October 1, 2014–March 31, 2015

Audits, Evaluations, and Inspections

Audits assess aspects of the economy, efficiency, and effectiveness of Board and CFPB programs and operations. For example, the OIG oversees audits of the Board's financial statements, and it conducts audits of (1) the efficiency and effectiveness of the Board's and the CFPB's processes and internal controls over their programs and operations; (2) the adequacy of controls and security measures governing these agencies' financial and management information systems and the safeguarding of assets and sensitive information; and (3) compliance with applicable laws and regulations related to agency financial, administrative, and program operations. OIG audits are performed in accordance with the Government Auditing Standards established by the Comptroller General of the United States.

Inspections and evaluations include program evaluations and legislatively mandated reviews of failed financial institutions supervised by the Board. Inspections are often narrowly focused on a particular issue or topic and provide time-critical analysis that cuts across functions and organizations. In contrast, evaluations are generally focused on a specific program or function and may make extensive use of statistical and quantitative analytical techniques. OIG inspections and evaluations are performed according to the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency (CIGIE).

The information below summarizes OIG audit and evaluation work completed during the reporting period.

Board of Governors of the Federal Reserve System

The Board Can Enhance Its Diversity and Inclusion Efforts
OIG Report No. 2015-MO-B-006
March 31, 2015

We completed our review of the Board's diversity and inclusion efforts, which was conducted in response to a congressional request. The Board has established diversity and inclusion practices that are embedded in its longstanding EEO programs. Recent activities include adopting a more standardized process for recruiting officers, developing a formal agency-wide succession planning program to help identify a diverse pool of candidates for senior management positions, and conducting an agency-wide employee survey.

We identified areas of the Board's diversity and inclusion efforts that can be enhanced. First, the Board can enhance its efforts to track and analyze certain types of workforce data that can be used to identify diversity and inclusion trends. Second, the Office of Diversity and Inclusion can increase its interaction with all Board divisions and provide diversity and inclusion and EEO training on a regular basis. Third, the Board should formalize standards for equal employment opportunity and the racial, ethnic, and gender diversity of the workforce to fully comply with section 342 of the Dodd-Frank Act. Fourth, the Board can further enhance its diversity and inclusion goals and objectives by finalizing and implementing its diversity strategic plan.

We acknowledge that initiatives and activities that are beyond the scope of our review also contribute to enhancing diversity and inclusion. Therefore, the Board's ability to attract, develop, and retain a diverse and inclusive workforce is affected by other factors not specifically identified in our report. Our report contains recommendations designed to enhance and promote diversity and inclusion at the Board. The Board concurred with our recommendations and outlined planned, ongoing, and completed activities. The Board has taken steps to improve the collection of applicant demographic data, provide non-EEO statistics, and finalize the diversity and inclusion strategic plan. In addition, the Board plans to enhance certain functions within the Office of Diversity and Inclusion.

The Board Should Enhance Its Supervisory Processes as a Result of Lessons Learned From the Federal Reserve's Supervision of JPMorgan Chase & Company's Chief Investment Office
OIG Report No. 2014-SR-B-017
October 17, 2014

We completed our evaluation of the Federal Reserve's supervisory activities related to the loss at JPMorgan Chase & Company's Chief Investment Office. We found that there was a missed opportunity for FRB New York and the OCC to discuss risks related to the Chief Investment Office and consider how to deploy the agencies' collective resources most effectively. We also found that (1) Federal Reserve and OCC staff lacked a common understanding of the Federal Reserve's approach for examining Edge Act corporations, (2) FRB New York staff were not clear about the expected deliverables resulting from continuous monitoring activities, and (3) FRB New York's JPMorgan Chase & Company supervisory teams appeared to exhibit key-person dependencies. We made recommendations that encourage the Board's Division of Banking Supervision and Regulation to enhance its supervisory processes and approach to consolidated supervision for large, complex banking organizations. We released the summary version of our report in October 2014 and a redacted version of our full report in January 2015.

