oversight

Directives from the Audit Committee of the Freddie Mac Board of Directors Caused Management to Improve its Reporting about Remediation of Serious Deficiencies from October 2015 through September 2016

Published by the Federal Housing Finance Agency, Office of Inspector General on 2017-03-22.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

              Federal Housing Finance Agency
                  Office of Inspector General




Directives from the Audit Committee of
  the Freddie Mac Board of Directors
  Caused Management to Improve its
Reporting about Remediation of Serious
Deficiencies from October 2015 through
            September 2016




Evaluation Survey Report • ESR-2017-003 • March 22, 2017
                                             March 22, 2017


TO:             Nina A. Nichols, Deputy Director of the Division of Enterprise Regulation


FROM:           Angela Choy, Assistant Inspector General for Evaluations


SUBJECT:        Directives from the Audit Committee of the Freddie Mac Board of Directors
                Caused Management to Improve its Reporting about Remediation of Serious
                Deficiencies from October 2015 through September 2016 (ESR-2017-003)


Summary

This memorandum closes our evaluation of the MRA-related information provided by the
management of Freddie Mac to the Freddie Mac Board of Directors (Freddie Mac Board)
from March 2013 to September 2016. We commenced this evaluation as a follow-up to an
Office of Inspector General (OIG) report issued in March 2016. In that report, we found that
the Federal Housing Finance Agency (FHFA), the federal regulator of Fannie Mae and
Freddie Mac (collectively, the Enterprises), which is tasked by statute with ensuring that the
Enterprises operate safely and soundly, relied on the management of the Enterprises to
communicate information about FHFA’s most serious supervisory findings, called Matters
Requiring Attention (MRAs), to the Enterprises’ respective boards. We noted that FHFA’s
practice was inconsistent with the guidance issued by other federal financial regulators and
created the risk that Enterprise management, whose actions or inactions gave rise to the
MRAs, would filter the MRA-related information it provided to the board, which could
constrain the board’s ability to oversee MRA remediation. 1

In this follow-up evaluation, we reviewed Freddie Mac management’s reporting on MRAs to
the Freddie Mac Board. We found that, from March 2013 through September 2015, Freddie
Mac management provided the Freddie Mac Board with quarterly remediation reports in
which information about MRAs was pooled with information about other deficient, unsafe, or
unsound practices giving rise to supervisory concern, making it quite difficult, if not

1
 See OIG, FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards
and for Board Oversight of Management’s Remediation Efforts are Inadequate (Mar. 31, 2016) (EVL-2016-
005) (online at www.fhfaoig.gov/Content/Files/EVL-2016-005.pdf).

                                 OIG • ESR-2017-003 • March 22, 2017
                                                     1
impossible, for the Board to identify the most serious supervisory matters and to oversee
management’s progress in remediating those deficiencies.

In October 2015, the same month we initiated our prior evaluation, the Audit Committee
of Freddie Mac’s Board of Directors asked management to include an itemized list of
deficiencies in the quarterly remediation report, allowing that committee to distinguish MRAs
from other audit concerns. The first remediation report to include that list, presented to the
Audit Committee in December 2015, contained a brief description of each deficiency, its
remediation deadline, and its most recent status. At the request of the Audit Committee of the
Freddie Mac Board, and after FHFA received a draft of our March 2016 evaluation, Freddie
Mac management began providing the Audit Committee with a standalone MRA report on a
quarterly basis, beginning in June 2016. The two MRA reports that we reviewed (June and
September 2016), which focused only on MRAs issued by FHFA to Freddie Mac, provided
the committee with detailed MRA-specific information isolated from other Enterprise audit
deficiencies for the first time. Both of these reports contained an itemized list of open MRAs,
which included a brief description of each MRA, its remediation deadline, and its most recent
status. Both reports also contained a section titled “Performance” that identified remediation
delays and MRAs at risk of missing a remediation target date. We found no evidence that
Freddie Mac management provided its remediation plan for each MRA to the Audit
Committee to enable the committee to track management’s actual remedial progress against
its plan. (FHFA has rejected our recommendation to provide accepted remediation plans to an
Enterprise board or board committee. 2)

