Audits, Evaluations, and Inspections
Audits assess aspects of the economy, efficiency, and effectiveness of Board and CFPB programs and operations. For example, the OIG oversees audits of the Board’s financial statements, and it conducts audits of (1) the efficiency and effectiveness of the Board’s and the CFPB’s processes and internal controls over their programs and operations; (2) the adequacy of controls and security measures governing these agencies’ financial and management information systems and the safeguarding of assets and sensitive information; and (3) compliance with applicable laws and regulations related to agency financial, administrative, and program operations. OIG audits are performed in accordance with the Government Auditing Standards established by the Comptroller General of the United States.
Inspections and evaluations include program evaluations and legislatively mandated reviews of failed financial institutions supervised by the Board. Inspections are often narrowly focused on a particular issue or topic and provide time-critical analysis that cuts across functions and organizations. In contrast, evaluations are generally focused on a specific program or function and may make extensive use of statistical and quantitative analytical techniques. OIG inspections and evaluations are performed according to the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency (CIGIE).
The information below summarizes OIG audit, evaluation, and inspection work completed during the reporting period and ongoing work that will continue into the next semiannual reporting period.
Board of Governors of the Federal Reserve System
Completed Projects
Opportunities Exist for the Board to Improve Recordkeeping, Cost Estimation, and Cost Management Processes for the Martin Building Construction and Renovation Project
OIG Report No. 2014-AE-B-007
March 31, 2014
We performed this audit because the Martin Building construction and renovation project requires a significant investment of resources, and it has been identified as a strategic theme in the Board’s strategic framework. Our objectives were to assess how the cost estimates for the project were determined and how costs will be managed within the Board’s strategic framework.
The Martin Building project comprises construction of a visitors’ center, construction of a conference center, and renovation of the Martin Building. The concept for the project began shortly after the events of September 11, 2001. Since the original concept was developed, the Martin Building project has gone through a lengthy design phase, primarily due to significant scope changes. These scope changes also resulted in the preparation of multiple estimates that were eventually consolidated into a single conceptual construction cost estimate of $179.9 million, which is one component of an overall estimated project cost of $280.4 million.
Our audit focused on the Martin Building project’s conceptual construction cost estimate that was available during our fieldwork. Conceptual cost estimates are typically used during initial planning and should be updated as scope and costs are clarified. Consistent with this practice, the Board’s architecture and engineering firm and construction administrator submitted updated estimates based on detailed project requirements in December 2013. These estimates were within the expected range of the conceptual cost estimate developed by the Martin Building project team.
Our audit identified opportunities for the Board to improve its recordkeeping, cost estimation, and cost management processes for the Martin Building project. Specifically, we found that the project team did not adequately maintain documentation supporting its conceptual construction cost estimate for the Martin Building project, and support was not available for several line items. We also found that the conceptual construction cost estimate contained errors and inconsistencies. In addition, the Board has not yet established a contractual stated cost limitation with the architecture and engineering firm and has not required the firm to submit cost-saving items to aid in cost management.
Actions that the Board has taken since 2011 to improve management of the Martin Building project include arranging for the preparation of an independent construction cost estimate; hiring additional personnel, including a senior project manager, with construction experience; dedicating a procurement staff member to the project; and acquiring a records management system. We made six recommendations to improve the Board’s cost estimation process and cost management and recordkeeping practices. The Board concurred with our recommendations and noted that it is taking actions to implement them.
Audit of the Board's Data Center Relocation
OIG Report No. 2014-IT-B-002
February 7, 2014
Our objective for this initial audit was to obtain information and gain an understanding of the scope, cost, and project schedule for the relocation of the Board’s data center. Overall, our audit determined that the Board is following a structured approach to planning the relocation of the data center, and Board staff are actively engaged in the planning and decisionmaking for the project. The Board has executed a memorandum of understanding with the Federal Reserve Bank of Richmond for the construction of the new data center and is maintaining a project management team and oversight group to monitor progress and risks.
We determined, however, that there are two areas for which additional actions by the Board are needed to keep the project progressing to meet requirements and remain on schedule. First, the Board has not reevaluated the overall funding for relocating the data center since initially approving the consultant’s cost projection of $201.5 million in June 2012 as the overall budget for the project. This figure was an initial estimate of project costs based on rough order of magnitude pricing used to analyze alternatives rather than a detailed budget for the project. Since the initial estimate, design changes have occurred. Second, the construction phase of the data center relocation project has an aggressive schedule with several identified risk areas; any delays in the data center project may impact the Martin Building renovation schedule.
We made two recommendations. The Board indicated that it agrees with our recommendations, and it outlined actions that have been taken, are underway, and are planned to address our recommendations. We intend to continue to monitor the Board’s data center relocation as the project continues through 2015.
2013 Audit of the Board's Information Security Program
OIG Report No. 2013-IT-B-019
November 14, 2013
To meet our annual FISMA reporting responsibilities, we reviewed the information security program and practices of the Board. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program. FISMA also requires each IG to conduct an annual independent evaluation of the agency’s information security program and practices.
Overall, we found that the Board’s Chief Information Officer is maintaining a FISMA-compliant approach to the Board’s information security program that is generally consistent with requirements established by NIST and the Office of Management and Budget.
The Board’s Information Security Officer continues to issue policies and procedures that include attributes identified within the U.S. Department of Homeland Security (DHS) reporting metrics. In our response to the 11 DHS reporting metrics for 2013, we found that the Board has effective programs in place that are consistent with FISMA requirements and that include attributes identified by DHS for plan of action and milestones, remote access management, identity and access management, contingency planning, configuration management, and security capital planning. We also found that the Board has programs in place that include attributes identified within the DHS reporting metrics for incident response and reporting, security training, and contractor systems; however, our report identifies opportunities for improvement within those areas. During the past year, the Information Security Officer has continued to make progress in implementing an enterprise IT risk management framework and a continuous monitoring program; however, additional steps are needed to fully implement programs that are consistent with FISMA requirements.
