Audits, Evaluations, and Inspections
Audits assess aspects of the economy, efficiency, and effectiveness of Board and CFPB programs and operations. For example, the OIG oversees audits of the Board’s financial statements and financial performance reports, and it conducts audits of (1) the efficiency and effectiveness of processes and internal controls over agency programs and operations; (2) the adequacy of controls and security measures governing agency financial and management information systems and the safeguarding of assets and sensitive information; and (3) compliance with applicable laws and regulations related to agency financial, administrative, and program operations. As mandated by the IG Act, OIG audits are performed in accordance with the Government Auditing Standards established by the Comptroller General.
Inspections and evaluations include program evaluations, enterprise risk-management activities, process design and life-cycle evaluations, and legislatively mandated reviews of failed financial institutions supervised by the Board. Inspections are generally narrowly focused on a particular issue or topic and provide time-critical analysis that cuts across functions and organizations. In contrast, evaluations are generally focused on a specific program or function and may make extensive use of statistical and quantitative analytical techniques. Evaluations can also encompass other preventive activities, such as reviews of system development life-cycle projects. OIG inspections and evaluations are performed according to the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency (CIGIE).
The information below summarizes OIG work completed during the reporting period and ongoing work that will continue into the next semiannual reporting period.
Board of Governors of the Federal Reserve System
Completed Projects
Board Should Strengthen Controls over the Handling of the Federal Open Market Committee Meeting Minutes
OIG Report No. 2013-AE-B-012
August 27, 2013
We initiated this audit at the request of the Board’s Chairman. An official in the Board’s Congressional Liaison Office (CLO) e-mailed the FOMC meeting minutes to an e-mail distribution list (CLO contact list) on April 9, 2013, one day earlier than the scheduled release date. As a result, the Board issued the FOMC minutes at 9:00 a.m. on April 10, 2013, rather than the scheduled 2:00 p.m. release time. Our audit objectives were to evaluate the Board’s processes for distributing the approved FOMC minutes to Board staff prior to their public release and the Board’s management controls to prevent the early distribution of those minutes.
During the three-week period following an FOMC meeting, the meeting minutes are drafted, edited, and approved prior to public release. The FOMC minutes are finalized approximately 24 hours prior to publication and loaded into the Board’s publication system. FOMC Secretariat staff notify Office of Board Members staff that the FOMC minutes are ready for publication. Subsequently, Office of Board Members staff prepare the minutes to be released to the public. The Program for Security of FOMC Information describes who is responsible for ensuring that FOMC information, including the FOMC minutes, is safeguarded and how it should be handled.
While CLO and the Board’s Public Affairs Office staff are required to properly safeguard FOMC information in accordance with the Program for Security of FOMC Information, the Office of Board Members has not established formal written management controls to ensure that the Division Director’s directives regarding the CLO contact list and publication of the FOMC minutes are implemented. We noted that the CLO did not have written policies and procedures related to the dissemination of information to the CLO contact list. In addition, neither the CLO nor the Public Affairs Office had written policies and procedures regarding the business processes that require access to the FOMC minutes.
Public Affairs Office and CLO staff also did not handle the FOMC minutes in accordance with the Program for Security of FOMC Information. Before being given access to confidential FOMC information, including the FOMC minutes, Board staff members agree to abide by the Program for Security of FOMC Information, which incorporates the Board’s Information Classification and Handling Standard. Although the Board provides required annual training that covers the Information Classification and Handling Standard, training on FOMC-specific information-handling requirements is not provided.
The Program for Security of FOMC Information requires that access to FOMC information be limited to those with a strict need to know. However, the access control list for the publication system included two Board staff members who may not have needed access to the system, and Division of Monetary Affairs staff did not limit access to the FOMC minutes to a subset of users on the publication system access control list with a need to know.
We made four recommendations designed to strengthen the Board’s controls over the handling of the approved FOMC minutes prior to public release. Management concurred with the recommendations and has initiated steps to implement them. Management also stated that it has taken actions to improve compliance with the Program for Security of FOMC Information.
The Board Can Benefit from Implementing an Agency-Wide Process for Maintaining and Monitoring Administrative Internal Control
OIG Report No. 2013-AE-B-013
September 5, 2013
Our objective for this audit was to determine the processes for establishing, maintaining, and monitoring internal control within the Board. We focused on internal control over the effectiveness and efficiency of operations and compliance with laws and regulations, i.e., administrative internal control. Internal control is an integral part of managing an organization and is critical to improving organizational effectiveness and accountability. It comprises the plans, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal control is the first line of defense in safeguarding assets and preventing and detecting errors and fraud; thus, it helps organizations achieve desired results through effective stewardship of government resources.
FMFIA requires that each executive agency establish internal accounting and administrative controls in compliance with standards established by the Government Accountability Office and prepare an annual statement on internal control based on an evaluation performed using Office of Management and Budget (OMB) guidelines. Although the Board is not subject to FMFIA, the Board decided to voluntarily comply with the spirit and intent of FMFIA shortly after its enactment.
We found that the Board’s divisions have processes for establishing administrative internal control that are tailored to their specific responsibilities. These controls generally use best practices and are designed to increase efficiency and react to changing environments; however, the Board’s processes for maintaining and monitoring these controls can be enhanced. Specifically, we found that the Board does not have an agency-wide process for maintaining and monitoring its administrative internal control. The Board’s approach to addressing the provisions of FMFIA does not require management to assess and monitor administrative internal control. We believe that an agency-wide process that maintains, monitors, and reports on administrative internal control can assist the Board in effectively and efficiently achieving its mission, goals, and objectives, as well as address the organizational challenges outlined in the Board’s 2012–2015 strategic framework.
We recommended that the Chief Operating Officer designate responsible officials or an office to develop and implement an agency-wide policy and process to more closely follow the spirit and intent of FMFIA and develop a training program to increase staff awareness about maintaining and monitoring administrative internal control. Management concurred with the recommendation’s intent, stating that the Board has already implemented, or is in the process of implementing, several enhanced administrative processes. Management added that it will evaluate whether and in what form an agency-wide framework makes sense, given the priorities and budgetary constraints underlying the Board’s new strategic framework, and that it will coordinate with the Executive Committee of the Board to implement any additional requirements.
The Board Should Improve Procedures for Preparing for and Responding to Emergency Events
OIG Report No. 2013-AE-B-016
September 30, 2013
Our objectives for this evaluation were to assess the Board’s policies and procedures for responding to unexpected emergency events and to assess communications protocols for processing and disseminating information to Board staff during such emergencies. The Board has a crisis management structure in place and has procedures to prepare for and respond to emergency events. Key components of the crisis management structure are the Crisis Leadership Team, which ensures the continuity of Board operations and essential functions, and the Crisis Support Team, which manages the actual emergency.
