Work Plan: Ongoing and Planned Audit and Evaluation Projects

Current as of February 27, 2015


Overview

The Work Plan presents the audits and evaluations that the Office of Inspector General (OIG) is conducting to assist the Board of Governors of the Federal Reserve System (Board) and the Consumer Financial Protection Bureau (CFPB) in fulfilling their respective missions. Our statutory mandates are our highest priority, and with our remaining resources, we focus on those programs and operations that pose the highest risk to achieving the Board’s and the CFPB’s strategic goals, objectives, and priorities; meeting budgetary and financial commitments; and complying with applicable laws, regulations, and guidance.

The Work Plan is updated twice a month. Projects are categorized as ongoing or planned. Entries for ongoing projects include the calendar quarter in which the project is expected to be completed. For a list of completed projects, please view the Audit Reports page on our website.

The OIG may be required to perform unanticipated work based on congressional requests, OIG Hotline complaints, new statutory mandates, or other input. Such work, as well as resource constraints, may result in the deferral, cancellation, or modification of projects. Our effectiveness depends on our flexibility to address other priorities as they arise.

For congressional, media, or other inquiries, please e-mail [email protected] or call John Manibusan at 202-973-5043.


Contents

Board: Ongoing Projects

Board: Planned Projects

CFPB: Ongoing Projects

CFPB: Planned Projects


Board: Ongoing Projects, with calendar quarter of expected completion

Audit of the Board's Diversity and Inclusion Processes

First quarter 2015

In response to a congressional request, we initiated an audit of the Board’s diversity and inclusion processes. The objective of this audit is to assess the Board’s personnel operations and other efforts to provide for equal employment opportunities, including equal opportunity for minorities and women to obtain senior management positions, and for racial, ethnic, and gender diversity in the workforce. Our work will include looking at the role of the Board’s Office of Minority and Women Inclusion in these areas.

Audit of the Board's STAR Modernization Project

First quarter 2015

STAR is the central computer application used by the statistics function at the Federal Reserve Banks and the Board to collect and edit over 75 periodic statistical reports from financial institutions. These data reports are subsequently delivered to end users at the Board, the Federal Reserve Bank of New York’s Trading Desk, and the Federal Reserve Banks’ Economic Research and Banking Supervision Divisions for use in performing their duties regarding monetary policy and supervision and regulation of financial institutions. STAR is also used by the Federal Reserve System’s Reserve Administration function to calculate reserve requirements, monitor reserve balances, and perform other activities. In addition, STAR produces reserve account information that can be used by depository institutions to manage their accounts effectively. The current technology is being updated to better support business needs and to include a server-based environment and support by the Federal Reserve System’s National IT. The Board began decommissioning the legacy STAR system in 2014. Our audit focus includes the adequacy and internal controls of the development process for the new system, including the cost and schedule. In addition, we are determining how security controls are being built into the system.

Board Financial Statements as of and for the Years Ended December 31, 2014 and 2013, and Independent Auditors' Reports

First quarter 2015

The OIG contracted with an independent public accounting firm to audit the 2014 financial statements of the Board. The OIG will oversee the activities of the independent public accounting firm to ensure compliance with generally accepted government auditing standards and Public Company Accounting Oversight Board auditing standards related to internal controls over financial reporting.

Evaluation of the Board's Corporate Services

First quarter 2015

The Board continues to provide corporate services, such as Mail Services, Motor Transport services, and Print Shop services, across all divisions. Our objective is to assess the extent to which Board staff use these services and to identify potential economies and efficiencies.

Evaluation of the Operational Components of the Board's Law Enforcement Unit (LEU)

First quarter 2015

Following the enactment of the USA Patriot Act of 2001, which granted the Board certain law enforcement authorities, the Board increased its security staff to include federal law enforcement officers. The LEU safeguards most Board-designated property and personnel 24 hours a day, 7 days a week. This evaluation is assessing the economy and efficiency of the LEU, including the various operational components within the organization. This review considers the LEU’s staffing models, cost reduction efforts in process, and potential enhancements to LEU operations that may use security technology more effectively.

Federal Financial Institutions Examination Council (FFIEC) Financial Statements as of and for the Years Ended December 31, 2014 and 2013, and Independent Auditors' Reports

First quarter 2015

The OIG contracted with an independent public accounting firm to audit the 2014 financial statements of the FFIEC. (The Board performs the accounting function for the FFIEC.) The OIG will oversee the activities of the independent public accounting firm to ensure compliance with generally accepted government auditing standards.

