United States Government Accountability Office Washington, DC 20548 May 21, 2012 The Honorable Richard Cordray Director Bureau of Consumer Financial Protection Subject: Management Report: Opportunities for Improvement in the Bureau of Consumer Financial Protection’s Internal Controls and Accounting Procedures Dear Mr. Cordray: In November 2011, we issued our opinion on the Bureau of Consumer Financial Protection’s (CFPB) fiscal year 2011 financial statements. Our report also included our opinion on the effectiveness of CFPB’s internal control over financial reporting as of September 30, 2011, and our evaluation of CFPB’s compliance with provisions of selected laws and regulations for the fiscal year ended September 30, 2011. 1 Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, 2 referred to as the Consumer Financial Protection Act of 2010, created CFPB. The act charged it with the responsibility of regulating the offering and provision of consumer financial products or services under the federal consumer financial laws. The act also requires CFPB to annually prepare financial statements, and further requires GAO to audit these statements. The Full-Year Continuing Appropriations Act, 2011, also requires that GAO audit CFPB’s financial statements. While CFPB began operations in 2010, fiscal year 2011 was its first full year of operations. As a newly established entity, CFPB spent the majority of fiscal year 2011 forming its structure and commencing operations. The purpose of this report is to present additional information on the internal control and accounting procedure issues we identified during our audit of CFPB’s fiscal year 2011 financial statements and to provide our recommended actions to address those issues. We are making 10 recommendations for strengthening CFPB’s internal controls and accounting procedures. 1 GAO, Financial Audit: Bureau of Consumer Financial Protection’s Fiscal Year 2011 Financial Statements, GAO-12-186 (Washington, D.C.: Nov. 15, 2011). 2 Pub. L. No. 111-203, Title X, 124 Stat. 1955 (July 21, 2010). Page 1 GAO-12-528R CFPB Management Report In addition, because of the sensitive nature of some of our findings related to CFPB information security, we will present our findings and recommendations setting out corrective actions to address issues we identified concerning CFPB’s internal control over information security in a separate letter to CFPB management with limited distribution. Results in Brief During our audit of CFPB’s fiscal year 2011 financial statements, we identified seven internal control issues that could adversely affect CFPB’s ability to meet its internal control objectives. We do not consider these issues to represent material weaknesses or significant deficiencies 3 in relation to CFPB’s financial statements. Nonetheless, we believe they warrant management’s attention and action. These issues concern necessary controls to ensure • complete and finalized documentation of CFPB’s accounting processes and procedures, • an effective internal control assessment process supporting management’s internal control assertion, • security over CFPB’s data and information systems, • accurate calculation and timely recording of CFPB undelivered orders balances, • accurate calculation and timely disbursement of CFPB payroll transactions, • proper prior approval of CFPB travel transactions, and • timely recording of CFPB prepaid expenses as assets. These issues increase the risk of CFPB not preventing or promptly detecting and correcting (1) misappropriation of assets because of reliance on insufficient internal controls; (2) unauthorized access, modification, or both of its data; and (3) misstatements in its financial statements. At the end of our discussion of each of these issues in the sections that follow, we present our related recommendations. These recommendations are intended to improve management’s oversight and controls and minimize the risk of misappropriation of assets, misstatements in CFPB’s accounts and financial statements, and unidentified vulnerabilities over the security of its data. 3 A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. Page 2 GAO-12-528R CFPB Management Report In providing written comments on a draft of this report, CFPB concurred with our findings and corresponding recommendations. While CFPB stated that it has implemented, or is in the process of implementing, actions to address the issues discussed in this report, it did not specifically address each finding and recommendation in its written comments. CFPB’s comments are summarized at the end of this report and reproduced in their entirety in enclosure I. Scope and Methodology As part of our audit of CFPB’s fiscal year 2011 financial statements, we evaluated CFPB’s internal controls and tested its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls over financial reporting, including those designed to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of CFPB’s financial statements in conformity with U.S. generally accepted accounting principles. We performed our audit of CFPB’s fiscal year 2011 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report. Further details on our audit methodology are presented in enclosure II. Accounting Policies and Procedures As fiscal year 2011 was CFPB’s first full year of operations, our audit found that CFPB’s policies and procedures were not yet fully documented and finalized, which is typical of any newly established entity. Specifically, many of CFPB’s policies and procedures were in draft form and had not yet been approved by CFPB management. Furthermore, they did not include all steps and personnel involved in initiating, authorizing, approving, recording, and summarizing and reporting CFPB’s various transactions, nor were all of CFPB’s accounting policies and procedures documented. This increased the difficulty of assessing CFPB’s control environment for management, led to deficiencies in CFPB’s performance and evaluation of certain information system security internal control activities, and contributed to errors in the processing of CFPB’s undelivered orders and expense transactions. For example, CFPB’s documented accounting policies and procedures as of fiscal year-end did not include all of the accounting policies and procedures governing the activities that the Bureau of the Public Debt Administrative Resource Center (BPD- ARC), a Department of the Treasury (Treasury) franchise fund 4, performed for CFPB 4 A franchise fund is a type of statutorily established intragovernmental revolving fund that operates as a self-supporting entrepreneurial entity to provide common administrative services benefiting other Page 3 GAO-12-528R CFPB Management Report pursuant to an agreement. In September 2010, CFPB entered into a reimbursable services agreement with BPD-ARC for certain accounting services. 