Management Report: Opportunities for Improvement in the Bureau of Consumer Financial Protection's Internal Controls and Accounting Procedures
Highlights
What GAO Found
During our audit of CFPBs fiscal year 2011 financial statements, we identified seven internal control issues that could adversely affect CFPBs ability to meet its internal control objectives. We do not consider these issues to represent material weaknesses or significant deficiencies in relation to CFPBs financial statements. Nonetheless, we believe they warrant managements attention and action. These issues concern necessary controls to ensure
- complete and finalized documentation of CFPBs accounting processes and procedures,in relation to CFPBs financial statements. Nonetheless, we believe they warrant managements attention and action. These issues concern necessary controls to ensure
- an effective internal control assessment process supporting managements internal control assertion,
- security over CFPBs data and information systems,
- accurate calculation and timely recording of CFPB undelivered orders balances,
- accurate calculation and timely disbursement of CFPB payroll transactions,
- proper prior approval of CFPB travel transactions, and
- timely recording of CFPB prepaid expenses as assets.
These issues increase the risk of CFPB not preventing or promptly detecting and correcting (1) misappropriation of assets because of reliance on insufficient internal controls; (2) unauthorized access, modification, or both of its data; and (3) misstatements in its financial statements. At the end of our discussion of each of these issues in the sections that follow, we present our related recommendations. These recommendations are intended to improve managements oversight and controls and minimize the risk of misappropriation of assets, misstatements in CFPBs accounts and financial statements, and unidentified vulnerabilities over the security of its data.
Why GAO Did This Study
In November 2011, we issued our opinion on the Bureau of Consumer Financial Protections (CFPB) fiscal year 2011 financial statements. Our report also included our opinion on the effectiveness of CFPBs internal control over financial reporting as of September 30, 2011, and our evaluation of CFPBs compliance with provisions of selected laws and regulations for the fiscal year ended September 30, 2011.
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, referred to as the Consumer Financial Protection Act of 2010, created CFPB. The act charged it with the responsibility of regulating the offering and provision of consumer financial products or services under the federal consumer financial laws. The act also requires CFPB to annually prepare financial statements, and further requires GAO to audit these statements. The Full-Year Continuing Appropriations Act, 2011, also requires that GAO audit CFPBs financial statements. While CFPB began operations in 2010, fiscal year 2011 was its first full year of operations. As a newly established entity, CFPB spent the majority of fiscal year 2011 forming its structure and commencing operations.
The purpose of this report is to present additional information on the internal control and accounting procedure issues we identified during our audit of CFPBs fiscal year 2011 financial statements and to provide our recommended actions to address those issues.
Recommendations
We are making 10 recommendations for strengthening CFPBs internal controls and accounting procedures.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to finalize and approve CFPB's documented accounting policies and procedures to include requirements for thoroughly documenting all key accounting policies and procedures, clearly defining those performed by the Bureau of the Public Debt Administrative Resource Center (BPD-ARC) and those performed by CFPB, and identifying the personnel responsible for executing these processes to ensure accountability. |
During the fiscal years 2012 through 2014, the Consumer Financial Protection Bureau developed and finalized several policies and procedures including those related to the Civil Penalty Fund, the Legal or Equitable Relief Fund, and the Misc. Receipt Fund. While we recognize that CFPB is continuing to develop and implement new procedures as it grows, we determined that the actions taken as of September 30, 2014 were sufficient to address our recommendation. Therefore, we consider this recommendation closed.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to augment CFPB's internal control review procedures to include (1) all components of CFPB controls (including controls over financial reporting services provided to CFPB), (2) all key laws and regulations governing CFPB's financial reporting functions, and (3) monitoring steps to ensure procedures are completed in time for management to consider in its required annual internal control assertion. |
CFPB implemented this recommendation and during fiscal year 2012, CFPB (1) assessed and tested the internal controls over high and medium-risk areas identified by CFPB's internal control team to include controls over financial reporting services provided to CFPB, (2) analyzed applicable laws and regulations which potentially impact CFPB's internal controls and financial reporting process, and (3) timely completed documentation to support management's annual assertions of internal control. As a result, CFPB has reduced the risk of relying on insufficient internal controls over financial reporting when concluding on the effectiveness of such controls.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Information Officer to establish an agency-wide information security program in accordance with FISMA guidance. Such a program should clearly delineate the roles and responsibilities of CFPB and its service providers in maintaining effective security over the systems and information CFPB relies on for its financial reporting. Specifically, this program should include provisions for periodic CFPB risk assessments; policies and procedures that include related security plans; periodic management testing and evaluation of all major systems; a remedial action process to address any deficiencies found during monitoring and testing; procedures for detecting, reporting, and responding to security incidents; security awareness training for agency employees, contractors, and other service providers; continuity of operations plans and procedures for information systems; and a process for evaluating the information system security of any and all service providers. |
