Board of Governors of the Federal Reserve System
Semiannual Report to Congress
OFFICE OF INSPECTOR GENERAL
Dear Chairman Bernanke:

We are pleased to present our Semiannual Report to Congress which summarizes the activities of our office for the reporting period October 1, 2006, through March 31, 2007. The Inspector General Act requires that you transmit this report to the appropriate committees of Congress within thirty days of receipt, together with a separate management report and any comments you wish to make.

This will be my last semiannual report given I will be retiring on May 4, 2007. It has been a privilege serving as the Board’s Inspector General and I appreciate the support that you and other members of the Board have shown me and our office.

Sincerely,
/signed/
Barry R. Snyder

Enclosure
Introduction

Consistent with the Inspector General Act of 1978 (IG Act), as amended, the mission of the Office of Inspector General (OIG) of the Board of Governors of the Federal Reserve System (Board) is to
Congress has also mandated additional responsibilities that impact where the OIG directs its resources. For example, section 38(k) of the Federal Deposit Insurance Act, as amended, 12 U.S.C. 1831o(k), requires the Board’s OIG to review failed financial institutions supervised by the Board that result in a material loss to the bank insurance funds, and to produce, within six months of the loss, a report that includes possible suggestions for improvement in the Board’s banking supervision practices. In the information technology arena, the Federal Information Security Management Act of 2002 (FISMA), Title III of Public Law 107-347, provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. Consistent with FISMA’s requirements, we perform an annual independent evaluation of the Board’s information security program and practices, which includes evaluating the effectiveness of security controls and techniques for selected information systems.
OIG Staffing
Goals and Objectives

The OIG has identified three strategic goals and developed corresponding objectives to guide our work through 2008. For each strategic goal, we have also identified specific strategies to help achieve the underlying objectives. The diagram below depicts the relationship of the various elements of our strategic plan, within the context of our mission and values.
The OIG’s audit and attestation activities are designed to evaluate or examine certain aspects of the economy, efficiency, and overall effectiveness of the Board's programs and operations; the presentation and accuracy of the Board's financial statements, budget data, and financial performance reports; the effectiveness of internal controls governing the Board's contracts and procurement activities; the adequacy of controls and security measures governing the Board's financial and management information systems and the safeguarding of the Board's assets and sensitive information; and the degree of compliance with applicable laws and regulations related to the Board's financial, administrative, and program operations. The information below summarizes our work completed during the period, including our follow-up activities.

Audit of the Board's Payroll Process

During this reporting period, we completed an audit of the Board’s payroll processes. Based on a risk analysis performed during our initial scoping work, we focused our audit fieldwork on the Board's higher-risk core payroll processes, including the new hire process, the biweekly payroll cycle, and the processing of overtime and other types of premium pay. We performed this audit to ensure that the processes were adequately controlled, that they operated efficiently and effectively, and that they resulted in accurate pay and deduction calculations. Overall, we did not identify significant data errors, and a survey of all employees hired during 2005 did not identify any systemic problems. We found, however, that the Board’s payroll processes were inappropriately controlled, relying more on people than processes to pay Board staff. As a result, payroll-related activities are labor-intensive and inefficient, characterized by multiple data transcriptions, unnecessary document hand-offs, and redundant record-keeping.
Our fieldwork showed that staff involved in payroll processes are conscientious, dedicated individuals who collectively possess considerable institutional knowledge. However, we also found that responsibilities were misaligned between benefits and payroll staff and that processes for recording overtime and other types of premium pay were inconsistent and relied on manual forms and multiple spreadsheets to process the same information. In addition, our field work identified opportunities to increase the use of, and strengthen the controls over, automation. Our testing also identified compliance issues related to the payment of overtime for law enforcement personnel and the withholding of state income taxes for a defined group of employees. Specifically, our review of overtime payments identified about $487,000 paid to law enforcement personnel that was not paid in accordance with established Board guidelines; we classified these payments as questioned costs. We also found that the Board did not comply with requirements to withhold state taxes for employees who live and work outside the Washington, D.C., metropolitan area. We believe that the Board needs to fundamentally redesign its payroll-related processes. In our opinion, this redesign effort needs to be completed before payroll can be outsourced as currently contemplated, and before an opinion is requested on the adequacy of internal controls as part of future financial statement audits. Our report contains five recommendations related to control and process efficiency concerns. Our report also contains two recommendations to address the compliance issues described above. We provided a copy of our report to the director of the Management Division (MGT) for review and comment. We also provided copies of process flowcharts and narratives prepared during the audit to MGT staff for their use in ongoing work related to documenting and evaluating the adequacy of internal controls over financial reporting. 
In the director’s response, she indicated agreement with the report recommendations and discussed actions already underway or that will be taken to implement the recommendations. During the course of our audit, we also identified potential issues related to compliance with requirements of the Fair Labor Standards Act (FLSA) and the computation of overtime in accordance with the Board’s policy. We performed additional fieldwork related to these issues, and separately reported on the results of our analysis as discussed below. Our audit work also identified several records management issues related to electronic and hard-copy document retention. Although we did not consider these issues significant enough to include in our audit report, we provided the director of MGT with a separate letter discussing our concerns to assist in implementing our payroll audit recommendations.

