oversight

FHFA's Supervisory Planning Process for the Enterprises: Roughly Half of FHFA's 2014 and 2015 High-Priority Planned Targeted Examinations Did Not Trace to Risk Assessments and Most High-Priority Planned Examinations Were Not Completed

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-09-30.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

           Federal Housing Finance Agency
               Office of Inspector General




FHFA’s Supervisory Planning Process
         for the Enterprises:
Roughly Half of FHFA’s 2014 and 2015
   High-Priority Planned Targeted
   Examinations Did Not Trace to
     Risk Assessments and Most
 High-Priority Planned Examinations
        Were Not Completed




 Audit Report  AUD-2016-005  September 30, 2016
                Executive Summary
                The Federal Housing Finance Agency (FHFA or the Agency) is responsible
                for, among other things, ensuring that the Federal National Mortgage
                Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation
                (Freddie Mac) (together, the Enterprises) operate in a safe and sound manner.

AUD-2016-005    Like other federal financial regulators, FHFA maintains that it uses a risk-
                based approach for its supervisory activities. Supervision by risk requires a
September 30,   comprehensive, risk-focused view of each regulated entity so that supervisory
    2016        activities can be tailored to the risks with the highest supervisory concerns.
                According to FHFA’s Examination Manual, risk assessments provide the
                critical foundation for developing annual supervisory plans for the entities
                it regulates. FHFA examiners are then able to leverage their resources by
                focusing their supervisory activities around the risks identified as posing the
                highest supervisory concerns in the risk assessments.

                FHFA’s Division of Enterprise Regulation (DER) is responsible for the
                supervision of the Enterprises. Led by an Examiner-in-Charge (EIC), a core
                team of DER examiners is assigned to conduct supervisory activities for
                each Enterprise. Each DER core team prepares a number of semiannual risk
                assessments for each Enterprise that, according to FHFA, should reflect an
                updated view of risk based upon supervisory activities conducted in the first
                half of the year and potentially other changes in risk caused by the external
                environment. Using these risk assessments, each DER core team should
                develop an annual supervisory plan for the respective Enterprise. The annual
                supervisory plan identifies all planned supervisory activities – ongoing
                monitoring and targeted examinations – of selected areas of high importance
                or risk.

                The FHFA Office of Inspector General’s (OIG) February 2016 Audit and
                Evaluation Plan identified FHFA’s supervision of its regulated entities as
                a significant risk area. Earlier this year, we compared the risk assessment
                requirements and guidance from three mature federal financial regulators to
                FHFA’s requirements and guidance and found that FHFA fell short of the
                standards used by other federal financial regulators. Among other things, we
                showed that FHFA’s “loosely defined parameters lack standardized measures
                of risks,” “do not define the risk measures that examiners must use,” and “do
                not require examiners to use a common format and common, defined measures
                of risk.” We further found:

                       [t]he absence of minimum required standards for risk
                       assessments combined with the broad discretion granted to
                       examiners-in-charge and exam managers to select and define
                       risk measures has resulted in a lack of consistency in defining
                       significant risks and identifying supervisory concerns in risk
                       assessments for an Enterprise over a period of years. The
                       significant variability in risk assessments for an Enterprise limits
                       their utility in development of a risk-based supervisory plan.

                In response to our recommendations to improve the preparation of risk
AUD-2016-005    assessments, DER issued internal guidance in May 2016 to improve
                consistency of definitions and use of key terms and risk measures and
September 30,   prescribed specific documentation and approval requirements to apply to mid-
    2016        year risk assessments. Further, FHFA senior leadership recently explained to
                us that FHFA plans to assess the effectiveness of the enhanced risk assessment
                procedures in the first quarter of 2017 before mid-year risk assessments for
                2017 are prepared.

                Beginning in October 2015, significantly prior to the issuance of DER’s
                internal guidance, we decided to build upon our evaluation work by conducting
                this audit to determine whether DER (1) supported its 2014 and 2015 high-
                priority planned targeted examinations identified in its annual supervisory
                plans with risk assessments and completed those planned high-priority
                examinations; (2) performed its planned targeted examinations for Fannie Mae
                from 2012 through 2015 and, if it did not, whether FHFA documented the
                deviations from its plan in accordance with policies and procedures; and
                (3) performed its planned targeted examinations for Freddie Mac from 2012
                through 2015 and, if it did not, whether FHFA documented the deviations
                from its plan in accordance with policies and procedures. We are issuing three
                reports from this audit today.

                This report, the first of three, analyzes whether the high-priority planned
                targeted examinations identified by DER in its annual supervisory plans for
                2014 and 2015 for each Enterprise were supported by risk assessments and
                whether those planned high-priority targeted examinations were completed.
                We found that 61 high-priority targeted examinations were planned for the
                Enterprises for 2014 and 2015. Of these, we were able to trace 32 to different
                DER risk assessments but were unable to trace the remaining 29, almost half
                of the total, to specific risks described in the underlying risk assessments. We
                asked the then-current EIC for each Enterprise to explain the reason that each
                high-priority planned targeted examination identified in the annual supervisory
                plans could not be traced to an underlying risk assessment. The EICs reported
                that they relied on information received from other sources in DER, FHFA
                employees outside of DER, and sources outside of FHFA, in addition to risk
                assessments to develop the annual supervisory plan for the Enterprise;
                however, neither EIC updated the risk assessments, as required by FHFA.
                Of the 61 high-priority targeted examinations planned for the 2014 and 2015
                supervisory cycles, DER examiners completed only 25 (41 percent) by
                June 17, 2016, when our fieldwork ended. Put another way, more than half
                of the planned high-priority examinations that FHFA identified as the highest
                risks to the Enterprises, were not completed. For the remaining 36 (59 percent)
                high-priority targeted examinations planned for those two years: 21 were not
                conducted (the examinations were either converted to ongoing monitoring,
AUD-2016-005    cancelled, or deferred), 8 were commenced but not completed, and DER
                did not provide any documentation for us to determine the disposition of the
September 30,
                other 7.
    2016
                Our review of DER’s documentation found that, as of the end of our fieldwork,
                DER did not conduct, commenced but did not complete, or failed to provide
                documentation to show what, if anything, was done for 36 planned high-
                priority targeted examinations, while DER examiners completed 6 medium-
                priority planned targeted examinations (1 of the 6 targeted examinations was
                re-prioritized from medium- to high-priority during the supervisory cycle). In
                light of FHFA’s commitment to risk-based supervision, it is incongruous that
                DER examiners completed medium-priority targeted examinations while not
                completing all planned high-priority examinations.

