Work Plan
Ongoing and planned audit and evaluation projects
Current as of June 5, 2015
Overview

The Work Plan presents the audits and evaluations that the Office of Inspector General (OIG) is conducting to assist the Board of Governors of the Federal Reserve System (Board) and the Consumer Financial Protection Bureau (CFPB) in fulfilling their respective missions. Our statutory mandates are our highest priority, and with our remaining resources, we focus on those programs and operations that pose the highest risk to achieving the Board's and the CFPB's strategic goals, objectives, and priorities; meeting budgetary and financial commitments; and complying with applicable laws, regulations, and guidance.

The Work Plan is updated twice a month. Projects are categorized as ongoing or planned. Entries for ongoing projects include the calendar quarter in which the project is expected to be completed. For a list of completed projects, please view the Audit Reports page on our website.

The OIG may be required to perform unanticipated work based on congressional requests, OIG Hotline complaints, new statutory mandates, or other input. Such work, as well as resource constraints, may result in the deferral, cancellation, or modification of projects. Our effectiveness depends on our flexibility to address other priorities as they arise.

For congressional, media, or other inquiries, please e-mail oig.media@frb.gov or call John Manibusan at 202-973-5043.
Contents

Board: Ongoing Projects
Board: Planned Projects
CFPB: Ongoing Projects
CFPB: Planned Projects
Board: Ongoing Projects with calendar quarter of expected completion

Audit of the Board's STAR Modernization Project

STAR is the central computer application used by the statistics function at the Federal Reserve Banks and the Board to collect and edit over 75 periodic statistical reports from financial institutions. These data reports are subsequently delivered to end users at the Board, the Federal Reserve Bank of New York's Trading Desk, and the Federal Reserve Banks' Economic Research and Banking Supervision Divisions for use in performing their duties regarding monetary policy and supervision and regulation of financial institutions. STAR is also used by the Federal Reserve System's Reserve Administration function to calculate reserve requirements, monitor reserve balances, and perform other activities. In addition, STAR produces reserve account information that can be used by depository institutions to manage their accounts effectively. The current technology is being updated to better support business needs and to include a server-based environment and support by the Federal Reserve System's National IT. The Board began decommissioning the legacy STAR system in 2014. Our audit focus includes the adequacy and internal controls of the development process for the new system, including the cost and schedule. In addition, we are determining how security controls are being built into the system.

Evaluation of the Board's Corporate Services

The Board continues to provide corporate services, such as Mail Services, Motor Transport services, and Print Shop services, across all divisions. Our objective is to assess the extent to which Board staff use these services and to identify potential economies and efficiencies.

Security Control Review of the Board's C-SCAPE

The Federal Information Security Management Act of 2002 requires that each agency Inspector General evaluate a representative subset of the agency's information systems.
As part of meeting this requirement, we are conducting a security control review of the Board's Consolidated Supervision Comparative Analysis, Planning and Execution System (C-SCAPE). C-SCAPE is a data input and reporting tool used to support the supervisory program. C-SCAPE is intended to support the Large Institution Supervision Coordinating Committee's reengineered supervisory processes for large banking organizations, foreign banking organizations, and financial market utilities. Our specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure.

Audit of the Board's Data Governance
Third quarter 2015

Strategic theme 2 of the Board's Strategic Framework 2012–15 calls for redesigning data governance and management processes to enhance the Board's data environment in the wake of the Board's expanded mandates under the Dodd-Frank Act. Theme 2 objectives consist of improving data governance by establishing a new Office of the Chief Data Officer and ensuring clear roles and responsibilities among data users and the Board Data Council; ensuring that all enterprise data are appropriately handled, processed, stored, and disseminated; and strengthening the Board's data environment by establishing an infrastructure to share data and improve data integration. Our audit is focused on obtaining information on the current plans and activities to achieve the theme 2 strategic objectives and the progress made, including efforts to share data among divisions and achieve potential efficiencies in the procurement of data.
Audit of the Financial Stability Oversight Council's (FSOC) Oversight of Interest Rate Risk
Third quarter 2015

In 2014, the Council of Inspectors General on Financial Oversight (CIGFO) convened a working group to audit FSOC's oversight of interest rate risk. As the independent oversight entity of the Board and the CFPB, the OIG is a member of CIGFO and the working group. The audit objective is to assess the extent to which FSOC is overseeing interest rate risk to the financial system.

