Federal Housing Finance Agency Office of Inspector General
FHFA Oversight of Freddie Mac’s Information Technology Investments
Audit Report AUD-2014-017
September 25, 2014

TO: Nina Nichols, Deputy Director for Enterprise Regulation
FROM: Russell A. Rau, Deputy Inspector General for Audits
SUBJECT: FHFA Oversight of Freddie Mac’s Information Technology Investments

Summary

Freddie Mac annually makes substantial investments to maintain and improve its information technology (IT) infrastructure, which is vital to its mission of helping to provide liquidity, stability, and affordability in the nation’s housing market. In fact, Freddie Mac maintains an IT investment portfolio of over 250 individual projects.1 Large organizations making such substantial investments in IT should ensure that each investment decision is subjected to careful scrutiny to ensure, among other things, that the investment’s risks and returns have been evaluated and are understood; it aligns with the organization’s mission; it continues to meet mission needs at the expected levels of cost and risk; and its impact on mission performance is evaluated. In order to effectively scrutinize their investments, federal and industry organizations implement and enforce IT investment management processes.

1 An IT investment portfolio is the combination of all IT assets, resources, and investments owned or planned by an organization in order to achieve its mission and strategic goals and objectives.

As conservator of Freddie Mac, FHFA is charged with preserving and conserving Freddie Mac’s assets and has broad responsibility for managing the Enterprise’s activities to fulfill its mission.2 FHFA fulfills this obligation in part through the exercise of its delegations of authority to review and approve Freddie Mac’s business decisions, and to review key documents, such as Freddie Mac’s annual operating budget. FHFA requires that Freddie Mac’s systems provide relevant, accurate, and timely information that is secure and supported by contingency arrangements.3 FHFA, under its supervisory and regulatory authorities regarding Freddie Mac, has a continuous examination program that encompasses Freddie Mac’s IT infrastructure.

2 FHFA was appointed conservator for Freddie Mac in September 2008.
3 12 CFR Part 1236, Appendix—“Prudential Management and Operational Standards.”

FHFA’s Office of Inspector General (OIG) conducted this audit to evaluate FHFA’s oversight of Freddie Mac’s IT investment management processes. Overall, OIG concluded that FHFA could improve its oversight of IT investments at Freddie Mac. Meeting Enterprise-wide business and user needs in a cost-effective and risk-based method can be enhanced by: (1) determining through examination whether Freddie Mac has implemented and is enforcing an effective IT investment management process; (2) issuing guidance on required objectives and controls in IT investment management processes, particularly at the portfolio level; and (3) evaluating whether currently utilized Freddie Mac reports provide the information necessary to conduct effective supervisory monitoring of Freddie Mac’s portfolio of IT investments.

As conservator, FHFA approves Freddie Mac’s annual operating budget but does not specifically review and approve the IT component of the budget, or review and approve individual IT projects unless an investment would constitute a significant change to Freddie Mac’s operations.
Thus, supervisory review of Freddie Mac’s entire IT investment management process is even more important to protect FHFA’s interests as there is no corresponding conservatorship control to assess IT investments at the portfolio level. As a result, FHFA has limited assurance that Freddie Mac has implemented and enforces effective IT investment management practices and processes. Accordingly, OIG made recommendations to strengthen FHFA oversight, and the Agency generally agreed. Refer to Appendix B for the Agency’s comments and Appendix C for OIG’s evaluation of those comments.

Background

Fannie Mae and Freddie Mac are federally chartered to provide stability and liquidity in the home mortgage loan market. On July 30, 2008, the Housing and Economic Recovery Act of 2008 established FHFA as the Enterprises’ regulator. Among its responsibilities, the Agency oversees their safety and soundness, supervises their support of housing finance and affordable housing goals, and facilitates a stable and liquid mortgage market. On September 6, 2008, FHFA became the Enterprises’ conservator to help protect them—and therefore the wider financial market—from collapse. As conservator, FHFA is charged with preserving and conserving Enterprise assets, ensuring their focus on the housing mission, and preparing for the future of the housing market. Through supervision and regulation, FHFA helps to ensure that the Enterprises are operating in a safe and sound manner so that they can serve as a reliable source of liquidity and funding for housing finance and community investment.

