Federal Housing Finance Agency Office of Inspector General Directives from the Audit Committee of the Freddie Mac Board of Directors Caused Management to Improve its Reporting about Remediation of Serious Deficiencies from October 2015 through September 2016 Evaluation Survey Report • ESR-2017-003 • March 22, 2017 March 22, 2017 TO: Nina A. Nichols, Deputy Director of the Division of Enterprise Regulation FROM: Angela Choy, Assistant Inspector General for Evaluations SUBJECT: Directives from the Audit Committee of the Freddie Mac Board of Directors Caused Management to Improve its Reporting about Remediation of Serious Deficiencies from October 2015 through September 2016 (ESR-2017-003) Summary This memorandum closes our evaluation of the MRA-related information provided by the management of Freddie Mac to the Freddie Mac Board of Directors (Freddie Mac Board) from March 2013 to September 2016. We commenced this evaluation as a follow-up to an Office of Inspector General (OIG) report issued in March 2016. In that report, we found that the Federal Housing Finance Agency (FHFA), the federal regulator of Fannie Mae and Freddie Mac (collectively, the Enterprises), which is tasked by statute with ensuring that the Enterprises operate safely and soundly, relied on the management of the Enterprises to communicate information about FHFA’s most serious supervisory findings, called Matters Requiring Attention (MRAs), to the Enterprises’ respective boards. We noted that FHFA’s practice was inconsistent with the guidance issued by other federal financial regulators and created the risk that Enterprise management, whose actions or inactions gave rise to the MRAs, would filter the MRA-related information it provided to the board, which could constrain the board’s ability to oversee MRA remediation. 1 In this follow-up evaluation, we reviewed Freddie Mac management’s reporting on MRAs to the Freddie Mac Board. We found that, from March 2013 through September 2015, Freddie Mac management provided the Freddie Mac Board with quarterly remediation reports in which information about MRAs was pooled with information about other deficient, unsafe, or unsound practices giving rise to supervisory concern, making it quite difficult, if not 1 See OIG, FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards and for Board Oversight of Management’s Remediation Efforts are Inadequate (Mar. 31, 2016) (EVL-2016- 005) (online at www.fhfaoig.gov/Content/Files/EVL-2016-005.pdf). OIG • ESR-2017-003 • March 22, 2017 1 impossible, for the Board to identify the most serious supervisory matters and to oversee management’s progress in remediating those deficiencies. In October 2015, the same month we initiated our prior evaluation, the Audit Committee of Freddie Mac’s Board of Directors asked management to include an itemized list of deficiencies in the quarterly remediation report, allowing that committee to distinguish MRAs from other audit concerns. The first remediation report to include that list, presented to the Audit Committee in December 2015, contained a brief description of each deficiency, its remediation deadline, and its most recent status. At the request of the Audit Committee of the Freddie Mac Board, and after FHFA received a draft of our March 2016 evaluation, Freddie Mac management began providing the Audit Committee with a standalone MRA report on a quarterly basis, beginning in June 2016. The two MRA reports that we reviewed (June and September 2016), which focused only on MRAs issued by FHFA to Freddie Mac, provided the committee with detailed MRA-specific information isolated from other Enterprise audit deficiencies for the first time. Both of these reports contained an itemized list of open MRAs, which included a brief description of each MRA, its remediation deadline, and its most recent status. Both reports also contained a section titled “Performance” that identified remediation delays and MRAs at risk of missing a remediation target date. We found no evidence that Freddie Mac management provided its remediation plan for each MRA to the Audit Committee to enable the committee to track management’s actual remedial progress against its plan. (FHFA has rejected our recommendation to provide accepted remediation plans to an Enterprise board or board committee. 