Federal Housing Finance Agency
Office of Inspector General

FHFA’s Oversight of Governance Risks Associated with Fannie Mae’s Selection and Appointment of a New Chief Audit Executive

Evaluation Report EVL-2015-004
March 11, 2015

Executive Summary

Why OIG Did This Report

As we have explained in prior reports, FHFA, as conservator for Fannie Mae and Freddie Mac (collectively, the Enterprises), has delegated to each Enterprise a significant portion of their day-to-day management and risk controls. For this governance approach to succeed, FHFA must be confident that the Enterprises’ directors and committees are properly exercising the powers they have been given and fulfilling their responsibilities. Otherwise, there is a substantial risk that the Enterprises will operate in an unsafe and unsound manner, suffer losses, and expose U.S. taxpayers to further financial risks.

In 2012, FHFA delegated to the Enterprises the authority to hire executive officers while retaining authority to review and approve the compensation of those officers. Consequently, the Enterprises’ boards and board committees assumed greater control over the selection of executive officers, and Agency review of Enterprise appointments became less formal.

The purpose of this evaluation was to assess FHFA’s oversight of Fannie Mae’s appointment of its Chief Audit Executive (CAE) in October 2013. The CAE directs Fannie Mae’s Internal Audit Department (Internal Audit), which is a critical element of Fannie Mae’s risk management controls. Pursuant to the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley or the Act)1 and as expressly codified in Fannie Mae’s governance documents, its Internal Audit function is tasked with providing independent, objective assurance of the Enterprise’s governance, risk management, and control processes.
What OIG Found

OIG found that the process used by Fannie Mae’s Audit Committee to select a candidate to fill the important and challenging CAE position was haphazard, at best. While the Audit Committee Chair and Fannie Mae’s CEO understood, in the spring of 2013, that the CAE role would soon become vacant because of a lateral move within Fannie Mae by the then-CAE, the Audit Committee first began its discussion of a process to identify qualified candidates on September 19, 2013, once the vacancy officially occurred.

The Audit Committee had the benefit of significant work by the CEO and Chief Human Resources Officer (CHRO) and external consultants, over a long period of time, to develop a strategy to retain and develop key talent across the Enterprise. Fannie Mae’s CEO and CHRO updated the Board’s Compensation Committee on the implementation of that strategy and provided the Committee with a 24-page “Leadership & Succession Planning” document (Succession Plan) that summarized their efforts to date. Two members of the Audit Committee attended that meeting. The Succession Plan found that there was no internal candidate who was “ready now” for the CAE position and that a permanent successor would require an “external” candidate.

The Audit Committee, which was not bound by senior management’s Succession Plan, determined on September 19, 2013, that it would limit its search to internal candidates across the Enterprise, provided qualified candidates could be found, because it had prior bad experiences with external CAE hires. The lack of any prior planning by the Audit Committee led to a scramble to identify a qualified candidate for the CAE position.

1 Sarbanes-Oxley Act, Pub. L. No. 107-204, 116 Stat. 745 (2002) (codified at 15 U.S.C. §§ 7201-66 (2006)).
After the September 19, 2013 meeting, the Committee Chair asked Fannie Mae’s CHRO to assemble a list of potential internal CAE candidates, even though the Succession Plan developed under the leadership of the CEO and CHRO two months earlier found that no internal candidates were “ready now” for the position. Within six days, the CHRO identified and presented to the Committee a list of nine potential internal candidates across Fannie Mae for this vacancy. That list included the Chief Credit Officer (CCO) of Fannie Mae’s largest business unit, the Single-Family Business Group (Single-Family). Over the following week, two Audit Committee members interviewed some candidates on this list and selected the CCO, even though: (1) he had not been identified for the CAE role in senior management’s Succession Plan; (2) his professional audit experience did not meet the audit qualifications deemed “preferable” in the CAE Position Description; and (3) he was burdened by significant conflicts because of his management responsibilities in Single-Family.

