oversight

FHFA's Examination Program for the FHLBanks' Internal Audit Functions Was Adequately Designed and Executed

Published by the Federal Housing Finance Agency, Office of Inspector General on 2017-05-05.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

         Federal Housing Finance Agency
             Office of Inspector General




 FHFA’s Examination Program for
  the FHLBanks’ Internal Audit
Functions Was Adequately Designed
          and Executed




  Audit Report • AUD-2017-003 • May 5, 2017
               Executive Summary
               Created by Congress in 2008, the Federal Housing Finance Agency is charged
               by the Housing and Economic Recovery Act of 2008 with oversight of the
               housing related government-sponsored enterprises: the Federal National
               Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage
               Corporation (Freddie Mac), and the Federal Home Loan Bank System
AUD-2017-003   (FHLBank System) (collectively, the regulated entities).

May 5, 2017    FHFA conducts its supervision of the FHLBank System through its Division
               of Federal Home Loan Bank Regulation (DBR). One component of DBR
               examinations of the FHLBank System is review of the internal audit function.
               According to the Institute of Internal Auditors (IIA), “internal auditing is
               an independent, objective assurance and consulting activity” that uses “a
               systematic, disciplined approach to evaluate and improve the effectiveness
               of risk management, control, and governance processes.”

               In this audit, we assessed whether DBR’s examination program for internal audit
               functions within the FHLBank System has been adequately designed, if
               examination activities were executed and documented, and if supervisory
               determinations were supported. For this audit, we reviewed the DBR examinations
               of the internal audit functions of the 11 Federal Home Loan Banks (FHLBanks)
               and the Office of Finance for two examination cycles (review period). For 8 of the
               11 FHLBanks and the Office of Finance, we reviewed DBR’s workpapers related
               to the examination of the internal audit functions in 2015 and 2016. For the other 3
               FHLBanks, the 2016 examination was still ongoing as of October 2016 so we
               reviewed the 2014 and 2015 examinations for those banks. In total, we reviewed
               22 DBR examinations of internal audit functions of the FHLBanks and the Office
               of Finance.

               We found that the DBR examination program for internal audit functions within
               the FHLBank System was adequately designed and executed in a manner that
               provided adequate examination coverage during the review period. With two
               exceptions, we found that examination documentation supported DBR’s
               supervisory determinations with regard to FHLBanks’ internal audit functions
               during the review period. We determined the two exceptions were non-systemic;
               accordingly, we make no recommendations in this report.

               This report was prepared by Bob Taylor, Assistant Inspector General for Audits;
               James Lisle, Audit Director; Terese Blanchard, Auditor; April Ellison, Auditor;
               and Brian Maloney, Auditor. We appreciate the cooperation of FHFA staff, as well
               as the assistance of all those who contributed to the preparation of this report.
               This report has been distributed to Congress, the Office of Management and
               Budget, and others and will be posted on our website, www.fhfaoig.gov.

               Marla A. Freedman /s/
               Deputy Inspector General for Audits



AUD-2017-003
May 5, 2017
TABLE OF CONTENTS .............................................................
EXECUTIVE SUMMARY ........................................................................................... 2

ABBREVIATIONS ....................................................................................................... 5

BACKGROUND ........................................................................................................... 6
      Federal Home Loan Bank System .......................................................................... 6
      The Role of Internal Audit in the FHLBanks ......................................................... 6
      FHFA’s Division of Federal Home Loan Bank Regulation ................................... 7
      DBR’s Examination Process................................................................................... 7

FACTS AND ANALYSIS............................................................................................. 8
      Examination Guidance for DBR’s Examinations of the Internal Audit Functions
      within the FHLBank System Was Adequately Designed ....................................... 8
      DBR’s Examinations of Internal Audit Functions within the Federal Home Loan
      Bank System Provided Adequate Examination Coverage...................................... 9

CONCLUSION ............................................................................................................ 11

FHFA COMMENTS AND OIG RESPONSE ............................................................. 12

OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................... 13

APPENDIX: FHFA COMMENTS TO OIG REPORT ............................................... 15

ADDITIONAL INFORMATION AND COPIES ....................................................... 16




                                           OIG • AUD-2017-003 • May 5, 2017                                                  4
ABBREVIATIONS ...............................................................