2) After we completed our fieldwork and after management began providing the Audit Committee with the requested MRA-specific remediation reports, FHFA issued an advisory bulletin on “Internal Audit Governance and Function” to provide “an additional level of detail on the responsibilities of [regulated entities’] audit committees in their oversight of the [internal audit] function.” The advisory bulletin sets forth FHFA’s supervisory expectation that each Enterprise’s audit committee “regularly receive clear, timely, and detailed reports” on all open deficiencies, including MRAs, from each Enterprise’s Internal Audit division to assist the committee in its oversight responsibilities. This closing memorandum is intended to promote the Agency’s efficient supervision of Enterprise remediation of supervisory deficiencies. We intend to monitor developments on this issue. Background Since July 2008, FHFA has been the regulator of the Enterprises, responsible for ensuring that they operate safely and soundly so that they serve as a reliable source of liquidity and funding for housing finance and community investment. FHFA meets this responsibility, in part, 2 FHFA’s Division of Enterprise Regulation (DER) has revised its supervisory guidance to require that a copy of any remediation plan DER objected to be provided to the Chair of the Audit Committee. OIG • ESR-2017-003 • March 22, 2017 2 through its supervision program. FHFA’s Division of Enterprise Regulation (DER) maintains that it supervises the Enterprises by: conducting regular assessments to identify the risks posing the highest supervisory concerns, conducting annual examinations of each Enterprise consisting of ongoing monitoring and targeted examinations into strategically selected areas of high importance or risk, and communicating regularly with senior management of each Enterprise throughout the supervisory cycle. 3 While performing supervisory activities, FHFA examiners may identify supervisory concerns or deficiencies. FHFA assigns such supervisory concerns or deficiencies into one of three categories: (1) MRAs, (2) Violations, or (3) Recommendations. According to FHFA, as of the writing of this memo, only “the most serious supervisory matters” are categorized as MRAs, 4 and FHFA will issue an MRA for such matters as “non-compliance with laws or regulations that result or may result in significant risk of financial loss or damage,” “repeat deficiencies that have escalated due to insufficient action or attention,” “unsafe or unsound practices,” “matters that have resulted, or are likely to result, in a regulated entity being in an unsafe or unsound condition,” and “breakdowns in risk management, significant control weaknesses, or inappropriate risk-taking.” 5 Oversight Responsibilities of a Board of Directors As a matter of law, the board of directors of an organization—whether a publicly traded company, a bank regulated by the Office of the Comptroller of the Currency or Federal Reserve, or a financial institution regulated by FHFA—has a duty to oversee the business and affairs of that organization. To discharge that duty, directors set policies and objectives and oversee management’s implementation of them, establish expectations for senior management and for the organization as a whole, and exercise appropriate oversight to ensure that those expectations are met. For an entity subject to government regulation, the board is charged with the responsibility to ensure that management corrects deficiencies found by its regulator to bring the entity back into regulatory compliance. Supervisory guidance issued by FHFA and other federal financial regulators holds directors responsible for oversight of the affairs of a regulated entity and for its safety and soundness. 3 OIG recently issued a report summarizing the various shortcomings we have identified in FHFA’s supervisory program since June 2015. See OIG, Safe and Sound Operation of the Enterprises Cannot Be Assumed Because of Significant Shortcomings in FHFA’s Supervision Program for the Enterprises (Dec. 15, 2016) (OIG-2017-003) (online at www.fhfaoig.gov/Content/Files/OIG-2017-003.pdf). 4 FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings, at 2 (Apr. 2, 2012); on March 13, 2017, FHFA issued Advisory Bulletin 2017-01, Classifications of Adverse Examination Findings, which supersedes and rescinds Advisory Bulletin 2012-01. 5 Id. OIG • ESR-2017-003 • March 22, 2017 3 FHFA Guidance Related to Board Oversight of MRA Remediation After FHFA placed the Enterprises into conservatorships in September 2008, it delegated to the board of each Enterprise responsibility for overseeing general corporate matters. In its corporate governance regulation, FHFA directed that the board of a regulated entity is responsible for having policies in place to assure oversight of the Enterprise’s risk management program and of “[t]he responsiveness of executive officers…in addressing all supervisory concerns of FHFA in a timely and appropriate manner.” 