Audit of the Board’s Compliance with Overtime Requirements of the Fair Labor Standards Act

As a result of the questions raised during our audit of the Board’s payroll process, we performed additional audit work related to the Board’s compliance with FLSA overtime requirements. Our audit objectives were to determine whether the Board’s payroll system correctly calculates FLSA overtime premiums and whether Board employees eligible to receive the premium have been appropriately identified in the system. As part of our audit, we analyzed payroll data and reviewed appropriate policies, laws, and regulatory guidance. Overall, we found that the software calculations for the FLSA overtime premium were correct and that the payroll system correctly identified staff eligible to receive premium, in accordance with current Board practice. However, we found that payroll staff must manually initiate the process to compute the premium and we identified instances where the payments were not processed.
Our audit work also identified other opportunities to enhance controls related to FLSA processing, as well as areas where Board policy does not adequately describe the current methods of calculating overtime for all Board employees. Our report contains two recommendations to address these concerns. We presented our audit results in a briefing to responsible MGT and Legal Division (Legal) officials. During the briefing, MGT officials generally concurred with our findings and discussed actions that have been or will be taken to address the recommendations.

Audit of the Federal Financial Institutions Examination Council’s Financial Statements for the Year Ended December 31, 2006

Each year, we contract for an independent public accounting firm to audit the financial statements of the Federal Financial Institutions Examination Council (FFIEC); the Board performs the accounting function for the FFIEC. KPMG LLP, our current contract auditors, planned and performed the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. The audit included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. The audit also included an assessment of the accounting principles used and significant estimates made by management, as well as an evaluation of overall financial statement presentation. During the reporting period, the auditors completed fieldwork related to the FFIEC audit and issued the audit report. In the auditors’ opinion, the FFIEC’s financial statements present fairly, in all material respects, the FFIEC’s financial position as of December 31, 2006, and the results of operations and cash flows for the year then ended, in conformity with accounting principles generally accepted in the United States of America.
To determine the auditing procedures needed to express an opinion on the financial statements, the auditors considered the FFIEC’s internal controls over financial reporting. Although the auditors’ consideration of the internal controls would not necessarily disclose all matters that might be material weaknesses, they noted no such matters. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, the auditors also performed tests of the FFIEC’s compliance with certain provisions of laws, regulations, and contracts since noncompliance with these provisions could have a direct and material effect on the determination of the financial statement amounts. The results of the auditors’ tests disclosed no instances of noncompliance required to be reported under Government Auditing Standards.

Agreed-Upon Procedures Reports

During this period, we issued three agreed-upon procedures reports to help MGT officials respond to the recommendations made during the 2005 financial statement audit and to assist them in verifying the accuracy of census data files. Specifically, the System’s actuary provided census data supporting certain financial statement disclosures for retirement and benefit amounts which we compared to data retrieved from the Board’s human resources management system. Our work was conducted in accordance with generally accepted government auditing standards, which incorporate financial audit and attestation standards established by the American Institute of Certified Public Accountants. These standards also provide guidance for performing and reporting the results of agreed-upon procedures.