During an emergency, the Law Enforcement Unit (LEU) Chief serves as the Crisis Support Team lead and incident commander. Floor wardens assist the LEU during emergencies by ensuring that employee evacuations are quick, orderly, and safe. The LEU’s Safety and Emergency Preparedness Bureau performs considerable planning and other activities to prepare for emergencies, including conducting annual floor warden training. The bureau also prepares the Board’s Occupant Emergency Plan, which describes the roles and responsibilities for employees, contractors, and visitors, as well as the responsibilities for components of the crisis management structure.
We found that drills and exercises to prepare for emergencies did not fully incorporate all components of the Occupant Emergency Plan. The Crisis Leadership Team did not convene during drills to make critical decisions to ensure that Board operations and essential functions continued with minimal disruption, and employees were not fully accounted for after the drills. In addition, tabletop exercises, an emergency preparedness best practice, were not routinely performed because they are not required. Incomplete drills and the absence of full-scale tabletop exercises to supplement the drills decrease the likelihood of appropriate responses to emergencies.
In addition, we found that the floor warden program has challenges recruiting and retaining volunteers, and we found that floor wardens are not completing annual training. Therefore, the Board lacks assurance that there will be a sufficient number of trained floor wardens available during actual emergencies to assist in the safe, orderly movement of employees, including those who require assistance due to physical limitations.
Finally, we found that the Board does not have the capability to send public address announcements to employees working in leased office space because the buildings lack such a system. Employees may receive crucial information via telephone, intranet, e-mail, text, or word of mouth. This limitation increases the risk that employees may not receive the appropriate instructions simultaneously and in a timely manner and may make uninformed decisions that could place them in harm’s way.
We made seven recommendations to improve the Board’s emergency preparedness. We recommended that the Crisis Leadership Team convene during evacuation drills, that employees be accounted for after drills and emergencies, and that full-scale tabletop exercises be conducted as an additional training tool. We also recommended that floor wardens complete annual training, that division directors be required to recruit floor wardens, and that the floor warden roster be kept up to date. Finally, we recommended that all Board employees working in leased office spaces receive critical information simultaneously and in a timely manner. Management generally concurred with our recommendations.
Board Should Enhance Compliance with Small Entity Compliance Guide Requirements Contained in the Small Business Regulatory Enforcement Fairness Act of 1996
OIG Report No. 2013-AE-B-008
July 1, 2013
In this evaluation, we assessed the Board’s compliance with certain requirements of the Small Business Regulatory Enforcement Fairness Act of 1996, as amended (SBREFA). We initiated this evaluation to determine the validity of a complaint received by the OIG Hotline concerning the Board’s compliance with SBREFA.
SBREFA became law in 1996 and was later amended by the Small Business and Work Opportunity Act of 2007 to include specific requirements for small entity compliance guides. These guides are created by federal rulemaking agencies to explain the actions a small entity should take to comply with a rule. Section 605(b) of SBREFA generally allows the agency head to certify in the Federal Register, as part of the proposed or final rule, that the final rule will not have a significant economic impact on a substantial number of small entities. In such cases, a compliance guide does not have to be created. The 2007 amendments to SBREFA also included a congressional reporting requirement.
We found that the Board was not consistent in developing or updating small entity compliance guides in accordance with SBREFA requirements. In addition, the Board’s compliance guides did not consistently provide clear guidance to small entities explaining how to comply with certain rules or when the requirements of the specific rules would be satisfied. Instead, many of the guides merely restated and summarized each section of the rules.
We also reviewed the Board’s compliance with the annual congressional reporting requirement to describe the status of the agency’s compliance with the small entity compliance guide requirements created by the 2007 amendments to SBREFA. We requested documentation evidencing that the annual congressional reporting requirement had been satisfied, but we did not receive any.
We recommended that the Board establish centralized oversight and a standard method or approach for creating small entity compliance guides. We also recommended that the Board begin submitting the annual reports describing the agency’s compliance with small entity compliance guide requirements to the relevant congressional committees as required by section 212(a)(6) of SBREFA. Management concurred with our recommendations and stated that it will take steps to implement them.
Security Control Review of a Third-party Commercial Data Exchange Service Used by the Board's Division of Banking Supervision and Regulation
OIG Report No. 2013-IT-B-010
August 6, 2013
FISMA requires the OIG to evaluate the effectiveness of the information security controls and techniques for a subset of the Board’s information systems, including those provided or managed by another agency, a contractor, or another organization. As part of the OIG’s work to fulfill this requirement, we reviewed the information system security controls for a third-party commercial data exchange service. Specifically, our audit objective was to evaluate the adequacy of selected security controls for protecting Board data from unauthorized access, modification, destruction, or disclosure, as well as compliance with FISMA and the information security policies, procedures, standards, and guidelines of the Board.
The Board’s Division of Banking Supervision and Regulation (BS&R) uses the commercial data exchange service to securely exchange sensitive business information with financial institutions. The service is listed on the Board’s FISMA inventory as a third-party application maintained by the Federal Reserve Bank of Philadelphia. BS&R is assigned overall responsibility for ensuring that the system meets FISMA requirements.
Overall, we found that the Board has taken steps to secure the third-party commercial data exchange service. However, we found that improvements are needed to ensure that the requirements of FISMA and the Board Information Security Program are met.
We made 11 recommendations to BS&R to strengthen security controls for the system. Management concurred with 10 recommendations and partially concurred with one recommendation. For the 10 recommendations with which management concurred, it outlined actions that have been taken, are underway, or are planned to address the recommendations. For the recommendation with which management partially concurred, it outlined planned actions that are responsive to the intent of the recommendation. We will follow up on the implementation of each recommendation as part of our future audit activities related to the Board’s continuing implementation of FISMA.
Security Control Review of the Board's National Examination Database System
OIG Report No. 2013-IT-B-009
July 19, 2013
To meet FISMA requirements, we reviewed the information system security controls for the National Examination Database (NED) system. NED is the database within BS&R’s National Information Center that is specifically designed to support bank supervision, and it is listed as a major application on the Board’s FISMA inventory for BS&R. Specifically, our audit objective was to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure, as well as the system’s compliance with FISMA and the information security policies, procedures, standards, and guidelines of the Board.
We found that, in general, controls for NED are adequately designed and implemented. However, we found that improvements are needed to ensure that the requirements of FISMA and the Board Information Security Program are met. We made four recommendations designed to strengthen security controls for the system. Our report also included a matter for management’s consideration. Management concurred with our recommendations and outlined actions that have been taken, are underway, or are planned to address the recommendations. We will follow up on the implementation of each recommendation in this report as part of our future audit activities related to the Board’s continuing implementation of FISMA.