Freddie Mac is making substantial investments in IT in order to better support its operations and reduce risk. As reported in its 2013 annual financial statements, Freddie Mac recently completed a 3-year multimillion dollar project to move key legacy applications and infrastructure to more current technology.
It is making investments to maintain technology, to standardize its technology portfolio, and to focus on emerging information security risks.4 These investments are deemed by FHFA to be critical to Freddie Mac’s safety and soundness.

4 Federal Home Loan Mortgage Corporation, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934, for the fiscal year ended December 31, 2013, http://www.freddiemac.com/investors/er/pdf/10k_022714.pdf. Accessed on July 30, 2014.

A strong IT investment management process is critical to an organization such as Freddie Mac that is making such large IT investments.5 The process should help ensure that decisions on major IT expenditures are required and cost-effective, and that the investments, once funded, are regularly monitored and managed. Research suggests that the quality of investment decisions for IT projects can have a dramatic effect on an organization. One study published by the Massachusetts Institute of Technology found that investment in IT had a greater impact on an organization’s profitability than investments in advertising or research and development.6 Another study found that economic and competitive pressures can compel organizations to cut costs and force them to scrutinize their IT operating and capital budgets more carefully, thereby making correct IT investment decisions economic and competitive necessities. Further, failure in IT projects is partly attributable to a lack of solid management tools for evaluating, prioritizing, monitoring, and controlling IT investments.7 Federal agencies are required by the Clinger-Cohen Act to establish IT investment and capital planning processes and performance management.8 Additionally, the Office of Management and Budget has issued related directives and guidance.

5 IT investment is defined as the expenditure of resources on selected information technology or IT-related initiatives. The expectation is that the benefits from the expenditure will exceed the value of the resources expended.
6 Sunil Mithas et al., The Impact of IT Investments on Profits, MIT Sloan Management Review (Spring 2012), http://sloanreview.mit.edu/article/the-impact-of-it-investments-on-profits/. Accessed July 29, 2014.
7 A. Gunasekaran et al., A Model for Investment Justification in Information Technology Projects, International Journal of Information Management, at 349-64 (2001), http://www.umassd.edu/media/umassdartmouth/businessinnovationresearchcenter/publications/it_justification.pdf. Accessed July 28, 2014.
8 The Clinger-Cohen Act (also known as the “Information Technology Management Reform Act of 1996”), Pub. L. 104-106, Division E, codified at 40 U.S.C. Chapter 25.

The Government Accountability Office (GAO) developed the IT Investment Management Maturity (ITIM) framework around the select/control/evaluate approach described in Clinger-Cohen.9 It provides a systematic method for federal agencies to minimize risk while maximizing the returns of IT investments. ITIM identifies and organizes processes critical for successful IT investment as an organization’s IT systems mature, which offers agencies a way to evaluate and assess how well they are selecting and managing their IT resources. GAO framed ITIM in terms of five stages of maturity, as shown in Figure 1.

9 GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (March 1, 2004), http://www.gao.gov/products/GAO-04-394G. Accessed July 29, 2014.

FIGURE 1: The Five Stages of Maturity within the ITIM Framework

Enterprise and Strategic Focus:

STAGE 5: Leveraging IT for strategic outcomes. The organization has mastered the selection, control, and evaluation processes and now seeks to shape its strategic outcomes by benchmarking its IT investment processes relative to other “best-in-class” organizations.

STAGE 4: Improving the investment process. The organization is focused on evaluation techniques to improve its IT investment processes and portfolio(s) while maintaining mature selection and control techniques.

STAGE 3: Developing a complete investment portfolio. The organization has developed a well-defined IT investment portfolio, using an investment process that has sound selection criteria and maintains mature, evolving, and integrated selection, control, and evaluation processes.

Project-Centric Focus:

STAGE 2: Building the investment foundation. Basic selection capabilities are being driven by the development of project selection criteria, including benefit and risk criteria, and an awareness of organizational priorities when identifying projects for funding. Executive oversight is applied on a project-by-project basis.

STAGE 1: Creating investment awareness. Ad hoc, unstructured, and unpredictable investment processes characterize this stage. There is generally little relationship between the success or failure of one project and the success or failure of another project.

Source: GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (March 1, 2004).

GAO defines the fundamental phases of the IT investment approach as follows:10

SELECT PHASE – the organization (1) identifies and analyzes each project’s risks and returns before committing significant funds to any project, and (2) selects those IT projects that will best support its mission needs. This process should be repeated each time funds are allocated to projects, reselecting even ongoing investments as described below.
10 Id., at 8-9. Accessed July 30, 2014.