Since no meeting of the Audit Committee was recorded in the corporate record books before the Audit Committee Chair announced the CAE selection and because there are no contemporaneous Audit Committee documents reflecting the Committee’s deliberations, it is not possible to determine whether the Committee: assessed the qualifications of the different candidates; evaluated them against the CAE Position Description; articulated the reasons that the CCO was the best candidate for the CAE position, notwithstanding his lack of significant corporate audit experience; or recognized that the CCO was burdened by significant conflicts that would need to be managed to preserve the independence and objectivity of Internal Audit.
Several senior FHFA officials questioned the robustness of the hiring process among themselves but elected not to discuss those deficiencies with the Audit Committee after being informed of its selection or with the Fannie Mae Board before it approved the selection. One senior FHFA official reported to us that he flagged concerns about the conflicts that the CCO would bring to the CAE position, but nothing in the record indicates that these concerns were raised directly with FHFA’s then-Acting Director.2 Lacking complete information, FHFA’s Acting Director approved the proposed compensation of the CAE candidate.

After the new CAE began work, FHFA officials reviewed Fannie Mae’s assessment of the CAE’s conflicts and plan to manage those conflicts and determined that additional work was needed. From November 13, 2013, through March 2014, FHFA requested the Audit Committee Chair and Fannie Mae to thoroughly assess the scope of the CAE’s conflicts and put into place appropriate controls to ensure that the independence and objectivity of Internal Audit’s function would be maintained. Notwithstanding this clear direction, neither the Audit Committee nor Fannie Mae management responded adequately to FHFA’s requests.

While Fannie Mae began work in March 2014 to improve its internal controls to protect the independence and objectivity of its Internal Audit function, that work was not completed for many months. In May 2014, six months after the new CAE began work, an outside audit and advisory firm was retained to assess whether controls to manage the CAE’s conflicts were sufficient to enable Internal Audit to conform to the professional auditing standards for independence and objectivity. More than three months later, in September 2014, that external review found that Fannie Mae’s existing controls were not sufficient and, as a result, Fannie Mae’s Internal Audit function was not in full conformance with professional auditing standards.
Fannie Mae adopted the firm’s detailed recommendations and, more than a year after the CAE appointment, Fannie Mae continued to implement them.

What OIG Recommends

FHFA views operational risk management as an important financial safety and soundness challenge facing the Enterprises. The Agency defines operational risk as the risk of loss resulting from failed people, processes, or systems, or from external events. We have previously identified a number of operational risks in our reports3 and have shown that FHFA and its predecessor repeatedly found that Fannie Mae had not established an acceptable and effective operational risk management program, despite requirements to do so.4 Effective corporate governance is one element of an acceptable operational risk management program. Our current evaluation found numerous corporate governance failures, both by Fannie Mae and by FHFA, which created a weakness in Fannie Mae’s risk management structure.

In view of these significant lapses in corporate governance, we question whether the current Fannie Mae Audit Committee appreciates its governance obligations in this environment and whether it is prudent for FHFA to continue to rely upon this Committee to execute other delegated responsibilities, without adopting and implementing the recommendations in this report.

The report sets forth the facts relevant to our evaluation, our findings, and conclusions. It also contains a series of recommendations to FHFA to remediate the corporate governance failures identified in this evaluation and improve controls to manage operational risk.

The report was prepared by David P. Bloch, Senior Counsel for Securitization and Risk Management, and Alison C. Healey, Investigative Counsel, and has been distributed to Congress, the Office of Management and Budget, and others and will be posted on our website, www.fhfaoig.gov. We appreciate the assistance of the officials from FHFA and Fannie Mae in completing this evaluation.

Angela Choy
Acting Assistant Inspector General for Evaluations5

2 The then-Acting Director of FHFA stepped down in January 2014 upon the appointment of Director Watt. References in this report to the Acting Director are to the then-Acting Director during the relevant period. This report also refers to two former senior FHFA officials – the Deputy Director of the Division of Enterprise Regulation and the Deputy Director of the Office of Conservatorship Operations – who are no longer Agency employees.
3 See, e.g., FHFA’s Oversight of Risks Associated with the Enterprises Relying on Counterparties to Comply with Selling and Servicing Guidelines: AUD-2014-018 (September 26, 2014); FHFA’s Representation and Warranty Framework: AUD-2014-016 (September 17, 2014); FHFA Oversight of Fannie Mae’s Collection of Funds from Servicers that Closed Short Sales Below the Authorized Prices: AUD-2014-015 (August 7, 2014); and FHFA Actions to Manage Enterprise Risks from Nonbank Servicers Specializing in Troubled Mortgages: AUD-2014-014 (July 1, 2014).
4 Evaluation of FHFA’s Oversight of Fannie Mae’s Management of Operational Risk: EVL-2011-004 (September 23, 2011).
5 Acting Deputy Inspector General for Evaluations Kyle Roberts recused himself from the preparation of this report to avoid the appearance of a personal impairment under the Quality Standards for Inspection and Evaluation (January 2012). While serving as FHFA’s Associate Director for Examination Standards, Mr. Roberts drafted a memorandum to his supervisor discussing the CAE’s appointment and compliance with applicable professional auditing standards.