We made two recommendations related to tracking training for individuals with significant information security responsibilities and continuous monitoring. The Director of the Division of Information Technology, in her capacity as Chief Information Officer, agreed with our recommendations and stated that she intends to take immediate action to address each recommendation. In addition, we kept open our 2012 recommendations related to incident reporting and contractor systems and our 2011 recommendation related to risk management.
The Board's Law Enforcement Unit Could Benefit From Enhanced Oversight and Controls to Ensure Compliance With Applicable Regulations and Policies
OIG Report No. 2014-AE-B-006
March 28, 2014
The objective of this inspection was to assess the Law Enforcement Unit’s (LEU) compliance with Board and LEU internal policies, procedures, and applicable regulations. The Board’s General Orders and the Uniform Regulations for Federal Reserve Law Enforcement Officers cover qualifications and standards, jurisdiction, cross-designation, training, authority to carry firearms, use of force, arrest powers, execution of searches, plain-clothes operations, internal oversight, and external oversight. The Uniform Regulations for Federal Reserve Law Enforcement Officers requires each Federal Reserve System LEU to establish an internal oversight committee that will have inspection and evaluation responsibilities for the unit and designates the Board’s OIG to perform the external oversight function for the Board’s LEU.
We found that the LEU could benefit from enhanced oversight and controls to ensure compliance with applicable Board regulations and LEU policies and procedures. Specifically, we found that the Board’s internal oversight committee did not perform the required reviews of the LEU and that LEU management could not account for credentials and badges; did not confirm the assignment of credentials, badges, and firearms from inventory; and did not verify that instructors and officers met all training requirements. In addition, in some instances there was insufficient evidence that officers were eligible to possess firearms and understood the Use of Force Policy because the signed forms, which are required annually, were not available.
We made 10 recommendations designed to enhance the oversight of the LEU and improve the LEU’s programs and operations. Management concurred with our recommendations and noted that it is taking actions to implement them.
Opportunities Exist to Achieve Operational Efficiencies in the Board's Management of Information Technology Services
OIG Report No. 2014-IT-B-003
February 26, 2014
The Board’s strategic framework highlights achieving operational efficiencies and reducing costs as key priorities. In support of these strategic priorities, our audit objective was to determine how IT services are managed across Board divisions and identify areas where operational efficiencies could be achieved.
Overall, our audit determined that the Board does not track costs for IT services in a consistent manner, and the Board has not implemented consistent processes for applications development and help-desk services. In addition, we found that the Board’s efforts to develop an enterprise architecture have not included all technologies and services used across Board divisions. We made two recommendations and presented a matter for management’s consideration. The Board agreed with our recommendations and outlined actions that have been taken, are underway, or are planned to address our recommendations.
Response to a Congressional Request Regarding the Board's Compliance with Federal Requirements for Addressing Climate Change
October 29, 2013
The OIG responded to a letter from the co-chairs of the Bicameral Task Force on Climate Change regarding the Board’s response to climate change. The Task Force’s letter requests the identification of existing requirements in legislation, regulations, executive orders, and other directives that apply to the Board and our assessment of how the Board is meeting these requirements. The Task Force also requested an assessment of the Board’s authorities to reduce emissions of heat-trapping pollution and to make the nation more resilient to the effects of climate change.
The Board’s Legal Division is responsible for determining the federal climate change requirements to which the Board is subject. The Board’s response to the OIG’s inquiry stated that it is not legally required to comply with the provisions of the Energy Independence and Security Act of 2007, the Energy Policy Act of 2005, Executive Order 13514, or Executive Order 13423. Notwithstanding this determination, the Board’s response described several climate change initiatives it has voluntarily undertaken.
In our letter addressing the Task Force’s request, we summarized the Board’s response to our inquiry. We recognize the financial and environmental risks that climate change poses to the federal government, and we will consider additional reviews of the Board’s climate change initiatives during our annual planning process.
Board of Governors of the Federal Reserve System Financial Statements as of and for the Years Ended December 31, 2013 and 2012, and Independent Auditors' Reports
We contract with an independent public accounting firm to annually perform an audit to express an opinion on the fair presentation of the Board’s financial statements and an opinion on the effectiveness of the Board’s internal controls over financial reporting. The OIG oversees the activities of the contractor to ensure compliance with generally accepted government auditing standards and Public Company Accounting Oversight Board auditing standards related to internal controls over financial reporting. The audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluation of the overall financial statement presentation.
In the auditors’ opinion, the Board’s financial statements presented fairly, in all material respects, the financial position and the results of its operations and its cash flows as of December 31, 2013 and 2012, in conformity with U.S. generally accepted accounting principles. Also, in the auditors’ opinion the Board maintained, in all material respects, effective internal control over financial reporting as of December 31, 2013, based on the criteria established in Internal Control—Integrated Framework (1992) by the Committee of Sponsoring Organizations of the Treadway Commission.
As part of providing reasonable assurance that the financial statements are free of material misstatement, the auditors also performed tests of the Board’s compliance with certain provisions of laws and regulations that could have a direct and material effect on the determination of the financial statement amounts. The results of the auditors’ tests disclosed no instances of noncompliance that would be required to be reported under the Government Auditing Standards, issued by the Comptroller General of the United States.
Federal Financial Institutions Examination Council Financial Statements as of and for the Years Ended December 31, 2013 and 2012, and Independent Auditors' Reports
The Board performs the accounting function for the FFIEC, and we contract with an independent public accounting firm to annually audit the council’s financial statements to provide reasonable assurance that the financial statements are free of material misstatement. The OIG oversees the activities of the contractor to ensure compliance with generally accepted government auditing standards. The audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as an evaluation of the overall financial statement presentation.
To determine the auditing procedures necessary to express an opinion on the financial statements, the auditors considered the FFIEC’s internal controls over financial reporting. As part of providing reasonable assurance that the financial statements are free of material misstatement, the auditors also performed tests of the FFIEC’s compliance with certain laws and regulations that could have a direct and material effect on the determination of the financial statement amounts.
In the auditors’ opinion, the FFIEC’s financial statements presented fairly, in all material respects, the financial position, results of operations, and cash flows as of December 31, 2013 and 2012, in conformity with accounting principles generally accepted in the United States. The auditors noted no matters involving internal control over financial reporting that would be required to be reported under the Government Auditing Standards, issued by the Comptroller General of the United States. The results of the auditors’ tests disclosed no instances of noncompliance that would be required to be reported under the Government Auditing Standards.