6 Further, FHFA’s Examination Manual states that the board “is ultimately responsible for ensuring that the conditions and practices that gave rise to examination findings are corrected in a timely manner.” 7 Facts The Freddie Mac Board currently consists of 13 directors that meet, in person or telephonically, at least eight times each year. The board holds its in-person meetings at Freddie Mac headquarters on a quarterly basis in March, June, September, and December. Freddie Mac’s Corporate Governance Guidelines, which were adopted by the board and are reviewed annually, assist the board in exercising its responsibilities. These guidelines state that, pursuant to FHFA’s governance regulations, the board is responsible for “directing its conduct and affairs in furtherance of its safe and sound operation.” 8 The guidelines also allow the board to “delegate some of its responsibilities to a Committee.” The Audit Committee, one of the board’s five standing committees, is composed of five directors and, like the board, meets in person on a quarterly basis. The Freddie Mac Board has charged its Audit Committee with assisting the board in “oversight of Freddie Mac’s compliance with legal and regulatory requirements and written supervisory guidance, including by . . . reviewing with the Chief Compliance Officer Freddie Mac’s compliance with legal and regulatory requirements[.]” 9 6 12 C.F.R. § 1239.4(c)(1), (3). 7 FHFA, FHFA Examination Manual, at 23 (Dec. 19, 2013) (online at www.fhfa.gov/SupervisionRegulation/Documents/ExaminationProgramOverview.pdf). 8 Freddie Mac, Corporate Governance Guidelines, at 2 (June 9, 2016) (online at www.freddiemac.com/governance/pdf/gov_guidelines.pdf). 9 Freddie Mac, Audit Committee Charter, at 4-5 (Jan. 26, 2017) (online at www.freddiemac.com/governance/pdf/audit_committee_charter.pdf). OIG • ESR-2017-003 • March 22, 2017 4 MRA Information Reported to the Freddie Mac Board from March 2013 through September 2015 When we launched this review in May 2016, FHFA had issued no supervisory guidance on the information that Enterprise management was expected to provide to an Enterprise board regarding supervisory deficiencies. 10 Instead, FHFA placed responsibility on an Enterprise board to ensure that its directions to management, and the materials received from management, enabled it to exercise oversight of the Enterprise’s risk management program, including remediation of supervisory deficiencies. For those reasons, we sought to assess the adequacy of the information in the quarterly remediation reports provided by Freddie Mac management to the Audit Committee. From March 2013 through September 2015, Freddie Mac’s chief compliance officer presented the Audit Open-Active Issues include: Committee with a quarterly Enterprise Remediation • MRAs issued by FHFA; Update that provided a high-level summary of Freddie Mac’s remediation of all Open-Active Issues, including • Significant deficiencies and MRAs. 11 MRA information in these updates was often material weaknesses issued embedded in, and difficult to extract from, compiled data by Freddie Mac’s third- encompassing all Open-Active Issues. party auditor; and • Critical and major findings From our review of all quarterly Enterprise Remediation issued by Freddie Mac’s Updates presented to the Audit Committee during this Internal Audit division. period, we found that none of the updates contained an itemized list of individual MRAs or details related to MRA remediation plans, timelines, or missed deadlines. 12 Instead, the quarterly updates 10 In a previous evaluation report, we recommended that FHFA review its existing requirements, guidance, and processes regarding MRAs against the requirements, guidance, and processes adopted by the OCC, Federal Reserve, and other federal financial regulators. FHFA rejected this recommendation stating that reviewing other agencies’ guidance would be “unduly burdensome” and that the costs of conducting such a review “would far outweigh the benefits.” FHFA did not support its conclusions, which are inconsistent with other Agency representations, with either facts or analysis. OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise's Remediation of Serious Deficiencies, at 25, 29-30 (Mar. 29, 2016) (EVL-2016-004) (online at www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf). 