TABLE OF CONTENTS
EXECUTIVE SUMMARY
ABBREVIATIONS
CRITERIA
FHFA’s Delegation of Most Executive Appointment Authority to the Enterprises
Sarbanes-Oxley and the Increased Importance of the Audit Committee and the Internal Audit Function
The Standards Governing Internal Audit’s Activities Require Independence and Objectivity
FACTS AND ANALYSIS
Fannie Mae’s Risk Management Structure
Selection of the Single-Family CCO to Be the CAE of Internal Audit
Fannie Mae Audit Committee’s Selection Process
FHFA Review and Approval
Fannie Mae’s Initial Efforts to Manage the CAE’s Conflicts of Interest
After the CAE Appointment, FHFA Pressed Fannie Mae and its Audit Committee to Thoroughly Assess the CAE’s Conflicts and Develop an Adequate Plan to Manage Them
FHFA Pressed Fannie Mae to Provide the Promised Assessment of the CAE’s Conflicts and Plan to Manage Them
FINDINGS
1. Fannie Mae Did Not Satisfy Its Obligations Pursuant to Its Delegated Authority from FHFA or the IIA Standards
2. FHFA’s Oversight of Fannie Mae’s Appointment of a New CAE Was Ineffective
3. FHFA’s Failure to Insist that Fannie Mae Thoroughly Assess the Scope of the CAE’s Conflicts and Develop an Adequate Plan to Manage Those Conflicts Immediately Upon the CAE’s Appointment Meant that Internal Audit’s Independence and Objectivity Was Called into Question for a Significant Period of Time
CONCLUSION
RECOMMENDATIONS
OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX A
FHFA’s Comments on FHFA-OIG’s Findings and Recommendations
APPENDIX B
FHFA-OIG’s Response to FHFA’s Comments
ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

CAE: Chief Audit Executive
CCO: Fannie Mae Chief Credit Officer of Single-Family
CEO: Chief Executive Officer
CHRO: Chief Human Resources Officer
DER: Division of Enterprise Regulation
Fannie Mae: Federal National Mortgage Association
Freddie Mac: Federal Home Loan Mortgage Corporation
FHFA or Agency: Federal Housing Finance Agency
Internal Audit: Fannie Mae Internal Audit Department
IIA: Institute of Internal Auditors
LOI: Letter of Instruction
NYSE: New York Stock Exchange
OCA: Office of the Chief Accountant
OCO: Office of Conservatorship Operations
OIG: Federal Housing Finance Agency Office of Inspector General
Sarbanes-Oxley: Sarbanes-Oxley Act of 2002
SEC: United States Securities and Exchange Commission
PCAOB: Public Company Accounting Oversight Board
PD: Position Description
Single-Family: Fannie Mae Single-Family Business Group
Standards: International Standards for the Professional Practice of Internal Auditing
The Enterprises: Fannie Mae and Freddie Mac