Transfer of Office of Thrift Supervision Functions Is Completed
OIG Report No. 2014-AE-B-004
March 26, 2014
Title III of the Dodd-Frank Act established provisions for the transfer of authorities from the Office of Thrift Supervision to the OCC, the FDIC, and the Board within one year after the July 21, 2010, enactment date. Title III transferred to the Board, on July 21, 2011, the functions and rulemaking authority for consolidated supervision of savings and loan holding companies and their nondepository subsidiaries. The Dodd-Frank Act required that, within 180 days after its enactment, the Office of Thrift Supervision, the OCC, the FDIC, and the Board jointly submit a plan—the Joint Implementation Plan—to Congress and the IGs of Treasury, the FDIC, and the Board that detailed the steps each agency would take to implement the title III provisions. The Joint Implementation Plan was submitted to Congress and the IGs on January 25, 2011. The Dodd-Frank Act also required the IGs to determine whether the implementation plan conformed to the title III provisions. On March 28, 2011, the IGs jointly issued a report concluding that the actions described in the Joint Implementation Plan generally conformed to the provisions of title III.
Section 327 of title III requires the IGs to report on the status of the implementation of the Joint Implementation Plan every six months. The IGs have issued six status reports to date, the latest and final having been issued on March 26, 2014. This report concluded that all title III requirements have been met.
Work in Progress
Review of the Federal Reserve's Supervisory Activities Related to the Loss at JPMorgan Chase & Co.'s Chief Investment Office
We continued fieldwork for our evaluation of the Federal Reserve’s supervisory activities related to the multibillion-dollar loss at JPMorgan Chase & Co.’s Chief Investment Office. Our objectives for this evaluation are to (1) assess the effectiveness of the Board’s and the Federal Reserve Bank of New York’s consolidated and other supervisory activities regarding JPMorgan Chase & Co.’s Chief Investment Office and (2) identify lessons learned for enhancing future supervisory activities. We plan to issue this report in the next semiannual reporting period.
Audit of the Board's Information Technology Contingency Planning and Continuity of Operations Program
During this reporting period, we completed our fieldwork and briefed Board management on the cost of maintaining the Board’s IT continuity of operations program. In addition to identifying potential cost savings and opportunities to enhance efficiencies, our audit focuses on determining whether the Board’s program is consistent with federal guidelines and how the Board’s contingency planning and its continuity of operations program provide a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. We expect to issue our final report during the next semiannual reporting period.
Evaluation of the Operational Components of the Board's Law Enforcement Unit
We completed our evaluation of the operational components of the Board’s LEU and plan to issue the results of our evaluation during the next semiannual reporting period. The LEU safeguards most Board-designated property and personnel 24 hours a day, 7 days a week. In the Board’s 2012–2015 strategic framework, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, the Board’s Management Division, which includes the LEU, linked its program area objectives to the strategic framework and identified opportunities for potential cost savings and for operational efficiency improvement. We addressed our evaluation objective to assess the economy and efficiency of the LEU’s operational components by reviewing the LEU’s approach to identifying cost savings and opportunities for operational efficiencies. We plan to issue this report in the next semiannual reporting period.
Audit of the Relocation of the Board's Data Center
During this period, we initiated the next phase of our ongoing oversight of the Board’s relocation of its data center. The relocation of the data center is a multiyear project that is planned to be completed in 2015. We are monitoring the project and will issue reports at key points. Our objectives during the initial audit were to obtain information and gain an understanding of the project’s scope, cost, and schedule. We issued our first report on February 7, 2014, with recommendations related to monitoring costs and schedule. During this phase, we will follow up on recommendations from our initial audit and focus on the construction and equipment procurement process to ensure that the Board is implementing physical and environmental controls. We plan to issue this report in the next semiannual reporting period.
Evaluation of the Board's Policies, Procedures, and Practices Associated With Agency-Sponsored Conferences
We continued our evaluation of the Board’s conference-related activities. The objectives of our evaluation focus on determining the controls, policies, procedures, and practices associated with conferences. The review is limited to conference activities sponsored by the Board. We plan to issue this report during the next semiannual reporting period.
Evaluation of the Board's Corporate Services
We are conducting an evaluation of the Board’s corporate services function to determine the extent to which Board staff use such services and to identify potential efficiencies. We completed fieldwork for two sections of the corporate services evaluation: Mail Services and Motor Transport. In the Board’s 2012–2015 strategic framework, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, Board divisions, such as the Management Division, have linked their program area objectives to the strategic framework and are working to identify opportunities for potential cost savings and to improve operational efficiencies. We expect to report the results of our evaluation during the next semiannual reporting period.
Evaluation of Enforcement Actions Against Institution-Affiliated Parties
In 2013, the OIGs for the Board, the FDIC, and the OCC initiated a joint evaluation of the processes for initiating enforcement actions and professional liability claims against institution-affiliated parties of failed institutions. Our objectives are to (1) describe the process for initiating enforcement actions against institution-affiliated parties for state member banks, (2) report the results of the Board’s efforts in pursuing enforcement actions against institution-affiliated parties with a focus on individuals associated with failed state member banks, and (3) identify key factors that may impact the pursuit of enforcement actions against institution-affiliated parties. We have completed our fieldwork and expect to issue this report during the next semiannual reporting period.
Evaluation of the Board's Oversight of Mortgage Servicing Enforcement Actions and Settlement Agreements
We are conducting an evaluation of the Board’s oversight of a settlement with mortgage servicers for alleged deficient mortgage foreclosure practices. In January 2013, the Board and the OCC announced a settlement with mortgage servicers to compensate borrowers who were potentially harmed. The settlement covers borrowers who had a mortgage on their primary residence that was in any stage of foreclosure in 2009 or 2010 and that was serviced by one of the participating servicers. The settlement required mortgage servicers to slot the borrowers into various categories based on possible harm. The Board and the OCC assigned payment amounts to each category. The amounts range from $300 to $125,000. A paying agent was hired by the servicers to mail checks, totaling about $3.6 billion, to approximately 4.2 million borrowers. Our objectives are to (1) evaluate the Board’s overall approach to oversight of the settlement, (2) determine the effectiveness of the Board’s oversight of the slotting process, and (3) determine the effectiveness of the Board’s oversight of the payment process executed by the paying agent. We have completed our fieldwork and expect to issue our report during the next semiannual reporting period.
