
September 27, 2017

Major Management Challenges for the CFPB


Ensuring an Effective Information Security Program

Information security continues to be a key risk in the federal government, and as is the case for most federal agencies, the CFPB faces challenges due to the advanced persistent threat to information technology (IT) infrastructures. Although the CFPB has assumed responsibility for its IT infrastructure (the U.S. Department of the Treasury was previously responsible for the CFPB's IT infrastructure) and continues to mature its information security program, the agency faces challenges in fully implementing its information security continuous monitoring program. Specifically, the CFPB should implement a data loss prevention program and ensure that automated feeds from all systems, including contractor-operated systems, feed into the CFPB's security information event management tool. 

The CFPB has taken several steps to develop and implement an information security continuous monitoring program that is generally consistent with federal requirements. For example, the CFPB has implemented a centralized logging information tool for CFPB systems. CFPB management continues to face challenges, however, associated with maturing its information security continuous monitoring program across the agency; such challenges include establishing alerting capabilities and continuous monitoring metrics and further automating tools for several of its manual information security continuous monitoring processes.

The CFPB collects and stores sensitive information, including confidential supervisory information and personally identifiable information, to support many of its mission-critical activities. Unauthorized access to or disclosure of sensitive information, through internal or external threats, could undermine the public's trust in the CFPB and limit its ability to accomplish its mission. To monitor and protect against the unauthorized transfer of data and other threats, the CFPB's internal cyber operations team coordinates with its network provider, which assists with monitoring and detecting exfiltration and other threats to the agency's external network perimeter. However, the CFPB has not fully implemented processes, such as data loss prevention technologies, within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information. Likewise, the CFPB is in the process of implementing multifactor authentication for its internal system users.

To meet its mission, the CFPB relies on a variety of contractor-operated information systems, including several cloud-based services that are shared with other federal or commercial entities. As is the case for other federal agencies, contractor-provided, cloud-based services present additional risks. As noted above, the CFPB continues to work with providers of contractor-operated systems to ensure that automated feeds and other continuous monitoring data are integrated more effectively into the CFPB's risk management processes.

The CFPB is evaluating additional solutions to centralize and automate its information security continuous monitoring program and activities. Further, the CFPB's strategic plan emphasizes the importance of protecting sensitive information from unauthorized access and includes an initiative to establish a secure technology infrastructure. In addition, the CFPB plans to continue assessing contractors' compliance with the agency's IT requirements.

In accordance with the requirements of the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the CFPB is in the process of aligning its information security program and related policies and procedures to the National Institute of Standards and Technology Cybersecurity Framework. By implementing the presidential directive, the CFPB will be better able to address its IT challenges.

Related OIG Reports

Other Related Information

  • Consumer Financial Protection Bureau, Consumer Financial Protection Bureau Strategic Plan FY 2013–FY 2017 (Goal 4, Advance the CFPB's performance by maximizing resource productivity and enhancing impact, page 28)
  • U.S. Government Accountability Office, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, "Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information," GAO-17-375T, February 15, 2017
  • U.S. Government Accountability Office, Consumer Financial Protection Bureau: Some Privacy and Security Procedures for Data Collections Should Continue Being Enhanced, GAO-14-758, September 22, 2014

 

Maturing the Human Capital Program

An agency's human capital management activities have a direct effect on its ability to efficiently and effectively carry out its mission. Since beginning operations in 2011, the CFPB has worked to build its human capital program and develop a diverse, high-performing, and engaged workforce. The development of such a workforce, however, can be affected by evolving workforce expectations, changes in agency leadership, and governmentwide budget constraints. The CFPB needs to mature its human capital program by continuing to strengthen its strategic workforce planning efforts, including succession planning, and fully implementing its new performance management system.

The CFPB has focused its workforce planning efforts on identifying mission-critical positions as well as gaps in core skills. The CFPB continues to develop, and will soon begin implementing, its succession management program, which will help ensure the continuity of knowledge and leadership across the agency. The CFPB has also made progress in providing employees with training on diversity; however, the CFPB needs to ensure that all employees receive such training in order to further workforce engagement.

