2. Work Plan | Current as of February 27, 2015
Overview
The Work Plan presents the audits and evaluations that the Office
of Inspector General (OIG) is conducting to assist the Board
of Governors of the Federal Reserve System (Board) and the
Consumer Financial Protection Bureau (CFPB) in fulfilling their
respective missions. Our statutory mandates are our highest priority,
and with our remaining resources, we focus on those programs
and operations that pose the highest risk to achieving the Board’s
and the CFPB’s strategic goals, objectives, and priorities; meeting
budgetary and financial commitments; and complying with
applicable laws, regulations, and guidance.
The Work Plan is updated twice a month. Projects are categorized as
ongoing or planned. Entries for ongoing projects include the calendar
quarter in which the project is expected to be completed. For a list
of completed projects, please view the Audit Reports page on our
website.
The OIG may be required to perform unanticipated work based
on congressional requests, OIG Hotline complaints, new statutory
mandates, or other input. Such work, as well as resource constraints,
may result in the deferral, cancellation, or modification of projects.
Our effectiveness depends on our flexibility to address other
priorities as they arise.
For congressional, media, or other inquiries, please e-mail
oig.media@frb.gov or call John Manibusan at 202-973-5043.
3. Work Plan | Current as of February 27, 2015
Contents
Board: Ongoing Projects 1
Board: Planned Projects 5
CFPB: Ongoing Projects 7
CFPB: Planned Projects 10
4. Work Plan | Current as of February 27, 2015 1 of 10
Board: Ongoing Projects
with calendar quarter of expected completion
Audit of the Board's Diversity and Inclusion
Processes
First quarter 2015
In response to a congressional request, we initiated an
audit of the Board’s diversity and inclusion processes.
The objective of this audit is to assess the Board’s
personnel operations and other efforts to provide for
equal employment opportunities, including equal
opportunity for minorities and women to obtain
senior management positions, and for racial, ethnic,
and gender diversity in the workforce. Our work will
include looking at the role of the Board’s Office of
Minority and Women Inclusion in these areas.
Audit of the Board's STAR Modernization
Project
First quarter 2015
STAR is the central computer application used by the
statistics function at the Federal Reserve Banks and
the Board to collect and edit over 75 periodic statistical
reports from financial institutions.These data reports
are subsequently delivered to end users at the Board,
the Federal Reserve Bank of New York’s Trading
Desk, and the Federal Reserve Banks’ Economic
Research and Banking Supervision Divisions for
use in performing their duties regarding monetary
policy and supervision and regulation of financial
institutions. STAR is also used by the Federal Reserve
System’s Reserve Administration function to calculate
reserve requirements, monitor reserve balances, and
perform other activities. In addition, STAR produces
reserve account information that can be used by
depository institutions to manage their accounts
effectively.The current technology is being updated
to better support business needs and to include a
server-based environment and support by the Federal
Reserve System’s National IT.The Board began
decommissioning the legacy STAR system in 2014.
Our audit focus includes the adequacy and internal
controls of the development process for the new
system, including the cost and schedule. In addition, we
are determining how security controls are being built
into the system.
Board Financial Statements as of and for the
Years Ended December 31, 2014 and 2013,
and Independent Auditors' Reports
First quarter 2015
The OIG contracted with an independent public
accounting firm to audit the 2014 financial statements
of the Board.The OIG will oversee the activities of
the independent public accounting firm to ensure
compliance with generally accepted government
auditing standards and Public Company Accounting
Oversight Board auditing standards related to internal
controls over financial reporting.
Evaluation of the Board's Corporate Services
First quarter 2015
The Board continues to provide corporate services,
such as Mail Services, Motor Transport services, and
Print Shop services, across all divisions. Our objective
is to assess the extent to which Board staff use these
services and to identify potential economies and
efficiencies.
Evaluation of the Operational Components of
the Board's Law Enforcement Unit (LEU)
First quarter 2015
Following the enactment of the USA Patriot Act of
2001, which granted the Board certain law enforcement
authorities, the Board increased its security staff
to include federal law enforcement officers.The
LEU safeguards most Board-designated property
and personnel 24 hours a day, 7 days a week.This
evaluation is assessing the economy and efficiency of
the LEU, including the various operational components
within the organization.This review considers the
5. Work Plan | Current as of February 27, 2015 2 of 10
LEU’s staffing models, cost reduction efforts in process,
and potential enhancements to LEU operations that
may use security technology more effectively.