                The second and third reports issued from this audit discuss our respective
                analyses of DER’s performance with regard to planned targeted examinations
                of Fannie Mae and Freddie Mac from 2012 through 2015: FHFA’s Targeted
                Examinations of Fannie Mae: Less than Half of the Targeted Examinations
                Planned for 2012 through 2015 Were Completed and No Examinations
                Planned for 2015 Were Completed Before the Report of Examination Issued
                (September 30, 2016) (AUD-2016-006), and FHFA’s Targeted Examinations
                of Freddie Mac: Just Over Half of the Targeted Examinations Planned for
                2012 through 2015 Were Completed (September 30, 2016) (AUD-2016-007).

                Our audit work was hampered by the lack of DER’s supervisory
                documentation, maintained in its official system of record. In our judgment,
                the lack of such documentation creates a significant risk exposure. This
                significant risk exposure, coupled with the other deficiencies identified in this
                audit, threatens FHFA’s ability to fulfill its statutory mission to ensure that the
                Enterprises operate in a safe and sound manner.

                We make five recommendations to address the findings identified in this
                report. In its written comments to our draft report, FHFA stated that it issued
                internal guidance in May 2016 that FHFA believes confirms its general
                agreement with four recommendations. FHFA disagreed with one
                recommendation. FHFA management’s comments and our response are
                provided in the body of this report.
                Key contributors to this report were Robert Taylor, Assistant Inspector General
                for Audits; Tara Lewis, Audit Director; Terese Blanchard, Senior Auditor;
                Pamela L. Williams, Auditor; and Julio Santos, Lead Auditor. We appreciate
                the cooperation of FHFA staff, as well as the assistance of all those who
                contributed to the preparation of this report.

                This report has been distributed to Congress, the Office of Management and
AUD-2016-005    Budget, and others and will be posted on our website, www.fhfaoig.gov.

September 30,
    2016
                /s/

                Marla A. Freedman
                Deputy Inspector General for Audits
TABLE OF CONTENTS ................................................................
EXECUTIVE SUMMARY .............................................................................................................2

ABBREVIATIONS .........................................................................................................................8

BACKGROUND .............................................................................................................................9
      Effective Supervision by FHFA Is Vital to Ensure the Enterprises’ Safety and
      Soundness .................................................................................................................................9

FACTS AND ANALYSIS.............................................................................................................10
      FHFA’s Requirements for Supervisory Planning ...................................................................10
             Critical Role of Risk Assessments in Planning Supervisory Activities .........................10
      Review of DER Risk Assessments for 2014 and 2015 Found that None Categorized
      the Components of the Identified Risks by Degree of Severity .............................................11
      DER’s Risk Assessments Did Not Trace to High-Priority Targeted Examinations
      Included in FHFA’s Supervisory Plans for 2014 and 2015 ....................................................12
      Over Half of the 2014 and 2015 High-Priority Planned Targeted Examinations for
      the Enterprises Were Not Completed Even Though Lower Priority Planned Targeted
      Examinations Were Completed ..............................................................................................14

FINDINGS .....................................................................................................................................17
      1. DER’s 2014 and 2015 high-priority planned targeted examinations identified in
      its annual supervisory plans did not trace to risk assessments. ..............................................17
      2. DER completed only 41 percent of the high-priority targeted examinations
      planned for the 2014 and 2015 supervisory cycles even though 6 lower priority
      planned targeted examinations were completed for the same cycles. ....................................17
      3. DER lacks written guidance for prioritizing planned targeted examinations, and
      DER examiners assign priorities to planned targeted examinations without
      identifying or explaining the degree of severity of the risks discussed in the
      underlying risk assessments. ...................................................................................................18
      4. DER’s official system of record for its supervision of the Enterprises is not
      complete and could not be relied upon; DER lacked documentation to account for all
      of its targeted examinations, from planning through completion. ..........................................18

CONCLUSION ..............................................................................................................................19


                                          OIG  AUD-2016-005  September 30, 2016                                                              6
      Significant Risk Exposure Regarding the Quality of DER’s Supervisory Records ...............19

RECOMMENDATIONS ...............................................................................................................21

FHFA COMMENTS AND OIG RESPONSE ...............................................................................22

OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................27

APPENDIX A ................................................................................................................................29
      FHFA’s Comments on OIG’s Findings and Recommendations ............................................29

ADDITIONAL INFORMATION AND COPIES .........................................................................32




                                         OIG  AUD-2016-005  September 30, 2016                                                           7
ABBREVIATIONS .......................................................................

DER                   Division of Enterprise Regulation

EIC                   Examiner-in-Charge

Enterprises           Fannie Mae and Freddie Mac

Fannie Mae            Federal National Mortgage Association

FHFA or Agency        Federal Housing Finance Agency

Freddie Mac           Federal Home Loan Mortgage Corporation

IMS                   Information Management System

OIG                   Federal Housing Finance Agency Office of Inspector General

OPB                   Operating Procedures Bulletin




                         OIG  AUD-2016-005  September 30, 2016                    8
BACKGROUND ..........................................................................

Effective Supervision by FHFA Is Vital to Ensure the Enterprises’ Safety and Soundness

FHFA, created by Congress in 2008, is charged by the Housing and Economic Recovery Act
of 2008 with, among other things, the supervision of the Enterprises and the Federal Home
Loan Banks. Its mission as a federal financial regulator includes ensuring the safety and
soundness of its regulated entities so that they serve as a reliable source of liquidity and
funding for housing finance and community investment. FHFA’s DER is responsible for
supervision of the Enterprises. DER has established a core team of examiners for each
Enterprise, led by an EIC.

To identify key risks facing the Enterprises, each DER core team prepares a number of
semiannual risk assessments for each Enterprise that, according to FHFA’s Examination
Manual, provides the foundation for DER’s annual supervisory plans and should reflect an
updated view of risk based upon supervisory activities conducted in the first half of the year
and potentially other changes in risk caused by the external environment. Using these risk
assessments, each DER core team develops an annual supervisory plan for the respective
Enterprise. The annual supervisory plan identifies all planned supervisory activities – ongoing
monitoring and targeted examinations – of selected areas of high importance or risk. Ongoing
monitoring activities are performed to analyze real-time information and to use those analyses
to identify Enterprise practices and changes in an Enterprise’s risk profile that may warrant
supervisory attention. Ongoing monitoring is also “used to determine the status of the
Enterprise’s compliance with supervisory guidance, MRAs [Matters Requiring Attention],
and conservatorship directives.” Targeted examinations complement ongoing monitoring:
they enable examiners to conduct “a deep or comprehensive assessment” of the areas found to
be of high importance or risk.

