Audits, Evaluations, and Inspections
Audits assess aspects of the economy, efficiency, and effectiveness of Board and CFPB programs and operations. For example, the OIG oversees audits of the Board's financial statements, and it conducts audits of (1) the efficiency and effectiveness of the Board's and the CFPB's processes and internal controls over their programs and operations; (2) the adequacy of controls and security measures governing these agencies' financial and management information systems and the safeguarding of assets and sensitive information; and (3) compliance with applicable laws and regulations related to agency financial, administrative, and program operations. OIG audits are performed in accordance with the Government Auditing Standards established by the Comptroller General of the United States.
Inspections and evaluations include program evaluations and legislatively mandated reviews of failed financial institutions supervised by the Board. Inspections are often narrowly focused on a particular issue or topic and provide time-critical analysis that cuts across functions and organizations. In contrast, evaluations are generally focused on a specific program or function and may make extensive use of statistical and quantitative analytical techniques. OIG inspections and evaluations are performed according to the Quality Standards for Inspection and Evaluation issued by CIGIE.
The information below summarizes OIG audit, evaluation, and inspection work completed during the reporting period and ongoing work that will continue into the next semiannual reporting period.
Board of Governors of the Federal Reserve System
Completed Project
The Board Should Enhance Its Supervisory Processes as a Result of Lessons Learned From the Federal Reserve's Supervision of JPMorgan Chase & Company's Chief Investment Office
We completed our evaluation of the Federal Reserve's supervisory activities related to the multibillion-dollar loss at JPMC's CIO. Our objectives for this evaluation were to (1) assess the effectiveness of the Board's and FRB New York's consolidated and other supervisory activities regarding JPMC's CIO and (2) identify lessons learned for enhancing future supervisory activities. In mid-July, we shared our final draft report with the agency for formal comment. We received the Board's and FRB New York's formal responses on September 29, 2014. Therefore, although we issued a summary report describing our results after the close of the semiannual reporting period, we are including this review in this semiannual report. We outline our four findings below.
First, as part of FRB New York's continuous monitoring activities at JPMC, it effectively identified risks related to the CIO's trading activities and planned two examinations of the CIO, including (1) a discovery review of the CIO's proprietary trading activities in 2008 and (2) a target examination of the CIO's governance framework, risk appetite, and risk management practices in 2010. Additionally, a Federal Reserve System team conducting a horizontal examination at JPMC recommended a full-scope examination of the CIO in 2009. However, FRB New York did not discuss the risks that resulted in the planned or recommended activities with the OCC in accordance with the expectations outlined in Supervision and Regulation Letter 08-9, Consolidated Supervision of Bank Holding Companies and the Combined U.S. Operations of Foreign Banking Organizations. As a result, there was a missed opportunity for FRB New York and the OCC to discuss risks related to the CIO and consider how to deploy the agencies' collective resources most effectively.
FRB New York did not conduct the planned or recommended examinations because (1) the Reserve Bank reassessed the prioritization of the initially planned activities related to the CIO due to many supervisory demands and a lack of supervisory resources; (2) weaknesses existed in controls surrounding the supervisory planning process; and (3) the 2011 reorganization of the supervisory team at JPMC resulted in a significant loss of institutional knowledge regarding the CIO. We acknowledge that FRB New York's competing supervisory priorities and limited resources contributed to the Reserve Bank not conducting these examinations. We believe that these practical limitations should have increased FRB New York's urgency to initiate conversations with the OCC concerning the purpose and rationale for the planned or recommended examinations related to the CIO. Even if FRB New York had either initiated conversations with the OCC to discuss the planned or recommended examinations in accordance with Supervision and Regulation Letter 08-9 or conducted the planned or recommended activities, we cannot predict whether completing any of those examinations would have resulted in an examination team detecting the specific control weaknesses that contributed to the CIO losses.
Second, we found that Federal Reserve and OCC staff lacked a common understanding of the Federal Reserve's approach for examining Edge Act corporations. In our opinion, this disconnect could result in gaps in supervisory coverage or duplication of efforts.
Third, we found that FRB New York staff were not clear about the expected deliverables resulting from continuous monitoring activities. Enhanced clarity concerning the expected deliverables could improve the effectiveness of this supervisory activity.
Finally, we found that FRB New York's JPMC supervisory teams appeared to exhibit key-person dependencies. In our opinion, these dependencies heightened FRB New York's vulnerability to the loss of institutional knowledge.
Our report contains 10 recommendations that encourage the Board's Division of Banking Supervision and Regulation to enhance its supervisory processes and approach to consolidated supervision for large, complex banking organizations. We received a response from the Board's Division of Banking Supervision and Regulation that describes the division's feedback on our report and refers to a separate response from FRB New York. In its response, the Division of Banking Supervision and Regulation acknowledged its appreciation for our recommendations for improving the Federal Reserve System's supervisory efforts. The Division of Banking Supervision and Regulation stated that in several instances, it has taken action or has planned activities to address issues raised in our report. In many instances, those activities appear to be responsive to our recommendations. Our report clarifies our expectations for corrective action where necessary. We will conduct future follow-up activities to determine whether the Board's actions fully address the issues raised in our report.
Opportunities Exist to Enhance the Board's Oversight of Future Complex Enforcement Actions
In February 2013, the Board and the OCC issued amended consent orders that require mortgage servicers to provide about $3.67 billion in payments to nearly 4.2 million borrowers based on possible harm and to provide other foreclosure prevention assistance. Our objectives for this evaluation were to (1) evaluate the Board's overall approach to oversight of the amended consent orders, (2) determine the effectiveness of the Board's oversight of the borrower slotting process, and (3) determine the effectiveness of the Board's oversight of the servicers' paying agent, Rust Consulting, Inc.