Federal Financial Institutions Examination
Council (FFIEC) Financial Statements as of and
for the Years Ended December 31, 2014 and
2013, and Independent Auditors' Reports
First quarter 2015
The OIG contracted with an independent public
accounting firm to audit the 2014 financial statements
of the FFIEC. (The Board performs the accounting
function for the FFIEC.) The OIG will oversee the
activities of the independent public accounting firm to
ensure compliance with generally accepted government
auditing standards.
In-Depth Review of the Failure of Waccamaw
Bank
First quarter 2015
We determined that the failure of Waccamaw Bank,
located in Whiteville, North Carolina, presented
unusual circumstances warranting an in-depth review.
When a loss to the Deposit Insurance Fund presents
unusual circumstances, section 38(k) of the Federal
Deposit Insurance Act, as amended by the Dodd-Frank
Act, requires that the Inspector General conduct a
material loss review. As required by the provisions of
section 38(k), we are
• reviewing the agency’s supervision of the failed
institution, including the agency’s implementation
of prompt corrective action
• ascertaining why the institution’s problems resulted
in a material loss to the Deposit Insurance Fund
• making recommendations for preventing any such
loss in the future
Security Control Review of the Board’s
C-SCAPE System
First quarter 2015
The Federal Information Security Management
Act of 2002 requires that each agency Inspector
General evaluate a representative subset of the
agency’s information systems. As part of meeting this
requirement, we are conducting a security control
review of the Board’s Consolidated Supervision
Comparative Analysis, Planning and Execution
(C-SCAPE) system. C-SCAPE is a data input and
reporting tool used to support the supervisory program.
C-SCAPE is intended to support the Large Institution
Supervision Coordinating Committee’s reengineered
supervisory processes for large banking organizations,
foreign banking organizations, and financial market
utilities. Our specific audit objective is to evaluate the
adequacy of certain control techniques designed to
protect data in the system from unauthorized access,
modification, destruction, or disclosure.
Evaluation of the Division of Banking
Supervision and Regulation's (BS&R) Model
Risk-Management Practices for Models Used
in Support of the Annual Comprehensive
Capital Analysis and Review (CCAR)
Second quarter 2015
CCAR is the largest initiative of the Operating
Committee of the Large Institution Supervision
Coordinating Committee. CCAR is a supervisory
assessment of the capital planning processes and
capital adequacy of the largest, most complex bank
holding companies. We are reviewing BS&R’s model
risk-management practices, including model validation
activities, for the supervisory models used in support of
the CCAR stress testing.
Audit of the Board's Data Governance
Third quarter 2015
Strategic theme 2 of the Board’s Strategic Framework
2012–15 calls for redesigning data governance and
management processes to enhance the Board’s data
environment in the wake of the Board’s expanded
6. Work Plan | Current as of February 27, 2015 3 of 10
mandates under the Dodd-Frank Act.Theme 2
objectives consist of improving data governance by
establishing a new Office of the Chief Data Officer
and ensuring clear roles and responsibilities among
data users and the Board Data Council; ensuring that
all enterprise data are appropriately handled, processed,
stored, and disseminated; and strengthening the Board’s
data environment by establishing an infrastructure to
share data and improve data integration. Our audit is
focused on obtaining information on the current plans
and activities to achieve the theme 2 strategic objectives
and the progress made, including efforts to share data
among divisions and achieve potential efficiencies in
the procurement of data.
Audit of the Financial Stability Oversight
Council's (FSOC) Oversight of Interest Rate
Risk
Third quarter 2015
In 2014, the Council of Inspectors General on
Financial Oversight (CIGFO) convened a working
group to audit FSOC’s oversight of interest rate risk.
As the independent oversight entity of the Board and
the CFPB, the OIG is a member of CIGFO and the
working group.The audit objective is to assess the
extent to which FSOC is overseeing interest rate risk
to the financial system.The CIGFO working group
plans to issue a report to FSOC in April 2015.
