
FHFA Oversight of Freddie Mac's Information Technology Investments

Published by the Federal Housing Finance Agency, Office of Inspector General on 2014-09-25.


Federal Housing Finance Agency
Office of Inspector General

FHFA Oversight of Freddie Mac’s Information Technology Investments

Audit Report AUD-2014-017, September 25, 2014

September 25, 2014


TO:       Nina Nichols, Deputy Director for Enterprise Regulation

FROM:     Russell A. Rau, Deputy Inspector General for Audits

SUBJECT:  FHFA Oversight of Freddie Mac’s Information Technology Investments


Summary

Freddie Mac annually makes substantial investments to maintain and improve its information
technology (IT) infrastructure, which is vital to its mission of helping to provide liquidity,
stability, and affordability in the nation’s housing market. In fact, Freddie Mac maintains an
IT investment portfolio of over 250 individual projects.1 Large organizations making such
substantial investments in IT should ensure that each investment decision is subjected to careful
scrutiny to ensure, among other things, that the investment’s risks and returns have been
evaluated and are understood; it aligns with the organization’s mission; it continues to meet
mission needs at the expected levels of cost and risk; and its impact on mission performance is
evaluated. In order to effectively scrutinize their investments, federal and industry organizations
implement and enforce IT investment management processes.

As conservator of Freddie Mac, FHFA is charged with preserving and conserving Freddie Mac’s
assets and has broad responsibility for managing the Enterprise’s activities to fulfill its mission.2
FHFA fulfills this obligation in part through the exercise of its delegations of authority to review
and approve Freddie Mac’s business decisions, and to review key documents, such as Freddie
Mac’s annual operating budget. FHFA requires that Freddie Mac’s systems provide relevant,
accurate, and timely information that is secure and supported by contingency arrangements.3
FHFA, under its supervisory and regulatory authorities regarding Freddie Mac, has a continuous
examination program that encompasses Freddie Mac’s IT infrastructure. FHFA’s Office of
Inspector General (OIG) conducted this audit to evaluate FHFA’s oversight of Freddie Mac’s IT
investment management processes.

1 An IT investment portfolio is the combination of all IT assets, resources, and investments owned or planned by an
organization in order to achieve its mission and strategic goals and objectives.
2 FHFA was appointed conservator for Freddie Mac in September 2008.
3 12 CFR Part 1236, Appendix—“Prudential Management and Operational Standards.”

Federal Housing Finance Agency Office of Inspector General • AUD-2014-017 • September 25, 2014

Overall, OIG concluded that FHFA could improve its oversight of IT investments at Freddie
Mac. Meeting Enterprise-wide business and user needs in a cost-effective and risk-based method
can be enhanced by: (1) determining through examination whether Freddie Mac has
implemented and is enforcing an effective IT investment management process; (2) issuing
guidance on required objectives and controls in IT investment management processes,
particularly at the portfolio level; and (3) evaluating whether currently utilized Freddie Mac
reports provide the information necessary to conduct effective supervisory monitoring of Freddie
Mac’s portfolio of IT investments.

As conservator, FHFA approves Freddie Mac’s annual operating budget but does not specifically
review and approve the IT component of the budget, or review and approve individual IT
projects unless an investment would constitute a significant change to Freddie Mac’s operations.
Thus, supervisory review of Freddie Mac’s entire IT investment management process is even
more important to protect FHFA’s interests as there is no corresponding conservatorship control
to assess IT investments at the portfolio level. As a result, FHFA has limited assurance that
Freddie Mac has implemented and enforces effective IT investment management practices and
processes. Accordingly, OIG made recommendations to strengthen FHFA oversight, and the
Agency generally agreed. Refer to Appendix B for the Agency’s comments and Appendix C for
OIG’s evaluation of those comments.

Background

Fannie Mae and Freddie Mac are federally chartered to provide stability and liquidity in the
home mortgage loan market. On July 30, 2008, the Housing and Economic Recovery Act of
2008 established FHFA as the Enterprises’ regulator. Among its responsibilities, the Agency
oversees their safety and soundness, supervises their support of housing finance and affordable
housing goals, and facilitates a stable and liquid mortgage market. On September 6, 2008, FHFA
became the Enterprises’ conservator to help protect them—and therefore the wider financial
market—from collapse. As conservator, FHFA is charged with preserving and conserving
Enterprise assets, ensuring their focus on the housing mission, and preparing for the future of the
housing market. Through supervision and regulation, FHFA helps to ensure that the Enterprises
are operating in a safe and sound manner so that they can serve as a reliable source of liquidity
and funding for housing finance and community investment.

