
FHFA Can Strengthen Controls over Its Office of Quality Assurance

Published by the Federal Housing Finance Agency, Office of Inspector General on 2013-09-30.


Audit Report  AUD-2013-013  September 30, 2013
Synopsis

Why OIG Did This Report
The Office of Quality Assurance (OQA) of the Federal Housing Finance Agency (FHFA or the agency) is a crucial internal control for the agency’s examinations of the housing government-sponsored enterprises (GSEs). Internal controls, when effective, give FHFA management greater assurance that the agency can achieve its mission, operate effectively and efficiently, report reliably, and comply with applicable laws and regulations.

Per its charter, OQA conducts internal reviews of FHFA’s divisions that directly meet the agency’s statutory supervisory and regulatory mission (i.e., examination and examination support functions). The agency uses OQA reviews to enhance the effectiveness of FHFA’s supervision of the housing GSEs, helping to ensure that they operate in a safe and sound manner and provide liquidity for the housing market. OQA reviews also can complement oversight by the Government Accountability Office (GAO) and the FHFA Office of Inspector General (OIG).

OIG conducted this performance audit to assess controls related to the (1) effectiveness of OQA’s review of FHFA’s examination and examination support functions and (2) extent of OQA’s coverage of other FHFA functions that may pose significant risks.

What OIG Found
OQA generally conducted effective, risk-based reviews of FHFA’s examination and examination support functions. Further, OIG validated that in four of OQA’s reports the conclusions, findings, and recommendations were supported by adequate evidence.

However, most of OQA’s 22 recommendations have not been fully or promptly resolved, primarily because OQA did not (1) require FHFA to respond formally in writing and commit to specific timelines for completing corrective actions and (2) follow up on corrective actions. As of March 31, 2013:

   • 8 recommendations remained open, 6 of them for 520 or more days. These included suggesting:
        o the Division of Enterprise Regulation (DER)—responsible for supervising the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (collectively, the enterprises)—to establish a comprehensive quality control review process for examination work products, and
        o the Division of Bank Regulation (DBR) to assess examination resource needs and priorities to ensure it provides sufficient coverage of the Federal Home Loan Banks (FHLBanks).
   • 14 recommendations were reported as “closed,” but OQA had not validated 7 to ensure that the proposed corrective actions had been implemented or adequately addressed the recommendations. For example, without confirming that corrective actions had been implemented, OQA closed recommendations intended to ensure that DER monitors examination findings to verify that appropriate reporting occurs.

Addressing OQA recommendations in a complete and timely manner can help FHFA ensure the quality of its examinations and maximize the value of its investment in OQA.

In addition, OQA’s risk-based reviews do not cover all of FHFA’s offices. The present focus of OQA on examination and related support functions excludes key agency operations, such as the Office of Conservatorship Operations (OCO), which approves management decisions affecting the enterprises. FHFA needs to assess the potential benefits of broadening the scope of OQA’s operations, which can help ensure that the most critical risks to FHFA receive commensurate oversight.

What OIG Recommends
FHFA should strengthen controls over OQA reporting and follow up. In addition, FHFA should evaluate the roles and responsibilities of OQA across the agency and revise OQA’s charter accordingly. FHFA should also assess the risks across all agency operations for purposes of planning OQA review coverage, and direct performance reviews of those areas that pose the most significant risks to FHFA.

FHFA provided comments agreeing with the recommendations in this report.

TABLE OF CONTENTS

ABBREVIATIONS

PREFACE

BACKGROUND
      FHFA’s Mission and the Office of Quality Assurance
      Importance of Internal Controls
      OQA’s Internal Reviews

FINDINGS
      1. OQA’s Effectiveness Can Be Enhanced by Strengthening Its Reporting and Follow up on Recommendations
            OQA Recommendations Remain Open for Extended Periods
            OQA Closed Recommendations Without FHFA Management Fully Addressing Them
            OQA Does Not Require Written Responses to Recommendations
      2. OQA Does Not Cover Other Critical FHFA Functions

CONCLUSIONS

RECOMMENDATIONS

OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX A
      FHFA’s Comments on OIG’s Findings and Recommendations

APPENDIX B
      OIG’s Response to FHFA’s Comments

APPENDIX C
      Summary of Management’s Comments on the Recommendations

APPENDIX D
      Open Recommendations Aging Status as of March 31, 2013, for Recommendations Issued in 2011 and 2012

ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

COO                Chief Operating Officer

DBR                Division of Bank Regulation

DER                Division of Enterprise Regulation

DEPS               Division of Examination Programs and Support

DHMG               Division of Housing Mission and Goals

DSPS               Division of Supervision Policy and Support

ECIC               Executive Committee on Internal Controls

Fannie Mae         Federal National Mortgage Association

FHFA or agency     Federal Housing Finance Agency

FHLBank            Federal Home Loan Bank

Freddie Mac        Federal Home Loan Mortgage Corporation

GAO                Government Accountability Office

GSE                Government-Sponsored Enterprise

OCO                Office of Conservatorship Operations

OIG                Federal Housing Finance Agency Office of Inspector General

OMB                Office of Management and Budget

OMWI               Office of Minority and Women Inclusion

OQA                Office of Quality Assurance

OSI                Office of Strategic Initiatives

ROE                Report of Examination




PREFACE

As a federal agency, FHFA is required to implement internal controls that help it meet
its mission, goals, and objectives and to minimize risks associated with its programs
and operations. One such control is the agency’s OQA, which is intended to enhance the
effectiveness of FHFA’s supervision of the housing GSEs. OQA reviews the agency’s
divisions that directly meet the agency’s statutory supervisory and regulatory mission. These
divisions are responsible for ensuring that the GSEs operate in a safe and sound manner.

In June 2012, OIG reported on internal control matters associated with FHFA’s quality
assurance processes for FHLBank examinations.1 In a related internal audit memorandum,
OIG identified several matters that warranted attention and encouraged FHFA to prepare
annual OQA plans related to FHLBank examinations, to prepare guidance for OQA staff
regarding FHLBank examination quality activities, and to document the process for
addressing OQA recommendations. Subsequently, OIG initiated this performance audit to
assess the (1) effectiveness of OQA’s review of FHFA’s examination and examination
support functions and (2) extent of OQA’s coverage of FHFA’s other functions that pose
significant risks.

OIG is authorized to conduct audits, evaluations, investigations, and other studies pertaining
to FHFA’s programs and operations. As a result of its work, OIG may recommend policies
that promote economy and efficiency in administering FHFA’s programs and operations,
or that prevent and detect fraud, waste, and abuse in them. OIG believes that this report’s
recommendations will improve FHFA’s internal controls to help it achieve its mission.

OIG appreciates the cooperation of all those who contributed to this audit, which was led by
Alisa Davis, Acting Assistant Inspector General for Audits, who was assisted by Mai Nguyen,
Audit Manager, and Theodore Kirby, Senior Auditor.

This audit report will be distributed to Congress, the Office of Management and Budget, and
others, and will be posted on OIG’s website, www.fhfaoig.gov.



Russell A. Rau
Deputy Inspector General for Audits

1 OIG, FHFA’s Supervisory Framework for Federal Home Loan Banks’ Advances and Collateral Risk Management (AUD-2012-004) (June 1, 2012); online at http://www.fhfaoig.gov/Content/Files/AUD-2012-004.pdf.

BACKGROUND

FHFA’s Mission and the Office of Quality Assurance

The Housing and Economic Recovery Act of 2008 established FHFA as the regulator and
supervisor of the GSEs: Fannie Mae, Freddie Mac, and the 12 FHLBanks. FHFA’s mission is
to ensure the GSEs are safe and sound and that they serve as a reliable source of liquidity and
funding for housing finance and community investment.

FHFA’s Strategic Plan Fiscal Years 2013-2017 sets four strategic goals for FHFA:2

      1. Ensure safe and sound housing GSEs;
      2. Facilitate stability, liquidity, and accessibility in housing finance;
      3. Preserve and conserve enterprise assets; and
      4. Prepare for the future of housing finance in the United States.

To accomplish its mission and strategic goals, FHFA has organized itself into several divisions and offices to provide supervision, regulation, and housing mission oversight of the GSEs and to manage the conservatorships of Fannie Mae and Freddie Mac.

FHFA’s supervision and housing mission divisions consist of DBR, DER, the Division of Supervision Policy and Support (DSPS),3 and the Division of Housing Mission and Goals (DHMG).

FHFA’s other offices include, but are not limited to, the Office of the Director, OCO, the Office of Strategic Initiatives (OSI), and the Office of Minority and Women Inclusion (OMWI).

Supervision and Housing Mission Divisions

Division of Bank Regulation is responsible for supervising the FHLBanks and the Office of Finance and performs monitoring and examinations of these entities.

Division of Enterprise Regulation is responsible for supervising Fannie Mae and Freddie Mac and performs monitoring and examinations of them.

Division of Supervision Policy and Support provides support and specialized resources for both DBR and DER examinations.