Audit of the Board's Public Release of
Economic Information
Fourth quarter 2015
The Board produces several economic publications
and statistical releases on a periodic schedule. Many of
these releases have the potential to influence market
trading; therefore, the Board needs to have sufficient
controls over the release of this sensitive information
to the public. We are auditing the Board’s processes to
ensure that these data are properly safeguarded on the
day of issuance.
Evaluation of the Examination Approach Used
to Assess Office of Foreign Assets Control
(OFAC) Compliance
Fourth quarter 2015
In the past few years, there have been high-profile
instances of foreign banking organizations (FBOs)
operating in the United States that were facilitating
payments to prohibited entities on OFAC’s list of
specially designated nationals.The Federal Financial
Institutions Examination Council’s Bank Secrecy Act/
Anti-Money Laundering Examination Manual contains
specific examination procedures for assessing OFAC
compliance programs.This evaluation seeks to assess
the effectiveness of the Board’s and the Federal Reserve
Banks’ approach to examining the OFAC compliance
programs for FBOs operating in the United States.
This evaluation will assess the extent to which the
current examination approach to OFAC compliance
should be updated based on (1) lessons learned from
these incidents or (2) evolving expectations for OFAC
compliance programs based on recent updates to the
sanctions list.
Evaluation of the Federal Reserve System’s
Practices for Addressing Divergent Views
and Making Supervisory Decisions for Large
Banking Holding Companies
First quarter 2016
In response to a request from the Board dated
November 17, 2014, the OIG is conducting an
evaluation of the Federal Reserve System’s practices
for addressing divergent views and making supervisory
decisions regarding large bank holding companies.
The Board requested that we initiate a review related
to the manner in which the Federal Reserve System
conducts examinations of bank holding companies with
total assets in excess of $50 billion, known as Large
Institution Supervision Coordinating Committee
(LISCC) firms and large banking organizations
(LBOs). As part of our project, we also plan to evaluate
the effectiveness of continuous monitoring as a
supervisory tool for LISCC firms and LBOs.
Our objectives are to (1) assess the methods for Federal
Reserve System decisionmakers to obtain material
7. Work Plan | Current as of February 27, 2015 4 of 10
information necessary to ensure that decisions and
conclusions resulting from supervisory activities at
LISCC firms and LBOs are appropriate, supported
by the record, and consistent with applicable policies;
(2) determine whether there are adequate channels
for Federal Reserve System decisionmakers to be
aware of supervision staff’s divergent views about
material issues regarding LISCC firms and LBOs; and
(3) assess the effectiveness of continuous monitoring
as a supervisory tool for LISCC firms and LBOs.
Our work will include reviewing applicable Board and
Federal Reserve Bank policies and procedures, meeting
with staff from the Board and the Federal Reserve
Banks, and reviewing documentation associated with
supervisory activities. We plan to visit a sample of
Federal Reserve Banks that have responsibility for
supervising LISCC firms and LBOs.
This project is an evaluation conducted pursuant to
the Council of the Inspectors General on Integrity
and Efficiency’s Quality Standards for Inspection and
Evaluation and is not a criminal, civil, or administrative
investigation. Unlike investigations conducted by law
enforcement officials that may assess the actions of
individual employees, auditors conduct evaluations
that assess the effectiveness and efficiency of agency
programs and operations. Our evaluations typically
result in reports issued to Board officials that often
include recommendations designed to improve the
efficiency and effectiveness of the agency’s operations,
programs, and policies.
8. Work Plan | Current as of February 27, 2015 5 of 10
Board: Planned Projects
Audit of the Board's Contract Administration
According to a recent U.S. Government Accountability
Office report, agencies across the federal government
increasingly rely on contractors to execute their
missions.The government needs strong controls
to provide reasonable assurance that these contract
funds are not being lost to improper payments, waste,
or mismanagement. Effective contract oversight,
which includes effective internal controls throughout
the contracting process, is essential to protecting
government and taxpayer interests. Our focus will be to
identify and assess the effectiveness of internal controls
related to contract administration.
Audit of the Board's C-SCAPE Project
Building on lessons learned from the recent financial
crisis, the Federal Reserve System has taken a number
of important steps to improve its supervisory program
for large financial institutions.The Consolidated
Supervision Comparative Analysis, Planning and
Execution (C-SCAPE) application is a data input and
reporting tool used to support the supervisory program.