Freddie Mac is making substantial investments in IT in order to better support its operations and
reduce risk. As reported in its 2013 annual financial statements, Freddie Mac recently completed
a 3-year multimillion dollar project to move key legacy applications and infrastructure to more
current technology. It is making investments to maintain technology, to standardize its
technology portfolio, and to focus on emerging information security risks.4 These investments
are deemed by FHFA to be critical to Freddie Mac’s safety and soundness. A strong IT
investment management process is critical to an organization such as Freddie Mac that is making
such large IT investments.5 The process should help ensure that decisions on major IT
expenditures are required and cost-effective, and that the investments, once funded, are regularly
monitored and managed.

4 Federal Home Loan Mortgage Corporation, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the
Securities Exchange Act of 1934, for the fiscal year ended December 31, 2013,
http://www.freddiemac.com/investors/er/pdf/10k_022714.pdf. Accessed on July 30, 2014.

Research suggests that the quality of investment decisions for IT projects can have a dramatic
effect on an organization. One study published by the Massachusetts Institute of Technology
found that investment in IT had a greater impact on an organization’s profitability than
investments in advertising or research and development.6 Another study found that economic and
competitive pressures can compel organizations to cut costs and force them to scrutinize their IT
operating and capital budgets more carefully, thereby making correct IT investment decisions
economic and competitive necessities. Further, failure in IT projects is partly attributable to a
lack of solid management tools for evaluating, prioritizing, monitoring, and controlling IT
investments.7

Federal agencies are required by the Clinger-Cohen Act to establish IT investment and capital
planning processes and performance management.8 Additionally, the Office of Management and
Budget has issued related directives and guidance. The Government Accountability Office
(GAO) developed the IT Investment Management Maturity (ITIM) framework around the
select/control/evaluate approach described in Clinger-Cohen.9 It provides a systematic method
for federal agencies to minimize risk while maximizing the returns of IT investments. ITIM
identifies and organizes processes critical for successful IT investment as an organization’s IT
systems mature, which offers agencies a way to evaluate and assess how well they are selecting
and managing their IT resources. GAO framed ITIM in terms of five stages of maturity, as
shown in Figure 1.

5 IT investment is defined as the expenditure of resources on selected information technology or IT-related
initiatives. The expectation is that the benefits from the expenditure will exceed the value of the resources expended.
6 Sunil Mithas et al., The Impact of IT Investments on Profits, MIT Sloan Management Review (Spring 2012),
http://sloanreview.mit.edu/article/the-impact-of-it-investments-on-profits/. Accessed July 29, 2014.
7 A. Gunasekaran et al., A Model for Investment Justification in Information Technology Projects, International
Journal of Information Management, at 349-64 (2001).
http://www.umassd.edu/media/umassdartmouth/businessinnovationresearchcenter/publications/it_justification.pdf.
Accessed July 28, 2014.
8 The Clinger-Cohen Act (also known as the “Information Technology Management Reform Act of 1996”), Pub. L.
104-106, Division E, codified at 40 U.S.C. Chapter 25.
9 GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process
Maturity, GAO-04-394G (March 1, 2004), http://www.gao.gov/products/GAO-04-394G. Accessed July 29, 2014.

FIGURE 1: The Five Stages of Maturity within the ITIM Framework

(Maturity rises from a project-centric focus at Stage 1 to an enterprise and strategic focus at
Stage 5.)

STAGE 5: Leveraging IT for strategic outcomes.
    The organization has mastered the selection, control, and evaluation processes and now seeks
    to shape its strategic outcomes by benchmarking its IT investment processes relative to other
    “best-in-class” organizations.

STAGE 4: Improving the investment process.
    The organization is focused on evaluation techniques to improve its IT investment processes
    and portfolio(s) while maintaining mature selection and control techniques.

STAGE 3: Developing a complete investment portfolio.
    The organization has developed a well-defined IT investment portfolio, using an investment
    process that has sound selection criteria and maintains mature, evolving, and integrated
    selection, control, and evaluation processes.

STAGE 2: Building the investment foundation.
    Basic selection capabilities are being driven by the development of project selection
    criteria, including benefit and risk criteria, and an awareness of organizational priorities
    when identifying projects for funding. Executive oversight is applied on a project-by-project
    basis.

STAGE 1: Creating investment awareness.
    Ad hoc, unstructured, and unpredictable investment processes characterize this stage. There is
    generally little relationship between the success or failure of one project and the success or
    failure of another project.

Source: GAO, Information Technology Investment Management: A Framework for Assessing and Improving
Process Maturity, GAO-04-394G (March 1, 2004).