Division of Housing Mission and Goals is responsible for overseeing the housing mission and goals of the enterprises and of the housing finance and community and economic development mission of the FHLBanks.

2 FHFA, Strategic Plan Fiscal Years 2013-2017, at 2 (October 9, 2012); accessed August 26, 2013, at http://www.fhfa.gov/webfiles/24790/Final%20FHFA%20Strategic%20Plan-10-9-12.pdf.
3 DSPS was formerly structured as the Division of Examination Programs and Support (DEPS).

FHFA established OQA in 2011 to perform internal reviews of FHFA’s supervision and
housing mission divisions: DBR, DER, DSPS, and DHMG. FHFA’s strategic plan states that
the agency will use quality assurance reviews to enhance the effectiveness of its supervision,
which entails ongoing monitoring and targeted examinations.

OQA started performing reviews in March 2011 but was formally chartered in September
2011. OQA reports to the chief operating officer (COO). OQA began with one associate
director, two managers, and seven staff. As of March 31, 2013, OQA had one manager and
eight staff. The associate director and one manager transferred to other FHFA divisions.

Importance of Internal Controls

FHFA has various internal controls, one of which is OQA.4 GAO issues standards for internal
control in the government, and the Office of Management and Budget (OMB) Circular A-123,
Management's Responsibility for Internal Control, provides the specific requirements for
assessing and reporting on controls. Internal control is an “integral component of an
organization’s management that provides reasonable assurance that the following objectives
are being achieved: effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and regulations.” Internal control is a major
part of managing an organization.

One of the internal control standards—monitoring—addresses assessing the quality of internal
control performance over time and ensuring that the findings of audits and other reviews are
promptly resolved.5

OQA’s Internal Reviews

Through March 2013, OQA completed 27 quality assurance reviews and quality control
checks. OQA defines a review as an objective internal assessment of the effectiveness of the
system of internal controls employed by FHFA and management to achieve its goals. Reviews
are designed to assess the business unit’s processes or specific operations, or to address
special requests made by FHFA management. According to OQA, reviews incorporate risk
management techniques as well as aspects of application controls and technology.



4 FHFA established the Executive Committee on Internal Controls (ECIC) in April 2012 to comply with OMB Circular A-123, which recommends that agencies form senior management councils to assess and monitor deficiencies in internal controls. One of the ECIC’s tasks is to monitor and track findings, deficiencies, recommendations, and corrective actions from internal and external evaluations and reviews.
5 Internal control standards and the definitions of internal control are based on GAO, Standards for Internal Control in the Federal Government (November 1999).

In contrast, an OQA quality control check is an assessment of the quality of a division’s
interim product before the deliverable is finalized. OQA no longer performs these quality
control checks because it has focused on the more robust quality assurance reviews. See
Figure 1 for a timeline of the work performed by OQA.

                                   FIGURE 1. TIMELINE OF OQA’S WORK

 2011          March
                               OQA started
                 April
                  May
                 June
                               Completed 11 Quality Control Checks of FHLBanks’ reports
                                of examination (ROEs)
                  July
               August
           September           OQA formally chartered
              October          Completed 2 Reviews of DER’s ROE Compilation Process (1 report)
           November            Completed 2 Reviews of DBR’s ROE Compilation Process (1 report)
                               Completed 2 Quality Control Checks of FHLBanks’ ROEs
           December
 2012         January
             February
               March
                 April         Completed 2 Quality Control Checks of FHLBanks’ ROEs
                  May          Completed 3 Reviews of DBR functions
                 June          Completed 1 Review of DSPS function
                  July         Completed 1 Review of DHMG function
               August
                               Completed 1 Review of COO function (requested by COO)
           September
              October
           November
           December
                             Prepared draft OQA Policies and Procedures Manual
 2013         January
                             Completed 2 Reviews of DSPS functions
             February
               March           Finalized OQA Policies and Procedures Manual

Source: OIG analysis based on information provided by FHFA.




FINDINGS

    1. OQA’s Effectiveness Can Be Enhanced by Strengthening Its Reporting and
       Follow up on Recommendations

Overall, OQA was effective in evaluating FHFA’s supervisory and regulatory functions
because it completed or was in the process of completing all of its planned work for 2012,
reviewed all areas it deemed to be high risk, and reported findings and recommendations that
led to management improvements. Additionally, OQA’s risk assessments, work plans, and
completed work products were adequate for the reviews performed. For example, OQA
completed a risk assessment that identified the relative risk of FHFA’s examination functions,
and OQA performed work based on the areas posing the more significant risk. When doing
so, it considered external and internal risks, consistent with internal control standards. Further,
OIG validated that four OQA reports were based on the evidence supporting OQA’s findings,
recommendations, and conclusions.

