit plans. Our ineffective Internal Audit function adversely affected our ability to adequately identify our control weaknesses. |
| |
| | • | | Human Resources |
| |
| | | | Our human resources function did not have clear enterprise-wide coordination, which resulted in ineffective definition and communication of employee roles and responsibilities. In addition, training and performance evaluations were not always effective. As a result, we did not have a sufficient number of qualified staff, clear job descriptions, and appropriate policies and procedures relating to human resources. Lines of delegated authority were not always clear. |
| | • | | Fraud Risk Management Program |
| |
| | | | We did not maintain a comprehensive, centrally coordinated enterprise-wide fraud risk management program. Furthermore, we did not have a specific, comprehensive fraud risk management program related to internal control over financial reporting. |
| |
| | • | | Whistleblower Program |
| |
| | | | We lacked effective internal control over financial reporting relating to our whistleblower program that would ensure the anonymity, confidentiality and physical security of the information provided, as well as periodic reporting of that information. Although an enterprise-wide whistleblower program was in effect during 2004, regular reporting to a committee of the Board of Directors did not occur, and we believe the program was not trusted by company personnel. |
| |
| | • | | Accounting/Finance Staffing Levels |
| |
| | | | We did not maintain a sufficient complement of personnel with an appropriate level of accounting knowledge, experience and training in the application of GAAP commensurate with our financial reporting requirements. Further, the process we used to ensure that employees were assigned appropriate responsibilities based upon their credentials and experience was inadequate. |
| |
| | • | | Information Technology Policy |
| |
| | | | We did not maintain and clearly communicate information technology policies and procedures. This weakness contributed to our inadequate internal control over financial reporting systems. |
| |
| | • | | Policies and Procedures |
| |
| | | | We did not maintain adequate policies and procedures related to initiating, authorizing, recording, processing and reporting transactions. This lack of documentation led to (a) inconsistent execution of business practices, (b) inability to ensure practices were in accordance with management standards and (c) ambiguity in delegation of authority. |
Application of GAAP
We did not maintain effective internal control over financial reporting relating to our process and information technology applications for determining, monitoring, disseminating, implementing and updating accounting policies that complied with GAAP. We identified numerous material and immaterial misapplications of GAAP that indicate that a material weakness in our application of GAAP existed as of December 31, 2004. We have identified misapplications of GAAP in the following primary categories:
| | • | | our accounting for debt and derivatives; |
| |
| | • | | our accounting for commitments; |
| |
| | • | | our accounting for investments in securities; |
| |
| | • | | our accounting for MBS trust consolidations and sale accounting; |
| |
| | • | | our accounting for financial guaranties and master servicing; |
| |
| | • | | our amortization of cost basis adjustments; and |
| |
| | • | | other adjustments, including accounting for income taxes. |
Many of these misapplications of GAAP resulted in material modifications to our financial statements and many of the other misapplications of GAAP that did not result in a material modification could have resulted in a material misstatement in the financial statements.