5 While BPD- ARC staff process CFPB transactions, CFPB is ultimately responsible for ensuring that the amounts, transactions, and balances are properly recorded, complete, and fairly presented in its financial statements and other financial reports. Therefore, CFPB’s policies and procedures should include, or incorporate by reference, BPD- ARC’s accounting policies and procedures. Furthermore, CFPB’s documented policies and procedures should clearly delineate BPD-ARC’s roles and responsibilities for processing CFPB’s transactions and CFPB’s roles and responsibilities for monitoring the work performed by BPD-ARC. Standards for Internal Control in the Federal Government 6 provides that control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives and are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. The standards also provide that internal control activities are to be clearly documented and that the documentation should appear in management directives, administrative policies, or operating manuals. The lack of finalized policies and procedures could lead to transactions being inaccurately recorded in, or omitted from, CFPB’s general ledger and ultimately its financial statements. Furthermore, without finalized policies and procedures, CFPB cannot ensure that control activities are carried out in accordance with management’s intent or in accordance with applicable laws and regulations. Recommendation We recommend that you direct the Chief Financial Officer to finalize and approve CFPB’s documented accounting policies and procedures to include requirements for thoroughly documenting all key accounting policies and procedures, clearly defining those performed by BPD-ARC and those performed by CFPB, and identifying the personnel responsible for executing these processes to ensure accountability. federal entities. Franchise funds function entirely from the fees charged for the services they provide consistent with their statutory authority. The Consolidated Appropriations Act, 2005, established Treasury’s franchise fund as a permanent indefinite appropriation. See Pub. L. No. 108-447, § 219, 118 Stat. 2809, 3242 (Dec. 8, 2004) (reprinted in 31 U.S.C. § 322 note). 5 BPD-ARC provides CFPB with accounting services in several areas, including procurement, accounts payable, accounts receivable, budget execution, travel, and financial reporting. 6 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). Page 4 GAO-12-528R CFPB Management Report Internal Control Assessment Process During our audit of CFPB’s fiscal year 2011 financial statements, the entity’s first full year of operations, we found that CFPB’s process for assessing the effectiveness of its internal control over financial reporting was not sufficient to fully support management’s conclusions regarding the effectiveness of CFPB’s internal control over financial reporting. Specifically, we identified deficiencies regarding CFPB’s internal control testing, consideration of certain information security controls to CFPB’s control environment, and CFPB’s review of its compliance with laws and regulations. Such weaknesses are not unexpected for any entity in its first year of operation. The Consumer Financial Protection Act requires CFPB to provide to the Comptroller General of the United States an assertion as to the effectiveness of its internal controls over financial reporting based on the standards established in 31 U.S.C. § 3512 (c), commonly known as the Federal Managers’ Financial Integrity Act of 1982. Furthermore, the Office of Management and Budget’s (OMB) Circular No. A-123, Management’s Responsibility for Internal Control, provides that federal agencies are to assess the extent to which their internal control provides reasonable assurance that the following objectives are being achieved: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. In August 2011, CFPB executed a 2-year contract for accounting and internal control support services and awarded a task order under the contract for the contractor to (1) develop an inventory of CFPB programs and associated risks and control activities, (2) perform a risk assessment for each key process, (3) determine and document existing controls, (4) determine whether existing controls were sufficient, (5) identify any policies or procedures in place to offset potential risks, and (6) provide specific recommendations to improve controls. As of fiscal year-end, the contractor was not able to complete its planned testing on four of the nine key process areas identified. Because the contractor did not begin work until August and CFPB’s fiscal year-end is September 30, the time allotted for the contractor to perform the internal control review was limited. However, for the testing that was not complete, the contractor concluded that the open issues were minor and that for the processes for which it completed work, CFPB’s internal control over financial reporting was operating effectively. CFPB also developed an internal control review plan for assessing its internal control. As part of the plan, CFPB incorporated elements of the GAO Internal Control Management and Evaluation Tool 7 with respect to the five components of internal 7 GAO, Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). This tool is intended to assist agencies in maintaining or implementing effective internal controls and, when needed, to help determine what, where, and how improvements can be implemented. Page 5 GAO-12-528R CFPB Management Report control: the control environment, control activities, risk assessment, information and communication, and monitoring. However, our review determined that CFPB’s analysis of the five components of internal control did not consider all key internal controls related to CFPB’s information security. Specifically, CFPB determined that it did not need to assess control activities related to an entity-wide security management program, including access controls, application software development, system software controls, service continuity, and control over integrity of processing and data files, because the systems related to these control activities were owned and operated by another agency under a service agreement. 