Review of the Failure of Waccamaw Bank
OIG Report No. 2015-SR-B-005
March 26, 2015

Waccamaw Bank was supervised both by the Federal Reserve Bank of Richmond under delegated authority from the Board and by the North Carolina Office of the Commissioner of Banks. On June 8, 2012, the North Carolina Office of the Commissioner of Banks closed Waccamaw Bank and appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The FDIC estimated that the failure of Waccamaw Bank would result in a $51.1 million loss to the DIF, which was beneath the material loss threshold. Consistent with Dodd-Frank Act requirements, we concluded that Waccamaw Bank's failure presented unusual circumstances that warranted an in-depth review.

Based on the in-depth review, we determined that Waccamaw Bank failed because its board of directors and senior management did not control the risks associated with its rapid growth strategy. As a result, the bank sustained significant losses during a downturn in its local real estate market. In addition, we learned that (1) supervisory activity records were not retained in accordance with Board policy, (2) Waccamaw Bank's written agreement did not contain a provision that required regulatory approval of material transactions, and (3) Board and Federal Reserve Bank of Richmond appeals policies were silent on procedural aspects for second-level and third-level appeals. We made recommendations related to the Board's records retention and appeals policies and procedures. The Director of the Division of Banking Supervision and Regulation agreed with our recommendations and outlined planned corrective actions to address them.

The Board Can Better Coordinate Its Contingency Planning and Continuity of Operations Program
OIG Report No. 2014-IT-B018
October 30, 2014

We completed our review of the Board's contingency planning and continuity of operations program (COOP). Overall, we found that the Board has developed a strategy and taken a number of actions to ensure the continuous operation of critical missions and essential functions in any emergency. The Board has developed a COOP that implements emergency management policy, identifies emergency management responsibilities, and specifies procedures for the development and implementation of timely emergency responses. The Board also has dedicated COOP personnel and has secured a well-equipped alternate work site.

Our audit identified areas in which the Board could improve its program to better ensure the timely recovery of mission-essential functions and systems. Specifically, we identified that the Board's ability to perform its mission during an emergency may be affected by (1) the lack of centralized governance for the Board's COOP and (2) several critical components that are missing from the Board's COOP. We also identified three areas for management consideration, related to the lodging of relocated Board staff, accounting for COOP-related costs, and analyzing leasing costs for the Board's contingency site. Our report includes recommendations that focus on strengthening the Board's ability to perform its mission-essential functions during an emergency. The Board outlined actions that have been or will be taken to address our recommendations.

2014 Audit of the Board's Information Security Program
OIG Report No. 2014-IT-B-019
November 14, 2014

We completed our annual review of the Board's information security program. FISMA requires the OIG to conduct an annual, independent evaluation of the agency's information security program and practices. Overall, we found that the Board's Chief Information Officer is maintaining a FISMA-compliant approach to the Board's information security program that is generally consistent with requirements established by the National Institute of Standards and Technology and the Office of Management and Budget. The Information Security Officer continues to issue policies and procedures to transition the Board's information security program to an integrated, organization-wide program for managing information security risks.

Our report includes one new recommendation for improving the tracking of division-level plans of action and milestones. Our 2012 recommendation on contractor systems and our 2013 recommendation on continuous monitoring remain open. The Director of the Division of Information Technology agreed with the new recommendation and stated that the division will take immediate action to address the recommendation, including continuing to manually collect quarterly plan of action and milestones reports from the offices and divisions until the automated plan of action and milestones tracking process is fully implemented.