Results from OIG Vulnerability Scanning of Select Servers for the Board's Information Technology and Management Divisions
June 19, 2013
During this reporting period, we issued a management letter that documented our IT vulnerability scanning results and provided two suggestions to the Board for strengthening security controls. We conducted our scanning to support our annual audit of the Board’s information security program pursuant to FISMA. FISMA requires agencies to develop, document, and implement an information security program that, among other things, includes periodic risk assessments of the harm that could result from vulnerabilities within information systems. One component of an agency’s risk-management program is vulnerability scanning. Vulnerability scanning commonly refers to using automated tools to identify vulnerabilities in information systems resulting from outdated software versions, missing patches, and misconfigurations.
Status of the Transfer of Office of Thrift Supervision Functions
OIG Report No. 2013-AE-B-014
September 26, 2013
Title III of the Dodd-Frank Act established provisions for the transfer of authorities from the Office of Thrift Supervision (OTS) to the OCC, the FDIC, and the Board within one year after the July 21, 2010, enactment date. Title III transferred to the Board, on July 21, 2011, the functions and rulemaking authority for consolidated supervision of savings and loan holding companies and their nondepository subsidiaries. The Dodd-Frank Act required that, within 180 days after its enactment, the OTS, the OCC, the FDIC, and the Board jointly submit a plan—the Joint Implementation Plan—to Congress and the IGs of Treasury, the FDIC, and the Board that detailed the steps each agency would take to implement the title III provisions. The Joint Implementation Plan was submitted to Congress and the IGs on January 25, 2011. The Dodd-Frank Act also required the IGs to determine whether the implementation plan conformed to the title III provisions. On March 28, 2011, the IGs jointly issued a report concluding that the actions described in the Joint Implementation Plan generally conformed to the provisions of title III.
Section 327 of title III requires the IGs to report on the status of the implementation of the Joint Implementation Plan every six months. The IGs have issued five status reports to date, the latest of which was issued during this reporting period, on September 26, 2013. These joint reports, all of which are titled Status of the Transfer of Office of Thrift Supervision Functions, concluded that the Board, the FDIC, the OCC, and the OTS have substantially implemented actions to transfer OTS functions, employees, funds, and property to the Board, the FDIC, and the OCC, as appropriate. The first four reports noted that the Board was still implementing certain aspects of the plan.
As previously reported, for savings and loan holding companies and bank holding companies with consolidated assets of $50 billion or more, and for nonbank financial companies that the Board is required to supervise pursuant to the Dodd-Frank Act, the Board is to collect assessments, fees, or other charges equal to the expenses the Board estimates are necessary or appropriate to carry out its supervisory and regulatory responsibilities. To address this requirement, the Board’s notice of proposed rulemaking for comment on the assessments, fees, and other charges was published in the April 18, 2013, Federal Register. The September 26, 2013, report noted that the rulemaking for the collection of supervisory assessments by the Board was finalized. In its written response to the September 26, 2013, report, the Board stated that it agreed with the IGs’ conclusions regarding the assessments, fees, and other charges required pursuant to the Dodd-Frank Act.
Audit of the Financial Stability Oversight Council's Designation of Financial Market Utilities: Report to the Financial Stability Oversight Council and the Congress
Prepared by the Council of Inspectors General on
Financial Oversight
July 2013
In 2013, our office participated in a working group convened by CIGFO to examine the rules, procedures, and practices established by FSOC and its member agencies to designate financial market utilities (FMUs) as systemically important and therefore subject to the requirements of title VIII of the Dodd-Frank Act. In addition, the working group made inquiries regarding FSOC’s processes to designate payment, clearing, and settlement activities conducted by financial institutions as systemically important.
The working group determined that FSOC carried out the designation activities as established in title VIII. FSOC created the Designations of Financial Market Utilities and Payment, Clearing, and Settlement Activities Committee, which carried out its activities in the designation process as intended by FSOC.
During the designation process, FSOC did not consider for designation foreign-based FMUs; retail FMUs; or payment, clearing, and settlement activities conducted by financial institutions. The working group was told that FSOC continues to consider designating foreign-based FMUs and payment, clearing, and settlement activities.
The working group made several recommendations regarding establishing a formal structure for the FMU committee; determining a course of action for foreign-based FMUs; continuing discussion of the process and rules regarding possible future designation of payment, clearing, and settlement activities; defining parameters for updates on designated FMUs from their respective regulators; and establishing a timeline for periodic reviews of nondesignated FMUs that may subsequently be designated as systemically important. The working group considered FSOC’s response and planned actions regarding the recommendations to be responsive.
Work in Progress
Review of the Federal Reserve's Supervisory Activities Related to the Loss at JPMorgan Chase & Co.'s Chief Investment Office
We continued fieldwork for our evaluation of the Federal Reserve’s supervisory activities related to the multibillion-dollar loss at JPMorgan Chase’s Chief Investment Office. Our objectives for this evaluation are to (1) assess the effectiveness of the Board’s and the Federal Reserve Bank of New York’s consolidated and other supervisory activities regarding JPMorgan Chase’s Chief Investment Office and (2) identify lessons learned for enhancing future supervisory activities.
Audit of the Board's Information Security Program
During this reporting period, we began our annual audit of the Board’s information security program and practices. This audit is being performed pursuant to FISMA, which requires each agency IG to conduct an annual independent evaluation of the agency’s information security program and practices. Our specific audit objectives are to evaluate the effectiveness of security controls and techniques for selected information systems and to evaluate compliance by the Board with FISMA and related information security policies, procedures, standards, and guidelines provided by the National Institute of Standards and Technology (NIST), OMB, and the Department of Homeland Security. In accordance with reporting requirements, our FISMA review includes an analysis of the Board’s security-related processes in the following areas: risk management, continuous monitoring management, plan of action and milestones, identity and access management, remote access management, configuration management, security training, contractor systems, contingency planning, incident response and reporting, and security capital planning. We expect to complete this project and issue our final report in the next reporting period.
Audit of the Board's Cost Estimates Associated with the Martin Building Construction and Renovation Project
We initiated an audit to assess how the estimated costs for the Martin Building construction and renovation project were determined and how these costs will be managed within the Board’s strategic framework. The Board’s strategic framework for the period 2012–2015 identified that upgrades to the Martin Building’s physical infrastructure were necessary to ensure that the work environment is safe, secure, and modern and to reduce utility consumption and expenses. A comprehensive renovation of the Martin Building, including the construction of a conference center and a visitors’ center, will address these concerns and will require significant capital investments. The importance of the Martin Building project specifically and the overall need to achieve significant cost savings throughout the Board are critical components of the Board’s strategic framework. We expect to complete this review and issue our final report in the next reporting period.
Inspection of the Board's Law Enforcement Unit
The OIG is required by the Uniform Regulations for Federal Reserve Law Enforcement Officers to periodically inspect the Board’s LEU. Our objective for this inspection is to assess compliance with the Uniform Regulations for Federal Reserve Law Enforcement Officers, Board and LEU internal policies and procedures, and applicable laws. The USA Patriot Act of 2001 granted the Board certain federal law enforcement authorities. To implement these authorities, the Board promulgated the Uniform Regulations for Federal Reserve Law Enforcement Officers in 2002. The regulations designated the Board’s OIG as the external oversight function responsible for reviewing and evaluating the Board’s law enforcement programs and operations, and we are conducting this inspection as part of our external oversight responsibilities. We completed our fieldwork during this reporting period, and we expect to issue our report during the next reporting period.