We found that the Board's advance preparation and planning efforts for the payment agreement with the 13 servicers that joined the agreement in January 2013 were not commensurate with the complexity associated with this unprecedented interagency effort. In addition, project management resources were not available to the Board's oversight team for this initiative. Further, we found that data integrity issues at two mortgage servicers impacted the reliability and consistency of the slotting results. The payment agreement required servicers to slot borrowers into categories of possible harm—with payment amounts set for each category—that were defined by Board and OCC staff. The approach to resolving these data integrity issues may have resulted in borrowers who experienced similar harm receiving different payment amounts. We also determined that an approach has not been selected to end the payment agreement. Despite these challenges and limitations, as of August 15, 2014, borrowers had cashed or deposited checks representing about $3.15 billion, or approximately 86 percent, of the total $3.67 billion.
We made five recommendations to improve the Board's oversight of future complex enforcement strategies. The Board generally agreed with our recommendations and noted the corrective actions that it has implemented or intends to implement.
Opportunities Exist to Enhance the Onsite Reviews of the Reserve Banks' Wholesale Financial Services
The Reserve Banks provide wholesale financial services to depository institutions, the U.S. government, and foreign institutions, and the Board's Division of Reserve Bank Operations and Payment Systems (RBOPS) oversees the Reserve Banks. As such, our audit assessed the extent and effectiveness of RBOPS's oversight of the Reserve Banks' wholesale financial services.
The Dodd-Frank Act broadened the Board's supervisory authority over private payment, clearing, and settlement systems designated as systemically important financial market utilities. Since the enactment of the act, RBOPS's Financial Market Infrastructure Oversight (FMI Oversight) group has worked to closely align its Reserve Banks' wholesale financial services oversight processes with those applied in the supervision of designated financial market utilities.
We did not note any deficiencies regarding the efficiency and effectiveness of the FMI Oversight group's onsite review activities for wholesale financial services. We found, however, that the FMI Oversight group does not have comprehensive formal policies and procedures that guide the execution and documentation of its onsite review of wholesale financial services. In addition, we noted that a small percentage of onsite review documentation was incomplete, and we noted a few instances in which the reviewer indicated a lack of understanding of a review step. We generally did not see indications of a second-level review of this documentation.
We made one recommendation to enhance RBOPS's oversight of the Reserve Banks' wholesale financial services. RBOPS generally concurred with our recommendation and noted it has initiated efforts to augment existing procedures and, if necessary, develop new procedures that guide its onsite reviews of wholesale financial services.
Enforcement Actions and Professional Liability Claims Against Institution-Affiliated Parties and Individuals Associated with Failed Institutions
Our office, the FDIC OIG, and the Treasury OIG participated in this evaluation concerning actions that the FDIC, the Board, and the OCC took against individuals and entities in response to actions that harmed financial institutions. The objectives of the evaluation were to (1) describe the FDIC's, the Board's, and the OCC's processes for investigating and pursuing enforcement actions against institution-affiliated parties associated with failed institutions, as well as the results of those efforts; (2) describe the FDIC's process for investigating and pursuing professional liability claims against individuals and entities associated with failed institutions and its coordination with the Board and the OCC; (3) determine the results of the FDIC's, the Board's, and the OCC's efforts in investigating and pursuing enforcement actions against institution-affiliated parties and the FDIC's efforts in pursuing professional liability claims; and (4) assess key factors that may impact the pursuit of enforcement actions and professional liability claims.
The joint evaluation team found that several factors appeared to impact the three regulators' ability to pursue enforcement actions against institution-affiliated parties. Those factors included the rigorous statutory criteria for sustaining removal/prohibition orders; the extent to which each regulator was willing to use certain enforcement action tools, such as personal cease and desist orders; the risk appetite of the FDIC, the Board, and the OCC for bringing enforcement actions; enforcement action statutes of limitation; and staff resources. The report also notes that these regulators should address differences in how they notify each other when initiating enforcement actions against institution-affiliated parties and depository institutions.
The report contains three recommendations intended to strengthen the Board's and the OCC's programs for pursuing enforcement actions, and four recommendations that apply exclusively to the FDIC. The Board was responsive to the recommendations and adequately described its planned corrective actions.
The Board Should Enhance Its Policies and Procedures Related to Conference Activities
We evaluated the Board's policies and procedures to determine the requirements for Board-sponsored conference activities and to assess the Board's compliance with the relevant requirements. The Board uses a decentralized process that affords each Board division autonomy for initiating and procuring conference services.
Our findings focused on document retention and adherence to policies and procedures. For the conferences we reviewed, we did not identify any issues at the Board similar to those described in the 2012 U.S. General Services Administration OIG's management deficiency report on that agency's 2010 conference held near Las Vegas. The Board's preference for using its own facilities for conferences minimizes the cost and mitigates the potential reputational risk associated with conference-related activities. Although the Board has not established an agency-wide process for planning conference-related activities, the Board does have acquisition, food and beverage expense, and records retention policies that contain requirements applicable to conference-related activities. The Board should ensure that its divisions comply with these requirements and that the scope of its policies and procedures is updated to address various aspects of conference-related activities.
Our report contains five recommendations designed to strengthen and ensure compliance with the policies and procedures that guide Board divisions engaged in planning conference activities. The Board generally concurred with our recommendations and noted that it has made or will make changes to the relevant policies and procedures.