CONTROL PHASE – the organization ensures that as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk. If the project is not meeting expectations or if problems have arisen, steps are quickly taken to address the deficiencies. If mission needs have changed, the organization is able to adjust its objectives for the project and appropriately modify expected project outcomes.

EVALUATE PHASE – actual versus expected results are compared after a project has been fully implemented. This is done to (1) assess the project’s impact on mission performance, (2) identify any changes or modifications to the project that may be needed, and (3) revise the investment management process based on lessons learned.

The investment process does not end with the evaluation phase. A project can be active concurrently in more than one phase of the select/control/evaluate model. After a project has been designated for initial funding in the select phase, it becomes the subject of evaluation throughout the control phase for the purposes of reselection. Reselection is an ongoing process that continues for as long as a project is receiving funding. If a project is not meeting the goals and objectives that were originally established when it was selected, or if the goals have been modified to reflect changes in mission objectives—and corrective actions are not succeeding—a decision must be made on whether to continue to fund the project. Ultimately, “deselection” can be one of the most difficult steps to implement, but it is necessary if funds can be better utilized elsewhere. Once projects are operating and being maintained, they remain under constant review for reselection.
In addition to GAO’s ITIM, other IT investment management methodologies are used in the industry as they are considered best practices. Freddie Mac is not legally bound by all the laws and federal guidance for managing IT investments that relate to federal entities, and may choose to follow commercial IT investment management best practices. Regardless, FHFA, as the conservator and regulator of Freddie Mac, is responsible for ensuring that the Enterprises use safe and sound practices to achieve efficiency and minimize losses on its operations. As such, FHFA should recognize that IT investment management is a best practice that should be used by Freddie Mac, given its current and planned IT expenditures.

Freddie Mac’s IT Budget and Expenditures

Freddie Mac has acknowledged the need to improve its IT systems. For example, in its 2013 financial statements, Freddie Mac stated that its primary business processing and financial accounting systems lack sufficient flexibility to handle all the complexities of, and changes in, business transactions and related accounting policies and methods. This requires Freddie Mac to rely more extensively on spreadsheets and other end-user computing systems that could have a higher risk of operational failure and error. Freddie Mac’s planned IT expenditures over three years are expected to exceed $1 billion. In 2013, Freddie Mac officials stated that its current year expenditures support over 250 projects that align with its corporate strategic plan. Figure 2 shows the growth of Freddie Mac’s IT budget and expenditures since 2011.

FIGURE 2: Freddie Mac IT Expenditures 2011-2014 – Budget to Actual ($ Millions)
[Bar chart comparing IT Budget and IT Actual for 2011, 2012, 2013, and 2014; the vertical axis runs from $0 to $600 million. The values labeled on the bars, in $ millions, are 533, 483, 452, 422, 370, 378, and 372.]
Source: Freddie Mac

Freddie Mac’s IT projects result from both internal needs and those mandated by FHFA and others.
However, according to FHFA officials, the Agency does not generally review and approve individual IT projects.

Some of Freddie Mac’s projects have experienced significant cost increases. For example, one IT-related project under way is intended to address safety and soundness issues identified in an FHFA examination. In May 2013, Freddie Mac requested conservator approval to invest $198 million in this project over approximately five years. FHFA determined that approval of the IT project was within Freddie Mac’s delegated authority and did not review or render a decision on the project. Within six months of the request to FHFA, Freddie Mac recognized the need for a significant scope change that resulted in the need to allocate additional funding. This large, near-term scope modification calls into question the reasonableness of the initial and remaining cost, schedule, and performance parameters. In September 2013, Freddie Mac again requested FHFA approval, this time for the additional funding needed to address the scope change. However, FHFA did not review the project or render a decision. As such, FHFA did not assess the justification for the additional expenditures or the risk of future delays and cost increases given that over four years remained to complete the project. Freddie Mac has also reported other instances of cost overruns on IT projects.