8 However, OMB Circular No. A-123, in reference to the Federal Information Security Management Act of 2002 (FISMA), 9 provides that agency heads are required to annually report on the effectiveness of their agency’s information security programs, including systems and data controlled and carried out by service providers on behalf of that agency. Therefore, the design and effectiveness of these control activities should have been evaluated by CFPB. Further CFPB’s internal control review plan for assessing compliance with key laws and regulations applicable to the bureau’s operations was not comprehensive as it did not include all key laws related to CFPB’s operations with respect to financial reporting. CFPB explained that the compliance schedule was not compiled until September 2011, which did not allow adequate time to review it to ensure its completeness. Standards for Internal Control in the Federal Government provides that internal control should provide for an assessment of the risks an agency faces from both external and internal sources and that internal control should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations. While CFPB did provide an assertion as to the effectiveness of its internal control over financial reporting, our review found areas in which CFPB needs to enhance and strengthen the process and documentation supporting its assertion. Deficiencies in CFPB’s processes for assessing internal controls can lead to inappropriate conclusions as to the effectiveness of its internal controls, which could in turn lead to CFPB relying on insufficient internal controls over financial reporting. 8 As a newly established entity, CFPB spent the majority of fiscal year 2011 forming its structure and commencing operations. To assist in this process, in September 2010 CFPB entered into an interagency agreement with the Treasury’s departmental offices for administrative and operational support in a variety of areas, including information system infrastructure. Also, in September 2010, CFPB entered into a reimbursable services agreement with BPD-ARC to provide administrative accounting services. 9 FISMA was enacted as Title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002), and the FISMA requirements for agencywide security programs are codified at 44 U.S.C. § 3544. Page 6 GAO-12-528R CFPB Management Report Recommendation We recommend that you direct the Chief Financial Officer to augment CFPB’s internal control review procedures to include (1) all components of CFPB controls (including controls over financial reporting services provided to CFPB), (2) all key laws and regulations governing CFPB’s financial reporting functions, and (3) monitoring steps to ensure procedures are completed in time for management to consider in its required annual internal control assertion. Information Security Program During our audit of CFPB’s fiscal year 2011 financial statements, we found that CFPB, contrary to the provisions of FISMA, had not developed, documented, and implemented an agencywide program to provide information security for the information and information systems that support the financial reporting, operations, and assets of the bureau, including those systems provided or managed by its service provider organizations. 10 We identified several information systems vulnerabilities related to its controls over financial reporting. Specifically, CFPB had not ensured that its service providers consistently or fully implemented controls for (1) authenticating users, (2) authorizing access to resources, (3) managing system configurations, and (4) protecting system and network boundaries on information systems owned and operated on behalf of CFPB by service provider organizations. In addition, CFPB had not yet established an information security program that included a clear delineation of the roles and responsibilities of CFPB and those of its service providers. In our review, we found the following vulnerabilities resulting from the lack of an overall information security program: • Controls were not consistently implemented for authenticating users. A computer system needs to be able to identify and authenticate each user so that activities on the system can be linked and traced to a specific individual. An organization does this by assigning a unique user account to each user, and in so doing, the system is able to distinguish one user from another—a process called identification. The system also needs to establish the validity of a user’s claimed identity by requesting some kind of information, such as a password, that is known only by the user—a process known as 10 FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets to strengthen the security of information systems within federal agencies. The agency’s information security program required under FISMA applies not only to information systems used or operated by an agency but also to information systems used or operated by a contractor or other service provider on behalf of an agency. Security requirements for service providers should be expressed in appropriate contracts or agreements. The level of trust an agency can apply to the external provider depends on a variety of factors, including the extent to which the agency can monitor and verify the security controls of the provider. If the level of trust in the external provider does not meet expectations, the agency must employ compensating security controls, accept a greater degree of risk, or not use the service provider. Ultimately, the responsibility for adequately mitigating unacceptable risks arising from the use of service providers remains with the authorizing official of the originating agency. Page 7 GAO-12-528R CFPB Management Report authentication. The combination of identification and authentication—such as user account-password combinations—provides the basis for establishing individual accountability and for controlling access to the system. However, CFPB did not ensure that appropriate password management controls were implemented on key systems we reviewed. As a result, an increased risk exists that accounts could be compromised and used by unauthorized individuals to access sensitive information. • Weaknesses in authorization controls limited their effectiveness. Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file. A key component of granting or denying access rights is the concept of “least privilege.” Least privilege is a basic principle for securing computer resources and data that means that users are granted only those access rights and permissions that they need to perform their official duties. However, users were granted excessive levels of access privileges and permissions that were not required to perform their job. As a result, data could be inappropriately modified, either inadvertently or deliberately. • Systems were not always securely configured. Configuration management involves, among other things, (1) verifying the correctness of the security settings in the operating systems, applications, or computing and network devices and (2) obtaining reasonable assurance that systems are configured and operating securely and as intended. Patch management, a component of configuration management, is an important element in mitigating the risks associated with software vulnerabilities. When a software vulnerability is discovered, the software vendor may develop and distribute a patch or work- around to mitigate the vulnerability. Without the patch, an attacker can exploit a software vulnerability to read, modify, or delete sensitive information; disrupt operations; or launch attacks against systems at another organization. Nevertheless, servers for systems used by CFPB had not been routinely and consistently patched in a timely manner. In addition, network vulnerabilities existed on multiple network devices. Failing to apply critical patches and the appropriate configuration settings for systems and network devices increases the risk of exposing systems to vulnerabilities that could be exploited. • System boundaries were not sufficiently protected. Boundary protection involves the protection of a logical or physical boundary around a set of information resources and implementation of measures to prevent unauthorized information exchange across the boundary in either direction. Firewall devices represent the most common boundary protection technology at the network level. However, firewalls operating on systems we reviewed did not appropriately restrict access to the systems. These weaknesses increase the risk that malicious activity could occur and escape detection. Page 8 GAO-12-528R CFPB Management Report FISMA states that agencies should develop, document, and implement an agency- wide information security program that includes periodic risk assessments; policies and procedures that include related security plans; periodic management testing and evaluation of all major systems; a remedial action process to address any deficiencies found during monitoring and testing; procedures for detecting, reporting, and responding to security incidents; security awareness training for agency employees, contractors, and other service providers; and continuity of operations plans and procedures for information systems. However, CFPB did not have a program in place that addressed these requirements. For example, CFPB did not assess the risks associated with the information systems of its service providers, including BPD-ARC, which serves as CFPB’s accounting service provider. Moreover, in September 2010 CFPB entered into an interagency agreement with Treasury’s departmental offices for administrative and operational support in a variety of areas, including information system infrastructure. For example, CFPB utilized Treasury’s wide area and local area network communications services and desktop computer resources. However, CFPB did not perform a risk assessment of its service providers because it did not consider certain internal controls related to information security to be applicable to the bureau since it did not own these systems. Because it was newly established, CFPB was in the process of drafting policies and procedures addressing the security of its information systems; however, none had been finalized as of September 30, 2011. Until CFPB develops, documents, and fully implements its information security program, including clearly delineating the roles and responsibilities of its service providers, its financial systems and the information they contain will be subject to increased risk of unauthorized access, use, disclosure, modification, disruption, and destruction. Recommendation We recommend that you direct the Chief Information Officer to establish an agency- wide information security program in accordance with FISMA guidance. Such a program should clearly delineate the roles and responsibilities of CFPB and its service providers in maintaining effective security over the systems and information CFPB relies on for its financial reporting. Specifically, this program should include provisions for periodic CFPB risk assessments; policies and procedures that include related security plans; periodic management testing and evaluation of all major systems; a remedial action process to address any deficiencies found during monitoring and testing; procedures for detecting, reporting, and responding to security incidents; security awareness training for agency employees, contractors, and other service providers; continuity of operations plans and procedures for information systems; and a process for evaluating the information system security of any and all service providers. Additionally, in a separate letter with limited distribution, we are providing specific details of the technical weaknesses identified above and are making additional recommendations to enhance