Security Control Review of the Board's E2 Solutions Travel Management System
FISMA requires the OIG to evaluate the effectiveness of the information security controls and techniques for a subset of the Board's information systems, including those provided or managed by another agency, a contractor, or another organization. As part of our work to fulfill this requirement, we reviewed the information system security controls for the Board's third-party E2 Solutions Travel Management System (E2). E2 is listed on the Board's FISMA inventory as a third-party application and is classified as a moderate-risk system. E2 contains sensitive financial and personally identifiable information on Board employees and contractors. The Board's Division of Financial Management is assigned overall responsibility for ensuring that the system meets FISMA requirements.
Overall, we found that the Division of Financial Management has taken several steps to ensure that security controls for E2 are implemented in accordance with the requirements of FISMA and the Board Information Security Program. However, we identified improvements that are needed to ensure that security controls in the areas of risk assessment, system and services acquisition, personnel security, and audit and accountability are implemented effectively and operating as intended.
Our report includes five recommendations that focus on strengthening risk management and contractor oversight processes to ensure that controls in these areas are implemented consistently with the requirements of FISMA and the Board Information Security Program. The Board agreed with our recommendations and outlined actions that have been or will be taken to address them.
Ongoing Projects
Audit of the Board's Diversity and Inclusion Processes
In response to a congressional request from members of the House Committee on Financial Services, we are conducting an audit of the Board's diversity and inclusion processes. Our objective is to assess the Board's personnel operations and other efforts to provide for equal employment opportunities, including equal opportunity for minorities and women to obtain senior management positions, and for racial, ethnic, and gender diversity in the workforce. Our work will include looking at the role of the Board's Office of Minority and Women Inclusion in these areas. We plan to complete the audit during the next semiannual reporting period.
Evaluation of the Division of Banking Supervision and Regulation's Model Risk-Management Practices for Models Used in Support of the Annual Comprehensive Capital Analysis and Review
We are conducting an evaluation of the Board's Division of Banking Supervision and Regulation's model risk-management processes for the supervisory models used in support of the annual Comprehensive Capital Analysis and Review (CCAR). CCAR is an annual exercise by the Federal Reserve System to ensure that institutions have robust, forward-looking capital planning processes that account for their unique risks and also that these institutions have sufficient capital to continue operations throughout times of economic and financial stress. CCAR includes a supervisory stress test to support the Federal Reserve System's analysis of the adequacy of the firms' capital. Our review assesses the overall effectiveness of the model risk-management framework pertaining to the supervisory models, including a wide spectrum of current model risk-management practices and the related policies and procedures. The objectives of our audit are to (1) assess the extent to which the Federal Reserve System's model risk-management procedures for CCAR stress-testing supervisory models are consistent with Supervision and Regulation Letter 11-7, Supervisory Guidance on Model Risk Management, and (2) assess whether the model risk-management practices are consistent with internal policies and procedures.
Evaluation of the Operational Components of the Board's Law Enforcement Unit
The Law Enforcement Unit safeguards most Board-designated property and personnel 24 hours a day, 7 days a week. In the Board's 2012–2015 strategic framework, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, the Board's Management Division, which includes the Law Enforcement Unit, identified opportunities for potential cost savings and for operational efficiency improvement. Our evaluation objective is to assess the economy and efficiency of the Law Enforcement Unit's operational components by reviewing the unit's approach to identifying cost savings and opportunities for operational efficiencies. We plan to issue the results of our evaluation during the next semiannual reporting period.
Evaluation of the Board's Corporate Services
We are conducting an evaluation of the Board's corporate services, specifically, Mail Services and Motor Transport, to identify potential efficiencies of such services. In the Board's 2012–2015 strategic framework, the sixth strategic theme is to establish a cost-reduction approach for Board operations that maintains an effective and efficient use of financial resources. Accordingly, the Board's Management Division has linked its program area objectives to the strategic framework and is working to identify opportunities for potential cost savings and to improve operational efficiencies. We expect to report the results of our evaluation during the next semiannual reporting period.
Audit of the Board's Data Center Relocation
We issued an initial draft report on an audit of the current phase of our ongoing oversight of the Board's relocation of its data center. The relocation of the data center is a multiyear project that is planned to be completed in 2015. We are monitoring the project and will issue reports at key points. Our objectives during the initial audit were to obtain information and gain an understanding of the project's scope, cost, and schedule. We issued our first report on February 7, 2014, with recommendations related to monitoring costs and schedule. As part of our current audit, we followed up on recommendations from our initial audit and are focusing on the construction and equipment procurement process to ensure that the Board is implementing physical and environmental controls. We plan to issue this report in the next semiannual reporting period.
Audit of the Board's IT Contingency Planning and Continuity of Operations Program
We issued a draft report for formal comments on our audit of the Board's IT contingency planning and continuity of operations program. The audit focused on determining whether the Board's program is consistent with federal guidelines and how the Board's contingency planning and continuity of operations program provide a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. We plan to issue this report during the next semiannual reporting period.
Audit of the Board's STAR Modernization Project
We are conducting an audit of the STAR Modernization Project. STAR is the central computer application used by the statistics function at the Board and the Reserve Banks to collect and edit over 75 periodic statistical reports from financial institutions. Through the STAR Modernization Project, the Board is upgrading the central computer application system hardware, software, and functionality. Our audit focuses on the adequacy and internal controls of the development process for the new system, including the cost and schedule. In addition, we are assessing how security controls are being built into the system. We plan to issue our report in the next semiannual reporting period.
