The most notable items added by the Office of Inspector General (OIG) to its work plan, updated as of July 7, 2014, are audits of the CFPB’s information security program, pay and compensation program, and distribution of civil penalty funds.

Information Security

Pursuant to the Federal Information Security Management Act of 2002 (“FISMA”), each agency Inspector General must annually evaluate the agency’s information security program. OIG will implement the statutory requirements by auditing

  • the Bureau’s compliance with FISMA and related information security policies, procedures, standards, and guidelines; and
  • the effectiveness of security controls and techniques for a subset of the Bureau’s information systems.

Pay and Compensation

The same 2010 Dodd-Frank legislation (“Dodd-Frank”) that created the CFPB requires it to provide employee compensation and benefits that are, at a minimum, comparable to those of the Board of Governors of the Federal Reserve System. As part of OIG’s audit of the Bureau’s pay and compensation program for compliance, OIG will evaluate the controls around setting employee pay.

Distribution of Civil Penalty Funds

Civil money penalties assessed by the prudential bank regulators are payable to the U.S. Treasury. By contrast, civil penalties obtained by the CFPB in either administrative or judicial actions must be paid into a Civil Penalty Fund (the “Fund”) established by Dodd-Frank. The purpose of the Fund is primarily to compensate consumers harmed by activities for which the civil penalties were imposed. A secondary purpose, to the extent that victims cannot be located or payment to them is impracticable, is to finance consumer education and financial literacy programs.

Although an audit of this fund was previously reported as being completed and no longer a “work in progress,” it appears there is more work to be done. OIG will audit the internal controls related to the Fund and will assess

  • the effectiveness of internal controls surrounding the distribution of money to victims, payment of administrative costs, and financing of consumer education and financial literacy programs; and
  • compliance with applicable policies and procedures.