Evaluation of the Division of Banking Supervision and Regulation's (BS&R) Model Risk-Management Practices for Models Used in Support of the Annual Comprehensive Capital Analysis and Review (CCAR)
Third quarter 2015

CCAR is the largest initiative of the Operating Committee of the Large Institution Supervision Coordinating Committee. CCAR is a supervisory assessment of the capital planning processes and capital adequacy of the largest, most complex bank holding companies. We are reviewing BS&R's model risk-management practices, including model validation activities, for the supervisory models used in support of the CCAR stress testing.

Audit of the Board's Public Release of Economic Information
Fourth quarter 2015

The Board produces several economic publications and statistical releases on a periodic schedule. Many of these releases have the potential to influence market trading; therefore, the Board needs to have sufficient controls over the release of this sensitive information to the public. We are auditing the Board's processes to ensure that these data are properly safeguarded on the day of issuance.

Evaluation of the Examination Approach Used to Assess Office of Foreign Assets Control (OFAC) Compliance
Fourth quarter 2015

In the past few years, there have been high-profile instances of foreign banking organizations (FBOs) operating in the United States that were facilitating payments to prohibited entities on OFAC's list of specially designated nationals.
The Federal Financial Institutions Examination Council's Bank Secrecy Act/Anti-Money Laundering Examination Manual contains specific examination procedures for assessing OFAC compliance programs. This evaluation seeks to assess the effectiveness of the Board's and the Federal Reserve Banks' approach to examining the OFAC compliance programs for FBOs operating in the United States. This evaluation will assess the extent to which the current examination approach to OFAC compliance should be updated based on (1) lessons learned from these incidents or (2) evolving expectations for OFAC compliance programs based on recent updates to the sanctions list.

In-Depth Review of the Failure of NBRS Financial Bank
Fourth quarter 2015

In accordance with section 38(k) of the Federal Deposit Insurance Act, as amended, when a state member bank failure occurs that does not result in a material loss to the Deposit Insurance Fund, our office conducts a failed bank review to assess whether the failure presents unusual circumstances that would warrant an in-depth review. On conducting a failed bank review of NBRS Financial Bank, we determined that this state member bank failure warrants an in-depth review. As a result, we are conducting an in-depth review to

- assess the Board's supervision of the failed institution, including the Board's implementation of prompt corrective action
- ascertain why the institution's problems resulted in a nonmaterial loss to the Deposit Insurance Fund
- make recommendations for preventing any such loss in the future

2015 Audit of the Board's Information Security Program
Fourth quarter 2015

The Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), established a legislative mandate for ensuring the effectiveness of information security controls over resources that support federal operations and assets. In accordance with FISMA requirements, the OIG is required to conduct an independent evaluation of the Board's information security program. Our objectives are to evaluate (1) the effectiveness of the Board's security controls and techniques for select information systems and (2) the Board's compliance with FISMA and related information security policies, procedures, standards, and guidelines.

Evaluation of the Federal Reserve System's Practices for Addressing Divergent Views and Making Supervisory Decisions for Large Bank Holding Companies
First quarter 2016

In response to a request from the Board, the OIG is conducting an evaluation of the Federal Reserve System's practices for addressing divergent views and making supervisory decisions regarding large bank holding companies with total assets in excess of $50 billion, known as Large Institution Supervision Coordinating Committee (LISCC) firms, and large banking organizations (LBOs). Our objectives are to (1) assess the methods for Federal Reserve System decisionmakers to obtain material information necessary to ensure that decisions and conclusions resulting from supervisory activities at LISCC firms and LBOs are appropriate, supported by the record, and consistent with applicable policies and (2) determine whether there are adequate channels for Federal Reserve System decisionmakers to be aware of supervision staff's divergent views about material issues regarding LISCC firms and LBOs. As a part of our project, we also plan to evaluate the effectiveness of continuous monitoring as a supervisory tool for LISCC firms and LBOs.