Audit of the Division of Reserve Bank Operations and Payment Systems' Oversight of Reserve Banks' Wholesale Financial Services
We initiated an audit of the Division of Reserve Bank Operations and Payment Systems’ (RBOPS) oversight of the Reserve Banks’ wholesale financial services. Our objective is to assess the extent and effectiveness of RBOPS’s oversight of those services. Specifically, we will review how RBOPS assesses wholesale services against the standards defined in the Federal Reserve Policy on Payment System Risk to determine whether the payment and settlement systems incorporate (1) an appropriate risk-management framework and (2) the internationally accepted guidelines in their policies and procedures. We have completed our fieldwork and expect to issue our report during the next semiannual reporting period.
Audit of the Board's Oversight of Federal Reserve Banks' Law Enforcement Units
The Uniform Regulations for Federal Reserve Law Enforcement Officers designated RBOPS as the external oversight function responsible for performing periodic reviews and evaluations of the Reserve Banks’ law enforcement programs and operations. Our objective is to assess the effectiveness of RBOPS’s reviews and evaluations in ensuring compliance with applicable laws, regulations, and policies. In addition, our audit aims to assess the overall impact of the oversight by reviewing the frequency and scope of RBOPS’s evaluations and its follow-up on evaluation recommendations.
Audit of the Division of Banking Supervision and Regulation's Validation Process for Models Used During the Annual Comprehensive Capital Analysis and Review
We are conducting an audit of the Division of Banking Supervision and Regulation’s (BS&R) model risk-management processes for the supervisory models used in support of the annual Comprehensive Capital Analysis and Review (CCAR). CCAR is an annual exercise by the Federal Reserve System to ensure that institutions have robust, forward-looking capital planning processes that account for their unique risks and that they have sufficient capital to continue operations throughout times of economic and financial stress. CCAR includes a supervisory stress test to support the Federal Reserve System’s analysis of the adequacy of the firms’ capital. Our review assesses the overall effectiveness of the model risk-management framework pertaining to the supervisory models, including a wide spectrum of current model risk-management practices and the related policies and procedures. The objectives of our audit are to (1) assess the extent to which the Federal Reserve System’s model risk-management procedures for CCAR stress-testing supervisory models are consistent with Supervision and Regulation Letter 11-7 on model risk management and (2) assess whether the model risk-management practices are consistent with internal policies and procedures.
Security Control Review of the E2 Solutions Travel Management System
During this reporting period, we completed our fieldwork and issued an early alert memorandum on December 20, 2013. The E2 Solutions Travel Management System is a web-based, end-to-end travel management system to plan, authorize, arrange, process, and manage official federal travel. This application is listed on the Board’s FISMA inventory as a third-party system. Our objectives are to (1) evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure and (2) assess compliance with Board information security program and FISMA requirements. We expect to issue our final report during the next semiannual reporting period.
Audit of the Board's STAR Modernization Project
We are conducting an audit of the STAR Modernization Project. STAR is the central computer application used by the statistics function at the Federal Reserve Banks and the Board to collect and edit over 75 periodic statistical reports from financial institutions. Through the STAR Modernization Project, the Board is upgrading the system hardware, software, and functionality. Our audit focuses on the adequacy and internal controls of the development process for the new system, including the cost and schedule. In addition, we are assessing how security controls are being built into the system. We plan to issue our final report in the next semiannual reporting period.
Audit of the Board's Information System Security Life Cycle Process
During this period, we initiated an audit of the Board’s information system security life cycle process. Our audit will focus on the Board’s processes to meet FISMA requirements for security categorization, testing, security plans, and accreditation of its information systems. In addition, we will review how the Board’s FISMA-related documents and review activities are compiled and maintained.
Table 1: Audit, Inspection, and Evaluation Reports Issued to the Board During the Reporting Period
| Title | Type of report |
|
Total number of audit reports: 6 Total number of inspection and evaluation reports: 2 Total number of letters to requestor: 1 |
|
| Information technology audits | |
| Opportunities Exist to Achieve Operational Efficiencies in the Board’s Management of Information Technology Services | Audit |
| Audit of the Board’s Data Center Relocation | Audit |
| 2013 Audit of the Board’s Information Security Program | Audit |
| Program audits, inspections, and evaluations | |
| Opportunities Exist for the Board to Improve Recordkeeping, Cost Estimation, and Cost Management Processes for the Martin Building Construction and Renovation Project | Audit |
| Board of Governors of the Federal Reserve System Financial Statements as of and for the Years Ended December 31, 2013 and 2012, and Independent Auditors’ Reports | Audit |
| Federal Financial Institutions Examination Council Financial Statements as of and for the Years Ended December 31, 2013 and 2012, and Independent Auditors’ Reports | Audit |
| The Board’s Law Enforcement Unit Could Benefit From Enhanced Oversight and Controls to Ensure Compliance With Applicable Regulations and Policies | Inspection |
| Transfer of Office of Thrift Supervision Functions Is Completed | Evaluation |
| Response to a Congressional Request Regarding the Board’s Compliance with Federal Requirements for Addressing Climate Change | Letter to requestor |