AB                 Advisory Bulletin

DBR                Division of Federal Home Loan Bank Regulation

DER                Division of Enterprise Regulation

EIC                Examiner-in-Charge

Fannie Mae         Federal National Mortgage Association

FHLBank System     Federal Home Loan Bank System

FHFA or Agency     Federal Housing Finance Agency

FHLBank            Federal Home Loan Bank

Freddie Mac        Federal Home Loan Mortgage Corporation

IIA                Institute of Internal Auditors

IMS                Information Management System

OCA                Office of the Chief Accountant

OIG                Federal Housing Finance Agency Office of Inspector General

OPB                Operating Procedure Bulletin

PMOS               Prudential Management and Operations Standards

ROE                Report of Examination




                            OIG • AUD-2017-003 • May 5, 2017                    5
BACKGROUND ....................................................................

Created by Congress in 2008, FHFA has been given the statutory authority and
responsibility to examine the FHLBank System, Fannie Mae, and Freddie Mac.

Federal Home Loan Bank System

The FHLBank System consists of the 11 FHLBanks and the Office of Finance. As of
September 30, 2016, the FHLBank System had combined total assets of $1.036 trillion
with total consolidated obligations of approximately $969 billion.

The FHLBanks are organized under the authority of the Federal Home Loan Bank Act of
1932, as amended. Their mission is to provide reliable liquidity to member institutions to
support housing finance and community investment. Although federally chartered, the
FHLBanks are cooperatives that are privately and wholly owned by their members and
former members. Each FHLBank operates as a separate entity within a defined geographic
region of the country, known as its district, with its own board of directors, management,
and employees. As a condition of membership, each member must purchase and maintain
capital stock. Membership in an FHLBank is voluntary and is generally limited to
federally insured depository institutions, insurance companies, and eligible community
development financial institutions. As of September 30, 2016, the total number of
members was 7,150.

To accomplish their mission, the FHLBanks provide financial products and services to
their members, which include advances. These advances provide a readily available, low-
cost source of funds that assist and enhance a member’s financing of: (1) housing,
including single-family and multi-family housing serving consumers at all income levels;
and (2) community lending. In addition, certain of the FHLBanks provide members and
housing associates with liquidity through programs under which the FHLBank purchases
mortgage loans originated by the members. Through its Affordable Housing Program, the
FHLBanks provide assistance in the purchase, construction, or rehabilitation of homes
designed for seniors, the disabled, homeless families, first-time homeowners, and others
with limited resources or special needs. The Office of Finance serves as the fiscal agent of
the FHLBanks and was established to facilitate the issuance and servicing of FHLBank
debt, known as consolidated obligations, and to prepare the quarterly and annual combined
financial reports of the FHLBanks.

The Role of Internal Audit in the FHLBanks

One component of an FHLBank’s or the Office of Finance’s risk management framework
is the internal audit function. IIA defines internal auditing as “an independent, objective
assurance and consulting activity designed to add value and improve the organization’s
operations. It helps an organization accomplish its objectives by bringing a systematic,



                               OIG • AUD-2017-003 • May 5, 2017                                6
disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.” IIA has promulgated standards for the professional
practice of internal auditing. In addition, IIA requires an external quality assessment at
least once every five years to assess an entity’s internal audit function’s conformance with
IIA standards.

FHFA’s Prudential Management and Operations Standards (PMOS), 1 which establish
standards relating to the management and operations of its regulated entities, direct that the
internal audit function of each regulated entity should be independent, adequately staffed,
and should report to the Audit Committee of the Board of Directors of the regulated entity. 2
Standard 2 of the PMOS instructs, among other things, that the internal audit system of each
regulated entity should adequately test and review internal control and information systems;
conduct risk-based audits; and determine whether violations, findings, weaknesses and other
issues reported by regulators, external auditors, and others have been promptly addressed.