After we completed our fieldwork and after management began providing the Audit
Committee with the requested MRA-specific remediation reports, FHFA issued an advisory
bulletin on “Internal Audit Governance and Function” to provide “an additional level of
detail on the responsibilities of [regulated entities’] audit committees in their oversight of the
[internal audit] function.” The advisory bulletin sets forth FHFA’s supervisory expectation
that each Enterprise’s audit committee “regularly receive clear, timely, and detailed reports”
on all open deficiencies, including MRAs, from each Enterprise’s Internal Audit division to
assist the committee in its oversight responsibilities.

This closing memorandum is intended to promote the Agency’s efficient supervision of
Enterprise remediation of supervisory deficiencies. We intend to monitor developments on
this issue.

Background

Since July 2008, FHFA has been the regulator of the Enterprises, responsible for ensuring that
they operate safely and soundly so that they serve as a reliable source of liquidity and funding
for housing finance and community investment. FHFA meets this responsibility, in part,

2
 FHFA’s Division of Enterprise Regulation (DER) has revised its supervisory guidance to require that a copy
of any remediation plan DER objected to be provided to the Chair of the Audit Committee.

                                   OIG • ESR-2017-003 • March 22, 2017
                                                        2
through its supervision program. FHFA’s Division of Enterprise Regulation (DER) maintains
that it supervises the Enterprises by: conducting regular assessments to identify the risks
posing the highest supervisory concerns, conducting annual examinations of each Enterprise
consisting of ongoing monitoring and targeted examinations into strategically selected areas
of high importance or risk, and communicating regularly with senior management of each
Enterprise throughout the supervisory cycle. 3

While performing supervisory activities, FHFA examiners may identify supervisory concerns
or deficiencies. FHFA assigns such supervisory concerns or deficiencies into one of three
categories: (1) MRAs, (2) Violations, or (3) Recommendations. According to FHFA, as of
the writing of this memo, only “the most serious supervisory matters” are categorized as
MRAs, 4 and FHFA will issue an MRA for such matters as “non-compliance with laws or
regulations that result or may result in significant risk of financial loss or damage,” “repeat
deficiencies that have escalated due to insufficient action or attention,” “unsafe or unsound
practices,” “matters that have resulted, or are likely to result, in a regulated entity being in an
unsafe or unsound condition,” and “breakdowns in risk management, significant control
weaknesses, or inappropriate risk-taking.” 5

          Oversight Responsibilities of a Board of Directors

As a matter of law, the board of directors of an organization—whether a publicly traded
company, a bank regulated by the Office of the Comptroller of the Currency or Federal
Reserve, or a financial institution regulated by FHFA—has a duty to oversee the business and
affairs of that organization. To discharge that duty, directors set policies and objectives and
oversee management’s implementation of them, establish expectations for senior management
and for the organization as a whole, and exercise appropriate oversight to ensure that those
expectations are met. For an entity subject to government regulation, the board is charged
with the responsibility to ensure that management corrects deficiencies found by its regulator
to bring the entity back into regulatory compliance. Supervisory guidance issued by FHFA
and other federal financial regulators holds directors responsible for oversight of the affairs of
a regulated entity and for its safety and soundness.




3
  OIG recently issued a report summarizing the various shortcomings we have identified in FHFA’s
supervisory program since June 2015. See OIG, Safe and Sound Operation of the Enterprises Cannot Be
Assumed Because of Significant Shortcomings in FHFA’s Supervision Program for the Enterprises (Dec. 15,
2016) (OIG-2017-003) (online at www.fhfaoig.gov/Content/Files/OIG-2017-003.pdf).
4
  FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings, at 2 (Apr. 2, 2012); on March 13,
2017, FHFA issued Advisory Bulletin 2017-01, Classifications of Adverse Examination Findings, which
supersedes and rescinds Advisory Bulletin 2012-01.
5
    Id.