GAO defines the fundamental phases of the IT investment approach as follows:10

  - SELECT PHASE – the organization (1) identifies and analyzes each project’s risks and returns
    before committing significant funds to any project, and (2) selects those IT projects that
    will best support its mission needs. This process should be repeated each time funds are
    allocated to projects, reselecting even ongoing investments as described below.

  - CONTROL PHASE – the organization ensures that as projects develop and investment
    expenditures continue, the project continues to meet mission needs at the expected levels of
    cost and risk. If the project is not meeting expectations or if problems have arisen, steps
    are quickly taken to address the deficiencies. If mission needs have changed, the
    organization is able to adjust its objectives for the project and appropriately modify
    expected project outcomes.

  - EVALUATE PHASE – actual versus expected results are compared after a project has been fully
    implemented. This is done to (1) assess the project’s impact on mission performance,
    (2) identify any changes or modifications to the project that may be needed, and (3) revise
    the investment management process based on lessons learned.

10 Id., at 8-9. Accessed July 30, 2014.

The investment process does not end with the evaluation phase. A project can be active
concurrently in more than one phase of the select/control/evaluate model. After a project has
been designated for initial funding in the select phase, it becomes the subject of evaluation
throughout the control phase for the purposes of reselection. Reselection is an ongoing process
that continues for as long as a project is receiving funding. If a project is not meeting the goals
and objectives that were originally established when it was selected, or if the goals have been
modified to reflect changes in mission objectives—and corrective actions are not succeeding—a
decision must be made on whether to continue to fund the project. Ultimately, “deselection” can
be one of the most difficult steps to implement, but it is necessary if funds can be better utilized
elsewhere. Once projects are operating and being maintained, they remain under constant review
for reselection.

In addition to GAO’s ITIM, other IT investment management methodologies are used in the
industry as they are considered best practices. Freddie Mac is not legally bound by all the laws
and federal guidance for managing IT investments that relate to federal entities, and may choose
to follow commercial IT investment management best practices. Regardless, FHFA, as the
conservator and regulator of Freddie Mac, is responsible for ensuring that the Enterprises use
safe and sound practices to achieve efficiency and minimize losses on its operations. As such,
FHFA should recognize that IT investment management is a best practice that should be used by
Freddie Mac, given its current and planned IT expenditures.

Freddie Mac’s IT Budget and Expenditures

Freddie Mac has acknowledged the need to improve its IT systems. For example, in its 2013
financial statements, Freddie Mac stated that its primary business processing and financial
accounting systems lack sufficient flexibility to handle all the complexities of, and changes in,
business transactions and related accounting policies and methods. This requires Freddie Mac to
rely more extensively on spreadsheets and other end-user computing systems that could have a
higher risk of operational failure and error. Freddie Mac’s planned IT expenditures over three
years are expected to exceed $1 billion. In 2013, Freddie Mac officials stated that its current year
expenditures support over 250 projects that align with its corporate strategic plan. Figure 2
shows the growth of Freddie Mac’s IT budget and expenditures since 2011.

FIGURE 2: Freddie Mac IT Expenditures 2011-2014 – Budget to Actual ($ Millions)

    Year    IT Budget    IT Actual
    2011       452          422
    2012       370          378
    2013       372          483
    2014       533          (no actual shown)

(Values as labeled on the bar chart in the original report; the chart shows only a budget bar for 2014.)

Source: Freddie Mac

Freddie Mac’s IT projects result from both internal needs and those mandated by FHFA and
others. However, according to FHFA officials, the Agency does not generally review and
approve individual IT projects. Some of Freddie Mac’s projects have experienced significant
cost increases. For example, one IT-related project under way is intended to address safety and
soundness issues identified in an FHFA examination. In May 2013, Freddie Mac requested
conservator approval to invest $198 million in this project over approximately five years. FHFA
determined that approval of the IT project was within Freddie Mac’s delegated authority and did
not review or render a decision on the project. Within six months of the request to FHFA,
Freddie Mac recognized the need for a significant scope change that resulted in the need to
allocate additional funding. This large, near-term scope modification calls into question the
reasonableness of the initial and remaining cost, schedule, and performance parameters. In
September 2013, Freddie Mac again requested FHFA approval, this time for the additional
funding needed to address the scope change. However, FHFA did not review the project or
render a decision. As such, FHFA did not assess the justification for the additional expenditures
or the risk of future delays and cost increases given that over four years remained to complete the
project. Freddie Mac has also reported other instances of cost overruns on IT projects.

