The Office of Inspector General for the Fed and CFPB recently issued an audit report entitled “The CFPB Can Strengthen Contract Award Controls and Administrative Processes.” The objective of the OIG’s audit was to assess the CFPB’s compliance with applicable laws, regulations and CFPB policies and procedures related to contract solicitation, selection and award processes, as well as the effectiveness of the CFPB’s associated internal controls.
While finding the CFPB to be generally compliant, the OIG found occasions on which reviews and approvals were overlooked or not documented as required by regulation or CFPB policy. Among its other findings was that the CFPB could improve the documentation used to support price reasonableness determinations for sole-source contracts (i.e. contracts where there is other than a full and open competition).
The OIG’s work plan updated as of April 1, 2017 includes the following initiated projects in which the OIG will evaluate:
- the CFPB Enforcement Office’s processes for protecting confidential information obtained through the use of the CFPB’s enforcement powers, such as information received in response to a CID (completion expected second quarter 2017)
- the CFPB’s compliance with the requirements for issuing CIDs including those in the Dodd-Frank Act (completion expected third quarter 2017) (Last week, the D.C. Circuit affirmed the district court’s denial of the CFPB’s petition to enforce a CID because the CFPB had not complied with the Dodd-Frank requirements.)
- the effectiveness of the CFPB’s management of examiner commissioning and training (completion expected third quarter 2017)
Planned projects described in the work plan include (1) an evaluation of the effectiveness of the Division of Supervision, Enforcement, and Fair Lending in monitoring and ensuring that supervised entities take timely action to correct deficiencies identified in examinations, (2) an evaluation of the risk assessment framework used by the CFPB to prioritize examinations, and (3) a review of the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and personally identifiable information and applied appropriate information security controls and protection over the data to mitigate those risks.