We can’t help finding a bit of irony in the Government Accountability Office’s report issued on May 21 that discusses seven internal control issues the GAO identified during its audit of the CFPB’s fiscal year 2011 statements. According to the report, the issues identified by the GAO increase the risk of the CFPB “not preventing or promptly detecting and
correcting (1) misappropriation of assets because of insufficient internal controls; (2) unauthorized access, modification, or both of its data; and (3) misstatements in its financial statements.”

Among the seven issues identified by the GAO was the CFPB’s failure to develop, document and implement “an agencywide program to provide information security for the information and information systems that support the financial reporting, operations, and assets of the bureau, including those systems provided or managed by its service provider organizations.” Although the GAO’s comments regarding information security appear to be limited to the CFPB’s financial reporting systems, they lead us to question whether any similar deficiencies exist in the CFPB’s information security program for data that relates to its supervisory activities, such as consumer complaint data.

The report includes the GAO’s recommendations for how the CFPB should address these issues and the CFPB’s written comments on the draft of the report provided to it by the GAO.