Evaluation of the Operational Components of the Board's Law Enforcement Unit
We initiated an evaluation of the operational components of the Board’s LEU. The LEU safeguards most Board-designated property and personnel 24 hours a day, 7 days a week. In the Board’s strategic framework for the next three years, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, the Board’s Management Division, which includes the LEU, has linked its objectives to the strategic framework and is working to identify opportunities for potential cost savings and to improve operational efficiencies. Our objective for this evaluation is to assess the economy and efficiency of the LEU, including the various operational components within the organization. During the evaluation, we will consider the LEU’s cost-reduction efforts already in process, assess the use of staffing models (e.g., roles and responsibilities and staff resources), and identify potential enhancements to LEU operations that may more effectively use security technology.
Audit of the Provisioning of Information Technology Services across Board Divisions
We completed fieldwork and have briefed Board management on an audit of the Board’s IT services. Our audit objectives are to identify (1) how IT services are provided across the organization and (2) the potential to enhance operational efficiencies. In the Board’s strategic framework for the next three years, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, Board divisions have linked their objectives to the strategic framework and are working to identify opportunities for potential cost savings and improved operational efficiencies. We expect to issue our final report in the next reporting period.
Development of a Comprehensive Audit Plan of the Board's Functions and Operations
The OIG has initiated a planning effort for audits and evaluations that includes reviewing aspects of the Board’s operations to identify an audit universe of core functions at the organization, division, and office levels. Our risk-based planning activities are designed to allow us to target our independent oversight of those programs and operations to which we can add value by providing timely products and services that will produce positive, measurable results. This analysis will facilitate the scheduling of projects to be undertaken in 2014 and the development of a multiyear general plan for subsequent years.
Audit of the Board of Governors of the Federal Reserve System Financial Statements as of and for the Years Ending December 31, 2013, and 2012
We contract for an independent public accounting firm to annually perform an integrated audit of the Board’s financial statements. The accounting firm performs the audit in accordance with generally accepted government auditing standards and expresses an opinion on the Board’s financial statements. In addition, as part of the integrated audit, and in accordance with the auditing standards of the Public Company Accounting Oversight Board, the independent auditors perform an audit of the effectiveness of internal controls over financial reporting and express an opinion on these controls. The audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements, evaluating the appropriateness of the accounting principles used and the reasonableness of significant estimates made by management, as well as evaluating the overall financial statement presentation. The audit also involves obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control. We oversee the activities of the independent public accounting firm to ensure compliance with generally accepted government auditing standards and Public Company Accounting Oversight Board auditing standards related to internal controls over financial reporting.
In accordance with generally accepted government auditing standards, the independent auditors also will perform tests of the Board’s compliance with certain provisions of laws and regulations, since noncompliance with these provisions could have a direct and material effect on the determination of the financial statement amounts. The independent auditors’ reports will be issued in the next semiannual reporting period.
Audit of the Federal Financial Institutions Examination Council Financial Statements as of and for the Years Ending December 31, 2013, and 2012
The Board performs the accounting function for the FFIEC, and we contract for an independent public accounting firm to annually audit the FFIEC’s financial statements. The accounting firm performs the audit in accordance with generally accepted government auditing standards and expresses an opinion on the FFIEC’s financial statements. The audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The audit also includes an evaluation of the appropriateness of accounting principles used and significant accounting estimates made by management, as well as an evaluation of the overall financial statement presentation. We oversee the activities of the independent public accounting firm to ensure compliance with generally accepted government auditing standards.
In accordance with generally accepted government auditing standards, the independent auditors also will consider the FFIEC’s internal controls over financial reporting and will perform tests of the FFIEC’s compliance with certain provisions of laws and regulations, since noncompliance with these provisions could have a direct and material effect on the determination of the financial statement amounts. The independent auditors’ reports will be issued in the next semiannual reporting period.
Evaluation of the Board's Policies, Procedures, and Practices Associated with Agency-Sponsored Conferences
We initiated an evaluation of the Board’s conference-related activities. The objectives of our evaluation focus on determining the controls, policies, procedures, and practices associated with conferences. The review is limited to conference activities sponsored by the Board. We plan to issue our report during the next semiannual reporting period.
Evaluation of the Board's Corporate Services
The OIG is conducting an evaluation of the Board’s corporate services function to determine the extent to which Board staff use such services and to identify potential economies and efficiencies. We completed fieldwork for the mail services section of the corporate services evaluation, and we are continuing with the evaluation of the motor transport and print shop services. In the Board’s strategic framework for the next three years, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, Board divisions, such as the Management Division, have linked their objectives to the strategic framework and are working to identify opportunities for potential cost savings and to improve operational efficiencies. We expect to complete our evaluation during the next semiannual reporting period.
Evaluation of Enforcement Actions against Institution-Affiliated Parties
In 2013, the OIGs for the Board, the FDIC, and the OCC initiated a joint evaluation of the processes for initiating enforcement actions and professional liability claims against institution-affiliated parties of failed institutions. Our objectives are to (1) describe the process for initiating enforcement actions against institution-affiliated parties for state member banks, (2) report the results of the Board’s efforts in investigating and pursing enforcement actions against institution-affiliated parties with a focus on individuals associated with failed state member banks, and (3) identify key factors that may impact the pursuit of enforcement actions against institution-affiliated parties.
Evaluation of the Board's Oversight of Mortgage Servicing Enforcement Actions and Settlement Agreements
We are conducting an evaluation of the Board’s oversight of a settlement with mortgage servicers for alleged deficient mortgage foreclosure practices. In January 2013, the Board and the OCC announced a settlement with mortgage servicers to compensate borrowers who were potentially harmed. The settlement covers borrowers who had a mortgage on their primary residence that was in any stage of foreclosure in 2009 or 2010 and that was serviced by one of the participating servicers. The settlement required mortgage servicers to slot the borrowers into various categories based on possible harm. The Board and the OCC associated payment amounts with each category. The amounts range from $300 to $125,000. A paying agent was hired by the servicers to mail checks, totaling about $3.6 billion, to approximately 4.2 million borrowers. Our objectives are to (1) evaluate the Board’s overall approach to oversight of the settlement, (2) determine the effectiveness of the Board’s oversight of the slotting process, and (3) determine the effectiveness of the Board’s oversight of the payment process executed by the paying agent.