Financial Reporting Process
We did not maintain an effective, timely and accurate financial reporting process. Specifically, we identified the following material weaknesses in our financial reporting process as of December 31, 2004:
| | • | | Financial Statement Preparation and Reporting |
| |
| | | | We did not perform timely and complete reviews of the consolidated financial statements by personnel with knowledge sufficient to reach appropriate accounting conclusions. Specifically, our systems and processes were not designed and in operation to enable us to prepare accurate consolidated financial statements in accordance with GAAP. These systems and processes, coupled with our human resources and other material weaknesses, resulted in our inability to prepare and complete accurate financial information. |
| |
| | • | | Disclosure Controls |
| |
| | | | We did not maintain effective disclosure controls and procedures, including an effective Disclosure Committee, designed to ensure complete and accurate disclosure as required by GAAP. In addition, we have not filed periodic reports on a timely basis as required by the rules of the SEC and the NYSE. |
| |
| | • | | General Ledger Controls |
| |
| | | | We did not maintain effective internal control over financial reporting relating to the general ledger and the periodic closing of the general ledger. Specifically, the design and operation of this control was inadequate for managing the addition or deletion of specific balance sheet or consolidated statements of income accounts. In addition, personnel were not granted access to the general ledger that was appropriate to their scope of responsibility and we lacked a formalized process with adequate controls designed to ensure that the general ledger was closed properly at the end of each period. |
| |
| | • | | Journal Entry Controls |
| |
| | | | We did not maintain effective internal control over financial reporting relating to the recording of journal entries, both recurring and non-recurring. Specifically, the design and operation of this control was inadequate for ensuring that journal entries were prepared by personnel with adequate knowledge of the activity being posted. The entries were not supported by appropriate documentation and were not reviewed at the appropriate level to ensure the accuracy and completeness of the entries recorded. |
| |
| | • | | Reconciliation Controls |
| |
| | | | We did not maintain effective internal control over financial reporting relating to the reconciliation of many of our financial statement accounts and other data records that served as inputs to those accounts. Specifically, the design and operation of this control was inadequate for ensuring that our accounts were complete, accurate and in agreement with detailed supporting documentation. In addition, this control did not ensure proper review and approval of reconciliations by appropriate personnel. |
Information Technology Applications and Infrastructure
We did not maintain effective internal control over financial reporting related to information technology applications and infrastructure, and the references in this section to “controls” refer to our internal control over financial reporting. Specifically, we identified the following material weaknesses relating to our information technology applications and infrastructure as of December 31, 2004:
| | • | | Access Control |
| |
| | | | We did not maintain effective design of controls over access to financial reporting applications and data. Specifically, ineffective controls included unrestricted access to programs and data, lack of periodic review and monitoring of such access, and lack of clearly communicated policies and procedures governing information technology security and access. Furthermore, we did not maintain effective logging and monitoring of servers and databases to ensure that access was both appropriate and authorized. |
| |
| | • | | Change Management |
| |
| | | | We did not maintain effective controls designed to ensure that information technology program and data changes were authorized and that the program and data changes were adequately tested for accuracy and appropriate implementation. |
| |
| | • | | End User Computing |
| |
| | | | We did not maintain effective controls over end user computing (“EUC”) applications, such as spreadsheets. Specifically, controls were not designed and in operation to ensure that access to these applications was restricted to appropriate personnel and that changes to data or formulas were authorized. |
Independent Model Review Process
We identified a material weakness as of December 31, 2004 related to the design of our internal control over financial reporting related to our independent model review process. Specifically, we did not independently review that: (i) the models and assumptions used to produce our financial statements were appropriate; and (ii) that outputs used to produce our financial statements were calculated accurately according to the model specifications. Our loan loss allowance, amortization, guaranty and financial instrument valuation processes each used models and we incorrectly valued our derivatives, mortgage loan and security commitments, security investments, guaranties and other instruments.
Treasury and Trading Operations
We identified a material weakness as of December 31, 2004 related to the design of our internal control over financial reporting related to our treasury and trading operations. Specifically, our internal control over financial reporting was inadequate with respect to the process of authorizing, approving, validating and settling trades, including inadequate segregation of duties among trading, settlement and valuation activities within both our treasury and trading operations.
Pricing and Independent Price Verification Processes
We identified a material weakness as of December 31, 2004 related to the design of our internal control over financial reporting related to our pricing and independent price verification processes. Specifically, our internal control over financial reporting was inadequate with respect to the process used to price assets and liabilities, and did not maintain appropriate segregation of duties between the pricing function and the function responsible for independently verifying such prices.
Wire Transfer Controls
We identified a material weakness as of December 31, 2004 related to the design of our internal control over financial reporting related to our wire transfer function. Specifically, the design of our internal control over financial reporting was insufficient with respect to the initiation, authorization, segregation of duties and anti-fraud measures related to wire transfer transactions and with respect to the reconciliation of cash balances and wire transfer activity. In addition, approvals were not consistent with approval policies and funds movements lacked verifications.