However, OQA did not consistently ensure that FHFA management promptly resolved
reported findings and recommendations, closed certain recommendations without validating
whether management actions addressed them, and did not require written responses to
recommendations.

    OQA Recommendations Remain Open for Extended Periods

As of March 31, 2013, 8 of 22 OQA recommendations (or 36%)—made before 2013 that relate to FHFA’s examination and examination support functions—remained open, as shown in Figure 2. (See Appendix D for more details on all eight open recommendations.) Six of the eight recommendations (or 75%) had been open for 520 or more days as of March 31, 2013. These six recommendations were the result of two October 2011 OQA reports that relate to FHFA examinations.6

FIGURE 2. STATUS OF IN-SCOPE OQA RECOMMENDATIONS

Issuance Date      2011      2012      Total
Open                  6         2          8
Closed                5         9         14
Total                11        11         22
% Open              55%       18%        36%

Source: OIG analysis of information provided by FHFA.

For example, OQA identified concerns about examination work papers used to support findings and documentation of the supervisory review. In some cases, mandatory examination documents missed required information or contained inexact information. OQA also reported that examination products and processes were not subject to a comprehensive quality control review process. A lack of quality control review could result in FHFA directing the GSEs to take action that is not supported by its examinations or may result in unmitigated risk if examination findings are not completely and accurately reported. OQA therefore recommended that FHFA establish a comprehensive quality control review process for examination reports, work papers, and other examination work products.

6 OQA stated it was aware that FHFA had potentially taken corrective actions in response to its recommendations. However, OQA had not performed follow up activities to confirm that corrective actions were completed.

OQA also recommended that FHFA assess examination resource needs and priorities
as warranted, and that examination supervisors monitor the completion and filing of
assignments. Regarding the open recommendation about assessing resource needs, inadequate
staffing can result in insufficient coverage of the risks identified in the examiners’
assessments and planning. As such, FHFA may not have comprehensive supervision
concerning the GSEs’ safety and soundness. GSE processes and functions posing the highest
risk should receive the highest examination priority to ensure that the agency highlights areas
requiring action to mitigate risk to an acceptable level.

Standards for internal control state that there should be policies and procedures governing
prompt resolution of findings. Further, OMB Circular A-123 states, “Agency managers
are responsible for taking timely and effective action to correct deficiencies. Correcting
deficiencies is an integral part of management responsibility and must be considered a priority
by the agency.”

   OQA Closed Recommendations Without FHFA Management Fully Addressing Them

Of the 14 recommendations OQA closed, 7 (or 50%) were closed without FHFA management
completing actions to address the recommendations. For example, five recommendations
were closed even though DER’s management stated that it only partially addressed the
recommendations or was working on actions that would address them. These
recommendations to DER included:

   • Coordinating with DEPS (now DSPS) on the preparation of FHFA’s new examiner guidance manual and related material;
   • Monitoring the frequency and number of instances in which findings are removed from draft examination reports when an enterprise objects to the findings, to identify trends that may indicate undue influence; and
   • Encouraging examiners in meetings with the enterprises to prepare minutes and have at least two employees in attendance at interviews to avoid the appearance that the enterprises have too much influence over the contents of the examination reports.

OQA closed the seven recommendations without evaluating whether corrective actions had
been implemented or whether the actions had adequately addressed the recommendations.
Instead, OQA relied on management’s assertion that it would make the recommended
corrections.

In addition to accepting management’s assertion as the basis for closing certain
recommendations, OQA closed two recommendations based on its judgment—but again
without validation—that management had taken responsive action to address the reported
findings. OQA closed these two recommendations based on an organizational change FHFA
made, rather than its management directly addressing the recommendation. When OIG
inquired about the rationale for closing these two recommendations, OQA management
acknowledged that it should have characterized the recommendations’ status as “postponed to
be re-addressed.”

Standards for internal control state:

       The resolution process begins when audit or other review results are reported
       to management, and is completed only after action has been taken that
       (1) corrects identified deficiencies, (2) produces improvements, or
       (3) demonstrates the findings and recommendations do not warrant
       management attention.

   OQA Does Not Require Written Responses to Recommendations

The primary reason that OQA recommendations remained open beyond a year or were
prematurely closed is that OQA policy allows reports to be issued without written
management responses, including a commitment to and specific timelines for corrective
action. OQA management stated that either verbal or written management responses are
acceptable.