CRITERIA

FHFA’s Delegation of Most Executive Appointment Authority to the Enterprises

On September 6, 2008, FHFA used its authorities to place the Enterprises into conservatorship. As the Enterprises’ regulator and conservator, FHFA has considerable discretion in defining its role and choosing its actions. FHFA determined that the most efficient way to carry out its conservatorship responsibilities was to delegate normal corporate governance functions to the Enterprises’ Boards of Directors while retaining authority to review and approve critical matters.
On November 24, 2008, FHFA’s Director issued to the Board of each Enterprise a Letter of Instruction (LOI), which specified certain actions requiring review and approval by FHFA and delegated other activities to the discretion of the Enterprises’ boards and managers. Relevant to this evaluation, the 2008 LOIs stated that the Enterprises must “consult with and obtain the approval of the Conservator before taking . . . [a]ctions involving the hiring, compensation, and termination benefits of directors and officers at the executive vice president level and above,” including their CAEs (collectively, executive officers).6 Four years later, on November 15, 2012, FHFA’s Acting Director issued new LOIs to the Enterprises.7 There were a number of differences between the 2008 and 2012 LOIs: the noteworthy change for purposes of this evaluation was the elimination of FHFA’s review and approval of the hiring of executive officers. The 2012 LOIs, which remain in effect, do not require the Enterprises to seek Agency approval of their choices for executive officer positions; rather, FHFA has limited its formal role to approving compensation arrangements of the Enterprises’ candidates.8 However, FHFA retained its right and authority under the 2012 LOIs “to review and approve or to require review and approval of any transaction or activity [of the Enterprises] at any time.”9 6 When asked by OIG how many executive officers were hired under the 2008 LOIs’ approval process, Freddie Mac provided data showing that fifteen executive officers were hired under the 2008 LOI. FHFA and Fannie Mae advised us that such data was not easily or readily available. 7 The 2012 LOIs explicitly superseded the November 2008 LOIs. 
FHFA’s Acting Director issued the November 2012 LOIs to the Boards “in light of experience and practice under the Conservatorship.”
8 When asked about FHFA’s role in the hiring process under the 2008 LOIs compared to the 2012 LOIs, FHFA’s General Counsel advised OIG that the 2008 LOIs required more of a formalized, “back and forth” process. However, he noted that, under the 2012 LOIs, FHFA remained involved in the process and still could end the candidacy of an Enterprise’s selected executive.
9 FHFA, Board of Directors and Senior Management, Version 1.0 (July 2013), at 31, available at www.fhfa.gov/SupervisionRegulation/Documents/Board_of_Directors_and_Senior_Management_Oversight_Module_Final_Version_1.0_508.pdf (last accessed March 7, 2015).

Sarbanes-Oxley and the Increased Importance of the Audit Committee and the Internal Audit Function

Adopted more than a decade ago—following the corporate governance failures at Enron and WorldCom—Sarbanes-Oxley “mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud[.]”10 Among its key provisions, the Act requires corporate management to certify the accuracy of financial disclosures and report on the effectiveness of internal controls.11 Sarbanes-Oxley tasked audit committees of public companies with increased responsibilities respecting oversight of financial reporting and internal controls, and those responsibilities were defined in the implementing rules promulgated by the Securities and Exchange Commission (the SEC).12 Assessing the effectiveness of internal controls has also led to an expanded role for many internal audit departments, including Fannie Mae’s, which assumed regulatory compliance duties in addition to traditional risk assessment functions.
Audit Committees of publicly traded companies, such as both Enterprises, must incorporate specific responsibilities mandated by Sarbanes-Oxley and the SEC.13 The Charter for the Fannie Mae Audit Committee states the Committee’s purpose is to:

• Oversee (a) the accounting, reporting, and financial practices of the Corporation and its subsidiaries, including the integrity of the Corporation’s financial statements and internal control over financial reporting, (b) the Corporation’s compliance with legal and regulatory requirements, (c) the external auditor’s qualifications and independence, (d) the performance of the Corporation’s internal audit function and the Corporation’s external auditor, and (e) the Corporation’s key information technology and operations controls; and
• Prepare the report required by the rules of the Securities and Exchange Commission (the “Commission”) to be included in the Corporation’s annual proxy statement.14

According to the Public Company Accounting Oversight Board (PCAOB),15 “Internal auditors are responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity’s management and board of directors[.] […] To fulfill this responsibility, internal auditors maintain objectivity with respect to the activity being audited.”16 Fannie Mae’s 2014 Form 10-K describes the broad scope of Internal Audit’s work: “Internal audit activities are designed to provide reasonable assurance that resources are safeguarded; that significant financial, managerial and operating information is complete, accurate and reliable; and that employee actions comply with our policies and applicable laws and regulations.”17

The Standards Governing Internal Audit’s Activities Require Independence and Objectivity

Fannie Mae’s Internal Audit Charter mandates that Internal Audit conform its practices to the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing (Standards).18 The IIA is a global, authoritative source of guidance for the internal audit profession. The IIA defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.”19 When internal audit activity is effective, it “helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”20 The IIA Standards are principle-focused requirements that provide a framework for the professional practice of internal auditing.