Audit of the Board's Information System Security Life Cycle Process
We completed our fieldwork and briefed Board management regarding our audit of the Board's information system security life cycle process. Our audit focused on the Board's processes to meet FISMA requirements for security categorization, testing, security plans, and accreditation of its information systems. In addition, we reviewed how the Board's FISMA-related documents and reviews are compiled and maintained. We plan to issue our report during the next semiannual reporting period.
Security Control Review of the Board's C-SCAPE System
We initiated a security control review of the Board's Consolidated Supervision Comparative Analysis, Planning and Execution (C-SCAPE) system. C-SCAPE is a data input and reporting tool to support the Large Institution Supervision Coordinating Committee's reengineered supervisory processes for large banking organizations, foreign banking organizations, and financial market utilities. Our focus is to evaluate the adequacy of certain security controls designed to protect data in the system from unauthorized access, modification, destruction, or disclosure. We plan to issue our report during the next semiannual reporting period.
2014 Audit of the Board's Information Security Program
We initiated our 2014 audit of the Board's information security program. FISMA requires that each agency IG conduct an annual independent evaluation of the agency's information security program. Based on FISMA's requirements, our audit objectives are to evaluate (1) the Board's compliance with FISMA and related information security policies, procedures, standards, and guidelines and (2) the effectiveness of security controls and techniques for a subset of the Board's information systems. We plan to issue our report during the next semiannual reporting period.
Audit of the Financial Stability Oversight Council's Oversight of Interest Rate Risk
In 2014, CIGFO convened a working group to audit the Financial Stability Oversight Council's oversight of interest rate risk. As the independent oversight entity of the Board and the CFPB, the OIG is a member of CIGFO and the working group. The audit objective is to assess the extent to which the Financial Stability Oversight Council is overseeing interest rate risk to the financial system. The CIGFO working group plans to issue a report to the Financial Stability Oversight Council in April 2015.
Audit of the Board of Governors of the Federal Reserve System Financial Statements as of and for the Years Ending December 31, 2014, and 2013
We contract with an independent public accounting firm for its auditors to annually perform an integrated audit of the Board's financial statements. The auditors perform the audit in accordance with generally accepted government auditing standards and express an opinion on the Board's financial statements. In addition, as part of the integrated audit, and in accordance with the auditing standards of the Public Company Accounting Oversight Board, the auditors perform an audit of the effectiveness of internal controls over financial reporting and express an opinion on these controls. We oversee the activities of the auditors to ensure compliance with generally accepted government auditing standards and Public Company Accounting Oversight Board auditing standards related to internal controls over financial reporting.
In accordance with generally accepted government auditing standards, the auditors also will perform tests of the Board's compliance with certain provisions of laws and regulations, since noncompliance with these provisions could have a direct and material effect on the determination of the financial statement amounts, and will issue a compliance report. The independent auditors' reports will be issued in the next semiannual reporting period.
Audit of the Federal Financial Institutions Examination Council Financial Statements as of and for the Years Ending December 31, 2014, and 2013
The Board performs the accounting function for the FFIEC, and we contract with an independent public accounting firm for its auditors to annually audit the FFIEC's financial statements. The auditors perform the audit in accordance with generally accepted government auditing standards and express an opinion on the FFIEC's financial statements. We oversee the activities of the auditors to ensure compliance with generally accepted government auditing standards.
In accordance with generally accepted government auditing standards, the auditors also will consider the FFIEC's internal controls over financial reporting and will perform tests of the FFIEC's compliance with certain provisions of laws and regulations, since noncompliance with these provisions could have a direct and material effect on the determination of the financial statement amounts, and will issue a report on internal control and compliance. The independent auditors' reports will be issued in the next semiannual reporting period.
Table 1: Audit, Inspection, and Evaluation Reports Issued to the Board During the Reporting Period

| Title | Type of report |
|---|---|
| Opportunities Exist to Enhance the Board's Oversight of Future Complex Enforcement Actions | Evaluation |
| Opportunities Exist to Enhance the Onsite Reviews of the Reserve Banks' Wholesale Financial Services | Audit |
| Security Control Review of the Board's E2 Solutions Travel Management System | Audit |
| Enforcement Actions and Professional Liability Claims Against Institution-Affiliated Parties and Individuals Associated with Failed Institutions | Evaluation |
| The Board Should Enhance Its Policies and Procedures Related to Conference Activities | Evaluation |

Total number of audit reports: 2
Total number of inspection and evaluation reports: 3
Table 2: Audit, Inspection, and Evaluation Reports Issued to the Board With Questioned Costs During the Reporting Period (a)

| Report | Number | Dollar value |
|---|---|---|
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |

a. Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.
Table 3: Audit, Inspection, and Evaluation Reports Issued to the Board With Recommendations That Funds Be Put to Better Use During the Reporting Period (a)

| Report | Number | Dollar value |
|---|---|---|
| For which no management decision had been made by the commencement of the reporting period | 0 | $0 |
| That were issued during the reporting period | 0 | $0 |
| For which a management decision was made during the reporting period | 0 | $0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | $0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | $0 |
| For which no management decision had been made by the end of the reporting period | 0 | $0 |
| For which no management decision was made within six months of issuance | 0 | $0 |

a. Because the Board is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.
Table 4: OIG Reports to the Board With Recommendations That Were Open During the Reporting Period (a)

a. A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision.
b. This recommendation was directed jointly to the OCC, the FDIC, and the Board.