Opportunities Exist to Improve the Operational Efficiency and Effectiveness of the Board's Information Security Life Cycle
OIG Report No. 2014-IT-B-021
December 18, 2014

We completed our review of the operational efficiency and effectiveness of the Board's information security life cycle. We performed this audit pursuant to requirements set forth in FISMA. Overall, we found that the Chief Information Officer maintains a FISMA-compliant information security program that is consistent with requirements for certification and accreditation established by the National Institute of Standards and Technology and the Office of Management and Budget; however, we identified opportunities to improve the operational efficiency and effectiveness of the Board's management of its information security life cycle. Our report contains recommendations designed to improve the operational efficiency and effectiveness of the Board's information security life cycle process. The Director of the Division of Information Technology agreed with the recommendations and stated that the division will take action to address the recommendations.

Audit of Planned Physical and Environmental Controls for the Board's Data Center Relocation
OIG Report No. 2015-IT-B-001
January 30, 2015

We completed our review of the planned physical and environmental controls for the Board's data center relocation. In addition to these controls, we also reviewed the change order and procurement processes and followed up on the budget and project schedule recommendations from our initial audit. Overall, our audit determined that the Board is continuing to follow a structured approach to planning and executing the relocation of the data center, and Board staff are actively engaged in the planning and decisionmaking for the project. The tracking and monitoring of the budget have improved since our previous audit, and the budget has been updated to reflect the information currently available regarding actual costs. The Division of Information Technology has taken steps to monitor the timeline closely and to update the Chief Operating Officer about the project and delays that have occurred.

We identified, however, that additional actions are needed by the Board to ensure that all physical and environmental controls will be implemented in accordance with Board requirements. Further, prior to the relocation, the Board's data center must be authorized to operate based on a security package that includes a system security plan and risk assessment, in accordance with the Board Information Security Program. The Director of the Division of Information Technology agreed with our recommendation and outlined the actions that the division is taking to address the recommendation.

Board of Governors of the Federal Reserve System Financial Statements as of and for the Years Ended December 31, 2014 and 2013, and Independent Auditors' Reports
OIG Report No. 2015-FMIC-B-003
March 12, 2015

We contracted with an independent public accounting firm to audit the financial statements of the Board, and to audit the Board's internal control over financial reporting. The contract requires the audits of the financial statements to be performed in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and with auditing standards of the Public Company Accounting Oversight Board. The contract also requires the audit of internal control over financial reporting to be performed in accordance with attestation standards established by the American Institute of Certified Public Accountants and in accordance with the auditing standards of the Public Company Accounting Oversight Board. The OIG reviews and monitors the work of the independent public accounting firm to ensure compliance with Government Auditing Standards and the contract.

In the auditors' opinion, the financial statements presented fairly, in all material respects, the financial position of the Board as of December 31, 2014 and 2013, and the results of its operations and its cash flows for the years then ended in conformity with accounting principles generally accepted in the United States of America. Also, in the auditors' opinion, the Board maintained, in all material respects, effective internal control over financial reporting as of December 31, 2014, based on the criteria established in Internal Control—Integrated Framework (2013) by the Committee of Sponsoring Organizations of the Treadway Commission. The auditors' report on compliance and other matters disclosed no instances of noncompliance or other matters.

Federal Financial Institutions Examination Council Financial Statements as of and for the Years Ended December 31, 2014 and 2013, and Independent Auditors' Reports
OIG Report No. 2015-FMIC-B-004
March 17, 2015

The Board performs the accounting function for the FFIEC, and we contracted with an independent public accounting firm to audit the financial statements of the FFIEC. The contract requires the audits to be performed in accordance with auditing standards generally accepted in the United States of America and in accordance with the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States. The OIG reviews and monitors the work of the independent public accounting firm to ensure compliance with Government Auditing Standards and the contract.

In the auditors' opinion, the financial statements presented fairly, in all material respects, the financial position of the FFIEC as of December 31, 2014 and 2013, and the results of its operations and its cash flows for the years then ended in conformity with accounting principles generally accepted in the United States of America. However, in their report on internal control over financial reporting and on compliance and other matters, the auditors cited a matter involving internal control over financial reporting that they considered to be a material weakness. The material weakness identified related to the periodic determination and review of the useful life assigned to certain internal-use software. The report disclosed no instances of noncompliance or other matters.