In-Depth Review of the Failure of Waccamaw Bank

First quarter 2015

We determined that the failure of Waccamaw Bank, located in Whiteville, North Carolina, presented unusual circumstances warranting an in-depth review. When a loss to the Deposit Insurance Fund presents unusual circumstances, section 38(k) of the Federal Deposit Insurance Act, as amended by the Dodd-Frank Act, requires that the Inspector General conduct a material loss review. As required by the provisions of section 38(k), we are

• reviewing the agency’s supervision of the failed institution, including the agency’s implementation of prompt corrective action

• ascertaining why the institution’s problems resulted in a material loss to the Deposit Insurance Fund

• making recommendations for preventing any such loss in the future

Security Control Review of the Board’s C-SCAPE System

First quarter 2015

The Federal Information Security Management Act of 2002 requires that each agency Inspector General evaluate a representative subset of the agency’s information systems. As part of meeting this requirement, we are conducting a security control review of the Board’s Consolidated Supervision Comparative Analysis, Planning and Execution (C-SCAPE) system. C-SCAPE is a data input and reporting tool used to support the supervisory program. C-SCAPE is intended to support the Large Institution Supervision Coordinating Committee’s reengineered supervisory processes for large banking organizations, foreign banking organizations, and financial market utilities. Our specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure.

Evaluation of the Division of Banking Supervision and Regulation's (BS&R) Model Risk-Management Practices for Models Used in Support of the Annual Comprehensive Capital Analysis and Review (CCAR)

Second quarter 2015

CCAR is the largest initiative of the Operating Committee of the Large Institution Supervision Coordinating Committee. CCAR is a supervisory assessment of the capital planning processes and capital adequacy of the largest, most complex bank holding companies. We are reviewing BS&R’s model risk-management practices, including model validation activities, for the supervisory models used in support of the CCAR stress testing.

Audit of the Board's Data Governance

Third quarter 2015

Strategic theme 2 of the Board’s Strategic Framework 2012–15 calls for redesigning data governance and management processes to enhance the Board’s data environment in the wake of the Board’s expanded mandates under the Dodd-Frank Act. Theme 2 objectives consist of improving data governance by establishing a new Office of the Chief Data Officer and ensuring clear roles and responsibilities among data users and the Board Data Council; ensuring that all enterprise data are appropriately handled, processed, stored, and disseminated; and strengthening the Board’s data environment by establishing an infrastructure to share data and improve data integration. Our audit is focused on obtaining information on the current plans and activities to achieve the theme 2 strategic objectives and the progress made, including efforts to share data among divisions and achieve potential efficiencies in the procurement of data.

Audit of the Financial Stability Oversight Council's (FSOC) Oversight of Interest Rate Risk

Third quarter 2015

In 2014, the Council of Inspectors General on Financial Oversight (CIGFO) convened a working group to audit FSOC’s oversight of interest rate risk. As the independent oversight entity of the Board and the CFPB, the OIG is a member of CIGFO and the working group. The audit objective is to assess the extent to which FSOC is overseeing interest rate risk to the financial system. The CIGFO working group plans to issue a report to FSOC in April 2015.

Audit of the Board's Public Release of Economic Information

Fourth quarter 2015

The Board produces several economic publications and statistical releases on a periodic schedule. Many of these releases have the potential to influence market trading; therefore, the Board needs to have sufficient controls over the release of this sensitive information to the public. We are auditing the Board’s processes to ensure that these data are properly safeguarded on the day of issuance.

Evaluation of the Examination Approach Used to Assess Office of Foreign Assets Control (OFAC) Compliance

Fourth quarter 2015

In the past few years, there have been high-profile instances of foreign banking organizations (FBOs) operating in the United States that were facilitating payments to prohibited entities on OFAC’s list of specially designated nationals. The Federal Financial Institutions Examination Council’s Bank Secrecy Act/Anti-Money Laundering Examination Manual contains specific examination procedures for assessing OFAC compliance programs. This evaluation seeks to assess the effectiveness of the Board’s and the Federal Reserve Banks’ approach to examining the OFAC compliance programs for FBOs operating in the United States. This evaluation will assess the extent to which the current examination approach to OFAC compliance should be updated based on (1) lessons learned from these incidents or (2) evolving expectations for OFAC compliance programs based on recent updates to the sanctions list.