| Report title | Issue | Recommendations: No. | Recommendations: Mgmt. | Recommendations: Mgmt. | Status of recommendations: Last | Status of recommendations: Closed | Status of recommendations: Open |
|---|---|---|---|---|---|---|---|
| Evaluation of Service Credit Computations | 08/05 | 3 | 3 | – | 09/13 | 2 | 1 |
| Evaluation of Data Flows for Board Employee Data Received by Office of Employee Benefits and Its Contractors (nonpublic report) | 09/08 | 2 | 2 | – | 02/14 | 1 | 1 |
| Security Control Review of the Internet Electronic Submission System (nonpublic report) | 12/10 | 6 | 6 | – | 03/13 | 3 | 3 |
| Response to a Congressional Request Regarding the Economic Analysis Associated with Specified Rulemakings | 06/11 | 2 | 2 | – | 09/14 | – | 2 |
| Review of the Failure of Pierce Commercial Bank | 09/11 | 2 | 2 | – | 09/14 | 1 | 1 |
| Security Control Review of the Visitor Registration System (nonpublic report) | 09/11 | 10 | 10 | – | 07/13 | 4 | 6 |
| Evaluation of Prompt Regulatory Action Implementation | 09/11 | 1 (b) | 1 | – | – | – | 1 |
| Audit of the Board's Information Security Program | 11/11 | 1 | 1 | – | 11/13 | – | 1 |
| Review of RBOPS' Oversight of the Next Generation $100 Note | 01/12 | 2 | 2 | – | 09/14 | 2 | – |
| Security Control Review of the National Remote Access Services System (nonpublic report) | 03/12 | 8 | 8 | – | 09/13 | 7 | 1 |
| Material Loss Review of the Bank of the Commonwealth | 04/12 | 4 | 4 | – | 09/14 | 4 | – |
| Security Control Review of the Board's Public Website (nonpublic report) | 04/12 | 12 | 12 | – | – | – | 12 |
| Review of the Unauthorized Disclosure of a Confidential Staff Draft of the Volcker Rule Notice of Proposed Rulemaking | 07/12 | 3 | 3 | – | 09/14 | – | 3 |
| Security Control Review of the Federal Reserve Bank of Richmond's Lotus Notes Systems Supporting the Board's Division of Banking Supervision and Regulation (nonpublic report) | 08/12 | 9 | 9 | – | – | – | 9 |
| Audit of the Small Community Bank Examination Process | 08/12 | 1 | 1 | – | – | – | 1 |
| Audit of the Board's Actions to Analyze Mortgage Foreclosure Processing Risks | 09/12 | 2 | 2 | – | 09/14 | 1 | 1 |
| Security Control Review of the Aon Hewitt Employee Benefits System (nonpublic report) | 09/12 | 8 | 8 | – | – | – | 8 |
| 2012 Audit of the Board's Information Security Program | 11/12 | 2 | 2 | – | 11/13 | – | 2 |
| Security Control Review of Contingency Planning Controls for the Information Technology General Support System (nonpublic report) | 12/12 | 5 | 5 | – | – | – | 5 |
| Review of the Failure of Bank of Whitman | 03/13 | 1 | 1 | – | 09/14 | – | 1 |
| Controls over the Board's Purchase Card Program Can Be Strengthened | 03/13 | 3 | 3 | – | 09/14 | 2 | 1 |
| Board Should Enhance Compliance with Small Entity Compliance Guide Requirements Contained in the Small Business Regulatory Enforcement Fairness Act of 1996 | 07/13 | 2 | 2 | – | – | – | 2 |
Security Control Review of the Board's National Examination Database System (nonpublic report) |
07/13 |
4 |
4 |
– |
– |
– |
4 |
Security Control Review of a Third-party Commercial Data Exchange Service Used by the Board's Division of Banking Supervision and Regulation (nonpublic report) |
08/13 |
11 |
11 |
– |
– |
– |
11 |
Board Should Strengthen Controls over the Handling of the Federal Open Market Committee Meeting Minutes |
08/13 |
4 |
4 |
– |
09/14 |
4 |
– |
The Board Can Benefit from Implementing an Agency-Wide Process for Maintaining and Monitoring Administrative Internal Control |
09/13 |
1 |
1 |
– |
– |
– |
1 |
The Board Should Improve Procedures for Preparing for and Responding to Emergency Events |
09/13 |
7 |
7 |
– |
09/14 |
1 |
6 |
2013 Audit of the Board's Information Security Program |
11/13 |
2 |
2 |
– |
– |
– |
2 |
Audit of the Board's Data Center Relocation |
02/14 |
2 |
2 |
– |
– |
– |
2 |
Opportunities Exist to Achieve Operational Efficiencies in the Board's Management of Information Technology Services |
02/14 |
2 |
2 |
– |
– |
– |
2 |
The Board's Law Enforcement Unit Could Benefit From Enhanced Oversight and Controls to Ensure Compliance With Applicable Regulations and Policies |
03/14 |
10 |
10 |
– |
09/14 |
3 |
7 |
Opportunities Exist for the Board to Improve Recordkeeping, Cost Estimation, and Cost Management Processes for the Martin Building Construction and Renovation Project |
03/14 |
6 |
6 |
– |
09/14 |
3 |
3 |
The Board Should Enhance Its Policies and Procedures Related to Conference Activities |
06/14 |
5 |
5 |
– |
– |
– |
5 |
Enforcement Actions and Professional Liability Claims Against Institution-Affiliated Parties and Individuals Associated with Failed Institutions |
07/14 |
3 |
3 |
– |
– |
– |
3 |
Security Control Review of the Board's E2 Solutions Travel Management System |
08/14 |
5 |
5 |
– |
– |
– |
5 |
Opportunities Exist to Enhance the Onsite Reviews of the Reserve Banks' Wholesale Financial Services |
09/14 |
1 |
1 |
– |
– |
– |
1 |
Opportunities Exist to Enhance the Board's Oversight of Future Complex Enforcement Actions |
09/14 |
5 |
5 |
– |
– |
– |
5 |
Consumer Financial Protection Bureau
Completed Projects
Response to the January 29, 2014, Congressional Request Regarding the CFPB's Headquarters Renovation Project
In a letter dated January 29, 2014, the Chairman of the Subcommittee on Oversight and Investigations of the House Committee on Financial Services expressed concern about the renovation budget for the CFPB's headquarters, stating that it had increased from $55 million to more than $95 million and that the CFPB later published year-to-date expenses for building improvements of $150.8 million. To address the Chairman's concerns, we evaluated, with respect to the CFPB's headquarters renovation project, (1) the budgeting and approval process, (2) the scope and justification for estimates, and (3) the use of competitive procedures.
