Since our last blog post about the OIG’s work plan, the work plan has been updated as of August 7, 2015 to add four new projects.  A newly added ongoing project is a “Security Control Review of the CFPB’s SQL Environment.”  (An SQL environment is a database management system.)  The OIG’s specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data within the system from unauthorized access, modification, destruction, or disclosure.  The audit has a first quarter 2016 estimated completion date.

New planned projects are:

  • Evaluation of the CFPB’s Risk Assessment Framework for Prioritizing Examination Activities.  The evaluation will assess the CFPB Division of Supervision, Enforcement, and Fair Lending’s risk assessment framework and methodology for prioritizing its examination activities at its supervised institutions.
  • Risk Assessment of the CFPB’s Purchase Card Program. The assessment will identify and analyze the risks of illegal, improper, or erroneous purchases and payments.
  • Audit of the CFPB’s Privacy Data and Personally Identifiable Information (PII) Program.  The OIG  will review the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and PII and applied appropriate information security controls and protection over the data to mitigate those risks.  The audit will focus on (1) CFPB systems that house PII, (2) access to PII,
    (3) disposal and destruction mechanisms, (4) the handling of privacy incidents, (5) privacy training, and (6) National Institute of Standards and Technology privacy controls.

Missing from the updated work plan is an audit of the CFPB’s pay and compensation program which had previously been listed as a planned project.