In this report, we assess whether DER’s 2014 and 2015 high-priority targeted examinations
identified in the annual supervisory plans for each Enterprise were supported by risk
assessments and whether those planned high-priority examinations were completed.




                            OIG  AUD-2016-005  September 30, 2016                               9
FACTS AND ANALYSIS ...............................................................

FHFA’s Requirements for Supervisory Planning

FHFA’s Examination Manual, adopted in December 2013, provides policies and guidance for
the Agency’s supervisory planning process. According to that Examination Manual, FHFA’s
supervisory activities are to be prioritized based on the risk a given practice poses to the
regulated entity’s safe and sound operations or its compliance with applicable laws and
regulations. In a February 2016 speech, FHFA Director Watt underscored the risk-based focus
of DER’s supervisory activities:

        Like other federal financial regulators, FHFA conducts safety and soundness
        supervision with a deliberate distance between FHFA and the Enterprises.
        Members of our supervision staff, many of whom are located onsite at Fannie
        Mae and Freddie Mac, conduct examinations that focus on areas of highest
        risk to the Enterprises. They produce reports of examination and make
        findings as to whether the Enterprises need to make corrective actions in
        particular areas.1

    Critical Role of Risk Assessments in Planning Supervisory Activities

FHFA’s Examination Manual stresses the critical role of risk assessments in planning
supervisory activities to focus supervisory attention on high-risk matters and develop an
annual supervisory strategy to address FHFA’s supervisory concerns. According to FHFA’s
Examination Manual, the goal of a risk assessment is to present “a comprehensive view of
the Enterprise.” As we discussed in our recent evaluation of FHFA’s risk assessments,
FHFA’s Examination Manual directs that a risk assessment should include a number of
elements, such as a description of the types of risk (credit, market, liquidity, reputational,
operational, model, legal) and their level (high, moderate, low) and direction (increasing,
stable, decreasing).2

FHFA directs that risk assessments should be prepared semiannually and reflect an updated
view of risk based upon supervisory activities conducted in the first half of the year and

1
  Melvin L. Watt, FHFA Director, Remarks before the Bipartisan Policy Center, Washington, D.C. (Feb. 18,
2016) (online at www.fhfa.gov/Media/PublicAffairs/Pages/Prepared-Remarks-Melvin-Watt-at-BPC.aspx)
(accessed June 24, 2016).
2
  OIG, Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear
Standards and Defined Measures of Risk Levels (Jan. 4, 2016) (EVL-2016-001) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-001.pdf).


                                OIG  AUD-2016-005  September 30, 2016                                    10
potentially other changes in risk caused by the external environment. On September 24,
2013, DER issued an Operating Procedures Bulletin (OPB), Supervisory Planning Process
(2013-DER-OPB-03), which provided a three-page list of “risk category components and
evaluative factors.” That guidance was similar to guidance provided by the Office of the
Comptroller of the Currency, another federal financial regulator that employs a risk-based
approach to supervisory planning. Approximately one month after issuing 2013-DER-OPB-03,
DER issued a revised OPB, Supervisory Planning Process (2013-DER-OPB-03.1). The revised
OPB eliminated the detailed guidance on risk category components and evaluative factors that
were included in the earlier OPB, without explanation.

In a recent evaluation report, we reviewed a number of DER risk assessments and found that
the factors or measures cited in those risk assessments lacked common definition, resulting in
inconsistent and incomparable risk assessments.3 We noted that FHFA’s guidance did not
define each of the risk levels or the elements inherent in each risk level. In response to our
recommendations, DER issued Operating Procedures Bulletin, Enterprise Supervision: Mid-
Year Risk Assessments (DER-OPB-01) on May 25, 2016. DER-OPB-01 emphasized that
DER’s risk assessments are critical components of effective risk-based supervision of the
Enterprises. Among other things, the procedures set forth in the new OPB are intended to
improve consistency of definitions and use of key terms and risk measures. It also reiterated
that assessment of risk by supervision staff is an ongoing process, and prescribed specific
documentation and approval requirements to apply to mid-year risk assessments. According
to FHFA senior leadership, DER requires its examination staff to participate in mandatory
training on the new OPB. FHFA senior leadership further explained that FHFA plans to
assess the effectiveness of the new procedures in the OPB during the first quarter of 2017,
before the mid-year risk assessments for 2017 are prepared.

Review of DER Risk Assessments for 2014 and 2015 Found that None Categorized the
Components of the Identified Risks by Degree of Severity

Given FHFA’s recognition of the critical role of risk assessments in planning supervisory
activities to focus supervisory attention on high-risk matters and in light of the information
collected and analyzed by our Office of Evaluations for its report issued on January 4, 2016,
we began planning for this audit in October 2015. We first identified and collected the risk
assessments and supervisory plans prepared by DER for the 2014 and 2015 supervisory
cycles, using information gathered by our Office of Evaluations and supplemented by our
review of records maintained in FHFA’s Information Management System (IMS), FHFA’s

3
  OIG, Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear
Standards and Defined Measures of Risk Levels (Jan. 4, 2016) (EVL-2016-001) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-001.pdf)


                               OIG  AUD-2016-005  September 30, 2016                              11
official system of record for examination-related materials. The scope of our audit, which
was set in December 2015, preceded the May 25, 2016, issuance of DER-OPB-01. Once we
assembled information from those sources, we asked DER, starting in December 2015, to
confirm on multiple occasions whether the information we had gathered was complete and
accurate and to provide us with any missing documentation.

During this audit, we reviewed 52 DER risk assessments and found that while a rating of
high, moderate, or low was assigned to the risk area, none identified the degree of severity
of the component risks discussed within each risk area. By way of example,




                                                               since none of the components
in this risk assessment were assigned a degree of risk severity, we found no basis in the
underlying risk assessment to support the high-priority designations assigned to both planned
targeted examinations.