We found that the CFPB has formalized policies for budgeting and funding, as well as for approving major investments prior to obligating funds. However, we noted that the approval of funding for the renovation was not in accordance with the CFPB's policies for major investments. We also found that the figures associated with the renovation had significantly different scopes. The $55 million figure represented 1 year of costs from a 10-year renovation plan, and the $95 million internally developed estimate did not include certain contingencies and fees; these figures were used as estimates for budget purposes. The $150.8 million figure was based on a construction cost estimate developed specifically for this renovation. Lastly, we identified three major contracting efforts associated with the CFPB headquarters building renovation: an architecture/engineering contract awarded by the CFPB, and a construction contract and a construction management contract that are in the process of being awarded by the U.S. General Services Administration. We determined that competitive procedures were used in awarding the architecture/engineering design contract and that the U.S. General Services Administration is using competitive procedures to award the construction and construction management contracts.
Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services
In January 2014, CIGIE spearheaded a governmentwide review of select agencies' efforts to adopt cloud computing technologies. In support of this initiative, our objective was to review the CFPB's acquisition and contract management for two of the CFPB's seven cloud service providers to determine whether requirements for security, service levels, and access to records were planned for, defined in contracts, and being monitored.
Overall, we found that (1) the CFPB's contracts for cloud computing services included roles and responsibilities, information security requirements, and service-level expectations; (2) the CFPB has established a process to monitor both contractual and service-level requirements for its cloud service providers; and (3) the agency collects and maintains nondisclosure agreements from contractor personnel to protect sensitive information. However, we identified opportunities for improvement in the procurement and use of cloud services, such as performing alternatives analysis and cost analysis and including clauses that provide the access needed for electronic discovery and performance of criminal and noncriminal investigations. We also found that one of the contracts we reviewed did not (1) include a clause granting the OIG the right to examine agency records or (2) detail specific penalties or remedies for noncompliance with contract terms and service levels.
Our report contains four recommendations to assist the CFPB's Chief Information Officer in strengthening processes for the acquisition and contract management of cloud services. The Chief Information Officer concurred with our recommendations and outlined actions that have been taken or will be implemented to address them.
The CFPB Has Established Effective GPRA Processes, but Opportunities Exist for Further Enhancement
We conducted this audit to assess (1) the effectiveness of the CFPB's processes that address GPRA and (2) the CFPB's compliance with applicable sections of GPRA. GPRA requires that most executive agencies produce strategic plans every four years and publish annual agency performance plans. The CFPB has determined that it is generally subject to the requirements of GPRA, except for those provisions of GPRA that require agencies to follow guidance issued by the Office of Management and Budget or to submit to the Office of Management and Budget's jurisdiction or oversight.
We found that the CFPB has developed effective strategic and performance planning processes. The CFPB expanded these processes beyond GPRA requirements by developing division-level strategic plans with division-level performance goals and performance measures and implementing a quarterly performance review process. We found that the CFPB fully satisfied 22 of 28 applicable GPRA requirements and that opportunities exist for the CFPB to further enhance its GPRA processes.
Our report contains three recommendations designed to ensure full GPRA compliance and to assist the CFPB in building on its current success in establishing GPRA processes. Management identified actions that have been or will be taken to address our recommendations.
The CFPB Complies With Section 1100G of the Dodd-Frank Act, but Opportunities Exist for the CFPB to Enhance Its Process
We conducted this evaluation to assess the CFPB's compliance with section 1100G of the Dodd‑Frank Act. The Regulatory Flexibility Act, as amended, requires federal agencies to analyze the impact of their regulatory actions on small entities. Section 1100G of the Dodd-Frank Act amended some of the provisions of the Regulatory Flexibility Act, requiring the CFPB to assess the impact of any proposed rule on the cost of credit for small business entities and convene panels to seek direct input from small business entities prior to issuing certain rules. The CFPB created two interim policy and procedures documents that outline the agency's process to comply with these requirements.
Overall, we found that the CFPB complied with the provisions of section 1100G of the Dodd-Frank Act as well as the agency's two interim policies and procedures. We found, however, that the interim policies and procedures have been in use for approximately two years without being updated or finalized. We also found that the interim policies and procedures afforded teams significant discretion in their 1100G rulemaking approach to regulatory analysis, which contributed to a variance in documentation and inconsistent knowledge transfer practices. Finally, we found that the CFPB's Division of Research, Markets, and Regulation uses an inconsistent approach to storing supporting documentation related to 1100G rulemakings. After the close of our fieldwork, we were informed by CFPB officials that the division had finalized and reissued the two policy and procedures documents.