Table 2: Audit, Inspection, and Evaluation Reports Issued to the Board With Questioned Costs During the Reporting Perioda
| Reports | Number | Dollar value |
| a. Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable. | ||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 3: Audit, Inspection, and Evaluation Reports Issued to the Board With Recommendations That Funds Be Put to Better Use During the Reporting Perioda
| Reports | Number | Dollar value |
| a. Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable. | ||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 4: OIG Reports to the Board With Recommendations That Were Open During the Reporting Perioda
| Report title | Issue date | Recommendations | Status of recommendations | ||||
| No. | Mgmt. agrees | Mgmt. disagrees | Last follow-up date | Closed | Open | ||
|
a. A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision. b. This recommendation was directed jointly to the OCC, the FDIC, and the Board. |
|||||||
| Evaluation of Service Credit Computations | 08/05 | 3 | 3 | – | 09/13 | 2 | 1 |
| Security Control Review of the FISMA Assets Maintained by the Federal Reserve Bank of Boston (nonpublic report) | 09/08 | 11 | 11 | – | 02/14 | 11 | – |
| Evaluation of Data Flows for Board Employee Data Received by Office of Employee Benefits and Its Contractors (nonpublic report) | 09/08 | 2 | 2 | – | 02/14 | 1 | 1 |
| Security Control Review of the Internet Electronic Submission System (nonpublic report) | 12/10 | 6 | 6 | – | 03/13 | 3 | 3 |
| Response to a Congressional Request Regarding the Economic Analysis Associated with Specified Rulemakings | 06/11 | 2 | 2 | – | 03/14 | – | 2 |
| Review of the Failure of Pierce Commercial Bank | 09/11 | 2 | 2 | – | 03/14 | 1 | 1 |
| Security Control Review of the Visitor Registration System (nonpublic report) | 09/11 | 10 | 10 | – | 07/13 | 4 | 6 |
| Summary Analysis of Failed Bank Reviews | 09/11 | 3 | 3 | – | 03/14 | 3 | – |
| Evaluation of Prompt Regulatory Action Implementation | 09/11 | 1b | 1 | – | – | – | 1 |
| Audit of the Board’s Information Security Program | 11/11 | 1 | 1 | – | 11/13 | – | 1 |
| Review of RBOPS’ Oversight of the Next Generation $100 Note | 01/12 | 2 | 2 | – | – | – | 2 |
| Security Control Review of the National Remote Access Services System (nonpublic report) | 03/12 | 8 | 8 | – | 09/13 | 7 | 1 |
| Material Loss Review of the Bank of the Commonwealth | 04/12 | 4 | 4 | – | 03/14 | 3 | 1 |
| Security Control Review of the Board’s Public Website (nonpublic report) | 04/12 | 12 | 12 | – | – | – | 12 |
| Review of the Unauthorized Disclosure of a Confidential Staff Draft of the Volcker Rule Notice of Proposed Rulemaking | 07/12 | 3 | 3 | – | 03/14 | – | 3 |
| Security Control Review of the Federal Reserve Bank of Richmond’s Lotus Notes Systems Supporting the Board’s Division of Banking Supervision and Regulation (nonpublic report) | 08/12 | 9 | 9 | – | – | – | 9 |
| Audit of the Small Community Bank Examination Process | 08/12 | 1 | 1 | – | – | – | 1 |
| Audit of the Board’s Government Travel Card Program | 09/12 | 4 | 4 | – | – | – | 4 |
| Audit of the Board’s Actions to Analyze Mortgage Foreclosure Processing Risks | 09/12 | 2 | 2 | – | 03/14 | 1 | 1 |
| Security Control Review of the Aon Hewitt Employee Benefits System (nonpublic report) | 09/12 | 8 | 8 | – | – | – | 8 |
| 2012 Audit of the Board’s Information Security Program | 11/12 | 2 | 2 | – | 11/13 | – | 2 |
| Security Control Review of Contingency Planning Controls for the Information Technology General Support System (nonpublic report) | 12/12 | 5 | 5 | – | – | – | 5 |
| Review of the Failure of Bank of Whitman | 03/13 | 1 | 1 | – | 03/14 | – | 1 |
| Controls over the Board’s Purchase Card Program Can Be Strengthened | 03/13 | 3 | 3 | – | – | – | 3 |
| Board Should Enhance Compliance with Small Entity Compliance Guide Requirements Contained in the Small Business Regulatory Enforcement Fairness Act of 1996 | 07/13 | 2 | 2 | – | – | – | 2 |
| Security Control Review of the Board’s National Examination Database System (nonpublic report) | 07/13 | 4 | 4 | – | – | – | 4 |
| Security Control Review of a Third-party Commercial Data Exchange Service Used by the Board’s Division of Banking Supervision and Regulation (nonpublic report) | 08/13 | 11 | 11 | – | – | – | 11 |
| Board Should Strengthen Controls over the Handling of the Federal Open Market Committee Meeting Minutes | 08/13 | 4 | 4 | – | – | – | 4 |
| The Board Can Benefit from Implementing an Agency-Wide Process for Maintaining and Monitoring Administrative Internal Control | 09/13 | 1 | 1 | – | – | – | 1 |
| The Board Should Improve Procedures for Preparing for and Responding to Emergency Events | 09/13 | 7 | 7 | – | – | – | 7 |
| 2013 Audit of the Board's Information Security Program | 11/13 | 2 | 2 | – | – | – | 2 |
| Audit of the Board’s Data Center Relocation | 02/14 | 2 | 2 | – | – | – | 2 |
| Opportunities Exist to Achieve Operational Efficiencies in the Board's Management of Information Technology Services | 02/14 | 2 | 2 | – | – | – | 2 |
| The Board’s Law Enforcement Unit Could Benefit From Enhanced Oversight and Controls to Ensure Compliance With Applicable Regulations and Policies | 03/14 | 10 | 10 | – | – | – | 10 |
| Opportunities Exist for the Board to Improve Recordkeeping, Cost Estimation, and Cost Management Processes for the Martin Building Construction and Renovation Project | 03/14 | 6 | 6 | – | – | – | 6 |
Consumer Financial Protection Bureau
Completed Projects
The CFPB Can Improve the Efficiency and Effectiveness of Its Supervisory Activities
OIG Report No. 2014-AE-C-005
March 27, 2014
We conducted this evaluation to assess the operational efficiency and effectiveness of the CFPB’s supervision program. The CFPB’s supervision activities include prioritizing, scheduling, planning, and executing examinations and reporting findings in the form of reports of examination or supervisory letters. Our objectives for this evaluation included (1) reviewing key program elements, such as policies and procedures, examination guidance, and controls to promote consistent and timely reporting; (2) assessing the approach for staffing examinations; and (3) assessing the training program for examination staff.