Information Security Work

During the reporting period, we continued ongoing work related to our information security responsibilities under FISMA.
We updated our control testing methodology to reflect revised guidance in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems (SP800-53), and began two system control reviews using the revised assessment tool. We also completed fieldwork and issued three restricted reports related to information security, as described below.
During our 2006 information security audit, our work on configuration management identified several issues regarding the Board’s processes for establishing, implementing, and maintaining baseline system configurations. We performed this audit work in order to address reporting requirements established by the Office of Management and Budget (OMB) pursuant to FISMA. In July 2006, OMB issued memorandum M-06-20 to assist agencies in fulfilling their FISMA evaluation and reporting requirements. M-06-20 requires each agency’s OIG to report on specific security-related performance measures, including whether the agency has established an agencywide security configuration policy and the extent of the policy’s implementation regarding various hardware and software products. Based on OMB’s requirement, we reviewed pertinent documentation, interviewed staff responsible for establishing and maintaining configuration settings, and performed testing of actual configuration settings. We found that the Board’s Information Security Officer (ISO) had not developed specific procedures for establishing, monitoring, and remediating security settings. We also identified a few configuration settings in the production environment that differed from the documented baselines. We provided the Board’s Chief Information Officer (CIO) with two recommendations to address these concerns. In her response, the CIO partially agreed with our recommendations, but identified actions that, if fully implemented, will generally meet the intent of our recommendations.
During the previous reporting period, we began a control review over a banking supervision and regulation system maintained at the Board. Our objective, consistent with FISMA’s requirements, was to evaluate the adequacy of control techniques in place for protecting the system’s data from unauthorized access, modification, destruction, or disclosure. Our review showed that information security controls need to be strengthened in eight of the seventeen control families included in SP800-53. Because some of the issues we identified are more significant—either alone or in combination with other weaknesses—we classified several of our findings as “control deficiencies.” Our restricted report to management contained sixteen recommendations to address the weaknesses we identified. We provided our report to the directors of the Division of Information Technology, MGT, and the Division of Banking Supervision and Regulation (BS&R) for review and comment, and we will follow up on the implementation of the recommendations as part of our future audit activities related to the Board’s continuing implementation of FISMA.
During the previous reporting period, we also began a control review over a system developed and maintained by the Federal Reserve Bank of New York (FRBNY) on behalf of the Board’s Division of Monetary Affairs (MA). Our objective was to evaluate the adequacy of control techniques in place for protecting the system’s data from unauthorized access, modification, destruction, or disclosure. Our review showed that the system does not fully comply with the security requirements established by FISMA and implemented by the Board’s Security Program. We found that the Board had not provided guidance regarding FISMA or the Board’s Security Program to FRBNY staff responsible for the system. The system instead complies with requirements established by the security policies and procedures defined in the System’s new Information Security Manual (nISM) and Risk Management Process (RMP). While the nISM and RMP share similar objectives with FISMA and may have similar requirements in some areas, they differ from FISMA in their approach to information security protection as well as the extent to which standards promulgated by NIST apply. Our control review report contains thirteen recommendations designed to improve the system’s security controls. A joint response from MA and FRBNY states that they will work together to address the report’s recommendations.

Follow-up Work

Report on the Audit of the Board’s Outsourcing Operations Process and the Report on the Effectiveness of Administrative Controls over an Outsourced Contract

During this reporting period, we completed a follow-up of our April 2004 Review of the Board’s Outsourcing Operations Process and our June 2004 Review on the Effectiveness of Administrative Controls over an Outsourced Contract.
Our outsourcing audit report contained three recommendations designed to enhance the management of outsourcing contracts and the Board’s overall outsourcing approach; our audit report regarding administrative controls over a specific contract contained two recommendations related to contract modifications and use of the General Services Administration (GSA) schedules. Our follow-up work showed that sufficient action has been taken to close all five recommendations. Specifically:
Although we closed all of our recommendations related to our outsourcing audit work, we plan to periodically review outsourced contracts as part of future audit, inspection, and evaluation activities to ensure that the elements contained in our recommendations continue to be addressed. In communicating the results of our follow-up work to management, we also encouraged the Board to incorporate outsourcing requirements into future budget formulation processes.

Information Security Follow-up Work

As part of our ongoing FISMA-related audit work, we have followed up on outstanding recommendations related to information security. Our follow-up work found that sufficient action has been taken to close three of the open recommendations related to prior system control reviews. In addition, we have closed two outstanding recommendations from security-related audit reports as shown in the following table.
The Inspections and Evaluations program area encompasses OIG inspections, program evaluations, enterprise risk management activities, process design and life-cycle evaluations, and legislatively-mandated material loss reviews of failed financial institutions that the Board supervises. Inspections are generally narrowly focused on a particular issue or topic, and provide time-critical analysis that cuts across functions and organizations. In contrast, evaluations are generally focused on a specific program or function, and make heavy use of statistical and quantitative analytical techniques. Evaluations can also encompass other non-audit, preventive activities such as System Development Life Cycle projects, and participation on task forces and workgroups.