Our recommendations include that the CFPB establish a standard approach to manage electronic 1100G rulemaking supporting documents and ensure that the standard approach complies with CFPB and other applicable provisions. The CFPB concurred with our recommendations and outlined actions that have been or will be taken to address them.
Security Control Review of the CFPB's Cloud Computing–Based General Support System
FISMA requires the OIG to evaluate the effectiveness of the information security controls and techniques for a subset of the agency's information systems, including those provided or managed by another agency, a contractor, or another organization. To meet FISMA requirements, we reviewed the information system security controls for the CFPB's cloud computing–based general support system.
The CFPB has invested in a cloud computing–based general support system that provides the IT infrastructure to support the agency's applications and common enterprise services, such as e-mail, instant messaging, and file storage. The general support system is jointly managed and operated by the CFPB and a third party, and it is classified as a moderate-risk system.
Overall, we found that the CFPB has taken a number of steps to secure its cloud computing–based general support system in accordance with FISMA requirements. However, we found that improvements are needed to ensure that FISMA processes and controls are effective and consistently implemented across all information security areas for the general support system.
Our report includes recommendations to strengthen security controls for the general support system in four information security areas: system and information integrity, configuration management, contingency planning, and incident response. The CFPB's Chief Information Officer concurred with our recommendations and outlined actions that have been or will be taken to address them.
Ongoing Projects
Audit of the CFPB's Diversity and Inclusion Processes
In response to a congressional request from members of the House Committee on Financial Services, we are conducting an audit of the CFPB's diversity and inclusion processes. Our objective is to assess the CFPB's personnel operations and other efforts to provide for equal employment opportunities, including equal opportunity for minorities and women to obtain senior management positions, and for racial, ethnic, and gender diversity in the workforce. Our work will include looking at the role of the CFPB's Office of Minority and Women Inclusion in these areas. We plan to complete the audit during the next semiannual reporting period.
Joint Evaluation of Coordination Between the CFPB and Other Regulatory Agencies
In 2014, our office, the FDIC OIG, the National Credit Union Administration OIG, and the Treasury OIG initiated a joint evaluation of the coordination between the CFPB and other regulatory agencies with respect to conducting supervisory activities. The Dodd-Frank Act requires the CFPB to coordinate its supervisory activities with the federal prudential regulatory agencies and state financial regulatory authorities. The objective of this evaluation is to confirm that the required coordination is occurring and has been effective in avoiding conflicts or duplication of efforts, in particular for financial institutions with less than $10 billion in assets. Fieldwork is ongoing, and we expect to issue a product during the next semiannual reporting period.
Audit of the CFPB's Headquarters Renovation Costs
We initiated an audit to evaluate the reasonableness of the overall estimated and proposed costs for the CFPB's headquarters renovation. This audit is a follow-on to the work we previously completed in response to a congressional request regarding the CFPB's headquarters renovation budget. Our audit will assess the effectiveness of the CFPB's processes and controls for approving, managing, and documenting headquarters renovation costs and project decisions. We are currently conducting fieldwork and expect to complete this audit and issue our report in the next semiannual reporting period.
Risk Assessment of the CFPB's Government Charge Card Programs
The Government Charge Card Abuse Prevention Act of 2012 requires each agency that issues and uses purchase and travel cards to establish and maintain safeguards and internal controls to ensure the proper, efficient, and effective use of government charge cards. The act directs the IG of each executive agency to conduct periodic risk assessments of the agency's purchase card program and periodic audits or reviews of the agency's travel card program to identify illegal, improper, or erroneous purchases and payments. The OIG has initiated risk assessments of the CFPB's travel and purchase card programs to determine the frequency and scope of future OIG audits of the programs.
Evaluation of the CFPB's Hiring Process
The objective of this evaluation is to assess the efficiency and effectiveness of certain CFPB recruitment and selection subprocesses. We also are assessing the agency's compliance with certain laws, applicable regulations, and policies and its administration of recruitment and selection incentives to recruit new employees. We plan to issue the results of our evaluation of the CFPB's hiring process during the next semiannual reporting period.
Audit of the CFPB's Public Consumer Complaint Database
While the CFPB's public Consumer Complaint Database initially contained only individual-level consumer credit card complaints, it has since been expanded to include individual-level consumer complaints about other consumer financial products and services regulated by the CFPB, such as mortgages and credit reporting. Our audit objective is to assess the effectiveness of the CFPB's controls over the accuracy and completeness of the public complaint database. We plan to issue our report during the next semiannual reporting period.
Audit of the CFPB's Contract Management Process
We continued our audit of the CFPB's contract management process. The objective of this audit is to determine compliance with applicable laws, regulations, and CFPB policies and procedures, as well as the effectiveness of the CFPB's internal controls related to contract management. We plan to issue our report during the next semiannual reporting period.
Audit of the CFPB's Space-Planning Activities
We continued our audit of the CFPB's short-term and long-term space-planning activities to determine whether controls are in place to effectively manage the agency's space needs and associated costs. Our audit is focused on the CFPB's processes for planning, obtaining, and managing space for both its headquarters and regional offices, including how the agency manages its transition to new office space. We are currently conducting fieldwork and expect to complete this audit and issue our report in the next semiannual reporting period.
Audit of the CFPB's Distribution of Funds From the Civil Penalty Fund
We initiated an audit of the CFPB's distribution of funds from the CPF. As of June 30, 2014, the CFPB has collected and deposited approximately $143 million in civil penalties into the CPF. The agency has also allocated $31 million to compensate victims in six cases and has distributed approximately $1 million to victims in two of those cases. Our audit will assess the process for identifying victims and determining victim compensation. We expect to complete this audit and issue our report during the next semiannual reporting period.