Table 1: Audit, Inspection, and Evaluation Reports Issued to the Board During the Reporting Period

| Report title | Type of report |
| --- | --- |
| The Board Can Enhance Its Diversity and Inclusion Efforts | Audit |
| Review of the Failure of Waccamaw Bank | Evaluation |
| Federal Financial Institutions Examination Council Financial Statements as of and for the Years Ended December 31, 2014 and 2013, and Independent Auditors' Reports | Audit |
| Board of Governors of the Federal Reserve System Financial Statements as of and for the Years Ended December 31, 2014 and 2013, and Independent Auditors' Reports | Audit |
| Audit of Planned Physical and Environmental Controls for the Board's Data Center Relocation | Audit |
| Opportunities Exist to Improve the Operational Efficiency and Effectiveness of the Board's Information Security Life Cycle | Audit |
| 2014 Audit of the Board's Information Security Program | Audit |
| The Board Can Better Coordinate Its Contingency Planning and Continuity of Operations Program | Audit |
| The Board Should Enhance Its Supervisory Processes as a Result of Lessons Learned From the Federal Reserve's Supervision of JPMorgan Chase & Company's Chief Investment Office | Evaluation |

Total number of audit reports: 7

Total number of inspection and evaluation reports: 2

Table 2: Audit, Inspection, and Evaluation Reports Issued to the Board With Questioned Costs and Unsupported Costs During the Reporting Period (a)

| Reports | Number of reports | Questioned costs | Unsupported costs |
| --- | --- | --- | --- |
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 | $0 |
| That were issued during the reporting period | 0 | $0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 | $0 |

(a) Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.

Table 3: Audit, Inspection, and Evaluation Reports Issued to the Board With Recommendations That Funds Be Put to Better Use During the Reporting Period (a)

| Reports | Number | Dollar value |
| --- | --- | --- |
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |

(a) Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.