FHFA’s Division of Federal Home Loan Bank Regulation

FHFA has delegated to DBR the duties to supervise the FHLBanks and the Office of
Finance. DBR has adopted and implemented a risk-based supervision program consisting
of both on-site annual examinations and off-site monitoring of the FHLBanks and the
Office of Finance. Under the leadership of the Deputy Director of DBR, DBR has three
teams focused on safety and soundness examinations. As of December 5, 2016, DBR had
110 employees, including 46 safety and soundness examiners, and 2 examination
specialists who performed examination quality control functions. A third examination
specialist performed examination quality control functions on a temporary basis for part of
2016. In addition, FHFA’s Office of the Chief Accountant (OCA) provides resources to
DBR to perform examinations of internal audit functions and internal controls over
financial reporting within the FHLBank System.

DBR’s Examination Process

On an annual basis, the Examiner-in Charge (EIC) for each FHLBank and the Office of
Finance develops a supervisory strategy that identifies key areas of risk and addresses the
timeframe and the focus of the supervision for the next examination cycle. 3 In planning
the next examination, pre-examination analysis memoranda are prepared to support the
EIC’s decision to include or exclude risk areas from the examination scope. The
memoranda also describe how examiners will evaluate and test the quality and

1
  FHFA Prudential Management and Operations Standards, 12 C.F.R. pt. 1236, Appendix to Part 1236
(2016).
2
 The Office of Finance is not a regulated entity as the term is defined in the Federal Housing Enterprises
Financial Safety and Soundness Act as amended. Accordingly, the PMOS do not apply to the Office of
Finance.
3
  The supervisory strategy is prepared at the end of each annual examination and lays out the examination
strategy for the next examination cycle.



                                     OIG • AUD-2017-003 • May 5, 2017                                        7
effectiveness of the FHLBanks’ or the Office of Finance’s policies, procedures, and
internal controls related to the areas to be examined.

FHFA’s Examination Manual provides guidance and policies to DBR teams performing
examinations within the FHLBank System. Specifically, Part I of the Examination Manual
provides a description of the examination program, sets forth the processes examiners are
to follow when conducting examination activities at a regulated entity, and describes the
work products examiners are to produce during those examinations. 4 Part II of the
Examination Manual includes a general description of individual supplemental
examination modules. Of the 26 supplemental examination modules with detailed
examination guidance on specific risk areas, one relates to internal and external audit.

Supplementing the Examination Manual is DBR Operating Procedure Bulletin (OPB)
2012-DBR-OPB-03, Work Program Minimum Frequency, as updated February 7, 2014,
which establishes how often (annually, biennially, triennially), at a minimum, examiners
are to complete the various work programs in FHFA’s Examination Manual that cover the
scope of operations for an FHLBank or the Office of Finance. According to the OPB,
“core” FHLBank activities, such as advances funding, oversight and governance, and
information technology, have higher inherent risk and should be examined annually.
Activities that “support” core activities are deemed to have a lower inherent risk and the
associated work programs are to be completed biennially or triennially, at a minimum.

DBR officials reported to us that DBR considers internal audit a low risk function and
emphasized that they do not rely on testing performed by the internal auditors to reduce
the scope of their own examination testing. As directed in 2012-DBR-OPB-03, the
Internal and External Audit examination module of the Examination Manual should be
completed at least every other year, which is consistent with DBR’s view that internal
audit is considered a low risk function.


FACTS AND ANALYSIS .......................................................

Examination Guidance for DBR’s Examinations of the Internal Audit Functions
within the FHLBank System Was Adequately Designed

In November 2013, FHFA issued the Internal and External Audit examination module to
its Examination Manual, which includes guidance to examiners on assessing internal audit
functions of an FHFA-regulated entity. To evaluate the sufficiency of this guidance, we
compared the illustrative work steps included in the module as well as illustrative work
steps separately developed by OCA to: (1) the standards promulgated by the IIA and

4
 Pursuant to FHFA’s Examination Manual, DBR examiners post completed examination workpapers to
FHFA’s electronic recordkeeping system, called its Information Management System (IMS).