Since it began operations in July 2011, the CFPB has made significant progress toward developing and implementing a comprehensive supervision program for depository and nondepository institutions. The agency has implemented this program on a nationwide basis across its four regional offices. While we recognize the considerable efforts associated with the initial development and implementation of the program, we believe that the CFPB can improve the efficiency and effectiveness of its supervisory activities. Specifically, we found that the CFPB needs to (1) improve its reporting timeliness and reduce the number of examination reports that have not been issued, (2) adhere to its unequivocal standards concerning the use of standard compliance rating definitions in its examination reports, and (3) update its policies and procedures to reflect current practices.
We completed our fieldwork in October 2013, using data as of July 31, 2013. Following the completion of our fieldwork, senior CFPB officials indicated that management had taken various measures to address certain findings in our report, including streamlining the report review process and reducing the number of examination reports that had not been issued. As part of our future follow-up activities, we will assess whether these actions, as well as the planned actions described in management’s response, address our findings and recommendations.
We made 12 recommendations designed to assist the CFPB in strengthening its supervision program. We recommended that the CFPB create and update relevant policies and procedures; track and monitor examination processes for staffing examinations and producing examination products; and finalize its examiner commissioning program. Management concurred with our recommendations and outlined actions that have been taken or will be implemented to address our recommendations.
The CFPB Should Reassess Its Approach to Integrating Enforcement Attorneys Into Examinations and Enhance Associated Safeguards
OIG Report No. 2013-AE-C-021
December 16, 2013
We conducted an evaluation of the CFPB’s integration of enforcement attorneys into its examinations of depository and nondepository institutions’ compliance with applicable laws and regulations. Our objectives were to assess (1) the potential risks associated with the CFPB’s approach to integrating enforcement attorneys into examinations and (2) the effectiveness of any safeguards that the CFPB adopted to mitigate the potential risks associated with this examination approach.
We found that the CFPB should determine the appropriate level of enforcement attorney integration into examinations by reassessing the potential risks associated with the practice against the potential benefits and document the results of the assessment. Our evaluation results indicated that the CFPB’s February 2012 policy describing the general principles of the integrated approach did not sufficiently detail how the approach should be implemented and was not uniformly distributed to CFPB supervision and enforcement staff. As a result, CFPB supervision and enforcement staff’s awareness, understanding, and execution of the policy, as well as their messaging to supervised institutions concerning the role of enforcement attorneys, varied considerably. During our evaluation, we also learned that enforcement attorneys did not receive formal training on the CFPB’s examination process and that the CFPB lacked a policy on enforcement attorneys’ access to institutions’ systems during examinations. In addition, we learned that the CFPB reorganized its supervision function in December 2012 and established points of contact within the Office of Supervision Policy to address legal questions that arise during examinations, in part to ensure more consistent interpretations of applicable laws or regulations. As of the end of our fieldwork, August 2013, the CFPB had not updated its February 2012 policy describing the integrated approach to reflect changes to the process for resolving legal questions.
When we commenced our evaluation, the CFPB informed us that it had initiated an internal review to evaluate its approach to integrating enforcement attorneys into examinations. During our evaluation, we routinely met with CFPB senior officials and shared our preliminary observations concerning the integrated approach, including its potential risks. In October 2013, when our draft report was nearing completion, CFPB senior officials informed us that the agency had finalized its internal review and had reconsidered its approach regarding integrating enforcement attorneys into examinations. According to CFPB senior officials, new policies and procedures reflecting the revised approach became effective in November 2013, which was outside the scope of our evaluation. Thus, our report reflects our assessment of the CFPB’s February 2012 policy related to the integrated approach.
We made seven recommendations. The CFPB indicated that it had taken actions or has planned activities to address our recommendations.
2013 Audit of the CFPB's Information Security Program
OIG Report No. 2013-IT-C-020
December 2, 2013
To meet our annual FISMA reporting responsibilities, we reviewed the information security program and practices of the CFPB. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program. FISMA also requires each IG to conduct an annual independent evaluation of the agency’s information security program and practices.
Overall, we found that the CFPB has taken multiple steps over the past year to develop, document, and implement an information security program that is consistent with FISMA requirements. The CFPB has also taken several actions to strengthen its information security program in the 11 areas outlined in DHS’s 2013 FISMA reporting guidance for IGs. We found that the CFPB’s information security program is generally consistent with the requirements outlined in DHS’s FISMA reporting guidance for IGs in 6 out of 11 information security areas: identity and access management, incident response and reporting, risk management, plan of action and milestones, remote access management, and contractor systems.
We identified opportunities to improve the CFPB’s information security program through automation, centralization, and other enhancements to ensure that key DHS requirements for continuous monitoring, configuration management, and security training are met. We also identified improvements needed in contingency planning for a select system we reviewed and found that while the CFPB had not met several security capital planning requirements outlined in DHS’s FISMA reporting guidance, it was taking sufficient actions to establish a security capital planning program. Further, while we found the CFPB’s information security program to be generally consistent with DHS’s requirements for incident response and reporting, we identified opportunities to strengthen CFPB’s incident correlation processes.
We made four recommendations designed to assist the CFPB in strengthening its information security program in the areas of continuous monitoring, configuration management, security training, and incident response and reporting. The CFPB’s Chief Information Officer concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen CFPB’s information security program.
Audit of the CFPB's Civil Penalty Fund
OIG Report No. 2014-AE-C-001
January 16, 2014
The Dodd-Frank Act required the CFPB to establish the Civil Penalty Fund (CPF). The CFPB must deposit any civil penalty it obtains against any person in any judicial or administrative action under federal consumer financial law into this separate fund, which is maintained in an account at the Federal Reserve Bank of New York. The CFPB will use the money collected in the CPF to compensate consumers who were harmed by activities for which civil penalties have been imposed. To the extent that victims cannot be located or payment is not practicable, the CFPB may use the funds for consumer education and financial literacy programs. Our objective for this audit was to determine whether the CFPB had developed controls to implement the statutory provisions concerning the CPF.