CFPB’s internal control over information security. Page 9 GAO-12-528R CFPB Management Report Undelivered Orders During our audit of CFPB’s fiscal year 2011 financial statements, we found that the bureau’s controls, and those of its service provider, were not fully effective in ensuring that certain budgetary transactions were accurately and timely recorded. Specifically, we found that transactions affecting the bureau’s undelivered orders 11 balances were not always recorded accurately and timely in the general ledger. For example, we found that CFPB executed a procurement contract for the purchase of computer equipment in the amount of nearly $1.2 million on July 22, 2011, but the obligation 12 amount was not included in the undelivered orders balance at July 31, 2011. As discussed previously, CFPB entered into a reimbursable services agreement with BPD-ARC for certain accounting services, including procurement services. With respect to procurement services, BPD-ARC staff serve as CFPB’s contracting officers and input CFPB’s obligations into the accounting system. BPD- ARC officials explained that funds are to be obligated at the time the award document is signed and that the obligation is recorded in the accounting system when transactions are approved in the Procurement Request Information System Management (PRISM) system. 13 However, in this instance a BPD-ARC contracting officer erroneously released the award transaction. Consequently, the obligation was not recorded in the accounting system and not included in the July 31, 2011, undelivered orders balance. The error was found in August 2011 when CFPB received the first invoice to be paid on this obligation. The BPD-ARC contracting officer determined that the obligation had not been recorded in the accounting system and subsequently approved the award in PRISM. BPD-ARC contracting officers are not explicitly required to compare the contract award date and the date the obligation is recorded in PRISM to ensure that they are consistent. In addition, we found that the undelivered orders balance for a travel relocation transaction was overstated by nearly $145,000 at fiscal year-end. BPD-ARC officials explained that the error occurred when a travel relocation technician was amending the obligation. The relocation technician inaccurately obligated additional funds to the travel authorization’s September 30, 2011, balance. The relocation technician realized the error on the same day that the amount was posted and deobligated 14 the $145,000. However, the deobligation was incorrectly recorded in fiscal year 2012, and thus did not correct the overstatement to the 2011 fiscal year-end undelivered orders balance caused by the initial error. According to BPD-ARC, relocation technicians are instructed to review amendments to obligations to ensure the accuracy of the obligation balance. However, the relocation technicians’ review 11 Undelivered orders are the value of goods and services ordered and obligated but not received. 12 An obligation is a definite commitment that creates a legal liability of the government for the payment of goods and services ordered or received. 13 Oracle contains CFPB’s general ledger system, and PRISM is used to record CFPB’s procurement transactions. Obligations are recorded in the general ledger through a real-time interface between PRISM and Oracle. 14 Deobligation refers to an agency’s cancellation or downward adjustment of previously incurred obligations. Page 10 GAO-12-528R CFPB Management Report does not require the technicians to ensure that the amendments are recorded in the proper period. Standards for Internal Control in the Federal Government provides that control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives. The standards also provide that agencies are to ensure accurate and timely recording of transactions. Deficiencies with respect to the accurate and timely recording of contract/obligation activity can lead to misstatements in undelivered orders balances reported in CFPB’s financial statements. Recommendations We recommend that you direct the Chief Financial Officer to • implement procedures to ensure that contracting officers verify that the date an obligation is recorded in PRISM corresponds to the date that the contracting officer signed the official obligating document and • implement procedures to ensure that amendments to travel relocation obligations are recorded in the proper period as part of ensuring the accuracy of obligation balances. Calculation of Payroll Transactions The Consumer Financial Protection Act permits certain CFPB employees transferred from other federal agencies to elect to remain enrolled in their existing defined benefit and defined contribution retirement plans; further, for those employees who so elect, the act requires CFPB to make any required employer contributions to the employees’ retirement plans. 15 During our testing of payroll transactions conducted as part of our fiscal year 2011 audit, we found that CFPB did not have controls in place to ensure that required retirement benefit contributions were made. Specifically, we found that CFPB did not originally make the required agency contributions, nor in some instances the employee deductions, to the Thrift Savings Plan (TSP), other non-TSP defined contribution retirement plans (non-TSP retirement plans), or the Federal Insurance Contributions Act (FICA) tax for eight employees. CFPB has entered into a reimbursable services agreement with BPD-ARC to assist with hiring employees and recording payroll disbursements, and with the Department of Agriculture’s (USDA) National Finance Center (NFC), a USDA working capital 15 12 U.S.C. § 5584(i), Benefits for Certain Transferred Personnel. Page 11 GAO-12-528R CFPB Management Report fund, 16 to process payroll disbursements. Employees transferred from several other agencies to work at CFPB. The Consumer Financial Protection Act provided employees who transferred from other agencies 17 with the option to continue participation in some of the transferring agencies’ non-Title 5 retirement and other benefits programs, 18 such as medical, vision, dental, long-term disability, and life insurance plans, for a defined period of