Given the level of delegation to the Enterprise, FHFA should ensure that Freddie Mac utilizes an effective process to manage its IT investments and that those investments achieve the best value for the Enterprise in fulfilling its mission. An effective ITIM process adds confidence that a proposed investment’s risks and returns have been evaluated using qualitative and quantitative measures, that controls are in place to ensure that the project continues to meet mission needs at the expected levels of cost and risk, and that adequate funds and resources are available for project success.
Conservator Review of Freddie Mac’s Budget

In 2008, FHFA issued instructions11 to Freddie Mac’s Board of Directors and senior management detailing operational activities that require conservator approval versus those that require conservator notification.12 As detailed in its instructions, FHFA approves Freddie Mac’s annual operating budget, but Freddie Mac is only required to notify FHFA of any significant changes (i.e., increases) to its annual budget. The Agency typically does not view changes in Freddie Mac’s budget as an item that requires Conservator approval; the Agency considers budget changes to be operational in nature and within Freddie Mac’s delegated authority to approve. Further, the Agency does not separately approve components of Freddie Mac’s operating budget, including IT. Lastly, the Agency would only consider review of budget adjustments related to a significant change to Freddie Mac’s operations per its instructions or if Freddie Mac requests FHFA’s review.

Separately, FHFA issues an annual conservatorship scorecard, which outlines specific objectives and milestones that Freddie Mac must achieve as part of its operations.13 Within these objectives are supporting investments, which may have underlying IT components that are monitored by FHFA’s Office of Strategic Initiatives (OSI). On a quarterly basis, OSI assesses Freddie Mac’s progress in achieving the conservatorship scorecard objectives and milestones, which includes the assessment of any IT investments that support scorecard objectives. OSI does not, however, assess Freddie Mac’s progress in meeting objectives and milestones for its non-scorecard-related projects.
Freddie Mac expended 21% of its IT budget for scorecard-related projects that were monitored by OSI and expended the remaining 79% on IT for non-scorecard-related projects, which were not specifically monitored at a project level by OSI.14

11 In November 2008, FHFA issued an order to Freddie Mac outlining functions, responsibilities, and authorities of its Board of Directors. FHFA also issued a Letter of Instruction to the Board elaborating on the order and providing direction regarding implementation. In November 2012, FHFA issued a document holding its original orders in place, while revising and replacing the November 2008 Letter of Instruction in light of experience and practice under the conservatorship. The revised document provided greater specificity on the respective roles and responsibilities of FHFA, the Board, and management in relation to the conservatorship.
12 For notification, FHFA requires that Freddie Mac timely inform the Agency of any planned changes in its business processes or operations.
13 The most current scorecard is contained in FHFA’s 2014 Scorecard for Fannie Mae, Freddie Mac and Common Securitization Solutions (May 2014).
14 According to Freddie Mac officials, the Enterprise conducts periodic meetings with other offices within FHFA regarding its overall IT operations, which may at times include discussions about the status of individual IT projects.

Supervisory and Regulatory Oversight of Freddie Mac’s IT Investment Management Process

The Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended, grants FHFA supervisory and oversight responsibilities for the Enterprises.15 FHFA is required, by statute, to examine Freddie Mac at least annually to ensure its safety and soundness. FHFA may also conduct targeted examinations, ongoing monitoring, or compliance reviews, as part of its supervision and oversight. FHFA’s Division of Enterprise Regulation (DER) is responsible for these supervisory and regulatory duties. In addition, FHFA issues formal guidance to Freddie Mac in the form of advisory bulletins designed to communicate guidance, including IT, and to help achieve mission-critical goals and objectives.

15 Public Law No. 102-550.

FHFA’s examination program uses a risk-based approach to determine which supervisory activities it will employ to assess the Enterprises’ safety and soundness. Beginning in 2010, FHFA determined that Freddie Mac’s IT governance infrastructure represented significant risk to its operations.16 In fact, in its 2013 Report to Congress (June 13, 2014), FHFA concluded that additional Freddie Mac management attention was required related to operational risk, including information technology, to reduce the risk profile to acceptable levels. As such, FHFA conducted ongoing monitoring procedures that identified several weaknesses in Freddie Mac’s IT governance processes. FHFA considered these weaknesses to be of “critical concern,” which prompted two subsequent targeted examinations and a special review in addition to continued ongoing monitoring.

16 IT governance includes the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. Organizations need a strong governance model in place to align IT investments with business requirements. In contrast, ITIM is an integrated process (framework) focused on achieving desired business outcomes through the continuous selection, control, and evaluation of IT initiatives. The establishment of an IT governance structure is one of several processes that make up a successful ITIM framework.