The lack of written responses means that OQA has neither specific timelines for anticipated
closure of recommendations nor agreed-upon corrective action as a basis for judging whether
a recommendation has been adequately addressed. Specifically, four of eight OQA reports
within OIG’s audit scope did not have a written management response that was obtained
before the final report was issued. Further, although none of the four reports had evidence of
management disagreements at the time of report issuance, in two cases FHFA business units
identified points of disagreement with the findings and recommendations in writing after the
final reports were issued.

Management’s written responses to OQA’s findings and recommendations can memorialize management’s commitment to take corrective actions, or document the justification for not taking them. OIG believes written responses serve to hold management accountable for implementing agreed-upon actions and facilitate tracking of management commitments.

Tracking commitments is particularly important in times of management changes. For
example, the lack of written management responses appears to have resulted in disagreements
and delays in correcting findings, such as the appearance of the enterprises’ undue influence
on the agency’s ROEs, and not having comprehensive quality control review processes for
examination work products. Specifically, the DER ROE review was completed in October
2011, and although OQA says the former DER deputy director agreed with its findings
and recommendations, FHFA management did not respond in writing. Thus, management
corrective actions and timeframes for addressing the recommendations were not
memorialized. A new DER deputy director was appointed in November 2011. OQA
followed up with the new DER deputy director on DER’s progress in addressing OQA’s
recommendations. In September 2012 (almost one year after the report was issued), DER
responded that OQA’s report lacked critical details or views of key staff. DER also stated that
it had partially addressed some of the recommendations or was taking actions to address them,
such as coordinating with DEPS (now DSPS) on the preparation of FHFA’s new examiner
manual and related guidance. Nevertheless, some recommendations remained open as of the
end of audit fieldwork.

OQA findings and recommendations that are not resolved timely or addressed adequately
can reduce OQA’s effectiveness and result in quality issues in FHFA examinations. For
example, examiners could have had clearer guidance in performing examinations if the
recommendation to coordinate with DEPS (now DSPS) on the preparation of FHFA’s
new examiner manual and related guidance had been promptly addressed. Likewise, FHFA
examinations could have been enhanced with prompt resolution of the recommendation for
FHFA management to remind examiners of the requirements for examination documentation.
OQA found that there were several instances where examiners did not include required
information or documentation in the examination work papers, which could raise questions as
to the sufficiency and validity of evidence supporting the findings.

   2. OQA Does Not Cover Other Critical FHFA Functions

Although OQA assesses risk for four of FHFA’s supervision and housing mission divisions
(i.e., DBR, DER, DSPS, and DHMG), it does not routinely perform risk assessments or
quality assurance reviews for other important offices. Instead, offices outside of the
examination and examination support functions may be subject to ad hoc OQA reviews,
according to the office’s policies and procedures. As such, during the audit period, OQA
issued only one report covering other offices.7

Without OQA oversight, FHFA’s other offices are not reviewed by any internal, independent
entity to identify comprehensively and assess internal and external risk across the agency.
Rather, these offices—some of which provide critical agency functions8—are reviewed by
their own managers, who perform self-assessments in response to OMB Circular A-123
review requirements. The self-assessments performed to fulfill OMB Circular A-123
requirements are not a substitute for independent reviews.

The areas highlighted in blue in Figure 3 are outside of OQA’s coverage.




7 OQA reviewed FHFA’s complaint processing at the request of the COO.
8 OCO, for example, has authority to approve enterprise actions, ranging from those related to the Senior
Preferred Stock Purchase Agreements with the Department of the Treasury to material actions in connection
with legal or regulatory settlements exceeding $50 million. In fact, OCO received from the enterprises 611
conservatorship action requests as of May 17, 2012.




                       FIGURE 3. OQA’S ROLE IN FHFA’S ORGANIZATIONAL CHART




Source: OIG analysis based on FHFA organizational chart as of January 2, 2013, and OQA September 2011
Charter.



Three key criteria support more comprehensive OQA coverage of the risks within the various
agency divisions and offices: FHFA’s Annual Performance Plan for Fiscal Year 2013,9
GAO’s Standards for Internal Control in the Federal Government, and OMB Circular A-123.

First, FHFA’s Annual Performance Plan states:

        Program evaluation is an important feedback tool to ensure that FHFA’s
        activities are meaningful and effective. FHFA regularly evaluates its progress
        towards achieving its goals in an ongoing manner throughout the year. The
        agency uses its quarterly management meetings to communicate and discuss
        organizational goals and objectives, and the status of activities which further
        their achievement. FHFA’s Executive Committee on Internal Controls meets
        quarterly to review the results of internal and external program evaluations.
        The committee evaluates the findings and establishes appropriate remediation
        activities for FHFA. The Quality Assurance internal review process
        likewise informs on results to help determine a program’s relevance.
        (Emphasis added.)