DER’s Risk Assessments Did Not Trace to High-Priority Targeted Examinations Included
in FHFA’s Supervisory Plans for 2014 and 2015

Using the semiannual risk assessments, each DER core team is tasked with developing
an annual supervisory plan, revised at mid-year, for each Enterprise. The supervisory
plan is supposed to identify all supervisory activities – ongoing monitoring and targeted
examinations – expected to be conducted during the year and assign a priority designation4
to each planned targeted examination. For 2014 and 2015, the supervisory plans for the
Enterprises identified a total of 98 targeted examinations for those supervisory cycles.5 DER


4
  FHFA guidance uses the terminology of “high, moderate, and low” when referring to the risk level by the
type of risk (e.g., market, operational, modeling, etc.). We found that DER, in practice, uses the terminology
“high, medium, and low” when referring to a priority assigned to a planned targeted examination.
5
 Of the 98 planned targeted examinations initially identified in the supervisory plans, we determined, from
documentation provided by DER that 31 were completed, 46 were not conducted, 11 were commenced but not
completed, and no documentation was provided for us to determine the disposition of the remaining 10. DER
guidance recognizes that supervisory planning is a continuous process. In this regard, during the 2014 and
2015 supervisory cycles, 20 targeted examinations were added to the supervisory plans. These 20 targeted
examinations were not included in the scope of our analysis.


                                  OIG  AUD-2016-005  September 30, 2016                                        12
officials advised us that DER examiners on each core team are responsible for assigning a
priority designation to each planned targeted examination.

We found that DER lacked written guidance or criteria for prioritizing planned targeted
examinations as high, medium, or low and did not require examiners to document the basis
for the prioritizations they assigned to the planned targeted examinations. Of the 98 planned
targeted examinations identified on the supervisory plans for both Enterprises in 2014 and
2015, DER examiners designated 61 as high-priority and 36 as medium- or low-priority. One
(1) planned targeted examination received no priority designation.

Given FHFA’s acknowledgement of the critical importance of risk assessments in planning
its supervisory activities, we then sought to determine whether the risks described in the risk
assessments could be traced to the 98 targeted examinations in DER’s supervisory plans for
2014 and 2015. However, we were not able to complete such tracing because the risk
assessments did not provide enough information for us to make a direct linkage between the
risks described in the risk assessment and all of the planned targeted examinations. Our
inability to complete such tracing reinforced one of our findings in the January 2016
evaluation: “The significant variability in risk assessments for an Enterprise limits their
utility in development of a risk-based supervisory plan.”

Having found that the risk assessments contained insufficient information to permit us
to determine whether the identified risks could be traced to the 98 planned targeted
examinations, we sought to work backwards and trace whether the 61 planned targeted
examinations designated as high-priority in the supervisory plans for 2014 and 2015 were
supported by underlying risk assessments.

We conducted this tracing effort by comparing the title, objective, and/or subject matter of the
planned targeted examination to the risk assessment narrative. Using this methodology, we
were able to trace just over half, 32 (52 percent) of the 61 high-priority planned targeted
examinations to the underlying risk assessments. By way of example,




                             OIG  AUD-2016-005  September 30, 2016                               13
                                    We found that the link between the planned targeted
examination and the underlying risk assessment in this instance was clear.

On the other hand, we found that 29 (48 percent) of the 61 high-priority planned targeted
examinations could not be traced to specific risks described in the underlying risk
assessments. For example,




Accordingly, we did not count this planned targeted examination as traceable to a risk
assessment.

During our audit, we provided DER officials with a detailed list of 2014 and 2015 high-
priority planned targeted examinations and identified the 29 high-priority planned targeted
examinations that could not be traced to specific risks described in the underlying risk
assessments. In response, these officials maintained that 27 of the 29 examinations were
added to the supervisory plans, based on additional information that was received by the EICs
from a number of different sources outside of the risk assessments.

FHFA directs that all risk assessments shall be updated semiannually as well as when
“significant changes to the risk profile occur.” Since each DER core team obtained
information outside of the documented risk assessments that was used to develop the annual
supervisory plans, FHFA required each core team to revise the existing risk assessments to
reflect such information. We found that DER examiners did not follow this requirement.

Over Half of the 2014 and 2015 High-Priority Planned Targeted Examinations for the
Enterprises Were Not Completed Even Though Lower Priority Planned Targeted
Examinations Were Completed

As of June 17, 2016, we found that only 25 (41 percent) of the 61 high-priority targeted
examinations planned for the 2014 and 2015 supervisory cycles were completed.7 For the

7
  For purposes of this audit, we considered a targeted examination to be “commenced” when DER issued a
request letter. We considered a targeted examination to be “completed” when DER issued a conclusion letter
to the Enterprises. We considered a targeted examination to be “not conducted” when FHFA documents



                                 OIG  AUD-2016-005  September 30, 2016                                     14
remaining 36 (59 percent) of the high-priority targeted examinations planned for those two
years, our review of DER documentation found that 21 were not conducted (because the
examinations were converted to ongoing monitoring, cancelled, or deferred) and 8 were
commenced but not completed. DER did not provide any documentation for us to determine
the disposition of the other 7 planned targeted high-priority examinations and our search of
FHFA’s IMS, its official system of record for examination-related materials, identified no
documentation to assist us in determining the disposition of these 7.

Our review of DER’s documentation found that, as of June 17, 2016, DER did not conduct,
commenced but did not complete, or failed to provide documentation to show what, if
anything, was done for 36 planned high-priority targeted examinations, while DER examiners
completed 6 planned targeted examinations that were initially designed medium-priority –
3 for Fannie Mae and 3 for Freddie Mac.8

We sought to understand the reasons why medium-priority examinations were completed
while high-priority examinations were not. Of the 3 medium-priority planned targeted
examinations for Fannie Mae, DER officials reported to us that 1 identified on the annual
supervisory plan as medium-priority was always considered by DER to be high-priority
and was reprioritized to high-priority at the mid-year update to the supervisory plan. For
the other 2, DER officials asserted that both were part of the operational risk area, and
were performed because all of the high-priority examinations within that risk area had
been completed or deferred. That assertion, however, is not supported by underlying DER
documentation for the 2014 supervisory cycle. DER’s records show that DER planned
5 high-priority targeted examinations for Fannie Mae in the operational risk area for 2014
and completed 3 examinations, did not complete 1 examination, and did not provide
documentation regarding the disposition of the other planned examination.