Audit of the Division of Reserve Bank Operations and Payment Systems' Oversight of Reserve Banks' Wholesale Financial Services
We initiated an audit of the Division of Reserve Bank Operations and Payment Systems’ (RBOPS’s) oversight of Reserve Banks’ wholesale financial services. Our objective is to assess the extent and effectiveness of RBOPS’s oversight of those services. Specifically, we will review how RBOPS assesses wholesale services against the standards defined in the Federal Reserve Policy on Payment System Risk to determine whether the payment and settlement systems incorporate (1) an appropriate risk-management framework and (2) the internationally accepted guidelines in their policies and procedures. We have completed the majority of our fieldwork, and we expect to issue our final report during the next semiannual reporting period.
Audit of the Division of Banking Supervision and Regulation's Validation Process for Models Used during the Annual Comprehensive Capital Analysis and Review
We are conducting an audit of BS&R’s model risk-management processes for the supervisory models used in support of the annual Comprehensive Capital Analysis and Review (CCAR). CCAR is an annual exercise by the Federal Reserve System to ensure that institutions have robust, forward-looking capital planning processes that account for their unique risks and that they have sufficient capital to continue operations throughout times of economic and financial stress. CCAR includes a supervisory stress test to support the Federal Reserve System’s analysis of the adequacy of the firms’ capital. Our review assesses the overall effectiveness of the model risk-management framework pertaining to the supervisory models, including a wide spectrum of current model risk-management practices and the related policies and procedures. The objectives of our audit are to (1) assess the extent to which the Federal Reserve System’s model risk-management procedures for CCAR stress-testing supervisory models are consistent with Supervision and Regulation Letter 11-7 on model risk management and (2) assess whether the model risk-management practices are consistent with internal policies and procedures.
Audit of the Relocation of the Board's Data Center
We have been conducting an audit of the Board’s relocation of its data center. The relocation of the data center is a multiyear project that is planned to be completed in 2015. We are monitoring the project and will issue reports at key points. Our objectives during the initial audit are to obtain information and gain an understanding of the project’s scope, cost, and schedule. We plan to issue an interim report in the next semiannual reporting period.
Security Control Review of the E2 Solutions Travel System
During this reporting period, we initiated a security control review of the E2 Solutions Travel System. E2 Solutions Travel System is a web-based, end-to-end travel management system to plan, authorize, arrange, process, and manage official federal travel. This application is listed on the Board’s FISMA inventory as a third-party system. Our objectives are to (1) evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure and (2) assess compliance with Board Information Security Program and FISMA requirements. We expect to complete the review and issue our final report during the next semiannual reporting period.
Audit of the Board's STAR Modernization Project
We are conducting an audit of the STAR modernization project. STAR is the central computer application used by the statistics function at the Federal Reserve Banks and the Board to collect and edit over 75 periodic statistical reports from financial institutions. Our audit focuses on the adequacy and internal controls of the development process for the new system, including the cost and schedule. In addition, we are assessing how security controls are being built into the system. We expect to complete this project and issue our final report in the next reporting period.
Audit of the Board's Information Technology Contingency Planning and Continuity of Operations Program
We are conducting an audit of the Board’s IT contingency planning and its continuity of operations program. Our audit focuses on determining whether the Board’s program is consistent with federal guidelines, and we are reviewing how the Board’s contingency planning and its continuity of operations program provide a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. In addition, we are reviewing the cost of maintaining the Board’s IT continuity of operations program to identify cost savings and opportunities to enhance efficiencies. We plan to issue an interim report in the next semiannual reporting period.
Response to a Congressional Request Regarding the Board's Compliance with Federal Requirements for Addressing Climate Change
We received a letter from the co-chairs of the Bicameral Task Force on Climate Change regarding the actions taken by the Board in response to climate change. In the letter, the task force requested the identification of existing requirements in legislation, regulation, executive order, and other directives that apply to the Board and our assessment of how the Board is meeting these requirements. The task force also requested the identification of the Board’s authorities to reduce emissions of heat-trapping pollution and to make the nation more resilient to the effects of climate change. During this reporting period, we provided an initial reply to the task force, noting that we had requested that the Board’s General Counsel determine the federal requirements that apply to both components of the request. We have completed our assessment of the Board’s response and will issue a final response during the next reporting period.
Table 1: Audit, Inspection, and Evaluation Reports Issued to the Board during the Reporting Period
| Title | Type of report |
|
Total number of audit reports: 4 Total number of inspection and evaluation reports: 3 |
|
| Information technology audits | |
| Security Control Review of the Board’s National Examination Database System (nonpublic report) | Audit |
| Security Control Review of a Third-party Commercial Data Exchange Service Used by the Board’s Division of Banking Supervision and Regulation (nonpublic report) | Audit |
| Program audits, inspections, and evaluations | |
| Board Should Enhance Compliance with Small Entity Compliance Guide Requirements Contained in the Small Business Regulatory Enforcement Fairness Act of 1996 | Evaluation |
| Board Should Strengthen Controls over the Handling of the Federal Open Market Committee Meeting Minutes | Audit |
| The Board Can Benefit from Implementing an Agency-Wide Process for Maintaining and Monitoring Administrative Internal Control | Audit |
| Status of the Transfer of Office of Thrift Supervision Functions | Evaluation |
| The Board Should Improve Procedures for Preparing for and Responding to Emergency Events | Evaluation |
Table 2: Audit, Inspection, and Evaluation Reports Issued to the Board with Questioned Costs during the Reporting Perioda
| Reports | Number | Dollar value |
|
a.Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable. Return to text |
||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i)dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii)dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 3: Audit, Inspection, and Evaluation Reports Issued to the Board with Recommendations That Funds Be Put to Better Use during the Reporting Perioda
| Reports | Number | Dollar value |
|
a.See note to table 2. |
||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i)dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii)dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 4: OIG Reports to the Board with Recommendations That Were Open during the Reporting Perioda