Finding: Additional Supervisory Review and Guidance is Needed to Determine Whether Freddie Mac Has Implemented a Complete and Effective IT Investment Management Process

FHFA has not determined through examination or other activity whether Freddie Mac has implemented a complete and effective IT investment management process. Further, FHFA has not issued formal requirements or guidance to Freddie Mac on IT investment management. FHFA examination efforts and recent guidance focused on project-level controls for IT systems and did not address portfolio-level controls, such as aligning IT investment with strategic goals and developing an overall IT infrastructure to support current and planned business operations. Additional focus on these areas can help strengthen the management of IT investments.

Lack of Comprehensive Assessment of IT Investment Management Process

Between 2010 and 2013, FHFA conducted two examinations, a supervisory review, and ongoing monitoring that assessed Freddie Mac’s IT governance structure (including Board and committee responsibilities, and executive reporting) and its IT project management processes. According to FHFA officials, the Agency focused on Freddie Mac’s IT governance because it presented a critical concern to Freddie Mac’s IT operations.17 Specifically, Freddie Mac’s IT infrastructure (policy, procedures, and senior management) was evolving as it went through four reorganizations. As a result, FHFA’s examinations and review understandably focused on Freddie Mac’s IT governance issues.

17 In 2010, FHFA examiners found that the governance and control framework for Freddie Mac’s IT infrastructure was inadequate. The existing governance and control framework lacked policy and controls needed to sustain and operate an adequate IT environment.
While assessing Freddie Mac’s IT governance, FHFA’s examiners also observed that Freddie Mac was experiencing other increased IT operational risks, such as issues with outdated systems, inadequate funding of existing projects, and the cancellation of an IT project after a significant outlay of resources over multiple years. From 2010-2012, Freddie Mac spent over $200 million on a company-wide initiative to enhance its current business processes and address outdated infrastructure issues. However, the project was not completed, and during 2012, portions of the initiative were either cancelled with no benefit to Freddie Mac or broken out into smaller projects. Although FHFA issued three Matters Requiring Attention (MRAs) regarding Freddie Mac’s IT infrastructure (outdated systems, IT governance and budget allocation) in 2010, FHFA did not adjust its supervisory approach to identify the underlying causes of this project’s failure (e.g., what critical processes of ITIM had not been implemented or were ineffective). As noted above, research suggests that IT project failures and increased project costs can be partially attributed to a lack of solid management tools for evaluating, prioritizing, monitoring, and controlling IT investments from a portfolio perspective.

Although FHFA did not adjust its examination plan, OIG noted that FHFA’s examinations and special review assessed some of the critical processes of an effective ITIM framework.18 Appendix A contains the results of the OIG analysis. However, FHFA’s supervisory strategy from August 2010 through December 2013 did not include an overall assessment of whether Freddie Mac has implemented a complete and effective IT investment management framework.
18 OIG analyzed FHFA’s two examinations and a special review to determine which, if any, of the critical processes of ITIM were covered in the examination/review. OIG used GAO’s ITIM framework as the basis for evaluating FHFA’s supervision of Freddie Mac’s IT investment process.

Without assessing the existence and effectiveness of critical ITIM processes, FHFA is unable to determine the level of maturity of Freddie Mac’s ITIM framework, identify weaknesses or risks that could negatively impact Freddie Mac’s IT budget and operations, or offer recommendations for improvement. As a result, Freddie Mac’s current and future planned IT projects may experience uncertainty regarding requirements, escalating costs, slippages in project schedules, and inconsistent project outcomes.

Formal IT Investment Management Guidance Not Issued to Freddie Mac

FHFA has not published formal requirements or guidance specifically governing Enterprise IT investment management. FHFA is authorized to issue prudential management and operations standards under the Federal Housing Enterprises Financial Safety and Soundness Act, as well as provide direction to the Enterprises through various other authorities.19 Such guidance is essential for the Enterprises to use in managing investments in their overall portfolio of IT systems as well as developing and maintaining individual information systems. Additionally, the guidance is needed as part of the Agency’s Information Technology Risk Management Program already provided to FHFA examiners to assess those investment programs. For example, the Federal Financial Institution Examination Council (FFIEC) has published the Information Technology Examination Handbook to guide examiners in the performance of examinations of financial institutions in such critical areas as the development and acquisition of new systems.20

19 12 U.S.C. 4513.