Evaluation of the Federal Reserve System’s Practices for Addressing Divergent Views and Making Supervisory Decisions for Large Banking Holding Companies

First quarter 2016

In response to a request from the Board dated November 17, 2014, the OIG is conducting an evaluation of the Federal Reserve System’s practices for addressing divergent views and making supervisory decisions regarding large bank holding companies. The Board requested that we initiate a review related to the manner in which the Federal Reserve System conducts examinations of bank holding companies with total assets in excess of $50 billion, known as Large Institution Supervision Coordinating Committee (LISCC) firms and large banking organizations (LBOs). As part of our project, we also plan to evaluate the effectiveness of continuous monitoring as a supervisory tool for LISCC firms and LBOs.

Our objectives are to (1) assess the methods for Federal Reserve System decisionmakers to obtain material information necessary to ensure that decisions and conclusions resulting from supervisory activities at LISCC firms and LBOs are appropriate, supported by the record, and consistent with applicable policies; (2) determine whether there are adequate channels for Federal Reserve System decisionmakers to be aware of supervision staff’s divergent views about material issues regarding LISCC firms and LBOs; and (3) assess the effectiveness of continuous monitoring as a supervisory tool for LISCC firms and LBOs. Our work will include reviewing applicable Board and Federal Reserve Bank policies and procedures, meeting with staff from the Board and the Federal Reserve Banks, and reviewing documentation associated with supervisory activities. We plan to visit a sample of Federal Reserve Banks that have responsibility for supervising LISCC firms and LBOs.

This project is an evaluation conducted pursuant to the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation and is not a criminal, civil, or administrative investigation. Unlike investigations conducted by law enforcement officials that may assess the actions of individual employees, auditors conduct evaluations that assess the effectiveness and efficiency of agency programs and operations. Our evaluations typically result in reports issued to Board officials that often include recommendations designed to improve the efficiency and effectiveness of the agency’s operations, programs, and policies.


Board: Planned Projects

Audit of the Board's Contract Administration

According to a recent U.S. Government Accountability Office report, agencies across the federal government increasingly rely on contractors to execute their missions. The government needs strong controls to provide reasonable assurance that these contract funds are not being lost to improper payments, waste, or mismanagement. Effective contract oversight, which includes effective internal controls throughout the contracting process, is essential to protecting government and taxpayer interests. Our focus will be to identify and assess the effectiveness of internal controls related to contract administration.

Audit of the Board's C-SCAPE Project

Building on lessons learned from the recent financial crisis, the Federal Reserve System has taken a number of important steps to improve its supervisory program for large financial institutions. The Consolidated Supervision Comparative Analysis, Planning and Execution (C-SCAPE) application is a data input and reporting tool used to support the supervisory program. C-SCAPE is intended to support the Large Institution Supervision Coordinating Committee’s reengineered supervisory processes for large banking organizations, foreign banking organizations, and financial market utilities. C-SCAPE is being updated to match the new framework for the consolidated supervision of large financial institutions. Our focus will be to identify and assess the effectiveness of internal controls related to project management, including the oversight provided by the Investment Review Board.

Audit of the Board's Process for Supervisory Assessments of Large Bank Holding Companies and Savings and Loan Holding Companies

The Dodd-Frank Act directed the Board to collect assessments, fees, and other charges for bank holding companies, savings and loan holding companies, and nonbank financial companies supervised by the Board.

The collection process is new to the Board; the Federal Reserve System has not previously assessed supervised entities to cover expenses related to supervision. In addition, this process requires a coordinated effort among various divisions at the Board and with the Federal Reserve Banks. The Board issued a final rule in August 2013 that further describes the collection process for the supervised entities. We plan to evaluate the Board’s internal controls related to the collection of these assessment fees as well as their disbursement.

Audit of the Board's Strategic Plan Implementation and Governance

Effective strategic planning helps organizations identify priorities and mitigate risks to achieving their missions. The Board’s Strategic Framework 2012–15 contains six themes, including the importance of strengthening governance over its management processes to enable the effective implementation of the strategic framework’s goals. We plan to assess the Board’s implementation of its strategic plan, including how it measures strategic outcomes, identifies potential risks or challenges, establishes accountability, and monitors progress in implementing the framework.

Board Security Control Reviews

The Federal Information Security Management Act of 2002 requires that each agency Inspector General evaluate a representative subset of the agency’s information systems, including third-party systems. To meet this requirement, we will conduct security control reviews of a sample of the Board’s major applications and general support system components throughout the year. We will use automated audit scanning tools to assist with conducting the security control reviews. For 2014, we plan to focus our scanning on web application, mainframe, VMware, Apache, and IIS technologies.