                                    OIG • ESR-2017-003 • March 22, 2017
                                                       3
      FHFA Guidance Related to Board Oversight of MRA Remediation

After FHFA placed the Enterprises into conservatorships in September 2008, it delegated to
the board of each Enterprise responsibility for overseeing general corporate matters. In its
corporate governance regulation, FHFA directed that the board of a regulated entity is
responsible for having policies in place to assure oversight of the Enterprise’s risk
management program and of “[t]he responsiveness of executive officers…in addressing all
supervisory concerns of FHFA in a timely and appropriate manner.” 6 Further, FHFA’s
Examination Manual states that the board “is ultimately responsible for ensuring that the
conditions and practices that gave rise to examination findings are corrected in a timely
manner.” 7

Facts

The Freddie Mac Board currently consists of 13 directors that meet, in person or
telephonically, at least eight times each year. The board holds its in-person meetings at
Freddie Mac headquarters on a quarterly basis in March, June, September, and December.
Freddie Mac’s Corporate Governance Guidelines, which were adopted by the board and are
reviewed annually, assist the board in exercising its responsibilities. These guidelines state
that, pursuant to FHFA’s governance regulations, the board is responsible for “directing its
conduct and affairs in furtherance of its safe and sound operation.” 8 The guidelines also
allow the board to “delegate some of its responsibilities to a Committee.”

The Audit Committee, one of the board’s five standing committees, is composed of five
directors and, like the board, meets in person on a quarterly basis. The Freddie Mac Board
has charged its Audit Committee with assisting the board in “oversight of Freddie Mac’s
compliance with legal and regulatory requirements and written supervisory guidance,
including by . . . reviewing with the Chief Compliance Officer Freddie Mac’s compliance
with legal and regulatory requirements[.]” 9




6
    12 C.F.R. § 1239.4(c)(1), (3).
7
 FHFA, FHFA Examination Manual, at 23 (Dec. 19, 2013) (online at
www.fhfa.gov/SupervisionRegulation/Documents/ExaminationProgramOverview.pdf).
8
 Freddie Mac, Corporate Governance Guidelines, at 2 (June 9, 2016) (online at
www.freddiemac.com/governance/pdf/gov_guidelines.pdf).
9
 Freddie Mac, Audit Committee Charter, at 4-5 (Jan. 26, 2017) (online at
www.freddiemac.com/governance/pdf/audit_committee_charter.pdf).


                                     OIG • ESR-2017-003 • March 22, 2017
                                                        4
     MRA Information Reported to the Freddie Mac Board from March 2013 through September
     2015

When we launched this review in May 2016, FHFA had issued no supervisory guidance on
the information that Enterprise management was expected to provide to an Enterprise board
regarding supervisory deficiencies. 10 Instead, FHFA placed responsibility on an Enterprise
board to ensure that its directions to management, and the materials received from
management, enabled it to exercise oversight of the Enterprise’s risk management program,
including remediation of supervisory deficiencies. For those reasons, we sought to assess the
adequacy of the information in the quarterly remediation reports provided by Freddie Mac
management to the Audit Committee.

From March 2013 through September 2015, Freddie
Mac’s chief compliance officer presented the Audit                           Open-Active Issues include:
Committee with a quarterly Enterprise Remediation
                                                                              • MRAs issued by FHFA;
Update that provided a high-level summary of Freddie
Mac’s remediation of all Open-Active Issues, including                        • Significant deficiencies and
MRAs. 11 MRA information in these updates was often                             material weaknesses issued
embedded in, and difficult to extract from, compiled data                       by Freddie Mac’s third-
encompassing all Open-Active Issues.                                            party auditor; and

                                                                              • Critical and major findings
From our review of all quarterly Enterprise Remediation
                                                                  issued by Freddie Mac’s
Updates presented to the Audit Committee during this              Internal Audit division.
period, we found that none of the updates contained an
itemized list of individual MRAs or details related to
MRA remediation plans, timelines, or missed deadlines. 12 Instead, the quarterly updates