                                 OIG • AUD-2017-003 • May 5, 2017                                8
(2) the sections of FHFA’s PMOS Standard 2 covering the independence and adequacy of
internal audit systems. 5 We found that the illustrative work steps taken together with
background information contained within the Internal and External Audit examination
module addressed the IIA standards, and the Standard 2 sections related to the
independence and adequacy of internal audit systems.

We also compared FHFA’s Internal and External Audit examination module to a similar
manual 6 used by another Federal financial regulator, the Office of the Comptroller of the
Currency (OCC), and interviewed OCC officials responsible for examinations of internal
audit functions at national banks and federal savings associations. We found that FHFA’s
approach to the examination of internal audit functions was consistent with OCC’s
approach. 7

DBR’s Examinations of Internal Audit Functions within the Federal Home Loan Bank
System Provided Adequate Examination Coverage

As explained earlier, examiners must follow the processes set forth in FHFA’s
Examination Manual to plan, execute, and document examinations of FHLBanks. As the
work steps are executed, examiners must document analysis, findings, and conclusions in
the applicable work program. The results of this work are carried forward to the
conclusion memorandum for the applicable individual component ratings. The conclusion
memorandum is required to document the analysis used to arrive at the recommended
component rating. The overall results and ratings are then summarized and included in the
report of examination (ROE) issued to the FHLBank’s or the Office of Finance’s board of
directors.

We reviewed workpapers documenting the examinations of FHLBank and Office of
Finance System internal audit functions conducted within our review period and

5
  In 2011, prior to the issuance of the Internal and External Audit examination module, an OCA accountant
developed a checklist of work steps to assist examiners conducting exams of internal audit at Fannie Mae
and Freddie Mac. Because we found that some work programs used by OCA accountants and DBR
examiners to examine the internal audit functions of the FHLBanks during the two examination cycles
sourced work program steps from this checklist, rather than from the Internal and External Audit
examination module, we included the work steps in the Internal and External Audit examination module
and the OCA-developed checklist in our assessment.
6
  OCC, Comptroller’s Handbook booklet “Internal and External Audits” (Dec. 2016) (online at
https://www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-m-iea.pdf)
(accessed May 1, 2017).
7
  During fieldwork for this audit, FHFA issued Advisory Bulletin (AB) 2016-05, Internal Audit
Governance and Function, in October 2016, which rescinded and replaced three prior advisory bulletins on
the internal audit function. AB 2016-05 presents comprehensive guidance and supervisory expectations of
the regulated entities regarding (1) audit committee oversight of the internal audit function, (2) internal
audit independence and objectivity, and (3) internal audit attributes and operations. OCA officials told us
that the rescinded ABs on internal and external audit were out of date and not being used. OCA officials
also told us that, in connection with the issuance of this new AB, they plan to revise the Internal and
External Audit examination module within the next year.




                                     OIG • AUD-2017-003 • May 5, 2017                                         9
determined that the examination frequency requirement in 2012-DBR-OPB-03 was
followed. For nine of the FHLBanks and the Office of Finance during the two examination
cycles that we reviewed, the internal audit function was examined during both cycles,
exceeding the biennial examination requirement in the 2012-DBR-OPB-03. Our analysis
also found:

•   DBR issued 10 Matters Requiring Attention (MRAs) and 9 Recommendations related
    to internal audit functions at 8 FHLBanks and the Office of Finance over the course of
    the examination cycles that we reviewed. 8 These examination findings communicated
    concerns related to issues such as management of the internal audit function, internal
    audit planning and scoping of engagements, and the quality of the internal audit
    function’s audit committee reporting.

•   Supervisory strategies were documented and internal audit pre-examination analysis
    memoranda were prepared for each of the 24 examinations included in our review
    period. The planned work program steps detailed in these pre-examination analysis
    memoranda addressed internal audit risk factors identified in the supervisory
    strategies. We noted that, for two of the examinations, internal audit work was “scoped
    out” (not performed), as allowed by 2012-DBR-OPB-03.