This project is an evaluation conducted pursuant to the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation and is not a criminal, civil, or administrative investigation. Unlike investigations conducted by law enforcement officials that may assess the actions of individual employees, auditors conduct evaluations that assess the effectiveness and efficiency of agency programs and operations. Our evaluations typically result in reports issued to Board officials that often include recommendations designed to improve the efficiency and effectiveness of the agency's operations, programs, and policies.
Board: Planned Projects

Audit of the Board's Contract Administration

According to a recent U.S. Government Accountability Office report, agencies across the federal government increasingly rely on contractors to execute their missions. The government needs strong controls to provide reasonable assurance that these contract funds are not being lost to improper payments, waste, or mismanagement. Effective contract oversight, which includes effective internal controls throughout the contracting process, is essential to protecting government and taxpayer interests. Our focus will be to identify and assess the effectiveness of internal controls related to contract administration.

Audit of the Board's C-SCAPE Project

Building on lessons learned from the recent financial crisis, the Federal Reserve System has taken a number of important steps to improve its supervisory program for large financial institutions. The Consolidated Supervision Comparative Analysis, Planning and Execution System (C-SCAPE) is a data input and reporting tool used to support the supervisory program. C-SCAPE is intended to support the Large Institution Supervision Coordinating Committee's reengineered supervisory processes for large banking organizations, foreign banking organizations, and financial market utilities. C-SCAPE is being updated to match the new framework for the consolidated supervision of large financial institutions. Our focus will be to identify and assess the effectiveness of internal controls related to project management, including the oversight provided by the Investment Review Board.

Audit of the Board's Process for Supervisory Assessments of Large Bank Holding Companies and Savings and Loan Holding Companies

The Dodd-Frank Act directed the Board to collect assessments, fees, and other charges for bank holding companies, savings and loan holding companies, and nonbank financial companies supervised by the Board. The collection process is new to the Board; the Federal Reserve System has not previously assessed supervised entities to cover expenses related to supervision. In addition, this process requires a coordinated effort among various divisions at the Board and with the Federal Reserve Banks. The Board issued a final rule in August 2013 that further describes the collection process for the supervised entities. We plan to evaluate the Board's internal controls related to the collection of these assessment fees as well as their disbursement.

Audit of the Board's Strategic Plan Implementation and Governance

Effective strategic planning helps organizations identify priorities and mitigate risks to achieving their missions. The Board's Strategic Framework 2012–15 contains six themes, including the importance of strengthening governance over its management processes to enable the effective implementation of the strategic framework's goals. We plan to assess the Board's implementation of its strategic plan, including how it measures strategic outcomes, identifies potential risks or challenges, establishes accountability, and monitors progress in implementing the framework.

Board Security Control Reviews

The Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014, requires that each agency Inspector General evaluate a representative subset of the agency's information systems, including third-party systems. To meet this requirement, we will conduct security control reviews of a sample of the Board's major applications and general support system components throughout the year. We will use automated audit scanning tools to assist with conducting the security control reviews.
Evaluation of Systemically Important Financial Institutions Supervision Teams: Preserving and Transferring Institutional Knowledge Within and Between Supervisory Teams

Preserving and transferring institutional knowledge contributes to effective supervision, particularly in light of examiner rotation requirements, examiner turnover, and the Board's and the Federal Reserve Banks' evolving supervisory responsibilities. This evaluation will assess Board guidance and the controls implemented by the Federal Reserve Banks of New York, San Francisco, Richmond, and Boston (the Reserve Banks responsible for supervising the systemically important financial institution portfolio) to evaluate the best practices for preserving and transferring institutional knowledge (1) within a supervisory team and (2) from an existing supervisory team to a new team.

Failed Bank Reviews

Section 38(k) of the Federal Deposit Insurance Act, as amended by the Dodd-Frank Act, requires that the Inspector General of the appropriate federal banking agency review the agency's supervision of a failed institution when the associated losses to the Deposit Insurance Fund are above the materiality threshold or are at or below the threshold but exhibit unusual circumstances warranting an in-depth review. In such cases, the Inspector General must prepare a report in a manner consistent with the requirements of a material loss review. For losses to the Deposit Insurance Fund that occurred on or after January 1, 2014, the materiality threshold is $50 million.
CFPB: Ongoing Projects with calendar quarter of expected completion

Audit of the CFPB's Contract Management Process

The CFPB's procurement process follows the requirements established by the Federal Acquisition Regulation, which is the primary regulation governing the acquisition of supplies and services by all federal executive agencies. This audit is a follow-on to the evaluation of the CFPB's contract solicitation and selection process. Our focus is on the CFPB's contract management processes, compliance with applicable rules established by the Federal Acquisition Regulation, and the effectiveness of the CFPB's internal controls related to contract management.