Table 4: OIG Reports to the Board With Recommendations That Were Open During the Reporting Period (a)
Report title Issue date Recommendations Status of recommendations
Number Mgmt. agrees Mgmt. disagrees Last follow-up date Closed Open
Evaluation of Service Credit Computations 08/05 3 3 09/13 2 1
Evaluation of Data Flows for Board Employee Data Received by Office of Employee Benefits and Its Contractors (nonpublic report) 09/08 2 2 12/14 2
Security Control Review of the Internet Electronic Submission System (nonpublic report) 12/10 6 6 03/15 3 3
Response to a Congressional Request Regarding the Economic Analysis Associated with Specified Rulemakings 06/11 2 2 03/15 2
Review of the Failure of Pierce Commercial Bank 09/11 2 2 03/15 1 1
Security Control Review of the Visitor Registration System (nonpublic report) 09/11 10 10 12/14 10
Evaluation of Prompt Regulatory Action Implementation 09/11 1 (b) 1 1
Audit of the Board's Information Security Program 11/11 1 1 12/14 1
Security Control Review of the National Remote Access Services System (nonpublic report) 03/12 8 8 11/14 7 1
Security Control Review of the Board's Public Website (nonpublic report) 04/12 12 12 12
Review of the Unauthorized Disclosure of a Confidential Staff Draft of the Volcker Rule Notice of Proposed Rulemaking 07/12 3 3 03/15 3
Security Control Review of the Federal Reserve Bank of Richmond's Lotus Notes Systems Supporting the Board's Division of Banking Supervision and Regulation (nonpublic report) 08/12 9 9 9
Audit of the Small Community Bank Examination Process 08/12 1 1 1
Audit of the Board's Actions to Analyze Mortgage Foreclosure Processing Risks 09/12 2 2 03/15 1 1
Security Control Review of the Aon Hewitt Employee Benefits System (nonpublic report) 09/12 8 8 12/14 4 4
2012 Audit of the Board's Information Security Program 11/12 2 2 11/14 1 1
Security Control Review of Contingency Planning Controls for the Information Technology General Support System (nonpublic report) 12/12 5 5 12/14 3 2
Review of the Failure of Bank of Whitman 03/13 1 1 03/15 1
Controls over the Board's Purchase Card Program Can Be Strengthened 03/13 3 3 09/14 2 1
Board Should Enhance Compliance with Small Entity Compliance Guide Requirements Contained in the Small Business Regulatory Enforcement Fairness Act of 1996 07/13 2 2 03/15 2
Security Control Review of the Board's National Examination Database System (nonpublic report) 07/13 4 4 4
Security Control Review of a Third-party Commercial Data Exchange Service Used by the Board's Division of Banking Supervision and Regulation (nonpublic report) 08/13 11 11 11
The Board Can Benefit from Implementing an Agency-Wide Process for Maintaining and Monitoring Administrative Internal Control 09/13 1 1 1
The Board Should Improve Procedures for Preparing for and Responding to Emergency Events 09/13 7 7 03/15 4 3
2013 Audit of the Board's Information Security Program 11/13 2 2 12/14 1 1
Audit of the Board's Data Center Relocation 02/14 2 2 01/15 1 1
Opportunities Exist to Achieve Operational Efficiencies in the Board's Management of Information Technology Services 02/14 2 2 2
The Board's Law Enforcement Unit Could Benefit From Enhanced Oversight and Controls to Ensure Compliance With Applicable Regulations and Policies 03/14 10 10 03/15 10
Opportunities Exist for the Board to Improve Recordkeeping, Cost Estimation, and Cost Management Processes for the Martin Building Construction and Renovation Project 03/14 6 6 09/14 3 3
The Board Should Enhance Its Policies and Procedures Related to Conference Activities 06/14 5 5 03/15 2 3
Enforcement Actions and Professional Liability Claims Against Institution-Affiliated Parties and Individuals Associated with Failed Institutions 07/14 3 (b) 3 3
Security Control Review of the Board's E2 Solutions Travel Management System 08/14 5 5 5
Opportunities Exist to Enhance the Onsite Reviews of the Reserve Banks' Wholesale Financial Services 09/14 1 1 1
Opportunities Exist to Enhance the Board's Oversight of Future Complex Enforcement Actions 09/14 5 5 03/15 5
The Board Should Enhance Its Supervisory Processes as a Result of Lessons Learned From the Federal Reserve's Supervision of JPMorgan Chase & Company's Chief Investment Office 10/14 10 10 03/15 10
The Board Can Better Coordinate Its Contingency Planning and Continuity of Operations Program 10/14 4 4 4
2014 Audit of the Board's Information Security Program 11/14 1 1 1
Opportunities Exist to Improve the Operational Efficiency and Effectiveness of the Board's Information Security Life Cycle 12/14 3 3 3
Audit of Planned Physical and Environmental Controls for the Board's Data Center Relocation 01/15 1 1 1
Review of the Failure of Waccamaw Bank 03/15 5 5 5
The Board Can Enhance Its Diversity and Inclusion Efforts 03/15 11 11 11

(a) A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision.

(b) These recommendations were directed jointly to the OCC, the FDIC, and the Board.

Consumer Financial Protection Bureau

The CFPB Can Enhance Its Diversity and Inclusion Efforts
OIG Report No. 2015-MO-C-002
March 4, 2015

We completed our review of the CFPB's diversity and inclusion efforts, which was conducted in response to a congressional request. Overall, our audit determined that the CFPB has taken steps to foster a diverse and inclusive workforce since it began operations in July 2011. Recent activities include elevating the Office of Minority and Women Inclusion and the Office of Equal Employment Opportunity to the Office of the Director; conducting listening sessions with employees to identify and respond to perceptions of fairness, equality, and inclusion; and creating an internal advisory council and working groups to focus on diversity and inclusion issues.