Overall, our audit determined that the CFPB has been implementing internal controls for the CPF since June 2012. For example, the CFPB developed a CPF rule as well as internal procedures titled Procedures for Civil Penalty Fund Administration. We determined, however, that the CFPB can clarify its internal procedures. The U.S. Government Accountability Office’s Standards for Internal Control in the Federal Government states that internal controls should be clearly documented. The current practice of the Fund Administrator is to obtain case-related information in writing; however, the CFPB’s Procedures for Civil Penalty Fund Administration does not state that case-related information should be collected in writing. During our audit, we also observed that information on the CPF was not consolidated in a single location on the CFPB’s public website. We relayed this observation to CFPB officials, who took steps to consolidate the CPF information on the CFPB’s public website.
We made one recommendation. The CFPB indicated that it had taken actions to address our recommendation.
Observations and Matters for Consideration Regarding the CFPB's Annual Budget Process
OIG Report No. 2013-AE-C-018
October 22, 2013
We completed an evaluation of the CFPB’s budget process related to the agency’s fiscal year (FY) 2013 budget. Our objective was to evaluate the extent to which the CFPB’s budget process facilitated the achievement of the agency’s goals and performance objectives, including transparency to the public. We focused our review on the CFPB’s initial FY 2013 and revised FY 2012 budgets presented in the agency’s FY 2013 budget justification issued in February 2012.
Overall, our evaluation showed that the CFPB has a budget process in place to facilitate the achievement of its goals and performance objectives, including transparency to the public. For example, we found that the CFPB linked the budget we reviewed to strategic principles and developed policies to link future budgets to the strategic plan. Further, as part of the budget formulation process, the CFPB estimated by quarter the amount of funds to be provided by the Federal Reserve System and then, each quarter, reviewed these estimates and the agency’s financial position. We also found that the CFPB presented budgetary information to the public, posting on its website its first annual performance plan in February 2012 and its draft strategic plan in September 2012.
We did not make any formal recommendations; however, we noted opportunities for the CFPB to enhance its practices related to preparing funding requests and posting budget-related information on its website. The agency informed us that it had continued to improve and refine its budget process since the completion of our fieldwork and had taken actions to address our observations.
Response to a Congressional Request Regarding the CFPB's Compliance with Federal Requirements for Addressing Climate Change
October 29, 2013
The OIG responded to a letter from the co-chairs of the Bicameral Task Force on Climate Change regarding the actions taken in response to climate change by the agencies we oversee. As the oversight entity for the CFPB, we responded to the Task Force’s letter requesting the identification of existing requirements in legislation, regulations, executive orders, and other directives that apply to the CFPB and our assessment of how the CFPB is meeting these requirements. The Task Force also requested an assessment of the agency’s authorities to reduce emissions of heat-trapping pollution and to make the nation more resilient to the effects of climate change.
The CFPB’s Legal Division is responsible for determining the federal climate change requirements to which the CFPB is subject. The CFPB’s Legal Division identified that the Energy Independence and Security Act of 2007, the Energy Policy Act of 2005, Executive Order 13514, and Executive Order 13423 apply to the agency. CFPB officials described the climate change initiatives the CFPB has taken to comply with applicable climate change requirements. In our letter addressing the Task Force’s request, we summarized the CFPB’s response to our inquiry. The CFPB did not identify any authorities it has to reduce emissions from heat-trapping pollution or to make the nation more resilient to the effects of climate change. The CFPB did not identify any additional steps that it could take to reduce emissions or strengthen resiliency. We recognize the financial and environmental risks that climate change poses to the federal government, and we will consider additional reviews of the CFPB’s climate change initiatives during our annual planning process.
Work in Progress
Evaluation of the CFPB's Headquarters Renovation Project
We initiated an evaluation of the CFPB’s headquarters renovation budget in response to a request from the Chairman of the Subcommittee on Oversight and Investigations, House Committee on Financial Services. To address this congressional request, our objectives are to evaluate, with respect to the CFPB’s headquarters renovation project, (1) the capital budgeting and approval process, (2) the scope and justification for cost estimates, and (3) the use of competitive procedures. We expect to complete this evaluation and issue our final report in the next semiannual reporting period.
Audit of the CFPB's Contract Management Process
We initiated an audit of the CFPB’s contract management process. The CFPB’s procurement process follows the requirements established by the Federal Acquisition Regulation, which is the primary regulation governing the acquisition of supplies and services by federal executive agencies. This audit will focus on the CFPB’s contract management processes, compliance with applicable rules established by the Federal Acquisition Regulation, and the effectiveness of the CFPB’s internal controls related to contract management. We expect to complete this audit and issue our report by the end of the calendar year.
Audit of the CFPB's Public Consumer Complaint Database
We initiated an audit of the CFPB’s public consumer complaint database. Since June 2012, the CFPB has publicly shared individual-level consumer complaint data. While the public consumer complaint database initially contained only credit card complaints, it has since been expanded to include complaints about other consumer financial products and services regulated by the CFPB, such as mortgages and credit reporting. This audit will focus on the CFPB’s controls for managing the consumer complaint database and will assess the accuracy and completeness of the consumer complaint data that are available to the public. We expect to complete fieldwork for this audit during the next semiannual reporting period.
Evaluation of the CFPB's Hiring Process
We concluded our fieldwork for the evaluation of the CFPB’s hiring process. The objective of our evaluation is to assess the efficiency and effectiveness of three CFPB recruitment and selection subprocesses: (1) personnel assessment methodology and vacancy announcement creation, (2) hiring authority and vacancy announcement posting, and (3) evaluation and selection of candidates. We also assessed the agency’s compliance with certain laws, applicable regulations, and policies and its administration of recruitment and selection incentives to recruit new employees. We plan to issue our report during the next semiannual reporting period.
Audit of the CFPB's Cloud Computing Environment
During this reporting period, we modified the scope of our ongoing audit of the CFPB’s cloud computing environment to include our participation in a governmentwide initiative coordinated by CIGIE. The CIGIE project will focus on evaluating agencies’ efforts to adopt cloud computing technologies and to review executed contracts between agencies and cloud service providers for compliance with applicable standards. We will continue to review actions taken by the CFPB to implement best practices stipulated in NIST guidance for implementing and managing cloud computing technologies. Information gathered during the CIGIE project will be incorporated into a governmentwide report to be released by CIGIE. We expect to complete this project and issue our own report on the CFPB’s cloud computing environment in the next semiannual reporting period.