For the 3 medium-priority examinations completed for Freddie Mac, DER officials offered
separate explanations. For 1 of the 3, DER officials claimed that the attrition of two examiners
caused certain planned examination activities to be deferred or to be limited in scope and that

demonstrate that the status of that examination was changed to ongoing monitoring, cancelled, or deferred. We
considered a targeted examination to be “commenced but not completed” based on DER’s representation that
the examination was in progress in one of three phases: fieldwork, management review, or quality review,
absent any other conflicting documentation provided or discovered during our review of FHFA’s records. We
considered a targeted examination to be “disposition not documented” when DER did not provide any
documentation regarding the disposition of the targeted examination in response to our requests.
8
  Because risk assessments play a critical role in effective supervisory planning, DER issued OPB, Supervisory
Planning Process (2013-DER-OPB-03.1), effective January 1, 2014, which requires that any changes to the
supervisory plan must be risk-based, approved by the EIC, and documented in the workpapers. In the two
companion reports to this report, issued today, we assessed whether DER examiners provided risk-related
reasons for changes to the supervisory plans.


                                 OIG  AUD-2016-005  September 30, 2016                                         15
the medium-priority examination performed “did not require the same level [of] technical
expertise and so was more easily accomplished.” For another, DER officials maintained
that this examination should have been classified as a high-priority examination. Unlike the
Fannie Mae core team who re-prioritized a medium-priority examination at the mid-year
to a high-priority, the Freddie Mac core team did not re-prioritize this medium-priority
examination to high-priority at the mid-year update to the supervisory plan. Further, we first
learned of the May 2016 completion of the third medium-priority Freddie Mac targeted
examination from FHFA’s technical comments to this draft report on July 29, 2016,
notwithstanding our prior data requests for such information. FHFA provided no explanation
why DER examiners completed this medium-priority targeted examination in lieu of a high-
priority targeted examination.

Figure 1 below presents summary totals for FHFA’s planned targeted examinations for the
2014 and 2015 supervisory cycles, by priority, and the completion of those examinations as of
June 17, 2016.

          FIGURE 1. SUMMARY OF PLANNED TARGETED EXAMINATIONS FOR THE ENTERPRISES
                             2014 AND 2015, AS OF JUNE 17, 2016
                                Fannie Mae                  Freddie Mac                Total Enterprises
                          Planned      Completed       Planned      Completed       Planned      Completed
     Total                    55            13            43             18             98a/          31
     Priority
      High                    36            10            25             15            61             25
      Medium                  15             3b/          12              3            27              6b/
      Low                      4             0             5              0             9              0
     Not Prioritized           0             0             1              0             1              0
a/
  As of June 17, 2016, 46 of the 98 targeted examinations identified in the 2014 and 2015 supervisory plans
were not conducted (because the examinations were converted to ongoing monitoring, cancelled, or deferred);
11 were commenced but not completed; and DER did not provide any documentation for us to determine the
disposition for 10 planned targeted examination.
b/
  DER officials reported to us that, while the supervisory plan identified 1 planned targeted examination of
Fannie Mae to be medium-priority, they always considered this examination to be high-priority and it was re-
prioritized to high-priority at the mid-year update to the supervisory plan.




                                   OIG  AUD-2016-005  September 30, 2016                                     16
FINDINGS .................................................................................

    1. DER’s 2014 and 2015 high-priority planned targeted examinations identified in
       its annual supervisory plans did not trace to risk assessments.

While our earlier evaluation report found that “significant variability in risk assessments for
an Enterprise limits their utility in development of a risk-based supervisory plan,” we made no
effort in that evaluation to quantify these limitations. In this audit, we were able to trace only 32
of the 61 planned high-priority targeted examinations for the Enterprises for 2014 and 2015 to
DER risk assessments and were unable to trace the remaining 29 – almost half of the total.

The then-current EIC for each Enterprise explained that our inability to trace 27 of the 29
planned high-priority examinations to the underlying risk assessments was driven by the
use of information outside of the risk assessments when the annual supervisory plans were
developed. Neither core team, however, revised the risk assessments at mid-year to reflect
information learned from these other sources, as required by FHFA.

According to FHFA, risk assessments provide the critical foundation for developing annual
supervisory plans for the Enterprises and FHFA requires all risk assessments to be updated
semiannually and “as significant changes to the risk profile occur.” FHFA contemplates
that examiners can leverage resources by focusing supervisory activities around the risks
identified in the risk assessments as posing the highest supervisory concerns to the
Enterprises. Our tracing efforts, combined with the acknowledgements by each EIC that the
supervisory plans were developed from information outside the risk assessments, demonstrate
that DER risk assessments did not provide the critical foundation for high-priority targeted
examinations planned for the 2014 and 2015 supervisory cycles.

    2. DER completed only 41 percent of the high-priority targeted examinations
       planned for the 2014 and 2015 supervisory cycles even though 6 lower priority
       planned targeted examinations were completed for the same cycles.

We found that DER examiners completed only 25 (41 percent) of the 61 high-priority targeted
examinations planned for the 2014 and 2015 supervisory cycles. Put another way, 36 (59
percent) of the planned high-priority examinations that FHFA identified as involving the
highest risks to the Enterprises were not completed. Of these 36, our review of DER
documentation found that 21 were not conducted (because the examinations were converted
to ongoing monitoring, cancelled, or deferred) and 8 were commenced but not completed.
DER provided no documentation for us to determine the disposition of the other 7.


                              OIG  AUD-2016-005  September 30, 2016                                   17
For the same supervisory cycles, however, DER examiners completed 6 planned targeted
examinations initially designated as medium-priority. While 1 of these 6 targeted
examinations was later reprioritized as high-priority, the other 5 remained medium-priority
and were completed. In light of FHFA’s commitment to risk-based supervision, there is no
sound basis for DER examiners to complete lesser priority targeted examinations while not
completing high-priority examinations.

   3. DER lacks written guidance for prioritizing planned targeted examinations, and
      DER examiners assign priorities to planned targeted examinations without
      identifying or explaining the degree of severity of the risks discussed in the
      underlying risk assessments.

DER lacks written guidance for prioritizing planned targeted examinations as high, medium,
or low within each supervisory plan, and does not require examiners to document the basis
for the prioritizations they assign to the planned targeted examinations. As discussed above,
because DER’s risk assessments are supposed to be the foundation for its supervisory plans,
we attempted to determine whether the 61 high-priority planned targeted examinations
identified by DER in its annual supervisory plans for 2014 and 2015 were supported by risk
assessments. However, we found that none of FHFA’s underlying risk assessments identified
or explained the severity of the risks discussed within the risk assessments. As a consequence,
the risk assessments did not support, or link to, the priority assigned to the planned targeted
examinations.

   4. DER’s official system of record for its supervision of the Enterprises is not
      complete and could not be relied upon; DER lacked documentation to account
      for all of its targeted examinations, from planning through completion.