Evaluation of Systemically Important Financial Institutions Supervision Teams: Preserving and Transferring Institutional Knowledge Within and Between Supervisory Teams

Preserving and transferring institutional knowledge contributes to effective supervision, particularly in light of examiner rotation requirements, examiner turnover, and the Board’s and the Reserve Banks’ evolving supervisory responsibilities. This evaluation will assess Board guidance and the controls implemented by the Federal Reserve Banks of New York, San Francisco, Richmond, and Boston (the Reserve Banks responsible for supervising the systemically important financial institution portfolio) to evaluate the best practices for preserving and transferring institutional knowledge (1) within a supervisory team and (2) from an existing supervisory team to a new team.

Failed Bank Reviews

Section 38(k) of the Federal Deposit Insurance Act, as amended by the Dodd-Frank Act, requires that the Inspector General of the appropriate federal banking agency review the agency’s supervision of a failed institution when the associated losses to the Deposit Insurance Fund are above the materiality threshold or are at or below the threshold but exhibit unusual circumstances warranting an in-depth review. In such cases, the Inspector General must prepare a report in a manner consistent with the requirements of a material loss review. For losses to the Deposit Insurance Fund that occurred from January 1, 2012, through December 31, 2013, a $150 million threshold applies; for all such losses occurring on or after January 1, 2014, the materiality threshold is $50 million.


CFPB: Ongoing Projects, with calendar quarter of expected completion

Audit of the CFPB's Contract Management Process

First quarter 2015

The CFPB’s procurement process follows the requirements established by the Federal Acquisition Regulation, which is the primary regulation governing the acquisition of supplies and services by all federal executive agencies. This audit is a follow-on to the evaluation of the CFPB’s contract solicitation and selection process. Our focus will be on the CFPB’s contract management processes, compliance with applicable rules established by the Federal Acquisition Regulation, and the effectiveness of the CFPB’s internal controls related to contract management.

Audit of the CFPB's Diversity and Inclusion Processes

First quarter 2015

In response to a congressional request, we initiated an audit of the CFPB’s diversity and inclusion processes. The objective of this audit is to assess the CFPB’s personnel operations and other efforts to provide for equal employment opportunities, including equal opportunity for minorities and women to obtain senior management positions, and for racial, ethnic, and gender diversity in the workforce. Our work will include looking at the role of the CFPB’s Office of Minority and Women Inclusion in these areas.

Audit of the CFPB's Headquarters Renovation Costs

First quarter 2015

In June 2014, we completed a review and issued a letter report in response to a request from the Chairman of the Subcommittee on Oversight and Investigations, House Committee on Financial Services, regarding the CFPB’s headquarters renovation budget. As a follow-on to this work, we are evaluating the reasonableness of the overall estimated and proposed costs for the CFPB’s headquarters renovation. We will also assess the effectiveness of the CFPB’s processes and controls for approving, managing, and documenting headquarters renovation costs and project decisions.

Audit of the CFPB's Public Consumer Complaint Database

First quarter 2015

In June 2012, the CFPB became the first federal regulator to publicly share individual-level consumer financial complaint data. While the Consumer Complaint Database initially contained only credit card complaints, the CFPB has extended the database to other consumer financial products and services covered by the CFPB. Our audit objective is to assess the effectiveness of the CFPB’s controls over the accuracy and completeness of the public complaint database.

Audit of the CFPB's Space-Planning Activities

First quarter 2015

The CFPB is in the process of renovating its headquarters building. As the CFPB continues to add personnel and simultaneously manage office space allocation, the funds to be expended for the renovation as well as for the additional space required for displaced and new employees will likely be significant. We will determine whether the CFPB has established adequate controls to properly manage its space needs and whether the CFPB is complying with applicable requirements.

Audit of the CFPB's Tableau System

First quarter 2015

The Federal Information Security Management Act of 2002 (FISMA) requires that each agency Inspector General evaluate a representative subset of the agency’s information systems, including third-party systems. As part of meeting this requirement, we are conducting a security control review of the CFPB’s Tableau system. Tableau is an application used to develop, publish, and view business intelligence data. Our focus is to review the adequacy of certain security controls designed to protect data in the system from unauthorized access, modification, destruction, or disclosure.

Evaluation of the CFPB's Hiring Process

First quarter 2015

In accordance with section 1013(a)(1)(B) of the Dodd-Frank Act, the Director of the CFPB “is authorized to employ attorneys, compliance examiners, compliance supervision analysts, economists, statisticians, and other employees as may be deemed necessary to conduct the business of the Bureau.” We initiated this evaluation in response to the CFPB’s volume of hiring and its establishment of field offices. The objective of our evaluation is to assess the efficiency and effectiveness of certain CFPB recruitment and selection subprocesses, including (1) assessment and vacancy announcement creation, (2) hiring authority and vacancy announcement posting, and (3) evaluation and selection of candidates. We are also evaluating the agency’s compliance with applicable laws, regulations, and policies. This evaluation includes a review of competitive service, excepted service, and special program hiring practices. In addition, we are reviewing the CFPB’s administration of recruitment and selection incentives to recruit new employees.