•   Work programs were prepared and executed for 21 of the 22 internal audit
    examinations conducted during our review period. We found that the internal audit
    work programs for the FHLBanks and Office of Finance examinations, taken as a
    whole over the course of the two examinations in our review period, provided
    coverage of key aspects of internal audit as required by IIA standards and PMOS
    Standard 2. The one exception was the 2015 examination for the FHLBank of Chicago
    for which the internal audit examination work program was not completed before the
    ROE issued. The responsible OCA accountant unexpectedly had to take extended
    leave during the examination and did not upload a completed work program into IMS.

•   The results of testing documented in the internal audit work programs supported
    the supervisory determinations included in the conclusion memorandum for the
    management component and ROE for 20 of 22 internal audit examinations conducted.
    For one examination (the 2015 examination of the FHLBank of Chicago discussed
    above), the supervisory determinations in the conclusion memorandum for the
    management component could not be validated because the work program was not
    completed before the ROE issued.


8
  FHFA uses three categories of examination findings: (1) MRAs, (2) Violations, and (3)
Recommendations. MRAs are the most serious supervisory matters. For a complete description of each
category of examination findings, see OIG, FHFA’s Failure to Consistently Identify Specific Deficiencies
and Their Root Causes in Its Reports of Examination Constrains the Ability of the Enterprise Boards to
Exercise Effective Oversight of Management’s Remediation of Supervisory Concerns at 9 (Jul. 14, 2016)
(EVL-2016-008) (online at www.fhfaoig.gov/Content/Files/EVL-2016-008.pdf ) (accessed May 1, 2017).




                                    OIG • AUD-2017-003 • May 5, 2017                                       10
    For the other examination, the 2015 examination of the Office of Finance, we found
    that a conclusion memorandum for the management component had not been prepared.
    The EIC for this examination reported to us that examiners had not followed DBR
    policy because the Office of Finance is only rated on two of the seven CAMELSO 9
    components – Management and Operational Risk – and that the final component
    ratings were determined by collaborative discussions among the examination team.
    This ad hoc, undocumented practice is contrary to the Office of Finance examination
    module in FHFA’s Examination Manual, which requires that the conclusions for all
    examination work performed be documented in a memorandum that “include[s]
    recommended component ratings for Management and Operational Risk[.]” We
    discussed the lack of a conclusion memorandum with a DBR official, who
    acknowledged that one should have been prepared. We found that a conclusion
    memorandum for the management component was completed for the 2016
    examination of the Office of Finance, which was led by a different EIC.


CONCLUSION ....................................................................

We found that the DBR examination program for internal audit functions within the
FHLBank System was adequately designed and executed in a manner that provided adequate
examination coverage during the review period. With two exceptions, we found that
examination documentation supported DBR’s supervisory determinations with respect to the
FHLBank’s internal audit functions during the review period.
For one exception, we noted that the missing internal audit work program in the 2015
examination of the FHLBank of Chicago was attributable to an unusual circumstance: the
OCA accountant unexpectedly needed to take extended leave. For the other exception, while
the examiners did not prepare a conclusion memorandum for the management component in
the 2015 Office of Finance examination, the examiners did prepare a conclusion
memorandum in the 2016 examination for that office.
We considered these two documentation exceptions to be non-systemic. Accordingly, while
we emphasize the importance of compliance with documentation requirements defined in
FHFA’s Examination Manual, we make no recommendations in this report.




9
  CAMELSO is a risk-focused rating system under which each FHLBank and the Office of Finance is
assigned a composite rating based on an evaluation of various aspects of its operations. The individual
components are Capital; Asset Quality; Management; Earnings; Liquidity; Sensitivity to Market Risk; and
Operational Risk.



                                    OIG • AUD-2017-003 • May 5, 2017                                      11
FHFA COMMENTS AND OIG RESPONSE .............................

OIG provided FHFA an opportunity to respond to a draft report for this audit. In its
management response, which is included as an appendix to this report, FHFA stated that
they will continue to emphasize the importance of complete exam and adherence to FHFA
documentation standards. FHFA also provided technical comments that we incorporated
into the report, as appropriate.