Second, applicable internal control standards identify risk assessment as one of the five
standards of internal control. Risk assessment is the identification and analysis of relevant
risks associated with achieving program objectives and forming a basis for determining how
risks should be managed. According to the internal control standards, management needs to
comprehensively identify risks, including all significant interactions between the entity and
other parties, and internal factors at both the entity-wide and activity level. Once risks have
been identified, management should analyze their possible effect.

Third, OMB Circular A-123 identifies program evaluations as an important component of an
agency’s assessment of internal control.

OQA serves as one of FHFA’s management monitoring tools, although FHFA has not
assessed OQA’s role in complementing the internal control and related A-123 activities
performed across the agency. Specifically, the framework for OQA was envisioned by the
former acting COO to encompass only the supervision, regulation, and housing mission areas
of FHFA’s mission. As a result, OQA’s charter, dated September 2011, states its mission as
follows:

        The Office of Quality Assurance is an organizationally independent and
        objective advisory office established within FHFA to evaluate the quality of
        work of the Division of Enterprise Regulation (DER), Division of Federal
        Home Loan Bank Regulation (DBR), Division of Examination Programs and
        Support (DEPS), and the Division of Housing Mission and Goals (DHMG),
        collectively, “the supervision and housing mission offices.”

9 FHFA, Annual Performance Plan for Fiscal Year 2013, at 36 (October 24, 2012); accessed September 24,
2013, at http://www.fhfa.gov/webfiles/24624/FinalFHFAFY2013APP102412.pdf.

Assessing the scope of OQA’s coverage to include agency offices that pose significant
risk can give FHFA greater assurance that its management direction is being successfully
implemented across the entire agency. For example, since September 2008 FHFA has
overseen the Fannie Mae and Freddie Mac conservatorships, which FHFA describes as
the “largest, most complex conservatorships in history;” and the enterprises have received
over $187 billion from the federal government. It is OCO’s role and duty to support the
conservator, FHFA’s Acting Director, who issues conservatorship directives, and DER
examiners assess the enterprises’ compliance with those directives. Yet, whereas DER’s
efforts to ensure compliance with conservatorship directives are subject to OQA review,
OCO’s creation and implementation of such directives is beyond the scope of OQA’s charter.

Similarly, OSI supports FHFA’s fourth strategic plan goal of “prepar[ing] for the future of
housing finance in the United States.” It was established in May 2012 to lead, coordinate, and
clarify as needed all agency and enterprise activities related to FHFA’s A Strategic Plan
for the Enterprise Conservatorships.10 OSI supports three broad goals that will define the
conservatorships for the next few years: (1) building a new infrastructure for the secondary
mortgage market, (2) contracting enterprise operations, and (3) maintaining foreclosure
prevention efforts and credit availability. In spite of these vital responsibilities, OSI is not
subject to OQA reviews. Without independent review of OSI’s activities, there is a risk that
the enterprises and FHFA could inaccurately assess the enterprises’ progress toward those
goals.

Likewise, OMWI fulfills a critical requirement for the agency. In January 2011, FHFA
established OMWI pursuant to section 342 of the Dodd-Frank Wall Street Reform and
Consumer Protection Act of 2010. OMWI’s statutory mission is to ensure that minorities,
women, service-disabled veterans, and individuals with disabilities are fully included in any
and all job and business opportunities created as a part of the federal government’s efforts to
reform and strengthen the banking system and the financial services industry. Except
pursuant to an ad hoc request, OQA will not assess the quality of OMWI’s efforts.

FHFA can have greater assurance that its objectives are achieved and risks are managed if
there is comprehensive OQA coverage of all agency functions in its risk assessments. OIG
recognizes that resource constraints do not allow every division or office to be reviewed by
OQA or FHFA, but reviews can and should be performed based on FHFA’s assessment of its
highest risks.11 Nevertheless, without a comprehensive, risk-based approach to monitoring,
FHFA may have unmitigated risk residing in offices that are either not covered by OQA or
not monitored in an effective manner.

10 FHFA, A Strategic Plan for Enterprise Conservatorships: The Next Chapter in a Story that Needs an Ending
(February 21, 2012); accessed August 27, 2013, at
http://www.fhfa.gov/webfiles/23344/StrategicPlanConservatorshipsFINAL.pdf.