C-SCAPE is intended to support the Large Institution
Supervision Coordinating Committee’s reengineered
supervisory processes for large banking organizations,
foreign banking organizations, and financial market
utilities. C-SCAPE is being updated to match the new
framework for the consolidated supervision of large
financial institutions. Our focus will be to identify and
assess the effectiveness of internal controls related to
project management, including the oversight provided
by the Investment Review Board.
Audit of the Board's Process for Supervisory
Assessments of Large Bank Holding
Companies and Savings and Loan Holding
Companies
The Dodd-Frank Act directed the Board to collect
assessments, fees, and other charges for bank holding
companies, savings and loan holding companies, and
nonbank financial companies supervised by the Board.
The collection process is new to the Board; the Federal
Reserve System has not previously assessed supervised
entities to cover expenses related to supervision. In
addition, this process requires a coordinated effort
among various divisions at the Board and with the
Federal Reserve Banks.The Board issued a final rule
in August 2013 that further describes the collection
process for the supervised entities. We plan to evaluate
the Board’s internal controls related to the collection of
these assessment fees as well as their disbursement.
Audit of the Board's Strategic Plan
Implementation and Governance
Effective strategic planning helps organizations identify
priorities and mitigate risks to achieving their missions.
The Board’s Strategic Framework 2012–15 contains
six themes, including the importance of strengthening
governance over its management processes to
enable the effective implementation of the strategic
framework’s goals. We plan to assess the Board’s
implementation of its strategic plan, including how it
measures strategic outcomes, identifies potential risks
or challenges, establishes accountability, and monitors
progress in implementing the framework.
Board Security Control Reviews
The Federal Information Security Management Act
of 2002 requires that each agency Inspector General
evaluate a representative subset of the agency’s
information systems, including third-party systems.To
meet this requirement, we will conduct security control
reviews of a sample of the Board’s major applications
and general support system components throughout
the year. We will use automated audit scanning tools
to assist with conducting the security control reviews.
For 2014, we plan to focus our scanning on web
application, mainframe, VMware, Apache, and IIS
technologies.
9. Work Plan | Current as of February 27, 2015 6 of 10
Evaluation of Systemically Important Financial
Institutions Supervision Teams: Preserving
and Transferring Institutional Knowledge
Within and Between Supervisory Teams
Preserving and transferring institutional knowledge
contributes to effective supervision, particularly in light
of examiner rotation requirements, examiner turnover,
and the Board’s and the Reserve Banks’ evolving
supervisory responsibilities.This evaluation will assess
Board guidance and the controls implemented by the
Federal Reserve Banks of New York, San Francisco,
Richmond, and Boston (the Reserve Banks responsible
for supervising the systemically important financial
institution portfolio) to evaluate the best practices for
preserving and transferring institutional knowledge
(1) within a supervisory team and (2) from an existing
supervisory team to a new team.
Failed Bank Reviews
Section 38(k) of the Federal Deposit Insurance Act,
as amended by the Dodd-Frank Act, requires that the
Inspector General of the appropriate federal banking
agency review the agency’s supervision of a failed
institution when the associated losses to the Deposit
Insurance Fund are above the materiality threshold
or are at or below the threshold but exhibit unusual
circumstances warranting an in-depth review. In such
cases, the Inspector General must prepare a report in a
manner consistent with the requirements of a material
loss review. For losses to the Deposit Insurance
Fund that occurred from January 1, 2012, through
December 31, 2013, a $150 million threshold applies;
for all such losses occurring on or after January 1, 2014,
the materiality threshold is $50 million.
10. Work Plan | Current as of February 27, 2015 7 of 10
CFPB: Ongoing Projects
with calendar quarter of expected completion
Audit of the CFPB's Contract Management
Process
First quarter 2015
The CFPB’s procurement process follows the
requirements established by the Federal Acquisition
Regulation, which is the primary regulation governing
the acquisition of supplies and services by all federal
executive agencies.This audit is a follow-on to the
evaluation of the CFPB’s contract solicitation and
selection process. Our focus will be on the CFPB’s
contract management processes, compliance with
applicable rules established by the Federal Acquisition
Regulation, and the effectiveness of the CFPB’s internal
controls related to contract management.