In one section of the FFIEC guidance concerning planning for IT operations and investment, it states:

Financial institution boards and management should implement an IT planning process that:
- Aligns IT with the corporate-wide strategic plan;
- Aligns IT strategically and operationally with business units;
- Maintains an IT infrastructure to support current and planned business operations;
- Integrates IT spending into the budgeting process and weighs direct and indirect benefits against the total cost of ownership of the technology; and
- Ensures the identification and assessment of risk before changes or new investment in technology.

This guidance addresses the portfolio-level issue that should be considered in the management of information technology, such as overall portfolio alignment with strategic objectives. Another key aspect of IT investment management is measuring and monitoring performance. Again, FFIEC has laid out examination guidance for outcome-based measurement, establishment of performance benchmarks, and quality control functions in the IT environment. As such, the FFIEC guidance captures important responsibilities associated with IT investment management. Since FHFA has not issued similar portfolio-level guidance regarding Freddie Mac’s IT investment portfolio, it is challenged to determine whether Freddie Mac has implemented an effective ITIM process. Other parts of the FFIEC guidance address project-level development.
To its credit, in late 2013, FHFA issued its FHFA Examination Manual that includes a section entitled “Information Technology Risk Management Program.” The section addresses project-level development activities, stating that the Enterprises must have clearly identified project management methodologies that are commensurate with a project’s characteristics and risks. According to FHFA’s guidance, project management methodologies should include:

1. Management sponsorship and commitment;
2. Project plans;
3. Definitions of project requirements and expectations;
4. Project management standards and procedures;
5. Quality assurance and risk management standards and procedures;
6. Definitions of project roles and responsibilities;
7. Approval authorities and procedures;
8. Involvement by all affected parties;
9. Project communication techniques; and
10. Validation of project execution.

20 FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau, and to make recommendations to promote uniformity in the supervision of financial institutions.

In OIG’s opinion, FHFA’s project-level guidance in its Information Technology Risk Management Program could readily be supplemented with portfolio-level guidance on Enterprise-wide IT investment management. Such guidance would help ensure FHFA can place some level of reliance on Freddie Mac’s process given the delegations in place.
Incomplete Evaluation of Investment Information Provided by Freddie Mac

According to GAO, an organization must be able to acquire pertinent information (e.g., project owner, project category, current life cycle phase, costs to date, and anticipated costs) about each IT project in its portfolio and store that information in a retrievable format (i.e., a report) to be used in future investment decisions. The same information should be useful to FHFA examiners in evaluating and monitoring Freddie Mac’s IT investments.

FHFA’s examination and ongoing monitoring procedures require that examiners review multiple reports and other artifacts that support Freddie Mac’s IT budget and projects. One of the primary reports used by FHFA examiners to monitor Freddie Mac’s IT operations is the monthly IT Monthly Management Report (MMR). According to Freddie Mac officials, the intent and purpose of the IT MMR is not to provide a comprehensive update on all IT projects, but rather an executive rollup view of top programs or projects and their current status. OIG found that the IT MMR does not contain all of the pertinent information recommended by GAO. In fact, the IT MMR provides current-year budget information and project end dates for only 16 IT projects (budgeted to cost approximately $102 million). For example, the IT MMR did not provide details regarding the Multifamily Pricing and Securitization Platform program, such as the original budget, number of missed milestones, and what actions, if any, were taken by Freddie Mac to address issues associated with this program. Alternatively, the Enterprise Initiatives Report, a newly developed internal Freddie Mac report, provides information on Freddie Mac’s current portfolio of over 250 projects. However, this report, just like the IT MMR, only provides current-year budgeted costs for those projects.
Given its reliance on Freddie Mac documentation to evaluate the Enterprise’s operations, FHFA should assess whether enough information is provided in the IT MMR or other IT project reports (i.e., the Enterprise Initiatives Report) to conduct its ongoing monitoring activities of Freddie Mac’s IT investment process and portfolio of IT projects.

FHFA confirmed that its examiners had not evaluated the accuracy of information contained in the IT MMR or the methodology by which Freddie Mac selected the IT projects presented in the report. Without accurate, complete, and relevant portfolio and project-level data, FHFA loses the ability to timely identify and question the status of troubled, over-budget, and/or underperforming IT investments. Information contained in the MMR does not allow FHFA to determine whether Freddie Mac is addressing troubled investments in a timely manner, or whether a troubled investment will continue to provide its initially determined value.