time. Unless they elected otherwise, employees who transferred to CFPB were to remain enrolled in their respective retirement plans as of the date of transfer. The transferring agencies would continue to administer the non-Title 5 benefit programs for those transferred employees, and upon conclusion of the defined period of time, the employees had the option to enroll in non-Title 5 benefits programs sponsored by CFPB. Furthermore, CFPB was required to pay any employer contributions to the existing retirement plan of each transferred employee. These requirements created a complex payroll structure for CFPB. During our testing of CFPB’s payroll expense transactions, we identified a contribution problem with an employee who transferred from the Federal Deposit Insurance Corporation (FDIC) and was enrolled in both the TSP and the FDIC Savings Plan, a non-TSP retirement plan, at the time of transfer. We found that CFPB did not make the mandatory 1 percent contribution and the matching 4 percent contribution to this employee’s TSP. 19 We also found that CFPB did not make the matching contribution to the employee’s FDIC Savings Plan (the non-TSP retirement plan). According to FDIC, the FDIC Savings Plan required matching agency contributions up to 5 percent of the employee’s adjusted basic pay. According to CFPB, year-to-date contribution amounts were entered incorrectly into the NFC system by FDIC personnel for both retirement plans, causing it to appear as though the employee’s contribution total exceeded the annual tax deferral limit for retirement plan contributions. Consequently, NFC did not withhold the employee deductions or agency matching contributions for the two pay periods affected. BPD- ARC became aware of the agency contribution errors while processing payroll transactions for CFPB. Prior to our testing, CFPB worked with BPD-ARC and NFC to 16 A working capital fund is a type of agency intragovernmental revolving fund, which conducts a regular cycle of businesslike activities and operates entirely from the proceeds of fees charged to federal entities for their goods or services. NFC is a USDA working capital fund that provides administrative and financial services to many federal agencies, including CFPB. CFPB forwards personnel and payroll data to NFC so that NFC can process CFPB’s payroll. 17 The agencies from which CFPB employees were transferred include the Board of Governors of the Federal Reserve System, the Federal Reserve Banks, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Department of Housing and Urban Development. 18 Title 5 of the U.S. Code outlines benefit programs for the majority of the federal workforce, in which programs are typically administered by the Office of Personnel Management. Non-Title 5 benefits are those benefits not covered under Title 5. For those CFPB employees participating in non-Title 5 benefit programs, CFPB states that it contracts directly with vendors to provide those services. 19 For employees in the Federal Employees Retirement System, an agency will contribute an amount equal to 1 percent of an employee’s basic pay each pay period to a TSP account. These are called Agency Automatic 1% Contributions, and the employee does not need to be making employee contributions to receive them. In addition, based on the employee’s contribution election, the agency will also provide matching contributions on the first 5 percent of an employee’s basic pay each pay period to a TSP account. Page 12 GAO-12-528R CFPB Management Report correct these issues. By the end of November 2011, CFPB had retroactively collected the employee contributions and made the missed agency contributions to the transferred FDIC employee’s TSP. However, as of February 2012, CFPB had not collected the employee contributions or made the matching agency contributions to the employee’s non-TSP retirement plan. Similarly, we found that CFPB did not make the mandatory 1 percent contribution to two other transferred employees’ non-TSP retirement plans. According to CFPB, NFC’s system was not programmed to process certain codes assigned to transferred employees, resulting in missed agency contributions. During February 2012, CFPB paid the missed contributions to the two transferred employees’ non- TSP retirement plans. In addition, we found that CFPB did not make FICA contributions, as required by the Social Security Act of 1935, for five employees transferred from the Federal Reserve System for two pay periods tested. Also, for these five employees, CFPB did not properly deduct the employee portion for FICA contributions from each of their pay. According to CFPB, NFC had not modified its procedures to enable its systems to process FICA contributions for the group of employees that transferred from the Federal Reserve System. BPD-ARC was aware of the FICA errors prior to our testing and worked with CFPB and NFC to resolve the programming issues. However, throughout October 2011, CFPB paid the missed FICA payments for four of the employees who transferred from the Federal Reserve System. 20 By December 2011, CFPB ensured that the employee portion of the missed FICA payments was retroactively collected from each of these employees. Moreover, we reviewed the entire population of employees who transferred from the Federal Reserve System for the two pay periods affected by the programming issue and identified additional employees for whom CFPB did not make FICA contributions. For these employees, CFPB also did not properly deduct the employee portion for FICA contributions from these employees’ pay. Since BPD- ARC was aware of the FICA errors, it worked with CFPB and NFC to identify employees who transferred from the Federal Reserve System for the two pay periods affected by the programming issue. By December 2011, CFPB paid the corresponding missed FICA contributions. CFPB also recouped the employee portion of the missed FICA payments from the employees affected. Standards for Internal Control in the Federal Government provides that agencies are to ensure accurate and timely recording of transactions. The standards also state that monitoring of internal control should include policies and procedures for ensuring that the findings of audits and other reviews are promptly resolved. In addition, USDA’s Office of Inspector General (IG) conducts an annual audit of NFC’s internal control structure in accordance with the American Institute of Certified Public 20 The fifth employee had already reached the maximum contribution amount required for FICA. Therefore, no collection for missed FICA payments was necessary. Page 13 GAO-12-528R CFPB Management Report Accountants Statement on Standards for Attestation Engagements (SSAE) No. 16 and issues a report (an SSAE 16 report). In its 2011 SSAE 16 report on NFC, the IG issued an unqualified opinion and reported no material weaknesses in internal control. 