According to its operating procedures, DER is to ensure that the supervisory planning is
documented and incorporated into official agency records. IMS is DER’s official system of
record for materials relating to its supervision of the Enterprises.

Our efforts to track the status of each of the 61 planned high-priority targeted examinations
were hampered by the lack of supervisory documentation maintained in IMS. We needed to
make multiple information requests to DER for documentation related to DER’s execution of
its supervisory plans because complete documentation was not retained in IMS. Although
DER located some documentation outside IMS, it found no documentation to explain the
disposition of 7 of the 61 high-priority targeted examinations planned for the 2014 and 2015
supervisory cycles (11 percent).



                            OIG  AUD-2016-005  September 30, 2016                               18
CONCLUSION ............................................................................

As the federal financial regulator for the Enterprises, FHFA asserts that it uses a risk-based
approach to plan and execute its supervisory activities. Supervision by risk requires a
comprehensive, risk-focused view of each regulated entity so that supervisory activities can
be tailored to the risks with the highest supervisory concerns. DER has acknowledged that
assessments of risk in key areas are fundamental to its examination planning process for the
Enterprises. The risk assessments should highlight both the strengths and vulnerabilities of an
Enterprise and provide a foundation for preparing the supervisory strategy and determining
the supervisory activities to be conducted. In other words, risk assessments are supposed to
present a comprehensive view of the Enterprises and drive supervisory activities toward the
highest risks of the Enterprises.

We found, in this audit, that FHFA’s risk assessments are not meeting their stated purpose.
DER’s risk assessments do not provide a sufficient foundation for planning DER’s high-
priority targeted examinations and the risk priorities assigned by DER examiners to targeted
examinations bear no relation to the risk assessments. As a consequence, FHFA lacks
sufficient assurance that DER’s supervisory resources are devoted to examining the highest
risks of the Enterprises.

Significant Risk Exposure Regarding the Quality of DER’s Supervisory Records

We consider the lack of DER’s documentation supporting its supervisory activities, as it
relates to this audit, to create a significant risk exposure. This condition impacted the
objectives of this report as well as those in its two companion reports, which were also issued
today.9

According to DER’s operating procedures, DER is to ensure that the supervisory planning is
documented and incorporated into official agency records. IMS is DER’s official system of
record for documentation of its supervisory activities. Our efforts to track documentation of
the planning and execution of DER’s supervisory activities through IMS were not successful
because a significant amount of documentation was not retained in IMS. During our audit, we
needed to make multiple information requests to DER for basic documentation relating to
supervisory plans and their execution because such documentation was not always found in

9
  OIG, FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations Planned
for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed Before the
Report the Report of Examination Issued (Sept. 30, 2016) (AUD-2016-006), and OIG, FHFA’s Targeted
Examinations of Freddie Mac: Just Over Half of the Targeted Examinations Planned for 2012 through 2015
Were Completed (Sept. 30, 2016) (AUD-2016-007).


                               OIG  AUD-2016-005  September 30, 2016                                   19
DER’s official system of record. Although DER located some documentation outside the
official system of record, it was not able to find all requested documentation.

DER often relied on the recollections of the then-current EICs to explain the universe of
planned targeted examinations and the disposition of those planned targeted examinations
for the supervisory cycles within the review period of this audit (2012-2015), which, at times,
were later found to be inaccurate. DER’s inability to retrieve all supervisory documentation
from its official system of record, its difficulty in finding documentation outside its official
system of record, and its significant reliance on the imperfect individual recollections of
personnel delayed us from the timely and efficient completion of our work.

DER officials maintained to us that a significant shift in DER’s senior management and
managers led to the lack of proper and complete documentation in IMS supporting its
supervisory activities. That explanation surprises us. FHFA, which was created in 2008, took
over the supervision of the Enterprises from its predecessor agency that had been operating
since 1992, and it is not credible that a federal financial regulator, charged with supervision
of the Enterprises, would be so impacted by a shift in senior management and managers.

That explanation, however, is the only one offered by DER. If it is taken at face value, DER’s
haphazard approach to creating and retaining complete documentation for its supervisory
activities creates enormous risk. This risk, coupled with the other deficiencies identified in
this audit, threatens FHFA’s ability to fulfill its statutory mission.

In our judgment, deliberate urgency and resolute commitment by FHFA management to
resolve these collective deficiencies, and to implement the recommendations in this report and
its two companion reports, is required.




                             OIG  AUD-2016-005  September 30, 2016                               20
RECOMMENDATIONS ...............................................................

We make five recommendations to address the deficiencies identified in this report and ensure
that FHFA’s supervisory resources are used efficiently to examine the highest risks of the
Enterprises.

Specifically, we recommend that FHFA:

   1. Ensure that risk assessments support the supervisory plans in terms of the targeted
      examinations included in those supervisory plans and the priority assigned to those
      targeted examinations.

   2. Reinforce and hold the EICs accountable to meet FHFA’s requirement for risk
      assessments to be updated semiannually, and as additional information is learned
      that causes significant changes to the risk profile, such information, from whatever
      sources, should be factored into the risk assessment during the next update.

   3. Direct DER to develop and implement controls to ensure that high-priority planned
      targeted examinations are completed before lower priority targeted examinations,
      unless the reason(s) for performing a lower priority targeted examination in lieu of a
      higher priority planned targeted examination is documented and risk based (e.g.,
      change in process, delay in implementation).

   4. Enhance DER guidance to provide a common definition for the priority assigned to
      targeted examinations and require examiners to document the basis of the priority
      assigned to targeted examinations.

   5. Revise existing guidance to require examiners to prepare complete documentation of
      supervisory activities and maintain such documentation in the official system of
      record, and train DER examiners on this guidance.




                            OIG  AUD-2016-005  September 30, 2016                             21
FHFA COMMENTS AND OIG RESPONSE .....................................

OIG provided FHFA an opportunity to respond to a draft report of this audit. FHFA
provided technical comments that we incorporated into this final report, as appropriate. On
September 22, 2016, FHFA provided its management response, which is provided in
Appendix A. In its response, FHFA provided three general comments to our draft report. In
addition, FHFA stated that it issued internal guidance that FHFA believed confirmed its
general agreement with recommendations 1, 2, 3, and 4. FHFA disagreed with
recommendation 5. FHFA’s comments and our responses are below.