10
   In a previous evaluation report, we recommended that FHFA review its existing requirements, guidance, and
processes regarding MRAs against the requirements, guidance, and processes adopted by the OCC, Federal
Reserve, and other federal financial regulators. FHFA rejected this recommendation stating that reviewing
other agencies’ guidance would be “unduly burdensome” and that the costs of conducting such a review
“would far outweigh the benefits.” FHFA did not support its conclusions, which are inconsistent with other
Agency representations, with either facts or analysis. OIG, FHFA’s Examiners Did Not Meet Requirements
and Guidance for Oversight of an Enterprise's Remediation of Serious Deficiencies, at 25, 29-30 (Mar. 29,
2016) (EVL-2016-004) (online at www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf).
11
  A June 2014 Freddie Mac training manual instructs management to report on the progress of its efforts to
remediate supervisory deficiencies to the Audit Committee on a quarterly basis. It identifies three areas of
focus for the quarterly remediation reports: volume and trends, significant issues with a missed target date or
being at risk of missing a target date, and key remediation metrics.
12
   In addition to the quarterly Enterprise Remediation Updates, the Audit Committee and Freddie Mac Board
occasionally received other reports that mention MRA remediation during this time period. However, none of
these reports contained more comprehensive MRA remediation information than that found in the quarterly
Enterprise Remediation Updates. Freddie Mac also reported that the Audit Committee may request status
updates from management on MRAs that are determined to merit heightened attention. After management
completes remediation of an MRA, the Audit Committee relies on independent validation conducted by


                                    OIG • ESR-2017-003 • March 22, 2017
                                                          5
reported the current volume and quarter-over-quarter trends in volume of MRAs. They
provided several remediation metrics, such as the percentage of Open-Active Issues
remediated on schedule and the percentage of Open-Active Issues with a remediation plan
longer than 18 months. However, these metrics encompassed all Open-Active Issues, pooling
MRAs and other deficiencies into a single category. Accordingly, it was not possible for the
Audit Committee to extract MRA-specific information from that related to the other types of
Open-Active Issues when reviewing these metrics.

    Management Began to Provide Enhanced Reporting on Open MRAs and MRA Remediation
    in December 2015 to the Freddie Mac Audit Committee to Satisfy the Committee’s Request

We initiated our prior evaluation on FHFA’s monitoring of oversight by Enterprise boards of
MRA remediation in October 2015. That same month, Freddie Mac’s Audit Committee asked
management to provide, for the first time in our review period, an itemized list of all Open-
Active Issues, including MRAs, in the Enterprise Remediation Update. The first Enterprise
Remediation Update to include that list, which contained a brief description of each
deficiency, its remediation deadline, and its most recent status, was presented to the Audit
Committee in December 2015.

In February 2016, OIG transmitted a draft of its first evaluation report on MRA oversight
to FHFA; the draft found deficiencies in FHFA’s standards for board oversight of MRA
remediation. The final report, published in March 2016, made four recommendations to
FHFA, including that the Agency revise its supervisory guidance to require DER to provide
the Chair of the Audit Committee with each conclusion letter setting forth an MRA as well as
each remediation plan submitted by Enterprise management to remediate an MRA.

At the request of the Audit Committee of the Freddie Mac Board, and after FHFA received a
draft of our March 2016 evaluation, the Freddie Mac Audit Committee asked management to
provide a regular, standalone report on MRA remediation, separate from management’s
reporting on all Open-Active Issues. That committee highlighted its need for regular updates
regarding remediation plans, timelines, and progress for open MRAs.

    June and September 2016 MRA Remediation Reports Presented Additional Information to
    the Audit Committee

The first standalone MRA Remediation Report was provided to the Audit Committee on
June 8, 2016. This report separated MRA information from Open-Active Issues and increased
the amount of MRA information presented to the board. This June 2016 MRA Remediation
Report included an itemized list of all open MRAs, which contained a brief description of
each MRA, its remediation deadline, and its most recent status. For example, the list
identified one MRA that required a timeline extension and three MRAs whose remediation

Freddie Mac’s Internal Audit division for reasonable assurance that remediation has been completed as
intended.