Audit of the CFPB's Distribution of Funds From the Civil Penalty Fund

The Dodd-Frank Act established the Civil Penalty Fund. The CFPB must deposit any civil penalty it obtains in any judicial or administrative action under federal consumer financial law into the fund. The CFPB is to use the funds collected to compensate consumers who were harmed by activities for which civil penalties have been imposed. To the extent that victims cannot be located or payment is not practicable, the CFPB may use the funds for consumer education and financial literacy programs. Our audit is focused on internal controls related to the administration of the Civil Penalty Fund. Specifically, our audit will assess the efficiency and effectiveness of the process for identifying victims.

Audit of the CFPB's Headquarters Renovation Costs

In June 2014, we completed a review and issued a letter report in response to a request from the Chairman of the Subcommittee on Oversight and Investigations, House Committee on Financial Services, regarding the CFPB's headquarters renovation budget. As a follow-on to this work, we are evaluating the reasonableness of the overall estimated and proposed costs for the CFPB's headquarters renovation.
We will also assess the effectiveness of the CFPB's processes and controls for approving, managing, and documenting headquarters renovation costs and project decisions.

Audit of the CFPB's Public Consumer Complaint Database

In June 2012, the CFPB became the first federal regulator to publicly share individual-level consumer financial complaint data. While the Consumer Complaint Database initially contained only credit card complaints, the CFPB has extended the database to other consumer financial products and services covered by the CFPB. Our audit objective is to assess the effectiveness of the CFPB's controls over the accuracy and completeness of the public complaint database.

Evaluation of the CFPB's Hiring Process

In accordance with section 1013(a)(1)(B) of the Dodd-Frank Act, the Director of the CFPB is authorized to employ attorneys, compliance examiners, compliance supervision analysts, economists, statisticians, and other employees as may be deemed necessary to conduct the business of the Bureau. We initiated this evaluation in response to the CFPB's volume of hiring and its establishment of field offices. The objective of our evaluation is to assess the efficiency and effectiveness of certain CFPB recruitment and selection subprocesses, including (1) assessment and vacancy announcement creation, (2) hiring authority and vacancy announcement posting, and (3) evaluation and selection of candidates. We are also evaluating the agency's compliance with applicable laws, regulations, and policies. This evaluation includes a review of
competitive service, excepted service, and special program hiring practices. In addition, we are reviewing the CFPB's administration of recruitment and selection incentives to recruit new employees.

Security Control Review of the CFPB's DT Complaints Database

The Federal Information Security Management Act of 2002 requires that each agency Inspector General evaluate a representative subset of the agency's information systems. As part of meeting this requirement, we are conducting a security control review of the CFPB's DT Complaints Database. The DT Complaints Database supports the CFPB's Public Consumer Complaint Database. Our specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure.

Audit of the CFPB's Space-Planning Activities
Third quarter 2015

The CFPB is in the process of renovating its headquarters building. As the CFPB continues to add personnel and simultaneously manage office space allocation, the funds to be expended for the renovation as well as for the additional space required for displaced and new employees will likely be significant. We will determine whether the CFPB has established adequate controls to properly manage its space needs and whether the CFPB is complying with applicable requirements.

Evaluation of the Effectiveness of the CFPB's Examination Workpaper Documentation
Third quarter 2015

The CFPB's Supervision and Examination Manual (version 2.0) summarizes the agency's expectations for workpaper documentation to support the results of its examination activity. The manual describes the following three principal purposes for workpaper documentation: (1) providing a record of the work performed that supports examination results, (2) maintaining the evidence necessary to support supervisory agreements or formal enforcement actions, and (3) facilitating internal quality control reviews.
This evaluation will assess the CFPB's policies and procedures for documenting examination results, the training programs and materials used to implement workpaper documentation expectations, and the extent to which each of the CFPB's regions meets those expectations.

2015 Audit of the CFPB's Information Security Program
Fourth quarter 2015

The Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), established a legislative mandate for ensuring the effectiveness of information security controls over resources that support federal operations and assets. In accordance with FISMA requirements, the OIG is required to conduct an independent evaluation of the CFPB's information security program. Our objectives are to evaluate (1) the effectiveness of the CFPB's security controls and techniques for select information systems and (2) the CFPB's compliance with FISMA and related information security policies, procedures, standards, and guidelines.