| Report title | Issuedate | Recommendations | Status of recommendations | ||||
| No. | Mgmt.agrees | Mgmt.disagrees | Lastfollow-update | Closed | Open | ||
| Evaluation of Service Credit Computations | 08/05 | 3 | 3 | – | 09/13 | 2 | 1 |
| Security Control Review of the FISMA Assets Maintained by the Federal Reserve Bank of Boston (nonpublic report) | 09/08 | 11 | 11 | – | 09/11 | 10 | 1 |
| Evaluation of Data Flows for Board Employee Data Received by Office of Employee Benefits and Its Contractors (nonpublic report) | 09/08 | 2 | 2 | – | 03/11 | 1 | 1 |
| Security Control Review of the Audit Logging Provided by the Information Technology General Support System (nonpublic report) | 03/09 | 4 | 4 | – | 09/13 | 4 | – |
| Security Control Review of the Lotus Notes and Lotus Domino Infrastructure (nonpublic report) | 06/10 | 10 | 10 | – | 09/13 | 10 | – |
| Security Control Review of the Internet Electronic Submission System (nonpublic report) | 12/10 | 6 | 6 | – | 03/13 | 3 | 3 |
| Response to a Congressional Request Regarding the Economic Analysis Associated with Specified Rulemakings | 06/11 | 2 | 2 | – | – | – | 2 |
| Review of the Failure of Pierce Commercial Bank | 09/11 | 2 | 2 | – | 09/13 | 1 | 1 |
| Security Control Review of the Visitor Registration System (nonpublic report) | 09/11 | 10 | 10 | – | 07/13 | 4 | 6 |
| Summary Analysis of Failed Bank Reviews | 09/11 | 3 | 3 | – | 03/13 | 2 | 1 |
| Evaluation of Prompt Regulatory Action Implementation | 09/11 | 1b | 1 | – | – | – | 1 |
| Audit of the Board’s Information Security Program | 11/11 | 1 | 1 | – | 11/12 | – | 1 |
| Review of RBOPS’ Oversight of the Next Generation $100 Note | 01/12 | 2 | 2 | – | – | – | 2 |
| Security Control Review of the National Remote Access Services System (nonpublic report) | 03/12 | 8 | 8 | – | 09/13 | 7 | 1 |
| Material Loss Review of the Bank of the Commonwealth | 04/12 | 4 | 4 | – | 03/13 | 3 | 1 |
| Security Control Review of the Board’s Public Website (nonpublic report) | 04/12 | 12 | 12 | – | – | – | 12 |
| Review of the Unauthorized Disclosure of a Confidential Staff Draft of the Volcker Rule Notice of Proposed Rulemaking | 07/12 | 3 | 3 | – | – | – | 3 |
| Security Control Review of the Federal Reserve Bank of Richmond’s Lotus Notes Systems Supporting the Board’s Division of Banking Supervision and Regulation (nonpublic report) | 08/12 | 9 | 9 | – | – | – | 9 |
| Audit of the Small Community Bank Examination Process | 08/12 | 1 | 1 | – | – | – | 1 |
| Audit of the Board’s Government Travel Card Program | 09/12 | 4 | 4 | – | – | – | 4 |
| Audit of the Board’s Actions to Analyze Mortgage Foreclosure Processing Risks | 09/12 | 2 | 2 | – | – | – | 2 |
| Security Control Review of the Aon Hewitt Employee Benefits System (nonpublic report) | 09/12 | 8 | 8 | – | – | – | 8 |
| 2012 Audit of the Board’s Information Security Program | 11/12 | 2 | 2 | – | – | – | 2 |
| Security Control Review of Contingency Planning Controls for the Information Technology General Support System (nonpublic report) | 12/12 | 5 | 5 | – | – | – | 5 |
| Review of the Failure of Bank of Whitman | 03/13 | 1 | 1 | – | – | – | 1 |
| Controls over the Board’s Purchase Card Program Can Be Strengthened | 03/13 | 3 | 3 | – | – | – | 3 |
| Board Should Enhance Compliance with Small Entity Compliance Guide Requirements Contained in the Small Business Regulatory Enforcement Fairness Act of 1996 | 07/13 | 2 | 2 | – | – | – | 2 |
| Security Control Review of the Board’s National Examination Database System (nonpublic report) | 07/13 | 4 | 4 | – | – | – | 4 |
| Security Control Review of a Third-party Commercial Data Exchange Service Used by the Board’s Division of Banking Supervision and Regulation (nonpublic report) | 08/13 | 11 | 11 | – | – | – | 11 |
| Board Should Strengthen Controls over the Handling of the Federal Open Market Committee Meeting Minutes | 08/13 | 4 | 4 | – | – | – | 4 |
| The Board Can Benefit from Implementing an Agency-Wide Process for Maintaining and Monitoring Administrative Internal Control | 09/13 | 1 | 1 | – | – | – | 1 |
| The Board Should Improve Procedures for Preparing for and Responding to Emergency Events | 09/13 | 7 | 7 | – | – | – | 7 |
|
a. A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision. b. This recommendation was directed jointly to the OCC, the FDIC, and the Board.Return to text |
|||||||
Consumer Financial Protection Bureau
Completed Projects
The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity
OIG Report No. 2013-AE-C-017
September 30, 2013
Our objective for this audit was to determine the effectiveness of the CFPB’s internal controls for its GTC program. Specifically, we assessed compliance with policies and procedures and whether internal controls were designed and operating effectively to prevent and detect fraudulent or unauthorized use of travel cards and to provide reasonable assurance that cards are properly issued, monitored, and closed out.
Through its GTC program, the CFPB provides its employees with the necessary resources to arrange and pay for official business travel and other travel-related expenses and to receive reimbursements for authorized expenses. The CFPB’s Travel and Relocation Office within the Office of the Chief Financial Officer oversees the GTC program. In fiscal year 2012, the CFPB spent more than $10 million, or about 3 percent of its incurred expenses, on travel. As of April 30, 2013, the CFPB had 743 active cardholder accounts.
We found that internal controls for the CFPB GTC program should be strengthened to ensure program integrity. While controls over the GTC issuance process were designed and operating effectively, controls are not designed or operating effectively to (1) prevent and detect fraudulent or unauthorized use of GTCs and (2) provide reasonable assurance that cards are properly monitored and closed out. Specifically, the OIG found the following:
- Cardholders charged approximately $1,880 in unauthorized transactions on their GTCs.
- Cardholders claimed and received reimbursement for $320 in unallowable laundry and dry-cleaning transactions and $324 in potentially unallowable transactions for lodging and meals and incidental expenses.
- The Travel and Relocation Office did not ensure that cardholders could not exceed their daily cash-advance limit.
- The Travel and Relocation Office did not ensure that GTC accounts for separated employees were closed in a timely manner.
- The Travel and Relocation Office did not approve travel vouchers in a timely manner and send past-due account notifications to cardholders, their supervisors, the Chief Financial Officer, and the Office of Human Capital, as appropriate.
- The Travel and Relocation Office, cardholders, and cardholders’ supervisors did not properly submit or approve Travel Approval Forms and travel authorizations.
The results of our findings based on sample testing cannot be projected to the entire population because we did not use statistical sampling. Total noncompliance may be greater than our results indicate.
We made 14 recommendations designed to assist the CFPB in strengthening its internal controls over the GTC program. Management concurred with our recommendations and is planning to take actions to implement them.
Opportunities Exist for the CFPB to Strengthen Compliance with Its Purchase Card Policies and Procedures
OIG Report No. 2013-AE-C-015
September 30, 2013
The OIG conducted an audit to assess whether the controls for the CFPB’s purchase card program were adequate to (1) ensure that purchase card use is appropriate and in compliance with applicable laws, regulations, and the CFPB’s policies and procedures and (2) prevent and detect improper or fraudulent use of purchase cards.