Audit of the CFPB's Diversity and Inclusion
Processes
First quarter 2015
In response to a congressional request, we initiated an
audit of the CFPB’s diversity and inclusion processes.
The objective of this audit is to assess the CFPB’s
personnel operations and other efforts to provide for
equal employment opportunities, including equal
opportunity for minorities and women to obtain
senior management positions, and for racial, ethnic,
and gender diversity in the workforce. Our work will
include looking at the role of the CFPB’s Office of
Minority and Women Inclusion in these areas.
Audit of the CFPB's Headquarters Renovation
Costs
First quarter 2015
In June 2014, we completed a review and issued a letter
report in response to a request from the Chairman of
the Subcommittee on Oversight and Investigations,
House Committee on Financial Services, regarding the
CFPB’s headquarters renovation budget. As a follow-
on to this work, we are evaluating the reasonableness
of the overall estimated and proposed costs for
the CFPB’s headquarters renovation. We will also
assess the effectiveness of the CFPB’s processes and
controls for approving, managing, and documenting
headquarters renovation costs and project decisions.
Audit of the CFPB's Public Consumer
Complaint Database
First quarter 2015
In June 2012, the CFPB became the first federal
regulator to publicly share individual-level consumer
financial complaint data. While the Consumer
Complaint Database initially contained only credit card
complaints, the CFPB has extended the database to
other consumer financial products and services covered
by the CFPB. Our audit objective is to assess the
effectiveness of the CFPB’s controls over the accuracy
and completeness of the public complaint database.
Audit of the CFPB's Space-Planning Activities
First quarter 2015
The CFPB is in the process of renovating its
headquarters building. As the CFPB continues to add
personnel and simultaneously manage office space
allocation, the funds to be expended for the renovation
as well as for the additional space required for displaced
and new employees will likely be significant. We
will determine whether the CFPB has established
adequate controls to properly manage its space needs
and whether the CFPB is complying with applicable
requirements.
Audit of the CFPB's Tableau System
First quarter 2015
The Federal Information Security Management Act
of 2002 (FISMA) requires that each agency Inspector
General evaluate a representative subset of the agency’s
information systems, including third-party systems. As
part of meeting this requirement, we are conducting a
11. Work Plan | Current as of February 27, 2015 8 of 10
security control review of the CFPB’s Tableau system.
Tableau is an application used to develop, publish, and
view business intelligence data. Our focus is to review
the adequacy of certain security controls designed to
protect data in the system from unauthorized access,
modification, destruction, or disclosure.
Evaluation of the CFPB's Hiring Process
First quarter 2015
In accordance with section 1013(a)(1)(B) of the Dodd-
Frank Act, the Director of the CFPB “is authorized to
employ attorneys, compliance examiners, compliance
supervision analysts, economists, statisticians, and
other employees as may be deemed necessary to
conduct the business of the Bureau.”We initiated
this evaluation in response to the CFPB’s volume
of hiring and its establishment of field offices.The
objective of our evaluation is to assess the efficiency
and effectiveness of certain CFPB recruitment and
selection subprocesses, including (1) assessment and
vacancy announcement creation, (2) hiring authority
and vacancy announcement posting, and (3) evaluation
and selection of candidates. We are also evaluating the
agency’s compliance with applicable laws, regulations,
and policies.This evaluation includes a review of
competitive service, excepted service, and special
program hiring practices. In addition, we are reviewing
the CFPB’s administration of recruitment and selection
incentives to recruit new employees.
Joint Evaluation of Coordination Between the
CFPB and Other Regulatory Agencies
First quarter 2015
The Board-CFPB OIG, the Federal Deposit Insurance
Corporation OIG, the National Credit Union
Administration OIG, and the U.S. Department of the
Treasury OIG are conducting an evaluation of the
coordination between the CFPB and other regulatory
agencies with respect to conducting supervisory
activities.The Dodd-Frank Act requires the CFPB to
coordinate its supervisory activities with the federal
prudential regulatory agencies and state financial
regulatory authorities. In June 2012, the CFPB and the
prudential regulatory agencies issued a memorandum
of understanding to clarify how the agencies will
coordinate their supervisory activities.The objective
of the evaluation is to confirm that the required
coordination is occurring and has been effective in
avoiding conflicts or duplication of efforts.