Evaluation of the CFPB's Coordination With External Organizations to Implement Targeted Consumer Education
First quarter 2016

The Dodd-Frank Act requires the CFPB to create offices or functions to address the needs of specific populations, including students, older Americans, service members, and traditionally underserved individuals. The CFPB created four offices in response to this mandate, and the CFPB works with other governmental and private organizations to leverage resources to carry out its consumer education mission for these targeted groups. We are assessing the effectiveness of the CFPB's coordination with external
organizations to implement consumer education efforts for targeted populations.
CFPB: Planned Projects

Audit of the CFPB's Advisory Board and Councils

The Dodd-Frank Act requires the CFPB to establish a Consumer Advisory Board to provide consultation to the agency in performing its functions and to inform the CFPB about emerging trends in the consumer finance industry. In addition to the Consumer Advisory Board, the CFPB has established a Community Bank Advisory Council, a Credit Union Advisory Council, and an Academic Advisory Council. We plan to audit the CFPB's administration of its advisory board and councils and assess their effectiveness in informing the CFPB's activities.

Audit of the CFPB's Contract Solicitation, Selection, and Award Process

The CFPB's Office of Procurement uses its staff, as well as resources from the U.S. Department of the Treasury's Bureau of the Fiscal Service, to enter into contracts for goods and services on behalf of the CFPB. The CFPB's procurement process follows the requirements established by the Federal Acquisition Regulation, the primary regulation governing the acquisition of supplies and services by all federal executive agencies. We will assess the CFPB's compliance with the Federal Acquisition Regulation and CFPB policy, as well as the effectiveness of the CFPB's internal controls related to contract solicitation, selection, and award processes, including awards made on behalf of the CFPB by the Bureau of the Fiscal Service.

Audit of the CFPB's Pay and Compensation Program

The CFPB is required by the Dodd-Frank Act to provide employees with compensation and benefits that, at a minimum, are comparable to those of the Board, regardless of any otherwise applicable provisions of title 5 of the United States Code. We plan to audit the CFPB's pay and compensation program for compliance with applicable statutory requirements. This audit will include assessing the controls around setting employees' pay.
Audit of the CFPB's Travel Card Program

The Government Charge Card Abuse Prevention Act of 2012 directs the Inspector General of each executive agency to conduct periodic audits or reviews of agency travel card programs with more than $10 million in spending to analyze the risks of illegal, improper, or erroneous purchases and payments. The travel card provides a convenient method for federal agencies and their employees to pay for official government travel and travel-related expenses. Last year, we conducted a risk assessment of the CFPB's travel card program and concluded that the risk of illegal, improper, or erroneous use in the program was medium. We will assess the effectiveness of the CFPB's internal controls for its travel card program.

CFPB Security Control Reviews

The Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014, requires that each agency Inspector General evaluate a representative subset of the agency's information systems, including third-party systems. To meet this requirement, we will conduct security control reviews of a sample of the CFPB's major applications and general support system components throughout the year. We will use automated audit scanning tools to assist with conducting the security control reviews.

Evaluation of the CFPB Enforcement Office's Processes for Protecting Confidential Information

The Enforcement office within the Division of Supervision, Enforcement, and Fair Lending routinely possesses confidential information as a result of the agency exercising its enforcement powers under title X, subtitle E, of the Dodd-Frank Act. For example,
the CFPB can issue civil investigative demands to compel document production when the CFPB has reason to believe that a violation of federal consumer financial law has occurred. This evaluation will assess the Enforcement office's regulations, policies, and procedures for safeguarding confidential information and the effectiveness of its controls designed to maintain the confidentiality of such information.

Evaluation of the CFPB's Compliance With the Requirements for Issuing Civil Investigative Demands (CIDs)

Section 1052(c) of the Dodd-Frank Act authorizes the CFPB to issue CIDs when the agency has reason to believe that a person has documentary materials, tangible things, or any other information relevant to a possible violation of federal consumer financial law. These CIDs may be issued to produce documents, produce tangible things, or compel testimony. Section 1052(c) contains a series of compliance requirements related to the use of CID authority, ranging from mandatory content requirements to procedures for issuing CIDs. This evaluation will assess the CFPB's (1) policies and procedures for issuing CIDs, (2) training programs and materials related to the issuance of CIDs, and (3) compliance with section 1052(c)'s requirements, applicable regulations, and the agency's policies and procedures for issuing CIDs.