Audit of a CFPB Cloud Provider
During this period, we completed our fieldwork and briefed CFPB management on our security control review of a third-party provider of the CFPB’s cloud environment. Our audit objectives are to (1) evaluate the adequacy of certain control techniques designed to protect data from unauthorized access, modification, destruction, or disclosure and (2) assess compliance with the CFPB’s security-related policies and FISMA requirements. We expect to issue this report during the next semiannual reporting period.
Evaluation of the CFPB's Compliance With Section 1100G of the Dodd-Frank Act
We have completed our fieldwork to assess the CFPB’s compliance with the section 1100G requirements of the Dodd-Frank Act. Section 1100G amends the Small Business Regulatory Enforcement Fairness Act of 1996 and the Regulatory Flexibility Act to require the CFPB to assess a proposed rule’s economic impact and the cost of credit for small entities. Among other requirements, the CFPB must perform a regulatory flexibility analysis that includes a description of (1) any projected increase in the cost of credit for small entities, (2) any significant alternatives to the proposed rule that accomplish the stated objectives of applicable statutes and that minimize any increase in the cost of credit for small entities, and (3) the advice and recommendations of representatives of small entities relating to issues associated with the projected increases or alternatives. We expect to complete our evaluation during the next semiannual reporting period.
Audit of the CFPB's Activities Under the Government Performance and Results Act
We continued our audit of the CFPB’s initiatives under the Government Performance and Results Act of 1993, as amended by the GPRA Modernization Act of 2010 (collectively, GPRA), which is part of a legislative framework to instill performance-based management across federal government agencies. GPRA requires agencies to establish a management system to set agency goals for program performance and to measure results against those goals. Agencies must incorporate the performance management concepts of strategic planning and performance measurement into their planning and budgeting processes and issue associated performance plans and reports. The objectives of this audit are to assess the CFPB’s compliance with applicable sections of GPRA and the effectiveness of processes that address GPRA requirements. We have completed our fieldwork and will issue our report during the next semiannual reporting period.
Audit of the CFPB's Space-Planning Activities
During this reporting period, we initiated an audit to assess the CFPB’s short-term and long-term space-planning activities to determine whether controls are in place to effectively manage the agency’s space needs and associated costs. Our audit will focus on the CFPB’s processes for planning, obtaining, and managing space for both its headquarters and regional offices, to include how the agency manages its transition to new office space. We are currently conducting fieldwork and expect to complete this audit and issue our report in 2014.
Table 5: Audit, Inspection, and Evaluation Reports Issued to the CFPB During the Reporting Period
| Title | Type of report |
|
Total number of audit reports: 2 Total number of inspection and evaluation reports: 3 Total number of letters to requestor: 1 |
|
| Program audits, inspections, and evaluations | |
| Audit of the CFPB’s Civil Penalty Fund | Audit |
| 2013 Audit of the CFPB’s Information Security Program | Audit |
| Observations and Matters for Consideration Regarding the CFPB’s Annual Budget Process | Evaluation |
| The CFPB Can Improve the Efficiency and Effectiveness of Its Supervisory Activities | Evaluation |
| The CFPB Should Reassess Its Approach to Integrating Enforcement Attorneys Into Examinations and Enhance Associated Safeguards | Evaluation |
| Response to a Congressional Request Regarding the CFPB’s Compliance with Federal Requirements for Addressing Climate Change | Letter to requestor |
Table 6: Audit, Inspection, and Evaluation Reports Issued to the CFPB With Questioned Costs During the Reporting Perioda
| Reports | Number | Dollar value |
| a. Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable. | ||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 7: Audit, Inspection, and Evaluation Reports Issued to the CFPB With Recommendations That Funds Be Put to Better Use During the Reporting Perioda
| Reports | Number | Dollar value |
| a. Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable. | ||
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |
Table 8: OIG Reports to the CFPB With Recommendations That Were Open During the Reporting Perioda
| Report title | Issue date | Recommendations | Status of recommendations | ||||
| No. | Mgmt. agrees | Mgmt. disagrees | Last follow-up date | Closed | Open | ||
| a. A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision. | |||||||
| Evaluation of the Consumer Financial Protection Bureau’s Consumer Response Unit | 09/12 | 5 | 5 | – | 08/13 | 3 | 2 |
| 2012 Audit of the Consumer Financial Protection Bureau’s Information Security Program | 11/12 | 3 | 3 | – | 12/13 | 3 | – |
| Security Control Review of the Consumer Financial Protection Bureau’s Consumer Response System (nonpublic report) | 03/13 | 9 | 9 | – | 03/14 | 8 | 1 |
| CFPB Contract Solicitation and Selection Processes Facilitate FAR Compliance, but Opportunities Exist to Strengthen Internal Controls | 03/13 | 3 | 3 | – | – | – | 3 |
| Opportunities Exist to Enhance the CFPB’s Policies, Procedures, and Monitoring Activities for Conferences | 08/13 | 4 | 4 | – | – | – | 4 |
| The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity | 09/13 | 14 | 14 | – | 01/14 | 3 | 11 |
| Opportunities Exist for the CFPB to Strengthen Compliance with Its Purchase Card Policies and Procedures | 09/13 | 2 | 2 | – | 01/14 | 2 | – |
| 2013 Audit of the CFPB’s Information Security Program | 12/13 | 4 | 4 | – | – | – | 4 |
| The CFPB Should Reassess Its Approach to Integrating Enforcement Attorneys Into Examinations and Enhance Associated Safeguards | 12/13 | 7 | 7 | – | – | – | 7 |
| Audit of the CFPB’s Civil Penalty Fund | 01/14 | 1 | 1 | – | – | – | 1 |
| The CFPB Can Improve the Efficiency and Effectiveness of Its Supervisory Activities | 03/14 | 12 | 12 | – | – | – | 12 |