10 U.S. Securities and Exchange Commission (SEC), The Laws That Govern the Securities Industry, available at www.sec.gov/about/laws.shtml#sox2002 (last accessed December 11, 2014).
11 See Sections 302 and 404 of Sarbanes-Oxley (codified at 15 U.S.C. §§ 7241 and 7262, respectively).
12 See Exchange Act Rule 13a-14(a); Item 601(b)(31) of Regulation S-K; Item 9A of Form 10-K; Part I, Item 4 of Form 10-Q; Exchange Act Rule 13a-15(a); Exchange Act Rule 10A-3(b)(2), (3), (4) and (5). See also NYSE Manual Section 303A.07(b)(i) and (iii) (requiring audit committees of companies listed on the New York Stock Exchange (NYSE) to oversee the performance of the internal audit function). NYSE standards and commentary are useful, but not dispositive, since Fannie Mae and Freddie Mac were delisted from the NYSE at the direction of FHFA in 2010.
13 See Exchange Act Rule 10A-3, NYSE Manual Section 303A.07. See also Institute of Internal Auditors, The Audit Committee: Internal Audit Oversight, at 1, https://na.theiia.org/about-ia/PublicDocuments/08775_QUALITY-AC_BROCHURE_1_FINAL.pdf; Deloitte, Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era (2005), at 1.
14 Fannie Mae Audit Committee Charter (January 2011). The 2011 charter was in effect at the time of the CAE’s appointment. The currently operative charter (last amended in November 2014), contains identical language with the exception of the clause “in years in which Fannie Mae holds an Annual Meeting of Stockholders and files a proxy statement” at the end of the second quoted bullet.
15 The PCAOB is a nonprofit corporation established by Congress in Sarbanes-Oxley to oversee the activities of the auditing profession. See Section 101 of the Act, Pub. L. No. 107-204, 116 Stat. 745 (2002) (codified at 15 U.S.C. § 7211 (2006)).
16 PCAOB Auditing Standard (AU) Section 322.03: The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements, Roles of the Auditor and the Internal Auditors.
17 SEC, Fannie Mae Form 10-K for Fiscal Year 2014, at 112.
18 The IIA emphasizes that conformance with the Standards “is essential in meeting the responsibilities of internal auditors and the internal audit activity.” FHFA guidance confirms that Fannie Mae should comply with the Standards. See, e.g., FHFA’s Examination Manual, Internal and External Audit, Version 1.0 (dated November 2013), available at www.fhfa.gov/SupervisionRegulation/Documents/Internal_and_External_Audit_Module_Final_Version_1_0-508.pdf (last accessed December 10, 2014).
19 The IIA Definition of Internal Auditing is available at https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx.
According to the Standards, an “internal audit activity must be independent, and internal auditors must be objective in performing their work.”21 An internal audit activity’s independence or objectivity is impaired when an auditor’s relationship to the area being audited gives rise to a conflict of interest. Such conflicts can occur when an internal auditor has a personal or professional involvement or association with the area that is being audited.22 A conflict of interest compromises an auditor’s ability to carry out his or her duties in an impartial and unbiased manner. As set forth in the Standards, “Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.”23

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.
A Conflict of Interest is any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.
Source: Standards

20 Id.
21 Standard 1100 (Independence and Objectivity) of the IIA Standards. The Standards devote a section to independence and objectivity, with individual standards for organizational independence, the chief audit executive’s interaction with management, auditors’ individual objectivity, and impairments to independence and objectivity.
22 The Standards specify that a conflict of interest exists merely because of an auditor’s involvement or association with the area he or she is auditing, “even if no unethical or improper act results.” Standard 1120 – Individual Objectivity, Interpretation, at 4. In such a case, the auditor’s connection to the audited area “can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession.” Id.
23 Standard 1130.A1 of the Standards.