In fiscal year 2013 the agency developed, documented, and implemented an Information Security Program. We reviewed the Information Security Program during our fiscal year 2014 audit and determined that the actions taken were sufficient to address our recommendation. Therefore, we consider this recommendation closed.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to implement procedures to ensure that contracting officers verify that the date an obligation is recorded in the Procurement Request Information System Management (PRISM) system corresponds to the date that the contracting officer signed the official obligating document. |
In October 2012, CFPB updated its Policy for Internal Procurement Data Review to require the Office of Procurement to (1) review contract award dates against the posting dates recorded in the general ledger and (2) on a quarterly basis to randomly sample and compare the contract award date against the general ledger posting date to ensure obligations are recorded in a timely manner in the financial system. Furthermore, CFPB's accounting services provider updated its procedures to specifically state that awards and modifications that obligate funds must be approved in the procurement requisition management system on the day the award is signed. As a result, CFPB has reduced the risk of inaccurate undelivered orders balances in its financial statements.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to implement procedures to ensure that amendments to travel relocation obligations are recorded in the proper period as part of ensuring the accuracy of obligation balances. |
During our work on the fiscal year 2013 financial audit, we evaluated the status of the recommendation we made to CFPB in GAO-12-528R. Specifically, we found that CFPB implemented additional procedures and corrective actions as of November 19, 2012 over the undelivered order subledger to general ledger reconciliation that includes reviewing travel related purchase activity for September and October. If offsetting activity is identified and it is determined that a mistake was made, CFPB corrects the error by posted a journal entry to the general ledger.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to strengthen payroll policies and procedures by including steps to follow to (1) test individual payroll transactions to ensure that transactions processed by the National Finance Center (NFC) are properly programmed and disbursed and (2) ensure that NFC promptly corrects any identified errors in payroll disbursements. |
During our work on the fiscal year 2013 financial audit, we evaluated the status of the recommendation we made to CFPB in GAO-12-528R. Specifically, we found that CFPB implemented strengthened payroll policies and procedures that included payroll process mapping and testing and procedures to review changes in payroll transactions on a pay period basis.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to enhance CFPB's travel policies and procedures to expressly state that prior written approval be obtained for all reimbursed travel expenses. |
In May 2012, CFPB revised its Policy on Travel Cards and Temporary Duty Travel to require supervisors to approve all travel authorizations prior to the trip start date. The policy requires travelers to submit travel authorizations along with a signed Travel Authorization Form which details the expenses to be incurred on travel. Further, the revised travel policy and Travel Authorization Form were sent to all CFPB staff via e-mail and are also posted on CFPB's internal website. As a result, CFPB has reduced the risk of incurring inappropriate expenses.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to issue a memorandum to all staff on CFPB's policy on obtaining prior written approval for all reimbursed travel expenses. |
In May 2012, CFPB revised its Policy on Travel Cards and Temporary Duty Travel to require supervisors to approve all travel authorizations prior to the trip start date. The policy requires travelers to submit travel authorizations along with a signed Travel Authorization Form which details the expenses to be incurred on travel. Further, the revised travel policy and Travel Authorization Form were sent to all CFPB staff via e-mail and are also posted on CFPB's internal website. As a result, CFPB has reduced the risk of incurring inappropriate expenses.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to modify CFPB's existing procedures over the post-payment review process to require that CFPB conduct such reviews at least quarterly. |
In October 2012, CFPB developed its Policy and Procedures for Advances and Prepaid Expenses to require the Office of the Chief Financial Officer to (1) review obligations and expenditures over its $250,000 materiality threshold to ascertain that advances and prepayments are properly classified initially as assets and expensed as goods or services are received, and (2) at least quarterly notify CFPB's accounting services provider of material advances and prepayments that should be established as assets, and of the amounts and timing of expensing those assets. Furthermore, CFPB implemented a Review/Approval Checklist to document the procedures for identifying and reviewing obligations and expenditures over the materiality threshold to ensure advances and prepaid expenses are properly recorded. The Review/Approval Checklist requires the review of quarterly financial statements and supporting details to ensure that the financial statements accurately reflect the asset balances and expenses. As a result, CFPB has improved the reliability of net cost information and total assets reported on its financial statements.
|
Consumer Financial Protection Bureau | The director of the CFPB should direct the Chief Financial Officer to incorporate into CFPB's policies and procedures the requirement for its contracting officer technical representatives (COTRs) to indicate on the invoice approval form whether a transaction should be classified as a prepayment. |
In October 2012, CFPB developed its Policy and Procedures for Advances and Prepaid Expenses to require the Office of the Chief Financial Officer to (1) review obligations and expenditures over its $250,000 materiality threshold to ascertain that advances and prepayments are properly classified initially as assets and expensed as goods or services are received, and (2) at least quarterly notify CFPB's accounting services provider of material advances and prepayments that should be established as assets, and of the amounts and timing of expensing those assets. Furthermore, CFPB implemented a Review/Approval Checklist to document the procedures for identifying and reviewing obligations and expenditures over the materiality threshold to ensure advances and prepaid expenses are properly recorded. The Review/Approval Checklist requires the review of quarterly financial statements and supporting details to ensure that the financial statements accurately reflect the asset balances and expenses. As a result, CFPB has improved the reliability of net cost information and total assets reported on its financial statements.
|