11 A June 2014 Freddie Mac training manual instructs management to report on the progress of its efforts to remediate supervisory deficiencies to the Audit Committee on a quarterly basis. It identifies three areas of focus for the quarterly remediation reports: volume and trends, significant issues with a missed target date or being at risk of missing a target date, and key remediation metrics. 12 In addition to the quarterly Enterprise Remediation Updates, the Audit Committee and Freddie Mac Board occasionally received other reports that mention MRA remediation during this time period. However, none of these reports contained more comprehensive MRA remediation information than that found in the quarterly Enterprise Remediation Updates. Freddie Mac also reported that the Audit Committee may request status updates from management on MRAs that are determined to merit heightened attention. After management completes remediation of an MRA, the Audit Committee relies on independent validation conducted by OIG • ESR-2017-003 • March 22, 2017 5 reported the current volume and quarter-over-quarter trends in volume of MRAs. They provided several remediation metrics, such as the percentage of Open-Active Issues remediated on schedule and the percentage of Open-Active Issues with a remediation plan longer than 18 months. However, these metrics encompassed all Open-Active Issues, pooling MRAs and other deficiencies into a single category. Accordingly, it was not possible for the Audit Committee to extract MRA-specific information from that related to the other types of Open-Active Issues when reviewing these metrics. Management Began to Provide Enhanced Reporting on Open MRAs and MRA Remediation in December 2015 to the Freddie Mac Audit Committee to Satisfy the Committee’s Request We initiated our prior evaluation on FHFA’s monitoring of oversight by Enterprise boards of MRA remediation in October 2015. That same month, Freddie Mac’s Audit Committee asked management to provide, for the first time in our review period, an itemized list of all Open- Active Issues, including MRAs, in the Enterprise Remediation Update. The first Enterprise Remediation Update to include that list, which contained a brief description of each deficiency, its remediation deadline, and its most recent status, was presented to the Audit Committee in December 2015. In February 2016, OIG transmitted a draft of its first evaluation report on MRA oversight to FHFA; the draft found deficiencies in FHFA’s standards for board oversight of MRA remediation. The final report, published in March 2016, made four recommendations to FHFA, including that the Agency revise its supervisory guidance to require DER to provide the Chair of the Audit Committee with each conclusion letter setting forth an MRA as well as each remediation plan submitted by Enterprise management to remediate an MRA. At the request of the Audit Committee of the Freddie Mac Board, and after FHFA received a draft of our March 2016 evaluation, the Freddie Mac Audit Committee asked management to provide a regular, standalone report on MRA remediation, separate from management’s reporting on all Open-Active Issues. That committee highlighted its need for regular updates regarding remediation plans, timelines, and progress for open MRAs. June and September 2016 MRA Remediation Reports Presented Additional Information to the Audit Committee The first standalone MRA Remediation Report was provided to the Audit Committee on June 8, 2016. This report separated MRA information from Open-Active Issues and increased the amount of MRA information presented to the board. This June 2016 MRA Remediation Report included an itemized list of all open MRAs, which contained a brief description of each MRA, its remediation deadline, and its most recent status. For example, the list identified one MRA that required a timeline extension and three MRAs whose remediation Freddie Mac’s Internal Audit division for reasonable assurance that remediation has been completed as intended. OIG • ESR-2017-003 • March 22, 2017 6 plans required revision in order to gain FHFA approval. Additionally, that June 2016 report, in a section titled “Performance,” identified MRA-related metrics, including: MRA volume, MRAs that required an extension, MRAs that needed increased oversight, 13 and MRAs that passed or failed validation of remediation by Internal Audit. Freddie Mac management issued its second standalone MRA Status Report to the Audit Committee in September 2016. In this report, management used a format similar to that of its June 2016 report, with