Management Report:
Opportunities for Improvement in the Bureau of Consumer Financial Protection's Internal Controls and Accounting Procedures
GAO-12-528R, May 21, 2012
Additional Materials:
- Accessible Text:
Contact:
202-512-9521
sebastians@gao.gov
Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
During our audit of CFPB’s fiscal year 2011 financial statements, we identified seven internal control issues that could adversely affect CFPB’s ability to meet its internal control objectives. We do not consider these issues to represent material weaknesses or significant deficiencies in relation to CFPB’s financial statements. Nonetheless, we believe they warrant management’s attention and action. These issues concern necessary controls to ensure
- complete and finalized documentation of CFPB’s accounting processes and procedures,in relation to CFPB’s financial statements. Nonetheless, we believe they warrant management’s attention and action. These issues concern necessary controls to ensure
- an effective internal control assessment process supporting management’s internal control assertion,
- security over CFPB’s data and information systems,
- accurate calculation and timely recording of CFPB undelivered orders balances,
- accurate calculation and timely disbursement of CFPB payroll transactions,
- proper prior approval of CFPB travel transactions, and
- timely recording of CFPB prepaid expenses as assets.
These issues increase the risk of CFPB not preventing or promptly detecting and correcting (1) misappropriation of assets because of reliance on insufficient internal controls; (2) unauthorized access, modification, or both of its data; and (3) misstatements in its financial statements. At the end of our discussion of each of these issues in the sections that follow, we present our related recommendations. These recommendations are intended to improve management’s oversight and controls and minimize the risk of misappropriation of assets, misstatements in CFPB’s accounts and financial statements, and unidentified vulnerabilities over the security of its data.
Why GAO Did This Study
In November 2011, we issued our opinion on the Bureau of Consumer Financial Protection’s (CFPB) fiscal year 2011 financial statements. Our report also included our opinion on the effectiveness of CFPB’s internal control over financial reporting as of September 30, 2011, and our evaluation of CFPB’s compliance with provisions of selected laws and regulations for the fiscal year ended September 30, 2011.
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, referred to as the Consumer Financial Protection Act of 2010, created CFPB. The act charged it with the responsibility of regulating the offering and provision of consumer financial products or services under the federal consumer financial laws. The act also requires CFPB to annually prepare financial statements, and further requires GAO to audit these statements. The Full-Year Continuing Appropriations Act, 2011, also requires that GAO audit CFPB’s financial statements. While CFPB began operations in 2010, fiscal year 2011 was its first full year of operations. As a newly established entity, CFPB spent the majority of fiscal year 2011 forming its structure and commencing operations.
The purpose of this report is to present additional information on the internal control and accounting procedure issues we identified during our audit of CFPB’s fiscal year 2011 financial statements and to provide our recommended actions to address those issues.
What GAO Recommends
We are making 10 recommendations for strengthening CFPB’s internal controls and accounting procedures.
For more information, contact contact Steven J. Sebastian at (202) 512-3406 or sebastians@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
Status Legend:
- Review Pending
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: The director of the CFPB should direct the Chief Financial Officer to incorporate into CFPB’s policies and procedures the requirement for its contracting officer technical representatives (COTRs) to indicate on the invoice approval form whether a transaction should be classified as a prepayment.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to augment CFPB’s internal control review procedures to include (1) all components of CFPB controls (including controls over financial reporting services provided to CFPB), (2) all key laws and regulations governing CFPB’s financial reporting functions, and (3) monitoring steps to ensure procedures are completed in time for management to consider in its required annual internal control assertion.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Information Officer to establish an agency-wide information security program in accordance with FISMA guidance. Such a program should clearly delineate the roles and responsibilities of CFPB and its service providers in maintaining effective security over the systems and information CFPB relies on for its financial reporting. Specifically, this program should include provisions for periodic CFPB risk assessments; policies and procedures that include related security plans; periodic management testing and evaluation of all major systems; a remedial action process to address any deficiencies found during monitoring and testing; procedures for detecting, reporting, and responding to security incidents; security awareness training for agency employees, contractors, and other service providers; continuity of operations plans and procedures for information systems; and a process for evaluating the information system security of any and all service providers.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to implement procedures to ensure that contracting officers verify that the date an obligation is recorded in the Procurement Request Information System Management (PRISM) system corresponds to the date that the contracting officer signed the official obligating document.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to implement procedures to ensure that amendments to travel relocation obligations are recorded in the proper period as part of ensuring the accuracy of obligation balances.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to strengthen payroll policies and procedures by including steps to follow to (1) test individual payroll transactions to ensure that transactions processed by the National Finance Center (NFC) are properly programmed and disbursed and (2) ensure that NFC promptly corrects any identified errors in payroll disbursements.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to enhance CFPB’s travel policies and procedures to expressly state that prior written approval be obtained for all reimbursed travel expenses.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to issue a memorandum to all staff on CFPB’s policy on obtaining prior written approval for all reimbursed travel expenses.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to modify CFPB’s existing procedures over the post-payment review process to require that CFPB conduct such reviews at least quarterly.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The director of the CFPB should direct the Chief Financial Officer to finalize and approve CFPB’s documented accounting policies and procedures to include requirements for thoroughly documenting all key accounting policies and procedures, clearly defining those performed by the Bureau of the Public Debt Administrative Resource Center (BPD-ARC) and those performed by CFPB, and identifying the personnel responsible for executing these processes to ensure accountability.
Agency Affected: Consumer Financial Protection Bureau
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.