OIG updated work plan adds focus to information security, compensation, and distribution of civil penalty funds


The most notable items added by the Office of Inspector General (OIG) to its work plan, updated as of July 7, 2014, are audits of the CFPB’s information security program, pay and compensation program, and distribution of civil penalty funds.

Information Security

Pursuant to the Federal Information Security Management Act of 2002 (“FISMA”), each agency Inspector General must annually evaluate the agency’s information security program. OIG will implement the statutory requirements by auditing

  • the Bureau’s compliance with FISMA and related information security policies, procedures, standards, and guidelines; and
  • the effectiveness of security controls and techniques for a subset of the Bureau’s information systems.

Pay and Compensation

The same 2010 Dodd-Frank legislation (“Dodd-Frank”) that created the CFPB requires it to provide employee compensation and benefits that are, at a minimum, comparable to those of the Board of Governors of the Federal Reserve System. As part of OIG’s audit of the Bureau’s pay and compensation program for compliance, OIG will evaluate the controls around setting employee pay.

Distribution of Civil Penalty Funds

Civil money penalties assessed by the prudential bank regulators are payable to the U.S. Treasury. By contrast, civil penalties obtained by the CFPB in either administrative or judicial actions must be paid into a Civil Penalty Fund (the “Fund”) established by Dodd-Frank. The purpose of the Fund is primarily to compensate consumers harmed by activities for which the civil penalties were imposed. A secondary purpose, to the extent that victims cannot be located or payment to them is impracticable, is to finance consumer education and financial literacy programs.

Although an audit of this fund was previously reported as being completed and no longer a “work in progress,” it appears there is more work to be done. OIG will audit the internal controls related to the Fund and will assess

  • the effectiveness of internal controls surrounding the distribution of money to victims, payment of administrative costs, and financing of consumer education and financial literacy programs;
  • compliance with applicable policies and procedures.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:


Ballard Spahr LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.