                             OIG • AUD-2017-003 • May 5, 2017                            12
OBJECTIVE, SCOPE, AND METHODOLOGY .........................

We conducted this audit to determine whether FHFA’s DBR examination program for
internal audit functions within the FHLBank System is adequately designed, executed, and
sufficient to document examination activities and support supervisory determinations.

To accomplish our objective, we reviewed FHFA’s Internal and External Audit
examination module (November 2013) contained within FHFA’s Examination Manual
and examination documentation supporting DBR’s examinations of internal audit
functions within the FHLBank System. Our review period covered DBR examinations of
the FHLBanks’ and the Office of Finance’s internal audit functions for two examination
cycles. For nine of these entities (8 FHLBanks and the Office of Finance), we reviewed
DBR’s workpapers related to the examination of the internal audit functions in 2015 and
2016. For three entities (3 FHLBanks), the 2016 examination was still ongoing as of
October 2016 so we reviewed the 2014 and 2015 examinations for those entities.

Specifically, we performed the following.

•   Interviewed DBR and OCA management, EICs, examiners, and OCA accountants to
    gain an understanding of the examination approach used to evaluate internal audit
    functions within the FHLBank System.

•   Reviewed FHFA’s Examination Manual and Internal and External Audit examination
    module. We evaluated the illustrative work steps contained within the Internal and
    External Audit examination module to determine if they provided coverage of the
    broad categories of IIA’s Internal Auditing Standards and FHFA’s PMOS – Standard 2
    (12 C.F.R. Part 1236, Appendix).

•   Compared the examination approach and work steps contained in FHFA’s Internal and
    External Audit examination module to those used by another Federal financial
    regulator, OCC. In this regard, we reviewed the Comptroller’s Handbook booklet
    “Internal and External Audits” (December 2016) and interviewed OCC officials
    responsible for examination of internal audit functions at national banks and federal
    savings associations.

•   Reviewed the FHLBanks’ and the Office of Finance’s 2015 annual financial
    statements to identify factors in each entity that may impact the risks faced by the
    entity’s internal audit function.

•   Reviewed workpapers for the 11 FHLBanks and Office of Finance for examinations
    within our review period to determine whether:

       o DBR complied with the internal audit examination frequency requirements
         defined in 2012-DBR-OPB-03;


                                OIG • AUD-2017-003 • May 5, 2017                            13
       o DBR’s internal audit examination scopes were consistent with those planned in
         DBR’s (1) prior year supervisory strategy and (2) internal audit pre-
         examination analysis memo;

       o Work steps contained in DBR’s internal audit work programs provided
         adequate coverage of the FHLBank System’s internal audit functions;

       o Results/conclusions documented in DBR’s internal audit work program traced
         to (1) the findings memo(s) (if applicable), (2) the management conclusion
         memo, and (3) the ROE; and

       o DBR’s supervisory strategy for the subsequent year was informed by the
         current examination’s results and conclusions.

•   Interviewed DBR’s quality control review team and reviewed the results of reviews of
    internal audit examination workpapers completed within our review period.

We conducted this performance audit between October 2016 and May 2017 in accordance
with generally accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for the findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.




                              OIG • AUD-2017-003 • May 5, 2017                             14
APPENDIX: FHFA COMMENTS TO OIG REPORT .................

For help placing a file, see instructions on SharePoint

                       How to insert an Agency response letter.docx




                                OIG • AUD-2017-003 • May 5, 2017      15
ADDITIONAL INFORMATION AND COPIES .........................


For additional copies of this report:

•   Call: 202-730-0880

•   Fax: 202-318-0239

•   Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

•   Call: 1-800-793-7724

•   Fax: 202-318-0358

•   Visit: www.fhfaoig.gov/ReportFraud

•   Write:

               FHFA Office of Inspector General
               Attn: Office of Investigations – Hotline
               400 Seventh Street SW
               Washington, DC 20219




                                OIG • AUD-2017-003 • May 5, 2017                           16