The CFPB has released a report for 2016 prepared by KPMG LLP of its independent audit of selected CFPB operations and budget. An annual independent audit is required by the Dodd-Frank Act. The report dated December 16, 2016 reflects work performed by KPMG during the period July 12, 2016 to December 16, 2016.
The audit evaluated the CFPB’s (1) budget process relative to CFPB policies and procedures established over budget formulation, execution, and monitoring; (2) asset management process relative to CFPB policies and procedures over managing and maintaining accountability of CFPB assets; (3) frequent traveler stipend program process relative to CFPB policies and procedures over issuing annual stipends to employees for extended overnight travel while on temporary office business, and (4) corrective actions taken to resolve the findings and recommendations included in KPMG’s 2015 audit.
While it only provided findings related to the CFPB’s asset management process, KPMG made observations for the CFPB’s consideration in enhancing its budget process and frequent traveler stipend program process. With regard to the CFPB’s asset management process, KPMG found that controls over the identification and documentation of information technology-related inventory items were not operating effectively to provide reasonable assurance that all IT assets are properly identified, tagged, and logged accurately onto the inventory tracking spreadsheet. KPMG also found that the CFPB’s IT and non-IT management policies and procedures lacked guidance related to how the results of the annual inventory, including discrepancies noted and adjustments made to the inventory tracking spreadsheet, are to be documented. KPMG commented that if not corrected, the deficiencies it found could prevent the CFPB from effectively managing and safeguarding its inventory assets.
The report included a series of recommendations for addressing the deficiencies. KPMG also determined that the deficiencies found in its 2015 audit related to the CFPB’s information privacy policies and procedures had only been partially remediated as of September 30, 2016 (which was the target completion date of the CFPB’s corrective action plan.)