An effective ITIM process adds confidence that a proposed investment’s risks and returns have been evaluated using qualitative and quantitative measures, that controls are in place to ensure that the project continues to meet mission needs at the expected levels of cost and risk, and that adequate funds and resources are available for its success. FHFA has the responsibility to ensure that Freddie Mac utilizes safe and sound practices, such as ITIM, to manage its IT investments.

Recommendations

OIG recommends that FHFA:

1. Conduct a comprehensive examination to determine whether Freddie Mac has implemented and enforces an effective information technology investment management process.
2. Develop and issue Enterprise information technology investment management guidance.
3. Evaluate whether Freddie Mac reports currently used by FHFA examiners provide the information necessary to conduct effective supervisory monitoring of Freddie Mac’s portfolio of IT investments.

Objective, Scope, and Methodology

The overall objective of this audit was to assess FHFA’s oversight of Freddie Mac’s IT investment management process. Specifically, OIG sought to review the extent and effectiveness of FHFA’s oversight of Freddie Mac’s ITIM processes. In order to accomplish this objective, OIG:

- Researched ITIM federal laws and regulations and best practices used in both the federal government and private industry;
- Interviewed FHFA officials from the Division of Conservatorship Operations and DER;
- Interviewed Freddie Mac Budget and Financial Planning and Enterprise Risk Management personnel;
- Obtained documentation from FHFA staff in DER and the Office of Conservatorship Operations about the Agency’s oversight, supervision, and guidance of Freddie Mac’s IT investment;
- Obtained documentation from Freddie Mac staff in the Budget and Financial Planning Group within the Division of Finance;
- Analyzed FHFA supervisory activities regarding IT governance;
- Discussed potential fraud issues with FHFA; and
- Assessed internal control within FHFA’s oversight process.

OIG did not review and is not expressing an opinion on Freddie Mac’s IT investment management processes. OIG conducted work for this audit from January 2014 through June 2014 at FHFA’s headquarters in Washington, D.C., and Freddie Mac’s corporate offices in McLean, VA. OIG conducted its audit in accordance with generally accepted government auditing standards. Those standards require that OIG plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions based on the audit objective.
OIG believes that the evidence obtained provides a reasonable basis for the findings and conclusions included herein, based on the audit objective. OIG considers its findings to be significant in the context of the audit objective.

OIG appreciates the cooperation of everyone who contributed to this audit, including officials at FHFA and Freddie Mac. This audit was led by Brent Melson, Audit Director, who was assisted by Joseph Nelson, Audit Manager, Joi Neal, Senior Auditor, and Andrew Gegor, Senior Auditor.

cc: Melvin L. Watt, Director
Eric Stein, Chief of Staff
Larry Stauffer, Acting Chief Operating Officer
Robert Ryan, Special Advisor
Mark Kinsey, Chief Financial Officer
John Major, Internal Controls and Audit Follow-up Manager

Appendix

Appendix A: OIG’s Analysis of FHFA’s Supervision Activities
Appendix B: FHFA’s Comments
Appendix C: OIG’s Response to FHFA’s Comments
Appendix D: Summary of Management’s Comments on the Recommendations

Appendix A
OIG’s Analysis of FHFA’s Supervision Activities

The results of OIG’s analysis of FHFA’s supervision are detailed below (columns: August 2010 Ongoing Monitoring; July 2011 Targeted Examination; August 2012 Targeted Examination; August 2013 Supervisory Review):

ITIM Critical Process | Aug. 2010 Ongoing Monitoring | Jul. 2011 Targeted Examination | Aug. 2012 Targeted Examination | Aug. 2013 Supervisory Review
IT Strategic Planning21 | Not Addressed | Evaluated | Not Addressed | Not Addressed
Instituting Investment Board/Committees | Evaluated | Evaluated | Not Addressed | Not Addressed
Establishing Investment Management Standards (meeting business needs) | Not Addressed | Not Addressed | Not Addressed | Partially Evaluated
Selection of IT Investment | Not Addressed | Not Addressed | Not Addressed | Not Addressed
Capturing Investment Information (Data and Reporting) | Not Addressed | Partially Evaluated | Partially Evaluated | Partially Evaluated
Investment Oversight | Evaluated in two activities and Partially Evaluated in the other two (the column assignment did not survive extraction of the original table)
Defining the Investment Portfolio | Not Addressed | Not Addressed | Not Addressed | Not Addressed
Creating the Investment Portfolio | Not Addressed | Not Addressed | Not Addressed | Not Addressed
Evaluating the Investment Portfolio | Partially Evaluated | Not Addressed | Not Addressed | Not Addressed
Conducting Post-Implementation (Quality Assurance Reviews) | Not Addressed | Not Addressed | Not Addressed | Not Addressed