Audit of the CFPB's Tableau System
We initiated a security control review of the CFPB's Tableau System. Tableau is an application used to develop, publish, and view business intelligence data. Our focus is to review the adequacy of certain security controls designed to protect data in the system from unauthorized access, modification, destruction, or disclosure. We plan to issue our report during the next semiannual reporting period.
2014 Audit of the CFPB's Information Security Program
We initiated our 2014 audit of the CFPB's information security program. FISMA requires that each agency IG conduct an annual independent evaluation of the agency's information security program. Based on FISMA's requirements, our audit objectives are to evaluate (1) the CFPB's compliance with FISMA and related information security policies, procedures, standards, and guidelines and (2) the effectiveness of security controls and techniques for a subset of the CFPB's information systems. We plan to issue our report during the next semiannual reporting period.
Security Control Review of the CFPB's DT Complaints Database
We initiated a security control review of the CFPB's DT Complaints Database. The DT Complaints Database supports the CFPB's public Consumer Complaint Database. Our focus is to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure. We plan to issue our report during the next semiannual reporting period.
Table 5: Audit, Inspection, and Evaluation Reports Issued to the CFPB During the Reporting Period
Title | Type of report
Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services | Audit
The CFPB Complies With Section 1100G of the Dodd-Frank Act, but Opportunities Exist for the CFPB to Enhance Its Process | Evaluation
Security Control Review of the CFPB's Cloud Computing–Based General Support System | Audit
Response to the January 29, 2014, Congressional Request Regarding the CFPB's Headquarters Renovation Project | Letter to requestor
The CFPB Has Established Effective GPRA Processes, but Opportunities Exist for Further Enhancement | Audit
Total number of audit reports: 3
Total number of inspection and evaluation reports: 1
Total number of letters to requestor: 1
Table 6: Audit, Inspection, and Evaluation Reports Issued to the CFPB With Questioned Costs During the Reporting Period (a)
Reports | Number | Dollar value
For which no management decision had been made by the commencement of the reporting period | 0 | $0
That were issued during the reporting period | 0 | $0
For which a management decision was made during the reporting period | 0 | $0
(i) dollar value of recommendations that were agreed to by management | 0 | $0
(ii) dollar value of recommendations that were not agreed to by management | 0 | $0
For which no management decision had been made by the end of the reporting period | 0 | $0
For which no management decision was made within six months of issuance | 0 | $0
(a) Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.
Table 7: Audit, Inspection, and Evaluation Reports Issued to the CFPB With Recommendations That Funds Be Put to Better Use During the Reporting Period (a)
Reports | Number | Dollar value
For which no management decision had been made by the commencement of the reporting period | 0 | $0
That were issued during the reporting period | 0 | $0
For which a management decision was made during the reporting period | 0 | $0
(i) dollar value of recommendations that were agreed to by management | 0 | $0
(ii) dollar value of recommendations that were not agreed to by management | 0 | $0
For which no management decision had been made by the end of the reporting period | 0 | $0
For which no management decision was made within six months of issuance | 0 | $0
(a) Because the CFPB is primarily a regulatory and policymaking agency, our recommendations typically focus on program effectiveness and efficiency, as well as strengthening internal controls. As such, the monetary benefit associated with their implementation typically is not readily quantifiable.
Table 8: OIG Reports to the CFPB With Recommendations That Were Open During the Reporting Period (a)
Report title | Issue date | Recommendations: No. | Recommendations: Mgmt. agrees | Recommendations: Mgmt. disagrees | Status: Last follow-up date | Status: Closed | Status: Open
Evaluation of the Consumer Financial Protection Bureau's Consumer Response Unit | 09/12 | 5 | 5 | – | 08/13 | 3 | 2
Security Control Review of the Consumer Financial Protection Bureau's Consumer Response System (nonpublic report) | 03/13 | 9 | 9 | – | 03/14 | 8 | 1
CFPB Contract Solicitation and Selection Processes Facilitate FAR Compliance, but Opportunities Exist to Strengthen Internal Controls | 03/13 | 3 | 3 | – | 09/14 | 3 | –
Opportunities Exist to Enhance the CFPB's Policies, Procedures, and Monitoring Activities for Conferences | 08/13 | 4 | 4 | – | – | – | 4
The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity | 09/13 | 14 | 14 | – | 09/14 | 5 | 9
2013 Audit of the CFPB's Information Security Program | 12/13 | 4 | 4 | – | – | – | 4
The CFPB Should Reassess Its Approach to Integrating Enforcement Attorneys Into Examinations and Enhance Associated Safeguards | 12/13 | 7 | 7 | – | 09/14 | 3 | 4
Audit of the CFPB's Civil Penalty Fund | 01/14 | 1 | 1 | – | 09/14 | 1 | –
The CFPB Can Improve the Efficiency and Effectiveness of Its Supervisory Activities | 03/14 | 12 | 12 | – | – | – | 12
The CFPB Has Established Effective GPRA Processes, but Opportunities Exist for Further Enhancement | 06/14 | 3 | 3 | – | – | – | 3
Security Control Review of the CFPB's Cloud Computing–Based General Support System | 07/14 | 4 | 4 | – | – | – | 4
The CFPB Complies With Section 1100G of the Dodd-Frank Act, but Opportunities Exist for the CFPB to Enhance Its Process | 09/14 | 3 | 3 | – | – | – | 3
Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services | 09/14 | 4 | 4 | – | – | – | 4
(a) A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable; or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the agency is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred or are referring it to the appropriate oversight committee or administrator for a final decision.