two enhancements. First, the September report added year-over-year MRA trend information. Second, it included a dedicated table summarizing MRAs that were delayed or at risk of being delayed, allowing the committee to more easily identify those MRAs for which additional oversight of management’s remediation could be warranted. FHFA Issues New Advisory Bulletin In October 2016, after we completed field work for this review, FHFA issued an advisory bulletin on “Internal Audit Governance and Function” to provide “an additional level of detail on the responsibilities of [regulated entities’] audit committees in their oversight of the [internal audit] function” 14 The advisory bulletin set forth FHFA’s supervisory expectation that each Enterprise’s Audit Committee “regularly receive clear, timely, and detailed reports” on significant open deficiencies—including all MRAs—from each Enterprise’s Internal Audit division, to assist each committee in its oversight responsibilities. The bulletin also notes that the “reports should include key information about open remediation plans and associated timetables agreed on by stakeholders.” Conclusion This memorandum closes our evaluation of the MRA-related information provided by the management of Freddie Mac to the Freddie Mac Board from March 2013 to September 2016. We intend to monitor developments on this issue. Objective, Scope, and Methodology The objective of this evaluation was to review Freddie Mac management’s reporting on MRAs to the Freddie Mac Board, as a follow up to an earlier OIG report issued in March 2016. In the earlier report, we found that FHFA relied on the management of the Enterprises to communicate information about MRAs to the Enterprises’ respective boards. We noted that FHFA’s practice was inconsistent with the guidance issued by other federal financial regulators and created the risk that Enterprise management, whose actions or inactions gave 13 The report highlighted two MRAs whose remediation plans were considered complex and “long-tail” (i.e., their remediation deadlines are longer than 24 months), requiring additional management and board oversight. 14 FHFA, Advisory Bulletin 2016-05, Internal Audit Governance and Function, at 3 (Oct. 7, 2016) (online at www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Internal-Audit-Governance-and- Function.aspx). OIG • ESR-2017-003 • March 22, 2017 7 rise to the MRAs, would filter the MRA-related information it provided to the board, which could constrain the board’s ability to oversee MRA remediation. This review was conducted under the authority of the Inspector General Act in accordance with the Quality Standards for Inspection and Evaluation (January 2012), which was promulgated by the Council of the Inspectors General on Integrity and Efficiency. These standards require OIG to plan and perform an evaluation that obtains evidence sufficient to provide a reasonable basis to support its conclusions. OIG believes that this review meets these standards. A draft of this memorandum was sent to FHFA. This review was led by Brian Harris, Investigative Counsel, with the assistance of Philip Noyovitz, Senior Auditor, and Moira Roberts, Special Counsel. Our field work was conducted from May 2016 through October 2016. We reviewed materials dating from March 2013 through October 2016. We appreciate the cooperation of FHFA and Freddie Mac and the assistance of all those who contributed to the preparation of this report. It has been distributed to Congress, the Office of Management and Budget, and others and will be posted on OIG’s website, www.fhfaoig.gov. cc: The Honorable Melvin L. Watt, FHFA Director OIG • ESR-2017-003 • March 22, 2017 8 Additional Information and Copies For additional copies of this report: • Call: 202-730-0880 • Fax: 202-318-0239 • Visit: www.fhfaoig.gov To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or noncriminal misconduct relative to FHFA’s programs or operations: • Call: 1-800-793-7724 • Fax: 202-318-0358 • Visit: www.fhfaoig.gov/ReportFraud • Write: FHFA Office of Inspector General Attn: Office of Investigations – Hotline 400 Seventh Street SW Washington, DC 20219 OIG • ESR-2017-003 • March 22, 2017 9
Directives from the Audit Committee of the Freddie Mac Board of Directors Caused Management to Improve its Reporting about Remediation of Serious Deficiencies from October 2015 through September 2016
Published by the Federal Housing Finance Agency, Office of Inspector General on 2017-03-22.
Below is a raw (and likely hideous) rendition of the original report. (PDF)