FACTS AND ANALYSIS

Fannie Mae’s Risk Management Structure

A critical component of corporate governance is managing risk. Fannie Mae’s 2014 Form 10-K states: “Our risk management framework and governance structure are intended to provide comprehensive controls and ongoing management of the major risks inherent in our business activities.”24 It continues: “Our ability to identify, assess, mitigate and control, and report and monitor risk is crucial to our safety and soundness.”25

Fannie Mae uses a “Three Lines of Defense” model to manage risk.26 The first line of defense is the active management of risk by each of Fannie Mae’s three business units.27 Single-Family is the largest of Fannie Mae’s three business units.28 It posted a net income of $8.5 billion in 2014, and its average guarantee book of business was valued at approximately $2.87 trillion as of September 30, 2014. Single-Family acquires mortgages from lenders and issues single-class Fannie Mae mortgage-backed securities. It also must manage the credit risks and losses associated with its activities.

The CCO of Single-Family is directly responsible for risk management in Single-Family. Specifically, the CCO oversees the establishment of Single-Family credit policy, underwriting standards and pricing terms, quality control, and lender and mortgage insurer oversight.
Additionally, the CCO is a key decision-maker for many projects in Single-Family. For example, the CCO makes recommendations and signs off on Single-Family products, processes, and reported controls. The CCO also designs, drafts, and implements risk management policies and procedures related to auditing, which are subject to review by internal and external auditors. The Audit Committee Chair told us that he thought the CCO was the most qualified person to lead Single-Family, should a vacancy occur.

The second line of Fannie Mae’s risk management defense consists of the Risk Management and Compliance Divisions, which perform risk-control and compliance oversight.

The third line of defense is Fannie Mae Internal Audit (Internal Audit). Led by the CAE, Internal Audit is responsible for providing independent and objective assurance of the corporation’s governance, risk management, and control processes. Internal Audit examines the design and execution of the Enterprise’s internal control system and produces a series of audit reports each year. These reports may contain recommendations to Fannie Mae’s management that are intended to remediate identified deficiencies and weaknesses in the Enterprise’s risk management controls. Internal Audit reports directly to the Fannie Mae Audit Committee.29

24 Fannie Mae, Form 10-K for Fiscal Year 2014, at 104.
25 Id.
26 See id. at 111.
27 See id.
28 Fannie Mae’s other two businesses are Multifamily and Capital Markets.

Selection of the Single-Family CCO to Be the CAE of Internal Audit

Fannie Mae Audit Committee’s Selection Process

Pursuant to the operative Audit Committee Charter, the Audit Committee was responsible for selecting a new CAE and for overseeing the work by Internal Audit. The Audit Committee Chair reported to us that he was approached in early 2013 by the then-CAE to discuss the potential for another opportunity within Fannie Mae.
He explained to us that he relayed that interest to Fannie Mae’s CEO, and together, they considered possible other positions in the Enterprise that were suitable for the CAE. He advised us that they learned shortly thereafter that the then-head of the Enterprise Project Management Office was leaving that role, perhaps as early as May 2013, and they determined that the current CAE would be the best candidate for that position, once the vacancy occurred. With the decision made to laterally transfer the CAE into the Enterprise Project Management position, the Chair explained that they started to look for candidates to fill the CAE position for the upcoming vacancy.

Historically, most public companies turned to career internal auditors or CPAs working in external audit firms to fill CAE vacancies. A 2010 study, reporting on “a series of interviews with high-profile CAEs in the United States and abroad,” found that an increasing number of public companies have looked for CAE candidates across the organization with past successful experience in “controllership, divisional finance, human resources, risk, and compliance, or leadership positions in operations or other business units” because such candidates have a clear understanding of the business and the risks.30

Fannie Mae’s Position Description (PD) for the CAE role, which Fannie Mae provided to OIG as the position description used for the CAE search in 2013, is three single-spaced pages in length. This PD identifies a number of desired “competencies” that are substantially similar to the traits identified as essential to success in the 2010 study discussed above: “understands the business;” “articulate, crisp and concise communicator;” “healthy level of professional objectivity with a strong sense of independence;” “broad based knowledge of industry policies, procedures, systems and best practices with respect to audit and controls in a financial services firm;” “demonstrated ability to build a culture of teamwork and collaboration that attracts, retains and develops top talent;” and “maintain the courage of his/her convictions.” The PD, of course, is far more granular than the wish list of competencies.