We identified four areas of the CFPB's diversity and inclusion efforts that can be enhanced. First, diversity and inclusion training is not mandatory for CFPB employees, supervisors, and senior managers. Second, data quality issues exist in the CFPB's tracking spreadsheets for EEO complaints and negotiated grievances, and certain data related to performance management are not analyzed for trends that could indicate potential diversity and inclusion issues. Third, the CFPB's diversity and inclusion strategic plan has not been finalized, and opportunities exist for the CFPB to strengthen supervisors' and senior managers' accountability for implementing diversity and inclusion initiatives and human resources–related policies. Finally, the CFPB would benefit from a formal succession planning process to help ensure that it will have a sufficient and diverse pool of candidates for its senior management positions. We acknowledge that initiatives and activities that are beyond the scope of our review also contribute to enhancing diversity and inclusion. Therefore, the CFPB's ability to attract, develop, and retain a diverse and inclusive workforce is affected by other factors not specifically identified in our report.

Our report contains recommendations designed to improve the monitoring and the promotion of diversity and inclusion at the CFPB, as well as to strengthen related controls. The CFPB concurred with our recommendations and outlined planned, ongoing, and completed activities related to analyzing performance management data, performance management training, and tracking of EEO and non-EEO complaints. In addition, the CFPB developed and approved standard operating procedures to address several recommendations and has worked with its union to develop a new performance management system.

Security Control Review of the CFPB's Tableau System
OIG Report No. 2015-IT-C-007
March 31, 2015

FISMA requires the OIG to evaluate the effectiveness of the information security controls and techniques for a subset of the agency's information systems, including those provided or managed by another agency, a contractor, or another organization. To meet FISMA requirements, we reviewed the information system security controls for the CFPB's Tableau system. Tableau is a commercial-off-the-shelf tool deployed on the CFPB's cloud computing–based general support system that provides business intelligence capabilities, such as data analysis and integration, for multiple CFPB systems.

Overall, we found that the CFPB has taken a number of steps to secure the Tableau system in accordance with FISMA and the agency's information security policies and procedures. However, we found that improvements are needed in the implementation and monitoring of baseline security configurations to ensure that components of Tableau are securely configured. Our report includes recommendations to strengthen configuration management processes for Tableau. The Chief Information Officer concurred with our recommendations and outlined actions that have been or will be taken to address our recommendations.

We also identified opportunities to improve security controls related to the auditing and contingency planning capabilities for the system. The CFPB is taking steps to strengthen these areas, and as a result, we did not issue recommendations in these areas.

Fiscal Year 2014 Risk Assessment of the CFPB's Purchase Card and Travel Card Programs
December 23, 2014

As required by the Government Charge Card Abuse Prevention Act of 2012 and related guidance from the Office of Management and Budget, the OIG conducted a risk assessment of the CFPB's purchase card and travel card programs to determine the frequency and scope of future audits of these programs. This risk assessment is the OIG's first risk assessment of the CFPB's purchase card and travel card programs. The results of the risk assessment, conducted for fiscal year 2014, show that the risk of illegal, improper, or erroneous use in the CFPB's purchase card program is low and the risk level for the travel card program is medium. As a result, we will include an audit of the travel card program in the OIG's 2015 annual audit plan, and we will not include an audit of the purchase card program in that plan.

2014 Audit of the CFPB's Information Security Program
OIG Report No. 2014-IT-C-020
November 14, 2014

We completed our annual review of the CFPB's information security program. FISMA requires the OIG to conduct an annual, independent evaluation of the agency's information security program and practices. We found that the CFPB continues to take steps to mature its information security program and to ensure that it is consistent with the requirements of FISMA. Overall, we found that the CFPB's information security program is consistent with 9 of 11 information security areas. Although corrective actions are underway, further improvements are needed in security training and contingency planning. While we found that the CFPB's information security program was generally consistent with the requirements for continuous monitoring, configuration management, and incident response, we identified opportunities to strengthen these areas through automation and centralization.