                                   OIG • ESR-2017-003 • March 22, 2017
                                                        6
plans required revision in order to gain FHFA approval. Additionally, that June 2016 report,
in a section titled “Performance,” identified MRA-related metrics, including: MRA volume,
MRAs that required an extension, MRAs that needed increased oversight, 13 and MRAs that
passed or failed validation of remediation by Internal Audit.

Freddie Mac management issued its second standalone MRA Status Report to the Audit
Committee in September 2016. In this report, management used a format similar to that of its
June 2016 report, with two enhancements. First, the September report added year-over-year
MRA trend information. Second, it included a dedicated table summarizing MRAs that were
delayed or at risk of being delayed, allowing the committee to more easily identify those
MRAs for which additional oversight of management’s remediation could be warranted.

     FHFA Issues New Advisory Bulletin

In October 2016, after we completed field work for this review, FHFA issued an advisory
bulletin on “Internal Audit Governance and Function” to provide “an additional level of
detail on the responsibilities of [regulated entities’] audit committees in their oversight of the
[internal audit] function” 14 The advisory bulletin set forth FHFA’s supervisory expectation
that each Enterprise’s Audit Committee “regularly receive clear, timely, and detailed reports”
on significant open deficiencies—including all MRAs—from each Enterprise’s Internal Audit
division, to assist each committee in its oversight responsibilities. The bulletin also notes that
the “reports should include key information about open remediation plans and associated
timetables agreed on by stakeholders.”

Conclusion

This memorandum closes our evaluation of the MRA-related information provided by the
management of Freddie Mac to the Freddie Mac Board from March 2013 to September 2016.
We intend to monitor developments on this issue.

Objective, Scope, and Methodology

The objective of this evaluation was to review Freddie Mac management’s reporting on
MRAs to the Freddie Mac Board, as a follow up to an earlier OIG report issued in March
2016. In the earlier report, we found that FHFA relied on the management of the Enterprises
to communicate information about MRAs to the Enterprises’ respective boards. We noted
that FHFA’s practice was inconsistent with the guidance issued by other federal financial
regulators and created the risk that Enterprise management, whose actions or inactions gave

13
   The report highlighted two MRAs whose remediation plans were considered complex and “long-tail” (i.e.,
their remediation deadlines are longer than 24 months), requiring additional management and board oversight.
14
  FHFA, Advisory Bulletin 2016-05, Internal Audit Governance and Function, at 3 (Oct. 7, 2016) (online at
www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Internal-Audit-Governance-and-
Function.aspx).

                                   OIG • ESR-2017-003 • March 22, 2017
                                                        7
rise to the MRAs, would filter the MRA-related information it provided to the board, which
could constrain the board’s ability to oversee MRA remediation.

This review was conducted under the authority of the Inspector General Act in accordance
with the Quality Standards for Inspection and Evaluation (January 2012), which was
promulgated by the Council of the Inspectors General on Integrity and Efficiency. These
standards require OIG to plan and perform an evaluation that obtains evidence sufficient to
provide a reasonable basis to support its conclusions. OIG believes that this review meets
these standards.

A draft of this memorandum was sent to FHFA.

This review was led by Brian Harris, Investigative Counsel, with the assistance of Philip
Noyovitz, Senior Auditor, and Moira Roberts, Special Counsel. Our field work was
conducted from May 2016 through October 2016. We reviewed materials dating from March
2013 through October 2016.

We appreciate the cooperation of FHFA and Freddie Mac and the assistance of all those who
contributed to the preparation of this report. It has been distributed to Congress, the Office of
Management and Budget, and others and will be posted on OIG’s website, www.fhfaoig.gov.



cc: The Honorable Melvin L. Watt, FHFA Director




                               OIG • ESR-2017-003 • March 22, 2017
                                                 8
Additional Information and Copies

For additional copies of this report:

   •   Call: 202-730-0880
   •   Fax: 202-318-0239
   •   Visit: www.fhfaoig.gov


To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1-800-793-7724
   •   Fax: 202-318-0358
   •   Visit: www.fhfaoig.gov/ReportFraud
   •   Write:
                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                               OIG • ESR-2017-003 • March 22, 2017
                                                 9