Given the level of delegation to the Enterprise, FHFA should ensure that Freddie Mac utilizes an
effective process to manage its IT investments and that those investments achieve the best value
for the Enterprise in fulfilling its mission. An effective ITIM process adds confidence that a
proposed investment’s risks and returns have been evaluated using qualitative and quantitative
measures, that controls are in place to ensure that the project continues to meet mission needs at
the expected levels of cost and risk, and that adequate funds and resources are available for
project success.

Conservator Review of Freddie Mac’s Budget

In 2008, FHFA issued instructions11 to Freddie Mac’s Board of Directors and senior
management detailing operational activities that require conservator approval versus those that
require conservator notification.12 As detailed in its instructions, FHFA approves Freddie Mac’s
annual operating budget, but Freddie Mac is only required to notify FHFA of any significant
changes (i.e., increases) to its annual budget. The Agency typically does not view changes in
Freddie Mac’s budget as an item that requires Conservator approval; the Agency considers
budget changes to be operational in nature and within Freddie Mac’s delegated authority to
approve. Further, the Agency does not separately approve components of Freddie Mac’s
operating budget, including IT. Lastly, the Agency would only consider review of budget
adjustments related to a significant change to Freddie Mac’s operations per its instructions or if
Freddie Mac requests FHFA’s review.

Separately, FHFA issues an annual conservatorship scorecard, which outlines specific objectives
and milestones that Freddie Mac must achieve as part of its operations.13 Within these objectives
are supporting investments, which may have underlying IT components that are monitored by
FHFA’s Office of Strategic Initiatives (OSI). On a quarterly basis, OSI assesses Freddie Mac’s
progress in achieving the conservatorship scorecard objectives and milestones, which includes
the assessment of any IT investments that support scorecard objectives. OSI does not, however,
assess Freddie Mac’s progress in meeting objectives and milestones for its non-scorecard-related
projects. Freddie Mac expended 21% of its IT budget for scorecard-related projects that were
monitored by OSI and expended the remaining 79% on IT for non-scorecard-related projects,
which were not specifically monitored at a project level by OSI.14

Supervisory and Regulatory Oversight of Freddie Mac’s IT Investment Management Process

The Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended,
grants FHFA supervisory and oversight responsibilities for the Enterprises.15 FHFA is required,
by statute, to examine Freddie Mac at least annually to ensure its safety and soundness. FHFA
may also conduct targeted examinations, ongoing monitoring, or compliance reviews, as part of
its supervision and oversight. FHFA’s Division of Enterprise Regulation (DER) is responsible
for these supervisory and regulatory duties. In addition, FHFA issues formal guidance to Freddie
Mac in the form of advisory bulletins designed to communicate guidance, including guidance on IT,
and to help achieve mission-critical goals and objectives.

11 In November 2008, FHFA issued an order to Freddie Mac outlining functions, responsibilities, and authorities of
its Board of Directors. FHFA also issued a Letter of Instruction to the Board elaborating on the order and providing
direction regarding implementation. In November 2012, FHFA issued a document holding its original orders in
place, while revising and replacing the November 2008 Letter of Instruction in light of experience and practice
under the conservatorship. The revised document provided greater specificity on the respective roles and
responsibilities of FHFA, the Board, and management in relation to the conservatorship.
12 For notification, FHFA requires that Freddie Mac timely inform the Agency of any planned changes in its
business processes or operations.
13 The most current scorecard is contained in FHFA’s 2014 Scorecard for Fannie Mae, Freddie Mac and Common
Securitization Solutions (May 2014).
14 According to Freddie Mac officials, the Enterprise conducts periodic meetings with other offices within FHFA
regarding its overall IT operations, which may at times include discussions about the status of individual IT projects.
15 Public Law No. 102-550.

FHFA’s examination program uses a risk-based approach to determine which supervisory
activities it will employ to assess the Enterprises’ safety and soundness. Beginning in 2010,
FHFA determined that Freddie Mac’s IT governance infrastructure represented significant risk to
its operations.16 In fact, in its 2013 Report to Congress (June 13, 2014), FHFA concluded that
additional Freddie Mac management attention was required related to operational risk, including
information technology, to reduce the risk profile to acceptable levels. As such, FHFA conducted
ongoing monitoring procedures that identified several weaknesses in Freddie Mac’s IT
governance processes. FHFA considered these weaknesses to be of “critical concern,” which
prompted two subsequent targeted examinations and a special review in addition to continued
ongoing monitoring.