Our report includes three new recommendations designed to strengthen the CFPB's information security continuous monitoring and configuration management practices. The Chief Information Officer concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen the CFPB's information security program. In addition, our 2013 FISMA audit report included recommendations to develop and implement (1) an organization-wide configuration management plan and consistent process for patch management, (2) a capability to centrally track and analyze audit logs and security incident information, and (3) a role-based training program. Corrective actions to address these recommendations have not been finalized, and the recommendations remain open.

Table 5: Audit, Inspection, and Evaluation Reports Issued to the CFPB During the Reporting Period

Total number of audit reports: 3

Total number of inspection and evaluation reports: 0

Total number of risk assessments: 1

| Report title | Type of report |
| --- | --- |
| Security Control Review of the CFPB's Tableau System | Audit |
| The CFPB Can Enhance Its Diversity and Inclusion Efforts | Audit |
| Fiscal Year 2014 Risk Assessment of the CFPB's Purchase Card and Travel Card Programs | Risk assessment |
| 2014 Audit of the CFPB's Information Security Program | Audit |

Table 6: Audit, Inspection, and Evaluation Reports Issued to the CFPB With Questioned Costs and Unsupported Costs During the Reporting Period [a]

| Reports | Number of reports | Questioned costs | Unsupported costs |
| --- | --- | --- | --- |
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 | $0 |
| That were issued during the reporting period | 0 | $0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 | $0 |

a. Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.

Table 7: Audit, Inspection, and Evaluation Reports Issued to the CFPB With Recommendations That Funds Be Put to Better Use During the Reporting Period [a]

| Reports | Number | Dollar value |
| --- | --- | --- |
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |

a. Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.

Table 8: OIG Reports to the CFPB With Recommendations That Were Open During the Reporting Period [a]

Report title | Issue date | Recommendations (Number; Mgmt. agrees; Mgmt. disagrees) | Status of recommendations (Last follow-up date; Closed; Open)
Evaluation of the Consumer Financial Protection Bureau's Consumer Response Unit 09/12 5 5 03/15 3 2
Security Control Review of the Consumer Financial Protection Bureau's Consumer Response System (nonpublic report) 03/13 9 9 03/14 8 1
Opportunities Exist to Enhance the CFPB's Policies, Procedures, and Monitoring Activities for Conferences 08/13 4 4 03/15 2 2
The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity 09/13 14 14 01/15 8 6
2013 Audit of the CFPB's Information Security Program 12/13 4 4 11/14 1 3
The CFPB Should Reassess Its Approach to Integrating Enforcement Attorneys Into Examinations and Enhance Associated Safeguards 12/13 7 7 03/15 7
The CFPB Can Improve the Efficiency and Effectiveness of Its Supervisory Activities 03/14 12 12 03/15 8 4
The CFPB Has Established Effective GPRA Processes, but Opportunities Exist for Further Enhancement 06/14 3 3 3
Security Control Review of the CFPB's Cloud Computing–Based General Support System 07/14 4 4 4
The CFPB Complies With Section 1100G of the Dodd-Frank Act, but Opportunities Exist for the CFPB to Enhance Its Process 09/14 3 3 3
Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services 09/14 4 4 4
2014 Audit of the CFPB's Information Security Program 11/14 3 3 3
The CFPB Can Enhance Its Diversity and Inclusion Efforts 03/15 17 17 17
Security Control Review of the CFPB's Tableau System 03/15 3 3 3
a. A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision.
  • 3. Office of Inspector General, Audit of the Board’s Data Center Relocation, OIG Report No. 2014-IT-B-002, February 7, 2014.
  • 4. Low signifies minimal impact on current operations and long-term objectives and that the likelihood of the event happening is remote. Medium signifies limited impact on current operations and long-term objectives and that the event could occur.