11 Both the OIG and GAO perform external reviews, audits, or separate evaluations of FHFA on specific
subjects and at specific points in time. Such external reviews, audits, or separate evaluations should be
considered in FHFA’s risk assessment process.




CONCLUSIONS

Within the last couple of years, OQA has established processes, policies, and procedures to
perform internal reviews primarily of FHFA’s examination and examination support
divisions. OQA provides an important internal monitoring mechanism for FHFA, but it is still
evolving and can make improvements in its processes, policies, and procedures to ensure its
effectiveness. For example, it should implement procedures to follow up proactively on its
recommendations and validate management’s corrective actions. Moreover, there are gaps in
FHFA’s internal review coverage that may pose significant risks to FHFA and merit
consideration in OQA’s risk assessments and review coverage.

RECOMMENDATIONS

To enhance OQA’s policies and procedures for reporting and follow up, FHFA should:

   1. Update OQA’s policy to require management to provide written responses and
      corrective action timelines to OQA findings;

   2. Track the corrective action timelines provided by management and follow up on
      corrective actions based on those timelines;

   3. Implement a policy to escalate to the appropriate level of management when
      corrective action is not implemented by the reported deadline; and

   4. Evaluate management corrective actions and document evidence supporting closure of
      its recommendations.

To enhance the comprehensiveness of the agency’s internal risk assessments, FHFA should:

   5. Evaluate the roles and responsibilities of OQA across the agency and revise OQA’s
      charter accordingly;

   6. Assess risks across all agency operations for purposes of planning OQA review
      coverage; and

   7. Direct performance of reviews of those areas that pose the most significant risk to
      FHFA.




OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this performance audit is to assess the effectiveness of FHFA’s OQA.
The audit scope is OQA reviews—completed between March 2011 and March 2013—of
FHFA’s examination and examination support divisions: DBR, DER, and DSPS. (OIG did
not include DHMG in the audit scope because it does not perform enterprise examination
and examination support functions which were the focus of the audit.) In addition, while
completing the audit work, OIG assessed the significance of a broader issue and adjusted
the scope to include the extent of OQA’s coverage of FHFA’s other functions that may pose
significant risks.

To accomplish its objectives, OIG interviewed senior officials in FHFA’s DBR, DER,
and DSPS, as well as the COO, OQA managers, and OQA staff. OIG reviewed relevant
regulations, laws, and other federal guidance. OIG also reviewed OQA’s policies and
procedures, risk assessments, planning documents, and other work products. OIG
judgmentally selected four of eight OQA reports specific to the examination and examination
support functions and conducted a detailed review of the work papers, reported findings,
recommendations, and OQA’s recommendation tracking and associated support. OIG
reviewed recommendations that were issued between March 2011 and December 2012
and that were open as of March 31, 2013. OIG conducted this audit at FHFA’s office in
Washington, D.C.

OIG also assessed the internal controls related to its audit objective. Internal controls are an
integral component of an organization’s management and provide reasonable assurance that
the following objectives are achieved:

      Effectiveness and efficiency of operations,
      Reliability of financial reporting, and
      Compliance with applicable laws and regulations.

Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives, and include the processes and procedures for planning,
organizing, directing, and controlling program operations, as well as the systems for
measuring, reporting, and monitoring program performance. Based on the work completed
on this performance audit, OIG considers weaknesses in FHFA’s OQA reviews to be
significant in the context of the audit’s objectives.

OIG conducted this performance audit from December 2012 through August 2013 in
accordance with generally accepted government auditing standards. Those standards require
that audits be planned and performed to obtain sufficient, appropriate evidence to provide a
reasonable basis for the report’s findings and conclusions based on the audit objective.
OIG believes that the evidence obtained provides a reasonable basis for its findings and
conclusions, based on the audit objectives.




APPENDIX A

FHFA’s Comments on OIG’s Findings and Recommendations




APPENDIX B

OIG’s Response to FHFA’s Comments

On September 20, 2013, FHFA provided comments to a draft of this report, agreeing with
OIG’s recommendations and identifying specific actions it would take to address the
recommendations. FHFA agreed to enhance OQA policies and procedures to improve the
effectiveness of follow up and reporting activities by April 30, 2014. With respect to the
recommendations to enhance the comprehensiveness of FHFA’s risk assessment and coverage
of areas representing the most significant risk, FHFA stated that it will evaluate the current
roles, responsibilities, risk assessment, planning, and coverage of OQA in the broader agency
context and framework and, if necessary, FHFA will modify the OQA charter and coverage
during fiscal year 2014. FHFA officials clarified that the completion date related to these
actions is September 30, 2014.