Joint Evaluation of Coordination Between the CFPB and Other Regulatory Agencies

First quarter 2015

The Board-CFPB OIG, the Federal Deposit Insurance Corporation OIG, the National Credit Union Administration OIG, and the U.S. Department of the Treasury OIG are conducting an evaluation of the coordination between the CFPB and other regulatory agencies with respect to conducting supervisory activities. The Dodd-Frank Act requires the CFPB to coordinate its supervisory activities with the federal prudential regulatory agencies and state financial regulatory authorities. In June 2012, the CFPB and the prudential regulatory agencies issued a memorandum of understanding to clarify how the agencies will coordinate their supervisory activities. The objective of the evaluation is to confirm that the required coordination is occurring and has been effective in avoiding conflicts or duplication of efforts.

Security Control Review of the CFPB's DT Complaints Database

First quarter 2015

The Federal Information Security Management Act of 2002 requires that each agency Inspector General evaluate a representative subset of the agency’s information systems. As part of meeting this requirement, we are conducting a security control review of the CFPB’s DT Complaints Database. The DT Complaints Database supports the CFPB’s Public Consumer Complaint Database. Our specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized access, modification, destruction, or disclosure.

Audit of the CFPB's Distribution of Funds From the Civil Penalty Fund

Second quarter 2015

The Dodd-Frank Act established the Civil Penalty Fund. The CFPB must deposit any civil penalty it obtains in any judicial or administrative action under federal consumer financial law into the fund. The CFPB is to use the funds collected to compensate consumers who were harmed by activities for which civil penalties have been imposed. To the extent that victims cannot be located or payment is not practicable, the CFPB may use the funds for consumer education and financial literacy programs. Our audit is focused on internal controls related to the administration of the Civil Penalty Fund. Specifically, our audit will assess the efficiency and effectiveness of the process for identifying victims.


Evaluation of the Effectiveness of the CFPB's Examination Workpaper Documentation

Second quarter 2015

The CFPB’s Supervision and Examination Manual (version 2.0) summarizes the agency’s expectations for workpaper documentation to support the results of its examination activity. The manual describes the following three principal purposes for workpaper documentation: (1) providing a record of the work performed that supports examination results, (2) maintaining the evidence necessary to support supervisory agreements or formal enforcement actions, and (3) facilitating internal quality control reviews. This evaluation will assess the CFPB’s policies and procedures for documenting examination results, the training programs and materials used to implement workpaper documentation expectations, and the extent to which each of the CFPB’s regions meets those expectations.


CFPB: Planned Projects

Audit of the CFPB's Pay and Compensation Program

The CFPB is required by the Dodd-Frank Act to provide employees with compensation and benefits that, at a minimum, are comparable to those of the Board, regardless of any otherwise applicable provisions of title 5 of the United States Code. We plan to audit the CFPB’s pay and compensation program for compliance with applicable statutory requirements. This audit will include assessing the controls around setting employees’ pay.

Evaluation of the CFPB Enforcement Office's Processes for Protecting Confidential Information

The Enforcement office within the Division of Supervision, Enforcement, and Fair Lending routinely possesses confidential information as a result of the agency exercising its enforcement powers under title X, subtitle E, of the Dodd-Frank Act. For example, the CFPB can issue civil investigative demands to compel document production when the CFPB has reason to believe that a violation of federal consumer financial law has occurred. This evaluation will assess the Enforcement office’s regulations, policies, and procedures for safeguarding confidential information and the effectiveness of its controls designed to maintain the confidentiality of such information.

Evaluation of the CFPB's Compliance With the Requirements for Issuing Civil Investigative Demands (CIDs)

Section 1052(c) of the Dodd-Frank Act authorizes the CFPB to issue CIDs when the agency has reason to believe that a person has documentary materials, tangible things, or any other information relevant to a possible violation of federal consumer financial law. These CIDs may be issued to produce documents, produce tangible things, or compel testimony. Section 1052(c) contains a series of compliance requirements related to the use of CID authority, ranging from mandatory content requirements to procedures for issuing CIDs. This evaluation will assess the CFPB’s (1) policies and procedures for issuing CIDs, (2) training programs and materials related to the issuance of CIDs, and (3) compliance with section 1052(c)’s requirements, applicable regulations, and the agency’s policies and procedures for issuing CIDs.