To streamline the acquisition process for qualifying purchases, the CFPB participates in the General Services Administration’s SmartPay2 program through a task order with Treasury’s master contract with Citibank. Within Treasury, the Bureau of Public Debt’s Administrative Resource Center provides purchase card administrative services and acts as the liaison between the CFPB and Citibank. The CFPB is operating under the Bureau of Public Debt’s 2011 Government Purchase Card Procedures and the CFPB’s Purchase Card Guides for the Mobile Workforce and Flagship Cardholders until internal purchase card policies and procedures are finalized.
We found that internal controls for the CFPB’s purchase card program are adequate and operating effectively to ensure that the program is generally in compliance with applicable laws, regulations, and the CFPB’s policies and procedures and to prevent and detect improper or fraudulent use of purchase cards. We did note, however, the following instances of noncompliance with applicable policies and procedures:
- Cardholders, including some who had separated, were missing purchase card files or missing supporting documentation in their purchase card files.
- Cardholders paid sales taxes.
- Cardholders did not document the reason for using convenience checks, and one cardholder improperly used a convenience check instead of a purchase card.
- Cardholders did not document the reason for purchases that had the appearance of split transactions.
We made two recommendations designed to ensure that purchase cardholders and agency program coordinators exercise appropriate internal controls to ensure the integrity of the purchase card program. Management concurred with our recommendations and has initiated steps to implement them.
Opportunities Exist to Enhance the CFPB's Policies, Procedures, and Monitoring Activities for Conferences
OIG Report No. 2013-AE-C-011
August 26, 2013
We evaluated the CFPB’s management controls, including its policies, procedures, and practices, associated with the agency’s sponsored and nonsponsored conferences. Additionally, we assessed whether the CFPB’s conference expenses and practices followed applicable policies and procedures.
The CFPB’s Chief Financial Officer formed an internal review team to assess the CFPB’s compliance with internal controls for conference-related activities. Subsequently, the CFPB implemented two conference-related policies in May 2012. The CFPB has four acquisition approaches through which to coordinate conferences: the Treasury Departmental Offices, the Bureau of Public Debt’s Administrative Resource Center, the CFPB’s Office of Procurement, and the use of purchase cards by CFPB offices.
We found that although the CFPB’s Policy for Conference/Meeting Planning and Attendance identified roles and responsibilities for conference coordination and approval, it did not adequately reflect the CFPB’s current process for conference activities in certain respects. For example, the policy does not define the individuals who are authorized to coordinate and approve conferences. In addition, the policy does not delineate the monetary thresholds used in selecting between two of the acquisition approaches and does not mention another of the approaches. In addition, we found that the policy does not include guidance on the expedited approval process for training requests that is provided in the CFPB’s Non-Academic External Training and Education Policy.
We did not identify any material discrepancies in our sample testing of conference expenses. However, sample testing did show that the CFPB’s Office of Human Capital has not consistently obtained conference and training certificates and affidavits from employees who attend conferences or training as required by the Non-Academic External Training and Education Policy. Inadequate recordkeeping and lack of reviews increase the risk that the CFPB could expend funds for conferences and training that employees do not attend or complete.
We recommended that the CFPB update its policies and procedures for conference activities to accurately reflect the agency’s current processes for conference coordination and approval, periodically review its conference policies and procedures and update them as needed, conduct monthly reviews to ensure the receipt of training certificates and affidavits, and follow up to obtain outstanding documentation. Management stated that it concurred with the process improvements included in our recommendations and has begun implementing specific aspects of the recommendations.
Work in Progress
Audit of the CFPB's Information Security Program
During this reporting period, we began our annual audit of the CFPB’s information security program and practices. This audit is being performed pursuant to FISMA, which requires each agency IG to conduct an annual independent evaluation of the agency’s information security program and practices. Our specific audit objectives are to evaluate the effectiveness of security controls and techniques for selected information systems and to evaluate compliance by the CFPB with FISMA and related information security policies, procedures, standards, and guidelines provided by NIST, OMB, and the Department of Homeland Security. In accordance with reporting requirements, our FISMA review includes an analysis of the CFPB’s security-related processes in the following areas: risk management, continuous monitoring management, plan of action and milestones, identity and access management, remote access management, configuration management, security training, contractor systems, contingency planning, incident response and reporting, and security capital planning. We expect to complete this project and issue our final report in the next reporting period.
Evaluation of the CFPB's Integration of Enforcement Attorneys into Examinations
We initiated an evaluation of the CFPB’s integration of enforcement attorneys into its examinations of banking and nonbanking institutions’ compliance with applicable consumer protection laws and regulations. Our objectives for this evaluation are to assess (1) the potential risks associated with this approach to conducting examinations and (2) the effectiveness of any safeguards that the CFPB has adopted to mitigate the potential risks associated with this examination approach. We expect to complete our review and issue our report during the next semiannual reporting period.
Audit of the CFPB's Cloud Computing Environment
During this reporting period, we began an audit of the CFPB’s cloud computing environment. We are reviewing actions taken by the CFPB to implement best practices stipulated in NIST guidance for implementing and managing cloud computing technologies. These actions include the CFPB’s processes to select cloud computing providers and the contract vehicles the CFPB has in place. The CFPB is also in the process of reevaluating its current cloud computing environment and associated contracts. As the CFPB continues to establish its IT infrastructure, we are also reviewing the procurement processes used to select new cloud computing providers. Our audit will focus on internal controls and processes undertaken to ensure that information security controls are considered in the development process for the new environment. We expect to complete this project and issue our final report in the next reporting period.
Audit of a CFPB Cloud Provider
During this reporting period, we began a security control review of a third-party provider of the CFPB’s cloud environment. Our objectives are to (1) evaluate the adequacy of certain control techniques designed to protect data from unauthorized access, modification, destruction, or disclosure and (2) assess compliance with the CFPB’s security-related policies and FISMA requirements. We expect to complete the review and issue our final report during the next semiannual reporting period.
Evaluation of the CFPB's Compliance with Section 1100G of the Dodd-Frank Act
We are in the fieldwork stage of an evaluation to assess the CFPB’s compliance with section 1100G requirements of the Dodd-Frank Act. Section 1100G amends SBREFA and the Regulatory Flexibility Act to require the CFPB to assess a proposed rule’s economic impact and cost of credit for small entities. Among other requirements, the CFPB must perform a regulatory flexibility analysis that includes a description of (1) any projected increase in the cost of credit for small entities, (2) any significant alternatives to the proposed rule that accomplish the stated objectives of applicable statutes and that minimize any increase in the cost of credit for small entities, and (3) the advice and recommendations of representatives of small entities relating to issues associated with the projected increases or alternatives. We expect to complete our evaluation during the next semiannual reporting period.
Evaluation of the CFPB's Annual Budget Process
We completed our evaluation of the CFPB’s fiscal year 2013 budget formulation process and plan to issue our report before the end of the year. As an independent bureau within the Federal Reserve System, the CFPB is funded by the Federal Reserve System in amounts determined by the CFPB Director as necessary to carry out the agency’s operations, subject to limits established in the Dodd-Frank Act. Our objective for this review was to evaluate the extent to which the CFPB’s budget process facilitated the achievement of the agency’s goals and performance objectives, including transparency to the public.