OIG used GAO’s ITIM Framework as the basis for evaluating FHFA’s supervision of Freddie Mac’s IT investment processes. OIG determined that Freddie Mac’s IT investment processes mirror Stage 2, “Building the Investment Foundation,” and Stage 3, “Developing a Complete Investment Portfolio.” OIG recognizes that in addition to Stages 2 and 3, Freddie Mac may be implementing additional critical processes associated with higher maturity stages in GAO’s framework.

21 GAO’s ITIM Framework does not evaluate an organization’s strategic planning process. However, OIG, recognizing the importance of strategic planning in determining the selection of IT projects, used it as a critical process in reviewing FHFA’s examination activities.

Appendix B
FHFA’s Comments

Appendix C
OIG’s Response to FHFA’s Comments

On September 12, 2014, FHFA provided comments to a draft of this report, mostly agreeing with OIG’s recommendations and identifying specific actions to address them. FHFA partially agreed with recommendation 1 and agreed with recommendations 2 and 3.

FHFA partially agreed with Recommendation 1 and will include a review of Freddie Mac's IT investment management process in its 2015 examination activities.
FHFA stated that the timing and nature of examination work to be performed by its examiners over Freddie Mac’s IT investment process will be determined by its risk-based annual supervision planning process. OIG considers FHFA’s response to recommendation 1 to be sufficient to resolve the recommendation. However, the recommendation will remain open until OIG reviews both the 2015 examination planning documentation and related supervision activities executed over Freddie Mac’s IT investment management process.

FHFA agreed with Recommendation 2 and will issue an advisory bulletin by September 30, 2015, that communicates the supervisory expectation regarding information technology investment management at both Enterprises.

FHFA also agreed with Recommendation 3. By September 30, 2015, FHFA will evaluate the reports, data, and other information provided by Freddie Mac and the use of these items by FHFA examiners in assessing Freddie Mac’s management of its information technology resources and its ability to meet business needs.

OIG considers the planned actions sufficient to resolve these recommendations, which will remain open until OIG determines that the agreed-upon corrective actions are completed. OIG considered the Agency’s full response (attached as Appendix B) along with technical comments in finalizing this report. Appendix D provides a summary of management’s comments on the recommendations and the status of agreed-upon corrective actions.

Appendix D
Summary of Management’s Comments on the Recommendations

This table presents management’s response to the recommendations in OIG’s report and the status of the recommendations as of when the report was issued.

Rec. No. | Corrective Action: Taken or Planned | Expected Completion Date | Monetary Benefits ($ Millions) | Resolved: Yes or No a | Open or Closed b
1. | FHFA will include a review of Freddie Mac’s IT investment management process in its 2015 examination activities. | 1/15/2015 | $0 | Yes | Open
2. | FHFA will issue an Advisory Bulletin that articulates supervisory expectations for information technology investment management by the Enterprises. | 9/30/2015 | $0 | Yes | Open
3. | FHFA will review the reports, data, and information provided to FHFA examiners by Freddie Mac and the use of these reports by examiners in assessing how effectively Freddie Mac manages its information technology resources and meets Enterprise-wide information needs. | 9/30/2015 | $0 | Yes | Open
Total | | | $0 | |

a Resolved means: (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation; or (3) Management agrees to the OIG monetary benefits, a different amount, or no amount ($0). Monetary benefits are considered resolved as long as management provides an amount.

b Once OIG determines that the agreed-upon corrective actions have been completed and are responsive, the recommendations can be closed.

Additional Information and Copies

For additional copies of this report:
Call: 202-730-0880
Fax: 202-318-0239
Visit: www.fhfaoig.gov

To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or noncriminal misconduct relative to FHFA’s programs or operations:
Call: 1-800-793-7724
Fax: 202-318-0358
Visit: www.fhfaoig.gov/ReportFraud
Write: FHFA Office of Inspector General, Attn: Office of Investigation – Hotline, 400 Seventh Street, S.W., Washington, DC 20024