Finding: Additional Supervisory Review and Guidance is Needed to Determine Whether
         Freddie Mac Has Implemented a Complete and Effective IT Investment
         Management Process

FHFA has not determined through examination or other activity whether Freddie Mac has
implemented a complete and effective IT investment management process. Further, FHFA has
not issued formal requirements or guidance to Freddie Mac on IT investment management.
FHFA examination efforts and recent guidance focused on project-level controls for IT systems
and did not address portfolio-level controls, such as aligning IT investment with strategic goals
and developing an overall IT infrastructure to support current and planned business operations.
Additional focus on these areas can help strengthen the management of IT investments.

Lack of Comprehensive Assessment of IT Investment Management Process

Between 2010 and 2013, FHFA conducted two examinations, a supervisory review, and ongoing
monitoring that assessed Freddie Mac’s IT governance structure (including Board and committee
responsibilities, and executive reporting) and its IT project management processes. According to
FHFA officials, the Agency focused on Freddie Mac’s IT governance because it presented a
critical concern to Freddie Mac’s IT operations.17 Specifically, Freddie Mac’s IT infrastructure
(policy, procedures, and senior management) was evolving as it went through four
reorganizations. As a result, FHFA’s examinations and review understandably focused on
Freddie Mac’s IT governance issues.

16 IT governance includes the processes that ensure the effective and efficient use of IT in enabling an organization
to achieve its goals. Organizations need a strong governance model in place to align IT investments with business
requirements. In contrast, ITIM is an integrated process (framework) focused on achieving desired business
outcomes through the continuous selection, control, and evaluation of IT initiatives. The establishment of an IT
governance structure is one of several processes that make up a successful ITIM framework.
17 In 2010, FHFA examiners found that the governance and control framework for Freddie Mac’s IT infrastructure
was inadequate. The existing governance and control framework lacked policy and controls needed to sustain and
operate an adequate IT environment.

While assessing Freddie Mac’s IT governance, FHFA’s examiners also observed that Freddie
Mac was experiencing other increased IT operational risks, such as issues with outdated systems,
inadequate funding of existing projects, and the cancellation of an IT project after a significant
outlay of resources over multiple years. From 2010-2012, Freddie Mac spent over $200 million
on a company-wide initiative to enhance its current business processes and address outdated
infrastructure issues. However, the project was not completed, and during 2012, portions of the
initiative were either cancelled with no benefit to Freddie Mac or broken out into smaller
projects. Although FHFA issued three Matters Requiring Attention (MRAs) regarding Freddie
Mac’s IT infrastructure (outdated systems, IT governance and budget allocation) in 2010, FHFA
did not adjust its supervisory approach to identify the underlying causes of this project’s failure
(e.g., what critical processes of ITIM had not been implemented or were ineffective). As noted
above, research suggests that IT project failures and increased project costs can be partially
attributed to a lack of solid management tools for evaluating, prioritizing, monitoring, and
controlling IT investments from a portfolio perspective.

Although FHFA did not adjust its examination plan, OIG noted that FHFA’s examinations and
special review assessed some of the critical processes of an effective ITIM framework.18
Appendix A contains the results of the OIG analysis. However, FHFA’s supervisory strategy
from August 2010 through December 2013 did not include an overall assessment of whether
Freddie Mac has implemented a complete and effective IT investment management framework.
Without assessing the existence and effectiveness of critical ITIM processes, FHFA is unable to
determine the level of maturity of Freddie Mac’s ITIM framework, identify weaknesses or risks
that could negatively impact Freddie Mac’s IT budget and operations, or offer recommendations
for improvement. As a result, Freddie Mac’s current and future planned IT projects may
experience uncertainty regarding requirements, escalating costs, slippages in project schedules,
and inconsistent project outcomes.

Formal IT Investment Management Guidance Not Issued to Freddie Mac

FHFA has not published formal requirements or guidance specifically governing Enterprise IT
investment management. FHFA is authorized to issue prudential management and operations
standards under the Federal Housing Enterprises Financial Safety and Soundness Act, as well as
provide direction to the Enterprises through various other authorities.19 Such guidance is
essential for the Enterprises to use in managing investments in their overall portfolio of IT
systems as well as developing and maintaining individual information systems. Additionally, the
guidance is needed as part of the Agency’s Information Technology Risk Management Program
already provided to FHFA examiners to assess those investment programs. For example, the
Federal Financial Institution Examination Council (FFIEC) has published the Information
Technology Examination Handbook to guide examiners in the performance of examinations of
financial institutions in such critical areas as the development and acquisition of new systems.20

18 OIG analyzed FHFA’s two examinations and a special review to determine which, if any, of the critical processes
of ITIM were covered in the examination/review. OIG used GAO’s ITIM framework as the basis for evaluating
FHFA’s supervision of Freddie Mac’s IT investment process.
19 12 U.S.C. 4513.