Evaluation of the CFPB's Hiring Process
We initiated an evaluation of the CFPB’s hiring process. The objective of our evaluation is to assess the efficiency and effectiveness of three CFPB recruitment and selection subprocesses: (1) personnel assessment methodology and vacancy announcement creation, (2) hiring authority and vacancy announcement posting, and (3) evaluation and selection of candidates. We will also assess the agency’s compliance with applicable laws, regulations, and policies and its administration of recruitment and selection incentives to recruit new employees. We have completed our fieldwork and plan to issue our report during the next semiannual reporting period.
Audit of the CFPB's Activities under the Government Performance and Results Act
We initiated an audit of the CFPB’s initiatives under the Government Performance and Results Act (GPRA) and the GPRA Modernization Act, which are part of a legislative framework to instill performance-based management across federal government agencies. GPRA requires agencies to establish a management system to set agency goals for program performance and to measure results against those goals. Agencies must incorporate the performance management concepts of strategic planning and performance measurement into their planning and budgeting processes and issue associated performance plans and reports. The objectives of this audit are to assess the CFPB’s compliance with applicable sections of GPRA and the effectiveness of processes that address GPRA and GPRA Modernization Act requirements. We have initiated our fieldwork and plan to issue our report during the next semiannual reporting period.
Development of a Comprehensive Audit Plan of the CFPB's Programs and Operations
The OIG has initiated a planning effort for audits and evaluations that includes reviewing aspects of the CFPB’s operations to identify an audit universe of core functions at the agency, division, and office levels. Our risk-based planning activities are designed to allow us to target our independent oversight on those programs and operations to which we can add value by providing timely products and services that will produce positive, measurable results. This analysis will facilitate the scheduling of projects to be undertaken in 2014 and the development of a multiyear general plan for subsequent planning years.
Audit of the CFPB's Civil Penalty Fund
We initiated an audit of the CFPB’s Civil Penalty Fund. Our audit will focus on determining whether the controls surrounding the eventual use of Civil Penalty Fund monies ensure that the CFPB is complying with applicable statutory, regulatory, and other appropriate criteria. As part of the audit, we are conducting an initial scoping effort to establish specific objectives, scope, and methodology. The Dodd-Frank Act established a Civil Penalty Fund for civil penalties obtained by the CFPB in judicial or administrative actions (including enforcement actions) under the federal consumer financial laws. Amounts in the Civil Penalty Fund are available to the CFPB, without fiscal year limitation, for payments to the victims of activities for which civil penalties have been imposed under federal consumer financial law. If victims cannot be located or such payments are otherwise not practicable, the CFPB may use Civil Penalty Fund monies for the purpose of consumer education and financial literacy programs. On May 30, 2013, the CFPB allocated $10.5 million to compensate victims in two cases where civil penalties were obtained from July 11, 2011, through March 31, 2013, and $13.4 million for consumer education and financial literacy programs. While the CFPB made these allocations on May 30, 2013, as of August 2013, the agency had not paid victims in these cases or contractors to administer consumer education and financial literacy programs. We expect to complete this audit during the next semiannual reporting period.
Evaluation of the CFPB's Supervision Program
We initiated an evaluation of the CFPB’s supervision program for large depository institutions and nondepository consumer financial service companies. Based on the authority granted by the Dodd-Frank Act, the CFPB began examinations of large depository institutions on July 21, 2011, and of nondepository consumer financial service companies on January 5, 2012. The objectives of our evaluation are to (1) review key program elements, including policies and procedures, examination guidance, and controls to promote consistent and timely reporting; (2) assess the approach for staffing examinations; and (3) assess the training program for examination staff. We are in the process of completing our fieldwork and plan to issue our report during the next semiannual reporting period.
Response to a Congressional Request Regarding the CFPB's Compliance with Federal Requirements for Addressing Climate Change
We received a letter from the co-chairs of the Bicameral Task Force on Climate Change regarding actions taken in response to climate change by the agencies that we oversee. As the independent oversight entity for the CFPB, we provided an initial reply to the task force during this reporting period, noting that we had requested that the CFPB’s General Counsel determine the federal requirements that apply as well as the CFPB’s authorities to reduce emissions of heat-trapping pollution. We have completed our assessment of the CFPB’s response and will issue a final response during the next reporting period.
Table 5: Audit, Inspection, and Evaluation Reports Issued to the CFPB during the Reporting Period
| Title | Type of report |
|
Total number of audit reports: 2 Total number of inspection and evaluation reports: 1 |
|
| Program audits, inspections, and evaluations | |
| Opportunities Exist to Enhance the CFPB’s Policies, Procedures, and Monitoring Activities for Conferences | Evaluation |
| The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity | Audit |
| Opportunities Exist for the CFPB to Strengthen Compliance with Its Purchase Card Policies and Procedures | Audit |
Table 6: Audit, Inspection, and Evaluation Reports Issued to the CFPB with Questioned Costs during the Reporting Perioda
| Reports | Number | Dollar value |
|
a. Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable. Return to text |
||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i)dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii)dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 7: Audit, Inspection, and Evaluation Reports Issued to the CFPB with Recommendations That Funds Be Put to Better Use during the Reporting Perioda
| Reports | Number | Dollar value |
| a.See note to table 6. | ||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i)dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii)dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 8: OIG Reports to the CFPB with Recommendations That Were Open during the Reporting Perioda
| Report title | Issuedate | Recommendations | Status of recommendations | ||||
| No. | Mgmt.agrees | Mgmt.disagrees | Lastfollow-update | Closed | Open | ||
|
a. A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision. Return to text |
|||||||
| Evaluation of the Consumer Financial Protection Bureau’s Consumer Response Unit | 09/12 | 5 | 5 | – | 08/13 | 3 | 2 |
| 2012 Audit of the Consumer Financial Protection Bureau’s Information Security Program | 11/12 | 3 | 3 | – | – | – | 3 |
| Security Control Review of the Consumer Financial Protection Bureau’s Consumer Response System (nonpublic report) | 03/13 | 9 | 9 | – | – | – | 9 |
| CFPB Contract Solicitation and Selection Processes Facilitate FAR Compliance, but Opportunities Exist to Strengthen Internal Controls | 03/13 | 3 | 3 | – | – | – | 3 |
| Opportunities Exist to Enhance the CFPB’s Policies, Procedures, and Monitoring Activities for Conferences | 08/13 | 4 | 4 | – | – | – | 4 |
| The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity | 09/13 | 14 | 14 | – | – | – | 14 |
| Opportunities Exist for the CFPB to Strengthen Compliance with Its Purchase Card Policies and Procedures | 09/13 | 2 | 2 | – | – | – | 2 |