     FHFA General Comment

     We believe that the report and several of its recommendations are redundant in light of
     ongoing changes and commitments that FHFA has already made, and is in the process of
     implementing, in response to the OIG report dated January 4, 2016.10 As the new report
     acknowledges, “DER issued internal guidance in May 2016 to improve the consistency of
     definitions and use of key terms and risk measures and prescribed specific documentation
     and approval requirements to apply to mid-year risk assessments.” The report also does
     not appear to consider additional activities that DER conducts that assist in aligning risk
     assessments of the Enterprises with DER’s schedule of targeted examinations: its mid-
     year and year-end planning meetings, discussions and documentation of examination work
     and risk assessments, and vetting of proposed changes to the examination plan for each
     Enterprise. Taken together, the revised guidance and these activities will result in an
     effective risk assessment and examination planning process that assures that supervisory
     resources focus on and conclude reviews of the highest risks at the Enterprises. Because
     the risk assessment changes were recently made in May 2016, there were no results to be
     reviewed in the OIG fieldwork for this Report.

     OIG Response to FHFA General Comment. As stated in this report, beginning in October
     2015, we decided to build upon our evaluation work by conducting this audit to determine
     whether high-priority planned targeted examinations were supported by risk assessments
     and whether those examinations were completed. That is not the same objective as our prior
     evaluation report, which evaluated DER’s 2013 and 2014 processes for identifying high risk




10
   OIG, Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear
Standards and Defined Measures of Risk Levels (Jan. 4, 2016) (EVL-2016-001) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-001.pdf).


                               OIG  AUD-2016-005  September 30, 2016                               22
areas. The recommendations included in this report are a direct result of work performed
during this audit and are not redundant.

FHFA General Comment

FHFA disagrees with the report’s premise or implication that examination work may not
be considered risk-based unless the title and objective of each examination can be traced
to the language of a particular risk assessment. DER subject matter experts prepare risk
assessments to record the focus and general objectives for review of Enterprise operations
and risk management rather than to enable external reviewers to trace connections among
supervision documents. DER believes that its risk assessments are useful in guiding
examination work and that risk assessments, examination documentation, and
communications to the Enterprises reflect a solid understanding and thoughtful analysis
of relevant risks and risk management.

OIG Response to FHFA General Comment. FHFA’s Examination Manual states that risk
assessments provide the critical foundation for developing the annual supervisory plans
for each Enterprise. Using the semiannual risk assessments, each DER core team is tasked
with developing the annual supervisory plan. Given the critical role assigned by FHFA to
risk assessments, there should be a logical link between the planned targeted examinations
in the annual supervisory plan and the underlying risk assessments. Confronted with a
lack of compliance by DER examiners with existing requirements, FHFA’s response to
this report – that risk assessments “record the focus and general objectives for review of
Enterprise operations” – diminishes significantly the value of risk assessments from the
foundational role described in its Examination Manual. As this report details, the then-
current EICs recognized that our inability to trace 27 of the 61 high priority targeted
examinations back to the risk assessments was caused by the simple fact that the
information on which these examinations were planned was not included in the risk
assessments, and that the risk assessments were not updated to reflect this newly obtained
information, as required by FHFA.

FHFA General Comment

FHFA disagrees with the report’s finding that DER’s documentation of supervisory
activities is lacking or of poor quality. While DER’s documentation recording the basis
for changes to examination plans has been inconsistent at times, the report’s conclusions
and recommendations are not limited to that type of documentation but refer generally to
“supervisory documentation.” FHFA specifically notes that FHFA OIG observed in a
2014 report that DER maintained complete examination documentation for 2013 targeted



                        OIG  AUD-2016-005  September 30, 2016                              23
     examinations.11 That OIG report states “We reviewed DER’s workpapers for 28 targeted
     examinations conducted by the Fannie Mae and Freddie Mac Core Teams (together, the
     Core Teams) in 2013. We found that in each of these cases DER staff complied with the
     Agency’s recordkeeping policies and procedures.” Since that report was issued, DER has
     put in place an enhanced quality control review function that will help to ensure that the
     official records of examination activities are complete and maintained appropriately.

     OIG Response to FHFA General Comment. FHFA’s reliance on our 2014 report is
     inapposite. There, we reviewed the examination workpapers for 28 completed targeted
     examinations and found that DER examiners complied with the Agency’s recordkeeping
     policies and procedures. In this audit, other than to look for the presence of the request letter
     and conclusion letter, we did not review examination workpapers for completed targeted
     examinations and made no findings about the quality of those workpapers. While FHFA
     takes credit for DER’s quality control process, we note: (1) that this process was only put
     into place in July 2015, after we completed fieldwork for an evaluation which found that
     DER had reneged on its commitments to put such a process into place for the prior four
     years;12 and (2) that the quality control process only reviews documentation maintained for
     examination work products.

     This audit had an entirely different focus: whether DER examiners created and maintained
     records to document the annual supervisory cycle, from planning through execution. As this
     audit found, DER was unable to provide any documentation for the disposition of 18 targeted
     examinations for both Enterprises – 10 for Fannie Mae and 8 for Freddie Mac – during the
     four supervisory cycles in our review period, notwithstanding our multiple requests.

     Our 2014 report, on which FHFA relies in its comment, also states:

        …we also found that DER’s recordkeeping practices have limitations that
        impede the efficient retrieval of these workpapers by FHFA examiners, other
        FHFA personnel, and outside oversight entities such as the OIG.

     Almost two years later, these limitations have not been addressed by FHFA and hampered
     our work on this audit. FHFA’s inability to provide documentation to show the disposition of



11
  OIG, Evaluation of the Division of Enterprise Regulation’s 2013 Examination Records: Successes and
Opportunities (Oct. 6, 2014) (EVL-2015-001) (online at https://www.fhfaoig.gov/Content/Files/EVL-2015-
001.pdf).
12
  OIG, Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review Process Deprived
FHFA of Assurance of the Adequacy and Quality of Enterprise Examinations (Sept. 30, 2015)
(EVL-2015-007) (online at https://www.fhfaoig.gov/Content/Files/EVL-2015-007.pdf).


                                OIG  AUD-2016-005  September 30, 2016                                   24
18 planned targeted examinations during the four supervisory cycles reviewed in this audit –
roughly 10 percent of the total planned – creates a significant risk exposure.

FHFA Comments to Recommendations 1, 2, 3, and 4

On May 25, 2016, FHFA issued internal guidance that FHFA believes confirms its general
agreement with these recommendations. During the first quarter of 2017 FHFA will assess
the effectiveness of the enhanced risk assessment procedures outlined in the guidance and
determine whether any revisions are needed before the mid-year risk assessment process
commences in 2017. To the extent that recommendations 1 to 4 of the report contemplate
steps other than those to which FHFA has previously agreed and is implementing in
response to the OIG’s January 4, 2016 report, we disagree with the recommendations at
this time, but will consider them as part of our 2017 assessment.