OIG considers the planned actions sufficient to resolve the recommendations, which will
remain open until OIG determines that the agreed-upon corrective actions are completed and
responsive to the recommendations. OIG considered the agency’s full response (attached as
Appendix A), along with technical comments, in finalizing this report. Appendix C provides a
summary of management’s comments on the recommendations and the status of agreed-upon
corrective actions.




APPENDIX C

Summary of Management’s Comments on the Recommendations

This table presents management’s responses to the recommendations in OIG’s report and the
status of their resolution as of the date when the report was issued.

                                                    Expected
               Corrective Action:                   Completion   Monetary   Resolved (a)   Open or
Rec. No.       Taken or Planned                     Date         Benefits   Yes or No      Closed (b)
1 through 4    FHFA will review current OQA         4/30/2014    $0         Yes            Open
               policies and procedures and make
               appropriate enhancements to
               improve the effectiveness of
               follow up and reporting
               activities.
5 through 7    FHFA will evaluate the current       9/30/2014    $0         Yes            Open
               roles and responsibilities, risk
               assessment, planning, and
               coverage of OQA in the broader
               agency context and framework.
               If necessary, FHFA will modify
               the OQA charter and coverage.

(a) Resolved means: (1) management agrees with the recommendation, and the planned, ongoing, or
completed corrective action is consistent with the recommendation; (2) management does not agree with the
recommendation, but alternative action meets the intent of the recommendation; or (3) management agrees to
the OIG monetary benefits, a different amount, or no ($0) amount. Monetary benefits are considered resolved
as long as management provides an amount.
(b) Once OIG determines that the agreed-upon corrective actions have been completed and are responsive to
the recommendations, the recommendations can be closed.




APPENDIX D

Open Recommendations Aging Status as of March 31, 2013, for Recommendations
Issued in 2011 and 2012

                         Subject
                         FHFA
     Report Date         Division   Recommendation Description                          Days Open
 1   October 7, 2011     DER        Establish a comprehensive quality control review    541
                                    process for examination reports, work papers,
                                    and other examination work products.
 2   October 28, 2011    DBR        Work programs should include a reference or link    520
                                    to supporting work papers, and DBR’s quality
                                    control processes should check to ensure work
                                    programs include such references or links.
 3   October 28, 2011    DBR        Examiners should include their names and the        520
                                    name of the FHLBank under examination on all
                                    work papers they prepare.
 4   October 28, 2011    DBR        The basis section of examination findings           520
                                    explicitly includes, when possible, the cause of
                                    the problem and the effect of not correcting the
                                    problem or of following the recommended or
                                    required course of action. FHFA should expand
                                    the guidance for the basis section to better
                                    explain expectations for describing the cause
                                    and effect; including examples may help provide
                                    clarity. In addition, FHFA should consider
                                    clarifying the guidance since, as currently written,
                                    an examiner would need to identify the cause in
                                    all cases.
 5   October 28, 2011    DBR        DBR management should remind examiners of           520
                                    its work paper requirements. Recommend that
                                    work papers memorialize exceptions to the
                                    requirements by including a brief summary/statement
                                    or memo to file that discusses the reason for
                                    noncompliance. Further, the Examiner-In-Charge,
                                    or an assigned member of the examination team,
                                    finalizes the findings tracker document for the
                                    specific examination at that designated point in
                                    time to ensure that all of the vetted findings
                                    included in the ROE appear on the findings
                                    tracker for that particular time period.
 6   October 28, 2011    DBR        Examination management should review                520
                                    resource needs and priorities as warranted. In
                                    addition, examination supervisors should monitor
                                    the completion and filing of assignments.
 7   April 12, 2012      DBR        Enhance the Office of Bank Analysis’ supervisory    353
                                    oversight procedures to include a process that
                                    memorializes the supervisory and peer review
                                    efforts.*
 8   December 28, 2012   DBR        Develop formal written policies and procedures      93
                                    for DBR’s fatal flaw review process.*


Source: OIG analysis of OQA recommendations.
* OQA closed recommendations #7 and #8 as of September 6, 2013.




ADDITIONAL INFORMATION AND COPIES

For additional copies of this report:

      Visit: www.fhfaoig.gov
      Call: 202-730-0880
      Fax: 202-318-0239



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Visit: www.fhfaoig.gov/ReportFraud
      Call: 800-793-7724
      Fax: 202-318-0358
      Write: FHFA Office of Inspector General
             Attn: Office of Investigation – Hotline
             400 Seventh Street, S.W.
             Washington, DC 20024