Security Control Review of the CFPB's DT
Complaints Database
First quarter 2015
The Federal Information Security Management
Act of 2002 requires that each agency Inspector
General evaluate a representative subset of the
agency’s information systems. As part of meeting this
requirement, we are conducting a security control
review of the CFPB’s DT Complaints Database.The
DT Complaints Database supports the CFPB’s Public
Consumer Complaint Database. Our specific audit
objective is to evaluate the adequacy of certain control
techniques designed to protect data in the system from
unauthorized access, modification, destruction, or
disclosure.
Audit of the CFPB's Distribution of Funds From
the Civil Penalty Fund
Second quarter 2015
The Dodd-Frank Act established the Civil Penalty
Fund.The CFPB must deposit any civil penalty it
obtains in any judicial or administrative action under
federal consumer financial law into the fund.The
CFPB is to use the funds collected to compensate
consumers who were harmed by activities for which
civil penalties have been imposed.To the extent that
victims cannot be located or payment is not practicable,
the CFPB may use the funds for consumer education
and financial literacy programs. Our audit is focused
on internal controls related to the administration of
the Civil Penalty Fund. Specifically, our audit will
assess the efficiency and effectiveness of the process for
identifying victims.
12. Work Plan | Current as of February 27, 2015 9 of 10
Evaluation of the Effectiveness of the CFPB's
Examination Workpaper Documentation
Second quarter 2015
The CFPB’s Supervision and Examination Manual
(version 2.0) summarizes the agency’s expectations
for workpaper documentation to support the results
of its examination activity.The manual describes the
following three principal purposes for workpaper
documentation: (1) providing a record of the work
performed that supports examination results,
(2) maintaining the evidence necessary to support
supervisory agreements or formal enforcement actions,
and (3) facilitating internal quality control reviews.
This evaluation will assess the CFPB’s policies and
procedures for documenting examination results, the
training programs and materials used to implement
workpaper documentation expectations, and the extent
to which each of the CFPB’s regions meets those
expectations.
13. Work Plan | Current as of February 27, 2015 10 of 10
CFPB: Planned Projects
Audit of the CFPB's Pay and Compensation
Program
The CFPB is required by the Dodd-Frank Act to
provide employees with compensation and benefits
that, at a minimum, are comparable to those of the
Board, regardless of any otherwise applicable provisions
of title 5 of the United States Code. We plan to audit the
CFPB’s pay and compensation program for compliance
with applicable statutory requirements.This audit will
include assessing the controls around setting employees’
pay.
Evaluation of the CFPB Enforcement Office's
Processes for Protecting Confidential
Information
The Enforcement office within the Division of
Supervision, Enforcement, and Fair Lending routinely
possesses confidential information as a result of the
agency exercising its enforcement powers under title X,
subtitle E, of the Dodd-Frank Act. For example,
the CFPB can issue civil investigative demands to
compel document production when the CFPB has
reason to believe that a violation of federal consumer
financial law has occurred.This evaluation will assess
the Enforcement office’s regulations, policies, and
procedures for safeguarding confidential information
and the effectiveness of its controls designed to
maintain the confidentiality of such information.
Evaluation of the CFPB's Compliance With the
Requirements for Issuing Civil Investigative
Demands (CIDs)
Section 1052(c) of the Dodd-Frank Act authorizes
the CFPB to issue CIDs when the agency has reason
to believe that a person has documentary materials,
tangible things, or any other information relevant to
a possible violation of federal consumer financial law.
These CIDs may be issued to produce documents,
produce tangible things, or compel testimony.
Section 1052(c) contains a series of compliance
requirements related to the use of CID authority,
ranging from mandatory content requirements to
procedures for issuing CIDs.This evaluation will assess
the CFPB’s (1) policies and procedures for issuing
CIDs, (2) training programs and materials related to
the issuance of CIDs, and (3) compliance with section
1052(c)’s requirements, applicable regulations, and the
agency’s policies and procedures for issuing CIDs.