In 2017, the CFPB is reviewing its compensation program to ensure that the agency is aligned with leading practices and that the approach promotes mission and workforce priorities. The CFPB faces challenges in ensuring that its workforce perceives changes to the compensation program as equitable and transparent. The CFPB also began the final phase of implementing a new performance management system, which includes new performance standards; the CFPB is in the process of preparing employees for these new standards. These standards need to be clearly communicated to employees and consistently applied by management to ensure that the CFPB's new performance management system is perceived as fair and equitable by the workforce. The CFPB will need to balance these and other human capital initiatives with evolving workforce expectations and a potential change in CFPB leadership when the current Director's term expires in 2018.

Related OIG Reports

Other Related Information

  • Consumer Financial Protection Bureau, Consumer Financial Protection Bureau Strategic Plan FY 2013–FY 2017 (Goal 4, Advance the CFPB's performance by maximizing resource productivity and enhancing impact, page 28)
  • U.S. Government Accountability Office, Federal Workforce: Sustained Attention to Human Capital Leading Practices Can Help Improve Agency Performance, Testimony Before the Committee on Oversight and Government Reform, House of Representatives, GAO-17-627T, May 18, 2017
  • U.S. Government Accountability Office, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, "Strategic Human Capital Management," GAO-17-317, February 15, 2017
  • U.S. Government Accountability Office, Consumer Financial Protection Bureau: Additional Actions Needed to Support a Fair and Inclusive Workplace, GAO-16-62, May 19, 2016

 

Strengthening the System of Internal Controls

Internal control activities help management efficiently and effectively achieve program goals and objectives and should be documented in and implemented through written policies and procedures. Clearly documenting internal controls, transactions, and other significant events in a manner that allows documentation to be readily available for examination is necessary to ensure the effective design, implementation, and operation of an entity's internal control system. Over the past year, the U.S. Government Accountability Office (GAO) and our office identified some program areas in which the CFPB can further strengthen its internal controls by enhancing policies and procedures and associated training to help ensure that risks are mitigated.

During an audit of the CFPB's contract award process, we found that on some occasions, reviews and approvals were overlooked or not documented as required by the Federal Acquisition Regulation or CFPB policy or that documentation could be improved. Further, during an evaluation of the CFPB's policies and procedures for documenting examination results, we identified inconsistencies in the approach to granting employees' access rights to a shared drive on which examination documentation and materials were stored. These inconsistencies resulted in examination employees in a certain region having access to materials containing sensitive information when they did not appear to have a business need to know that information.

GAO also identified areas in which the CFPB should ensure that internal controls are fully developed and implemented and that CFPB employees are aware of internal controls and receive the appropriate training. Specifically, GAO reported on deficiencies in the CFPB's internal controls over financial reporting related to property, equipment, and software. Although GAO reported that the CFPB implemented some corrective actions to mitigate the risks associated with these internal control deficiencies, GAO believes that additional actions are needed to fully mitigate the risks. 

The CFPB has acknowledged in its strategic plan the importance of internal controls and has drawn a clear link between the presence of rigorous internal controls and the operation of a high-performing organization. Further, the agency has committed to continuing its investment in resources that maintain effective internal controls and to following appropriate models for internal controls, such as the Federal Managers' Financial Integrity Act of 1982; the objectives on financial reporting as established under the Dodd-Frank Wall Street Reform and Consumer Protection Act; and best practices provided in the Office of Management and Budget's OMB Circular A-123: Management's Responsibility for Enterprise Risk Management and Internal Control.

The CFPB continues to build its internal control framework of policies and procedures for its various programs, including fixing gaps and improving employee awareness. In the past year, the CFPB reported that it has finalized an internal control policy; the agency also reported that it has (1) implemented an internal controls testing and evaluation program; (2) revamped its inventory management system to fix deficiencies; and (3) provided employee training to improve agency programs, such as the travel program. According to the CFPB, it is currently reviewing and revising the organization of its contract files and working on implementing eProcurement, which would create a single electronic system of record for all procurement actions. Additionally, the agency took action to close numerous OIG recommendations focused on developing and implementing policies and procedures. The CFPB also has made progress in establishing an agencywide enterprise risk-management program. It has organized an executive steering committee composed of the agency's top leadership to direct the process and is working to define its overall risk profile by identifying its main strategic and operational risks in concert with conducting risk assessments. 