In one section of the FFIEC guidance concerning planning for IT operations and investment, it
states:

Financial institution boards and management should implement an IT planning process that:

  - Aligns IT with the corporate-wide strategic plan;

  - Aligns IT strategically and operationally with business units;

  - Maintains an IT infrastructure to support current and planned business operations;

  - Integrates IT spending into the budgeting process and weighs direct and indirect
    benefits against the total cost of ownership of the technology; and

  - Ensures the identification and assessment of risk before changes or new investment in
    technology.

This guidance addresses the portfolio-level issues that should be considered in the management
of information technology, such as overall portfolio alignment with strategic objectives. Another
key aspect of IT investment management is measuring and monitoring performance. Again,
FFIEC has laid out examination guidance for outcome-based measurement, establishment of
performance benchmarks, and quality control functions in the IT environment. As such, the
FFIEC guidance captures important responsibilities associated with IT investment management.
Since FHFA has not issued similar portfolio-level guidance regarding Freddie Mac’s IT
investment portfolio, it is challenged to determine whether Freddie Mac has implemented an
effective ITIM process.

Other parts of the FFIEC guidance address project-level development. To its credit, in late 2013,
FHFA issued its FHFA Examination Manual that includes a section entitled “Information
Technology Risk Management Program.” The section addresses project-level development
activities, stating that the Enterprises must have clearly identified project management
methodologies that are commensurate with a project’s characteristics and risks. According to
FHFA’s guidance, project management methodologies should include:

           1. Management sponsorship and commitment;

           2. Project plans;

           3. Definitions of project requirements and expectations;

           4. Project management standards and procedures;

           5. Quality assurance and risk management standards and procedures;

           6. Definitions of project roles and responsibilities;

           7. Approval authorities and procedures;

           8. Involvement by all affected parties;

           9. Project communication techniques; and

           10. Validation of project execution.

20 FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms
for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of
the Currency, and the Consumer Financial Protection Bureau, and to make recommendations to promote uniformity
in the supervision of financial institutions.

In OIG’s opinion, FHFA’s project-level guidance in its Information Technology Risk
Management Program could readily be supplemented with portfolio-level guidance on
Enterprise-wide IT investment management. Such guidance would help ensure FHFA can place
some level of reliance on Freddie Mac’s process given the delegations in place.

Incomplete Evaluation of Investment Information Provided by Freddie Mac

According to GAO, an organization must be able to acquire pertinent information (e.g., project
owner, project category, current life cycle phase, costs to date, and anticipated costs) about each
IT project in its portfolio and store that information in a retrievable format (i.e., a report) to be
used in future investment decisions. The same information should be useful to FHFA examiners
in evaluating and monitoring Freddie Mac’s IT investments. FHFA’s examination and ongoing
monitoring procedures require that examiners review multiple reports and other artifacts that
support Freddie Mac’s IT budget and projects.

One of the primary reports used by FHFA examiners to monitor Freddie Mac’s IT operations is
the IT Monthly Management Report (MMR). According to Freddie Mac officials, the
intent and purpose of the IT MMR is not to provide a comprehensive update on all IT projects,
but rather an executive rollup view of top programs or projects and their current status. OIG
found that the IT MMR does not contain all of the pertinent information recommended by GAO.
In fact, the IT MMR provides current-year budget information and project end dates for only 16
IT projects (budgeted to cost approximately $102 million). For example, the IT MMR did not
provide details regarding the Multifamily Pricing and Securitization Platform program, such as
the original budget, number of missed milestones, and what actions, if any, were taken by
Freddie Mac to address issues associated with this program.

Alternatively, the Enterprise Initiatives Report, a newly developed internal Freddie Mac report,
provides information on Freddie Mac’s current portfolio of over 250 projects. However, this
report, just like the IT MMR, only provides current-year budgeted costs for those projects. Given
its reliance on Freddie Mac documentation to evaluate the Enterprise’s operations, FHFA should
assess whether enough information is provided in the IT MMR or other IT project reports (i.e.,
the Enterprise Initiatives Report) to conduct its ongoing monitoring activities of Freddie Mac’s IT
investment process and portfolio of IT projects.

FHFA confirmed that its examiners had not evaluated the accuracy of information contained in
the IT MMR or the methodology by which Freddie Mac selected the IT projects presented in the
report. Without accurate, complete, and relevant portfolio and project-level data, FHFA loses
the ability to timely identify and question the status of troubled, over-budget, and/or
underperforming IT investments. Information contained in the MMR does not allow FHFA to
determine whether Freddie Mac is addressing troubled investments in a timely manner, or
whether the troubled investment will continue to provide its initially determined value.