OIG Response to FHFA Comments to Recommendations 1, 2, 3, and 4. Since FHFA is
committed to implementing recommendations 1, 2, 3, and 4, either through its
implementation of its May 25, 2016 internal guidance or as part of its 2017 assessment,
we consider FHFA’s response to these recommendations to be an agreement. After FHFA
performs its 2017 planned mid-year assessment of the implementation of the May 2016
guidance, we plan to review the results of that assessment. To the extent that FHFA’s
assessment finds that OIG’s recommendations 1, 2, 3, and 4 are not fully implemented by
that guidance, we expect FHFA to take additional corrective actions.

FHFA Comments to Recommendation 5

FHFA disagrees with this recommendation. DER has sufficient guidance in place for
documentation of supervisory activities. Moreover, in mid-2015, DER put in place an
enhanced quality control function that provides an independent review of targeted
examination work products to assess whether written communications to the Enterprises
are supported by documentation of examination work that meets DER standards and
applicable FHFA guidance for preparation of written products. DER believes that existing
internal guidance and the quality control reviews now being performed are effective to
ensure that the official records of examination activities are complete and maintained
appropriately. To the extent that this recommendation refers to documentation of risk-
based changes to examination plans, this issue will be addressed in the course of
implementing the May 2016 guidance referenced above and in enhancements to DER’s
mechanisms for tracking changes to examination plans.

OIG Response to FHFA Comments to Recommendation 5. As discussed in this report as
well as in two companion reports issued today, DER’s operating procedures direct that


                        OIG  AUD-2016-005  September 30, 2016                             25
     supervisory planning is documented and incorporated into official agency records.13
     As we explained in detail, our efforts to track the planning and execution of DER’s
     supervisory activities through documentation maintained in IMS were not successful
     because a significant amount of documentation was not retained in IMS.

     FHFA’s suggestion that DER’s enhanced quality control reviews will remedy these
     problems is unfounded. In accordance with DER’s quality control review process, put in
     place in July 2015, these reviews are focused on documentation for completed targeted
     examinations. This audit found lack of documentation supporting the planning and
     execution of supervisory activities. Of the 18 targeted examinations planned during the
     four supervisory cycles in our review for which DER provide no documentation to show
     their disposition, 3 were planned for the 2015 supervisory cycle, after the 2015 quality
     control reviews were put into place. DER’s inability to produce documentation to show
     the disposition of 3 targeted examinations planned for the 2015 supervisory cycle
     demonstrates that DER’s current quality control reviews are either not working as FHFA
     expected they would or working as intended but do not address this deficiency.

     As we explained in the companion reports, DER has required, since January 1, 2014, that
     all changes to supervisory plans be risk-based, documented in writing, and approved. The
     reports issued today demonstrate widespread non-compliance with that requirement.
     Instead of addressing that deficiency, FHFA promises that documentation of risk-based
     changes to supervisory plans will be addressed in the course of implementing the May
     2016 guidance and in enhancements to DER’s mechanisms for tracking changes to
     supervisory plans but does not explain how it intends to change examiner behavior.
     Simply reiterating an existing requirement that has not been followed is unlikely to
     increase compliance.




13
   OIG, FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations Planned
for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed Before the
Report the Report of Examination Issued (Sept. 30, 2016) (AUD-2016-006), and OIG, FHFA’s Targeted
Examinations of Freddie Mac: Just Over Half of the Targeted Examinations Planned for 2012 through 2015
Were Completed (Sept. 30, 2016) (AUD-2016-007).


                               OIG  AUD-2016-005  September 30, 2016                                    26
OBJECTIVE, SCOPE, AND METHODOLOGY .................................

We conducted this audit to determine whether FHFA (1) supported its 2014 and 2015 high-
priority planned targeted examinations with risk assessments and completed those planned
high-priority examinations; (2) performed its planned targeted examinations for Fannie Mae
from 2012 through 2015 and, if it did not, whether FHFA documented the deviations from
its plan in accordance with policies and procedures; and (3) performed its planned targeted
examinations for Freddie Mac from 2012 through 2015 and, if it did not, whether FHFA
documented the deviations from its plan in accordance with policies and procedures.

This report addresses the first objective – tracing high-priority planned targeted examinations
to risk assessments and determining whether those examinations were completed. We
conducted this audit from December 2015 through June 2016 at FHFA’s headquarters in
Washington, D.C.

To accomplish the audit objective, we:

      Reviewed FHFA’s Examination Manual; DER’s OPB, Supervisory Planning Process
       (2013-DER-OPB-03.1); DER’s OPB, Supervisory Planning Process (2013-DER-
       OPB-03); and DER’s OPB, Enterprise Supervision: Mid-Year Risk Assessment (DER-
       OPB-01);

      Reviewed FHFA’s supervisory plans for 2014 and 2015, as of the beginning of the
       year, and identified planned targeted examinations;

      Traced FHFA’s high-priority planned targeted examinations for 2014 and 2015, as of
       the beginning of the year, to FHFA’s risk assessments based on the title, objective,
       and/or subject matter of each examination;

      Compared the number of planned targeted examinations for the Enterprises included
       in the supervisory plans, as of the beginning of the year, to the targeted examination
       request letters, conclusion letters, and other relevant documentation in order to
       determine the disposition of the examinations;

      Reviewed FHFA’s Information Management System in an effort to confirm and
       identify the universe of high-priority planned targeted examinations and their
       disposition;

      Reviewed FHFA’s risk assessments for 2013 and 2014 for the categorization for
       component risks; and,


                             OIG  AUD-2016-005  September 30, 2016                              27
      Interviewed FHFA DER officials regarding their development of the 2014 and 2015
       supervisory plans, as of the beginning of the year.

We held an exit conference with FHFA officials on September 12, 2016.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.




                            OIG  AUD-2016-005  September 30, 2016                               28
APPENDIX A .............................................................................

FHFA’s Comments on OIG’s Findings and Recommendations




                         OIG  AUD-2016-005  September 30, 2016                     29
OIG  AUD-2016-005  September 30, 2016   30
OIG  AUD-2016-005  September 30, 2016   31
ADDITIONAL INFORMATION AND COPIES .................................

For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                             OIG  AUD-2016-005  September 30, 2016                       32