21 However, the IG reported that user entities should establish controls or procedures to complement those at NFC. Although CFPB had draft payroll policies and procedures, these policies and procedures did not include controls that would have promptly detected these types of errors. Given CFPB’s complex payroll structure and the significant amount of hiring that occurred at the end of fiscal year 2011, CFPB should have established controls to verify the accuracy of its payroll transactions. Deficiencies with respect to controls over CFPB’s payroll processing procedures can increase the risk of misstating expenses in its financial statements. In addition, deficiencies in payroll processing can lead to inaccurate employee compensation, withholdings, and accumulation of benefits. Recommendation We recommend that you direct the Chief Financial Officer to strengthen payroll policies and procedures by including steps to follow to (1) test individual payroll transactions to ensure that transactions processed by NFC are properly programmed and disbursed and (2) ensure that NFC promptly corrects any identified errors in payroll disbursements. Documentation to Support the Approval of Travel Expenses During our testing of expense transactions conducted as part of our fiscal year 2011 audit, we found that CFPB employees did not always obtain prior written approval for all reimbursed travel expenses. Specifically, we found that a senior CFPB employee was reimbursed nearly $4,000 for fees paid for two individuals to attend a conference that were not included on the related travel authorization. In this instance, the travel voucher for the traveling CFPB employee included a reimbursement claim in the amount of nearly $2,000 for the conference fees of another CFPB employee. A CFPB official explained that the employee received oral approval from a senior executive to attend the conference along with another CFPB employee. We identified another instance for the same senior CFPB employee where a conference fee in the amount of about $500 was omitted from the travel authorization, but the employee was still reimbursed for the expense. 21 Department of Agriculture, Office of Inspector General, Audit Report: Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Finance Center, Report No. 11401-2-11 (Washington, D.C.: Sept. 23, 2011). Page 14 GAO-12-528R CFPB Management Report Standards for Internal Control in the Federal Government provides that internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. In reviewing CFPB’s travel policy, entitled “Use of Limited Open Travel Authorizations and Travel Cards for Temporary Duty Travel,” which was still in draft at the time of our testing, we found that it did not specifically include requirements for obtaining prior written approval for all travel expenses. However, the draft policy also incorporates by reference the Federal Travel Regulation (FTR), 22 which under part 301-71, provides that conference rates are to be included on the travel authorizations and approved prior to travel. Deficiencies with respect to requiring the prior approval and maintenance of related written documentation to support prior authorization of travel expenses can result in CFPB incurring inappropriate expenses. Recommendations We recommend that you direct the Chief Financial Officer to • enhance CFPB’s travel policies and procedures to expressly state that prior written approval be obtained for all reimbursed travel expenses and • issue a memorandum to all staff on CFPB’s policy on obtaining prior written approval for all reimbursed travel expenses. Process for Recording Prepaid Expenses During our testing of expense transactions conducted as part of our fiscal year 2011 audit, we found that CFPB’s process for recording prepaid expenses did not ensure that assets and expenses were recorded in the proper period in a timely manner. Specifically, we found that a CFPB subscription with a period of performance spanning 2 fiscal years was initially fully expensed in fiscal year 2011. Prepaid expenses represent future economic benefits that are paid in advance of their use or consumption. The subscription we identified was for access to financial information for fiscal years 2011 and 2012, beginning at the end of May 2011. Accordingly, the subscription needed to be allocated on a systematic basis to recognize the cost over the entire period of benefit. During fiscal year 2011, CFPB’s procedure for identifying prepayments was through a post-payment review process conducted at fiscal year-end during which CFPB reviewed its expense accounts to identify any transaction that should be reclassified as a prepayment. Therefore, under this process, prepaid expenses that should have 22 The FTR, 41 C.F.R. chs. 300 to 304, is the regulation that implements statutory requirements and executive branch policies for travel by federal civilian employees and others authorized to travel at government expense. Page 15 GAO-12-528R CFPB Management Report been reclassified as assets would incorrectly be recorded and reported as expenses in CFPB’s accounts and interim financial statements throughout the fiscal year. In this instance, the fiscal year 2012 portion of the subscription expense, nearly $206,000, was eventually reclassified as an asset in October 2011. Furthermore, the initial recording of a transaction should be to the correct general ledger account. BPD-ARC accounting technicians process invoices for payment on behalf of CFPB. A BPD-ARC accounting technician sends a copy of the invoice and an invoice approval form to the