An effective ITIM process adds confidence that a proposed investment’s risks and returns have
been evaluated using qualitative and quantitative measures, that controls are in place to ensure
that the project continues to meet mission needs at the expected levels of cost and risk, and that
adequate funds and resources are available for its success. FHFA has the responsibility to ensure
that Freddie Mac utilizes safe and sound practices, such as ITIM, to manage its IT investments.

Recommendations

OIG recommends that FHFA:

   1. Conduct a comprehensive examination to determine whether Freddie Mac has
      implemented and enforces an effective information technology investment management
      process.

   2. Develop and issue Enterprise information technology investment management guidance.

   3. Evaluate whether Freddie Mac reports currently used by FHFA examiners provide the
      information necessary to conduct effective supervisory monitoring of Freddie Mac’s
      portfolio of IT investments.

Objective, Scope, and Methodology

The overall objective of this audit was to assess FHFA’s oversight of Freddie Mac’s IT
investment management process. Specifically, OIG sought to review the extent and effectiveness
of FHFA’s oversight of Freddie Mac’s ITIM processes.

In order to accomplish this objective, OIG:

      • Researched ITIM federal laws and regulations and best practices used in both the
        federal government and private industry;

      • Interviewed FHFA officials from the Division of Conservatorship Operations and
        DER;

      • Interviewed Freddie Mac Budget and Financial Planning and Enterprise Risk
        Management personnel;

      • Obtained documentation from FHFA staff in DER and the Office of Conservatorship
        Operations about the Agency’s oversight, supervision, and guidance of Freddie Mac’s
        IT investment;

      • Obtained documentation from Freddie Mac staff in the Budget and Financial Planning
        Group within the Division of Finance;

      • Analyzed FHFA supervisory activities regarding IT governance;

      • Discussed potential fraud issues with FHFA; and

      • Assessed internal control within FHFA’s oversight process.

OIG did not review and is not expressing an opinion on Freddie Mac’s IT investment
management processes.

OIG conducted work for this audit from January 2014 through June 2014 at FHFA’s
headquarters in Washington, D.C., and Freddie Mac’s corporate offices in McLean, VA. OIG
conducted its audit in accordance with generally accepted government auditing standards. Those
standards require that OIG plan and perform audits to obtain sufficient, appropriate evidence to
provide a reasonable basis for the findings and conclusions based on the audit objective. OIG
believes that the evidence obtained provides a reasonable basis for the findings and conclusions
included herein, based on the audit objective. OIG considers its findings to be significant in the
context of the audit objective.

OIG appreciates the cooperation of everyone who contributed to this audit, including officials at
FHFA and Freddie Mac. This audit was led by Brent Melson, Audit Director, who was assisted
by Joseph Nelson, Audit Manager, Joi Neal, Senior Auditor, and Andrew Gegor, Senior Auditor.



cc:       Melvin L. Watt, Director
          Eric Stein, Chief of Staff
          Larry Stauffer, Acting Chief Operating Officer
          Robert Ryan, Special Advisor
          Mark Kinsey, Chief Financial Officer
          John Major, Internal Controls and Audit Follow-up Manager

Appendix
      Appendix A:         OIG’s Analysis of FHFA’s Supervision Activities
      Appendix B:         FHFA’s Comments
      Appendix C:         OIG’s Response to FHFA’s Comments
      Appendix D:         Summary of Management’s Comments on the Recommendations


Appendix A

OIG’s Analysis of FHFA’s Supervision Activities

The results of OIG’s analysis of FHFA’s supervision are detailed below:

ITIM Critical Processes                                                | August 2010          | July 2011            | August 2012          | August 2013
                                                                       | Ongoing Monitoring   | Targeted Examination | Targeted Examination | Supervisory Review
-----------------------------------------------------------------------|----------------------|----------------------|----------------------|----------------------
IT Strategic Planning21                                                | Not Addressed        | Evaluated            | Not Addressed        | Not Addressed
Instituting Investment Board/Committees                                | Evaluated            | Evaluated            | Not Addressed        | Not Addressed
Establishing Investment Management Standards (meeting business needs)  | Not Addressed        | Not Addressed        | Partially Evaluated  | Not Addressed
Selection of IT Investment                                             | Not Addressed        | Not Addressed        | Not Addressed        | Not Addressed
Capturing Investment Information (Data and Reporting)                  | Not Addressed        | Partially Evaluated  | Partially Evaluated  | Partially Evaluated
Investment Oversight                                                   | Partially Evaluated  | Partially Evaluated  | Evaluated            | Evaluated
Defining the Investment Portfolio                                      | Not Addressed        | Not Addressed        | Not Addressed        | Not Addressed
Creating the Investment Portfolio                                      | Not Addressed        | Not Addressed        | Not Addressed        | Not Addressed
Evaluating the Investment Portfolio                                    | Not Addressed        | Not Addressed        | Not Addressed        | Partially Evaluated
Conducting Post-Implementation (Quality Assurance Reviews)             | Not Addressed        | Not Addressed        | Not Addressed        | Not Addressed


