While the FOMC Secretariat requires CLO and Public Affairs staff to read and abide by the Program for Security of FOMC Information, the Office of Board Members had not established management controls to ensure that the Division Director's directives regarding the CLO contact list and publication of the FOMC minutes are implemented. As stated in the U.S. Government Accountability Office's Standards for Internal Control in the Federal Government, policies and procedures help to ensure that management's directives are efficiently and effectively carried out. During our audit, we noted that the CLO did not have written policies and procedures related to the CLO contact list. In addition, neither the CLO nor Public Affairs had (1) written policies for determining which business functions require access to the FOMC minutes and (2) documented procedures on how to perform those business functions. Developing and implementing written policies and procedures may reduce the risk of another early release of the FOMC minutes.
The Special Assistant to the Board in the CLO stated that there were no documented policies or procedures related to the CLO contact list, which had been developed to distribute a wide variety of public information. At the time of the early release, the CLO contact list included congressional staffers, trade association staffers, professional contacts at several financial services companies, contacts at other government agencies, and certain staff in the CLO. Since the April 9, 2013, early release, management's directive now requires that the CLO contact list be limited to government recipients. In addition, a CLO staff member will (1) review the Board's public website to ensure that information to be sent to the CLO contact list is publicly available and (2) send only a link to the information being distributed. Therefore, to ensure that its directives are effectively communicated, management should develop and implement policies and procedures regarding who should be on the CLO contact list, what information the contacts will receive, and how the information will be sent to them.
While the CLO and Public Affairs had developed informal procedures over the past several years regarding the publication of the FOMC minutes, there were no written policies that identified which business functions required access to the FOMC minutes or that described the current business functions related to the minutes. Therefore, to ensure that applicable directives in the CLO and Public Affairs are effectively communicated, management should develop written policies for determining which business functions require access to the FOMC minutes and procedures on how to perform those functions.
We recommend that the Director of the Office of Board Members
The Director of the Office of Board Members agreed with our recommendations. In her response, the Director stated that Public Affairs has written a new procedures document that details specific steps that must be taken by Public Affairs staff to properly release the FOMC minutes to the press and the public, outlines safeguards to prevent an inadvertent release of the minutes to unauthorized individuals, and specifies which staff members are responsible for carrying out the release process. The Director also stated that the CLO has revised its administrative procedures manual to include the steps that govern the use of lists such as the CLO contact list.
In our opinion, the actions described by the Director of the Office of Board Members are responsive to our recommendations. We plan to follow up on the Office of Board Members' actions to ensure that the recommendations are fully addressed.