assigned CFPB contracting officer technical representative (COTR) 23 for review and approval prior to payment. However, CFPB’s COTRs are not required to inform the BPD-ARC accounting technician that the transaction amount should be recorded as a prepayment as part of this review and approval process. Therefore, when an invoice is paid, the prepaid portion of the expense is initially recorded to an expense account rather than to an asset account. Standards for Internal Control in the Federal Government provides that agencies are to ensure the timely recording of transactions. Furthermore, in accordance with the Consumer Financial Protection Act, CFPB is required to submit quarterly financial statements to the Director of OMB. Deficiencies with respect to the timely recording of prepayment transactions can lead to misstatements in asset balances and expense amounts reported in CFPB’s interim accounts and financial statements. Recommendations We recommend that you direct the Chief Financial Officer to • modify CFPB’s existing procedures over the post-payment review process to require that CFPB conduct such reviews at least quarterly and • incorporate into CFPB’s policies and procedures the requirement for its COTRs to indicate on the invoice approval form whether a transaction should be classified as a prepayment. Agency Comments In the written comments provided on a draft of this report, CFPB stated that it is committed to continuously improving its internal control environment as the agency continues to build its staffing, structure, and processes. CFPB concurred with our recommendations and further stated that it has implemented, or is in the process of implementing, actions to address the issues discussed in this report. Such actions include developing and implementing policies and procedures, working with service providers to ensure that their controls are complementary to those of CFPB, 23 COTRs perform critical acquisition and technical functions, and contracting officers rely on them to ensure that contracts and other acquisition agreements are managed properly. Page 16 GAO-12-528R CFPB Management Report monitoring the timely correction of identified errors, and implementing additional information security controls. We will evaluate CFPB’s actions to address these issues as part of our fiscal year 2012 audit. CFPB’s written comments are reprinted in enclosure I. ______________ This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency’s first request for appropriations made more than 60 days after the date of this report. This report is intended for use by CFPB management. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Banking, Housing, and Urban Affairs; the House Committee on Financial Services; the Senate Committee on Appropriations; and the House Committee on Appropriations, and to the Secretary of the Treasury, the Director of the Office of Management and Budget, and other interested parties. In addition, the report is available at no charge on the GAO website at http://www.gao.gov. Page 17 GAO-12-528R CFPB Management Report We acknowledge and appreciate the cooperation and assistance provided by CFPB management and staff during our audit of CFPB’s fiscal year 2011 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact Steven J. Sebastian at (202) 512-3406 or firstname.lastname@example.org or Gregory C. Wilshusen at (202) 512-6244 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Sincerely yours, Steven J. Sebastian Managing Director Financial Management and Assurance Gregory C. Wilshusen Director Information Security Issues Enclosures – 2 Page 18 GAO-12-528R CFPB Management Report Enclosure I: Comments from the Bureau of Consumer Financial Protection Page 19 GAO-12-528R CFPB Management Report Page 20 GAO-12-528R CFPB Management Report Enclosure II: Details on Audit Scope and Methodology To fulfill our responsibilities as auditor of the financial statements of the Bureau of Consumer Financial Protection (CFPB), we did the following: • examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements; • assessed the accounting principles used and significant estimates made by management; • evaluated the overall presentation of the financial statements; • obtained an understanding of the entity and its operations, including its internal control over financial reporting; • considered CFPB’s process for evaluating and reporting on internal control over financial reporting that CFPB is required to perform by the Federal Managers’ Financial Integrity Act of 1982 and the Consumer Financial Protection Act; • assessed the risk that a material misstatement exists in the financial statements and the risk that a material weakness exists in internal control over financial reporting; • evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk; • tested relevant internal control over financial reporting; and Page 21 GAO-12-528R CFPB Management Report • tested compliance with selected provisions of the following laws and their related regulations: 31 U.S.C. § 3902 – Interest penalties under the Prompt Payment Act; 31 U.S.C. § 3904 – Limitations on Discount Payments Under the Prompt Payment Act; 5 U.S.C. § 8334 (a)(1), (2) – Civil Service Retirement Act; 5 U.S.C. §§ 8422, 8423, 8432 – Federal Employees’ Retirement System Act of 1986; Social Security Act of 1935, as amended; 5 U.S.C. §§ 8905-8909 – Federal Employees Health Benefits Act of 1959, as amended; and Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act. (196254) Page 22 GAO-12-528R CFPB Management Report This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. The Government Accountability Office, the audit, evaluation, and GAO’s Mission investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: firstname.lastname@example.org Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, email@example.com, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, firstname.lastname@example.org, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Management Report: Opportunities for Improvement in the Bureau of Consumer Financial Protection's Internal Controls and Accounting Procedures
Published by the Government Accountability Office on 2012-05-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)