OIG used GAO’s ITIM Framework as the basis for evaluating FHFA’s supervision of Freddie
Mac’s IT investment processes. OIG determined that Freddie Mac’s IT investment processes
mirror Stage 2, “Building the Investment Foundation,” and Stage 3, “Developing a Complete
Investment Portfolio.” OIG recognizes that in addition to Stages 2 and 3, Freddie Mac may
be implementing additional critical processes associated with higher maturity stages in GAO’s
framework.



21
   GAO’s ITIM Framework does not evaluate an organization’s strategic planning process. However, OIG,
recognizing the importance of strategic planning in determining the selection of IT projects, used it as a critical
process in reviewing FHFA’s examination activities.

Appendix B

FHFA’s Comments

Appendix C

OIG’s Response to FHFA’s Comments

On September 12, 2014, FHFA provided comments to a draft of this report, mostly agreeing with
OIG’s recommendations and identifying specific actions to address them. FHFA partially agreed
with recommendation 1 and agreed with recommendations 2 and 3.

FHFA partially agreed with Recommendation 1 and will include a review of Freddie Mac's IT
investment management process in its 2015 examination activities. FHFA stated that the timing
and nature of examination work to be performed by its examiners over Freddie Mac’s IT
investment process will be determined by its risk-based annual supervision planning process.
OIG considers FHFA’s response to recommendation 1 to be sufficient to resolve the
recommendation. However, the recommendation will remain open until OIG reviews both the
2015 examination planning documentation and related supervision activities executed over
Freddie Mac’s IT investment management process.

FHFA agreed with Recommendation 2 and will issue an advisory bulletin by September 30,
2015, that communicates the supervisory expectation regarding information technology
investment management at both Enterprises.

FHFA also agreed with Recommendation 3. By September 30, 2015, FHFA will evaluate the
reports, data, and other information provided by Freddie Mac and the use of these items by
FHFA examiners in assessing Freddie Mac’s management of its information technology
resources and its ability to meet business needs.

OIG considers the planned actions sufficient to resolve these recommendations, which will
remain open until OIG determines that the agreed upon corrective actions are completed. OIG
considered the Agency’s full response (attached as Appendix B) along with technical comments
in finalizing this report. Appendix D provides a summary of management’s comments on the
recommendations and the status of agreed-upon corrective actions.



Appendix D

Summary of Management’s Comments on the Recommendations

This table presents management’s response to the recommendations in OIG’s report and the
status of the recommendations as of when the report was issued.

Rec. No. | Corrective Action: Taken or Planned | Expected Completion Date | Monetary Benefits ($ Millions) | Resolved: Yes or No (a) | Open or Closed (b)
---------|-------------------------------------|--------------------------|--------------------------------|-------------------------|-------------------
1.       | FHFA will include a review of Freddie Mac’s IT investment management process in its 2015 examination activities. | 1/15/2015 | $0 | Yes | Open
2.       | FHFA will issue an Advisory Bulletin that articulates supervisory expectations for information technology investment management by the Enterprises. | 9/30/2015 | $0 | Yes | Open
3.       | FHFA will review the reports, data, and information provided to FHFA examiners by Freddie Mac and the use of these reports by examiners in assessing how effectively Freddie Mac manages its information technology resources and meets Enterprise-wide information needs. | 9/30/2015 | $0 | Yes | Open
Total    |                                     |                          | $0                             |                         |

(a) Resolved means: (1) Management concurs with the recommendation, and the planned, ongoing, and completed
corrective action is consistent with the recommendation; (2) Management does not concur with the recommendation,
but alternative action meets the intent of the recommendation; or (3) Management agrees to the OIG monetary
benefits, a different amount, or no amount ($0). Monetary benefits are considered resolved as long as management
provides an amount.

(b) Once OIG determines that the agreed-upon corrective actions have been completed and are responsive, the
recommendations can be closed.



Additional Information and Copies

For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigation – Hotline
                400 Seventh Street, S.W.
                Washington, DC 20024