Related OIG Reports

  • The CFPB Can Improve Its Examination Workpaper Documentation Practices, OIG Report 2017-SR-C-016, September 27, 2017
  • Security Control Review of the CFPB's Active Directory Implementation, OIG Report 2017-IT-C-008, April 17, 2017
  • The CFPB Can Strengthen Contract Award Controls and Administrative Processes, OIG Report 2017-FMIC-C-007, March 30, 2017
  • The CFPB Can Strengthen Its Controls for Identifying and Avoiding Conflicts of Interest Related to Vendor Activities, OIG Report 2017-SR-C-004, March 15, 2017
  • The CFPB's Advisory Committees Help Inform Agency Activities, but Advisory Committees' Administration Should Be Enhanced, OIG Report 2016-MO-C-016, November 30, 2016
  • The CFPB Should Continue to Enhance Controls for Its Government Travel Card Program, OIG Report 2016-FMIC-C-009, June 27, 2016

Other Related Information

  • Consumer Financial Protection Bureau, Consumer Financial Protection Bureau Strategic Plan FY 2013–FY 2017 (Goal 4, Advance the CFPB's performance by maximizing resource productivity and enhancing impact, page 28)
  • U.S. Government Accountability Office, Enterprise Risk Management: Selected Agencies' Experiences Illustrate Good Practices in Managing Risk, GAO-17-63, December 1, 2016
  • U.S. Government Accountability Office, Financial Audit: Bureau of Consumer Financial Protection's Fiscal Years 2016 and 2015 Financial Statements, GAO-17-138R, November 15, 2016
  • Office of Management and Budget, OMB Circular No. A-123: Management's Responsibility for Enterprise Risk Management and Internal Control, Memorandum M‑16-17, July 15, 2016
  • U.S. Government Accountability Office, Management Report: Improvements Needed in CFPB's Internal Controls and Accounting Procedures, GAO-16-522R, June 13, 2016
  • U.S. Government Accountability Office, Standards for Internal Control in the Federal Government, GAO-14-704G, September 10, 2014

 

Effectively Managing and Acquiring Workspace

Effectively managing workspace can present significant risks and challenges, including those associated with cost management and disruptions to employees. The CFPB is currently completing a renovation of its headquarters office building and is consolidating its Washington, DC, area staff into two buildings. Although the headquarters renovation is nearing completion, the CFPB will continue to manage five occupancy agreements in four cities. In addition, the CFPB faces challenges in developing sufficient information with which to determine its future space needs. GAO identifies collecting reliable real property data to support decisionmaking as a long-standing challenge that federal agencies face in managing real property.

Three of the CFPB's five occupancy agreements will expire at staggered times over a 5-year period, with the soonest expiring in 2019; therefore, the CFPB either will be renewing occupancy agreements or will be acquiring new space. We have reported that the CFPB does not have a process for consistently collecting, maintaining, and using information to help inform its space-planning decisions. In addition, the CFPB faces uncertainty with respect to staffing levels, which creates additional space-planning challenges because headcount is a critical input for space planning.

According to the CFPB, the agency is implementing a system that will help manage its space; the system will have functions such as space capacity and occupancy planning, space mapping, and space reporting. The CFPB also is planning to develop a long-term space plan and is considering contracting with external subject-matter experts to assist in this effort. Implementing a system that supports space planning and establishing a long-term plan may help the CFPB ensure that it is effectively planning for and using its office space to meet its mission needs.

Related OIG Reports

  • Collecting Additional Information Can Help the CFPB Manage Its Future Space-Planning Activities, OIG Report 2016-FMIC-C-002, February 3, 2016

Other Related Information

  • U.S. Government Accountability Office, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, "Managing Federal Real Property," GAO-17-317, February 15, 2017