Extended Telecommuting / Pandemic Flu Pilot

During the period, the OIG conducted a four-week extended telecommuting/pandemic flu pilot with the objective of assessing OIG’s and the Board’s capacity to operate (1) in a full-scale telecommuting environment; and (2) during a pandemic flu scenario simulating various “points of failure,” such as unexpected absences and lapses in information technology (IT) and communications resources. The exercise started on Monday, January 29, 2007, and, for three weeks, we operated in an extended telecommuting environment where staff conducted most of the OIG’s project work from home. During week four, we operated under a pandemic flu scenario in which our offices were closed and all work had to be completed from home. The test was completed on Friday, February 23, 2007. We provided MGT’s officers and supervisors with a comprehensive overview of our pilot test results during a briefing conducted in March 2007, and are completing a final written report.

Follow-up Work

Evaluation of Service Credit Computations

During this reporting period, we completed a follow-up of our August 2005 Evaluation of Service Credit Computations.
The evaluation report contained three recommendations designed to strengthen or enhance controls over the service credit computation process. The first recommendation, which had three components, called for reducing or eliminating the number of data transcriptions, requiring automated verifications from the System’s outsourced vendor for all data transmissions, and performing periodic reconciliations between Board and the vendor’s systems. During the follow-up, we found that the MGT initiated an upgrade to the Board’s human resources management system that was to include the development of a custom module designed to eliminate some of the manual data transcriptions performed by MGT staff. The Board’s human resources management system upgrade is underway and scheduled to be completed in May 2007; however, due to other priorities, the customization of the service credit computation process has been postponed. This recommendation will remain open until the customization has been completed. In our second recommendation, we recommended that MGT enhance existing controls over the service credit computation process by redesigning the prior creditable service form to provide additional space and clear instructions for documenting all applicable types of prior service, and establishing a tickler file to ensure timely follow up of pending employee files. Our follow-up work revealed that the form has been modified to provide additional space and instructions. In addition, MGT has created a tickler system that notifies employees if information requested for verification of prior government or military service is not received within ninety days. We believe that sufficient actions have been taken to warrant closing this recommendation. Our third recommendation was to provide periodic employee reminders regarding deposits/redeposits and renouncements (to include dollar amounts) to help employees with retirement-related decisions. 
MGT processed a program change order with the outsourced vendor to create periodic employee reminders regarding unpaid deposits and/or redeposits; however, this change has not been finalized. During the follow-up, we were told that employees with prior military service will receive a generic letter indicating that they owe a deposit for time served in the military, with a contact number for questions. This letter, however, will not provide the dollar amount of the deposit because of the complexity of the calculation. The recommendation will remain open until the program change is finalized and implemented.

Investigations

The OIG’s Investigations program conducts criminal and administrative investigations relating to the Board’s programs and operations. To effectively carry out its mission, OIG special agents must possess a thorough knowledge of current federal criminal statutes and the rules of criminal procedure, as well as other rules, regulations, and court decisions governing the conduct of criminal, civil, and administrative investigations. OIG special agents have full law enforcement authority as a result of a blanket deputation agreement with the Department of Justice (U.S. Marshals Service). As Special Deputy U.S. Marshals, OIG agents are authorized to carry firearms, and to obtain and execute search and arrest warrants, as necessary. As the challenges to the federal law enforcement community have increased so, too, have the challenges to the financial regulators to implement new requirements for banks to detect illegal activities, such as money laundering and terrorist financing. As a result, the nature and complexity of our investigations have also increased the demands on our special agents.
During this reporting period, our criminal investigative activity involved leading or participating in multi-agency task forces where bank fraud, terrorist financing, and money laundering were often the potential crimes being investigated. In addition, OIG special agents continue to address allegations of wrongdoing related to the Board’s programs and operations, as well as violations of the Board’s standards of conduct.

Summary Statistics on Investigations for the Period October 1, 2006, through March 31, 2007
Hotline Operations

OIG special agents continue to review complaints received from the toll-free Hotline number, correspondence, email and facsimile communications, requests from System employees, and members of the public. The information received is analyzed to determine if further inquiry is warranted and provides the basis for potential investigations. Most hotline contacts were calls from consumers with complaints or questions about practices of private financial institutions. Those inquiries involved matters such as funds availability, account fees and charges, and accuracy and availability of account records. We also continued to receive numerous questions concerning how to process Treasury securities and savings bonds. Other hotline contacts were from individuals seeking advice about programs and operations of the Board, Federal Reserve Banks, other OIGs, and other financial regulatory agencies. These inquiries were directed to the appropriate Board offices, Reserve Banks, or federal or state agencies. In addition, we continually receive fictitious instrument fraud complaints. Fictitious instrument fraud schemes are those in which promoters promise very high profits based on fictitious instruments that they claim are issued, endorsed, or authorized by the System or a well-known financial institution. Our summary statistics of the hotline results are provided in the following table:

Summary Statistics on Hotline Results for the Period of October 1, 2006, through March 31, 2007
Legal Services

During this reporting period, the Legal Services Program provided comprehensive legal services to support the OIG’s “business side” (its audits, investigations, inspections, evaluations, and other professional and administrative functions). These services included legal advice, formal written opinions, counseling, and representation, all based upon extensive research and critical analysis of relevant laws, regulations, and policies. This work often provides the legal basis for conclusions, findings, and recommendations in various OIG reports. The Legal Services staff also keeps the IG and OIG staff aware of recent developments in the law that may have an impact on the activities of the OIG and the Board. The following illustrates a sample of the Legal Services staff’s work conducted during this reporting period:
Participation in the larger IG community plays an important role in the Legal staff’s activities. We remained active in the Council of Counsels to the Inspector General. For example, building upon our efforts from last summer, we have begun work to spearhead, again, a government-wide program for this year’s upcoming summer law interns in the various Inspector General offices. We also work with the IG community’s Legislation Committee on a variety of matters affecting the community. Finally, we participated this year, as we have previously, in the Government & Public Interest Law Internship Program of the George Washington University Law School.

In addition, pursuant to the IG Act, as amended, the Legal Services staff conducts independent reviews of new and proposed legislation and regulations to analyze and ascertain their potential effect on the economy and efficiency of the Board’s programs and operations. We reviewed twenty-seven legislative and regulatory items during this reporting period. The following table contains selected highlights of our work in this area.

Highlights of the OIG’s Review of Laws and Regulations, October 1, 2006, through March 31, 2007
While the OIG’s primary mission is to enhance Board programs and operations, we also coordinate externally and work internally to achieve our goals and objectives. Externally, we are active members of broader IG and professional communities and promote coordination on shared concerns. Internally, we continue to leverage IT to enhance and streamline business processes and to ensure the security of our information resources. Highlights of our activities follow:

Executive Council on Integrity and Efficiency (ECIE) Participation

The Board’s IG serves as the Vice Chair of the ECIE, which was created by Executive Order in 1992 to facilitate coordination among IGs of designated Federal entities. As Vice Chair, the Board’s IG provides leadership, vision, and direction to the ECIE, and represents the ECIE on the President’s Council on Integrity and Efficiency (PCIE). He promotes professionalism and coordination among the Councils’ membership, provides a forum to discuss government-wide issues and shared concerns, and facilitates work on a wide range of Council projects and initiatives. Collectively, the members of the ECIE continue to work with the members of the PCIE on a number of issues to help improve Government programs and operations.

Advisory Council on Government Auditing Standards

To help ensure that Government Auditing Standards (the "Yellow Book") continue to meet the needs of the audit community and the public it serves, the Comptroller General of the United States appointed the Advisory Council on Government Auditing Standards to review the standards and recommend necessary changes. The Council includes experts in financial and performance auditing drawn from all levels of government, private enterprise, public accounting, and academia. The Board’s IG participates as a member of the Advisory Council and provides perspective on a variety of issues and proposals related to the standards.
IT Infrastructure Enhancements

During this reporting period, the OIG continued its focus on upgrading and enhancing our IT infrastructure to more efficiently and effectively support the audit, evaluation, legal, and investigative work discussed in the earlier sections of our report. We have updated and strengthened our IT-related policies and procedures to better ensure OIG compliance with FISMA. In addition, we have consolidated this guidance into our newly-designed IT infrastructure database, providing us with an easy-to-use central repository for IT-related standards, profiles, inventories, and documentation.

Appendix 1

Audit Reports Issued with Questioned Costs for the Period October 1, 2006, through March 31, 2007
Appendix 2

Audit Reports Issued with Recommendations that Funds be Put to Better Use for the Period October 1, 2006, through March 31, 2007

Appendix 3

OIG Reports with Outstanding Recommendations

Appendix 4

Cross-References to the Inspector General Act
Inspector General Hotline

Report: Fraud, Waste or Mismanagement

You may also write the:

Footnote 1: A recommendation is closed if (1) the corrective action has been taken; (2) the recommendation is no longer applicable, or (3) the appropriate oversight committee or administrator has determined, after reviewing the position of the OIG and division management, that no further action by the Board is warranted. A recommendation is open if (1) division management agrees with the recommendation and is in the process of taking corrective action or (2) division management disagrees with the recommendation and we have referred it to the appropriate oversight committee or administrator for a final decision.