29 The Audit Committee is one of six standing committees of the Fannie Mae Board of Directors. The CAE reports to the Audit Committee Chair with a dotted line reporting relationship to the Fannie Mae Chief Executive Officer (CEO).
30 The Korn/Ferry Institute and The Institute of Internal Auditors Audit Executive Center, License to Lead: Seven personal attributes that maximize the impact of the most successful chief audit executives (2010), available at www.kornferryinstitute.com/reports-insights/license-lead-seven-personal-attributes-maximize-impact-most-successful-chief-audit (last accessed February 27, 2015).
As would be expected for the CAE position, many of the 16 “Key Job Functions & Duties” in the PD relate directly to identifying key risks across the Enterprise and developing audit measures to test the adequacy of controls to manage those risks.31 Accordingly, the PD identified 10 required professional qualifications for the CAE position, including:

“15+ years of experience, preferably with a background at a Big Four accounting firm and corporate audit experience in a highly sophisticated financial services environment.”
“Notable experience leading and performing complex projects with a deep understanding of operations, finance, risk assessment and processes in conducting audits.”
“Broad familiarity of key information technology risks and controls and available technology based audit techniques.”
“Experience working in a highly regulated environment, with a solid understanding of Sarbanes-Oxley requirements.”
“C[ertified] I[nternal] A[uditor] or C[ertified] P[ublic] A[ccountant] required; advanced degree in accounting, finance, or other business-related field preferred.”

31 By way of example, these responsibilities include: “Conduct a thorough risk assessment and then seek continuous improvements to a comprehensive audit program that is responsive to the operational, financial, control and other risks within the company.” “Coordinate scope and coverage of the annual audit plan with the company’s independent external auditors and the company’s regulator.” “Present the annual audit plan to the Audit Committee and provide periodic updates of status and changes required in the plan as well as updates on the status of the overall operation of the Audit department.” “Determine that the company’s operating units are in compliance with corporate standard operating procedures and other operating policies, including compliance with corporate accounting policies.” “Determine the relative complexity, materiality, or significance of matters to which assurance procedures are applied, and provide guidance on the probability of significant errors, irregularities, noncompliance and the root cause analysis of the risks.” “Develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity to ensure that internal audit activity is compliant with all professional and ethical standards.”

In the course of our review, Fannie Mae officials reported to us that this PD was never meant to limit the pool of applicants to those who had “15+ years” of audit experience, whether at a “Big Four accounting firm” or “corporate audit experience in a highly sophisticated financial services environment.” While such experience would have been “preferable,” Fannie Mae officials advised us that the PD, when read in its totality, sought candidates with strong management skills in a large, highly regulated public company, regardless of whether those candidates had 15+ years of audit experience.

During 2013, Fannie Mae’s senior leadership continued work on an Enterprise-wide strategy to retain and develop key talent. Overseen by the Board’s Compensation Committee and that Committee’s law firm, this effort had numerous elements and was developed by management in concert with external talent and personnel consultants.32 On July 11, 2013, Fannie Mae’s CEO and CHRO provided an update on the implementation of that strategy to the Board’s Compensation Committee, a meeting attended by two members of the Audit Committee.
Their update, set forth in a 24-page Succession Plan, explained Fannie Mae’s ongoing efforts to build bench strength to bolster its “succession bench” across the Enterprise in areas where “successors [were] more than 12 months away from readiness through external hiring and development of current employees.” Among other things, the Plan explained efforts to develop talent among Fannie Mae vice presidents and management’s assessment of possible successors to senior vice presidents across the Enterprise. For each position then held by a senior vice president, senior management assessed: whether there was an internal candidate who was “ready now” to assume the responsibilities; whether there was an internal candidate who would be ready in 12 months; whether there was an internal candidate who would be ready in 12-24 months; and whether there was an internal candidate who would be ready in 24+ months. That assessment was presented in a chart included in the Succession Plan. For the CAE position, the Succession Plan identified three possible internal candidates, all from Internal Audit, who would be ready in 12-24 months and reported “External” in the column marked “Ready Now.” In their written summary of these assessments, the CEO and CHRO reported that eight of these senior vice president positions lacked a “ready now” successor for which they proposed to “hire candidates externally.” One of these eight positions was the CAE position.

32 Minutes of the July 11, 2013 meeting of the Compensation Committee of the Board of Directors of Fannie Mae.

Fannie Mae urged us to disregard the assessments in this Succession Plan for a number of reasons: the Plan focused primarily on the promotion of internal candidates within different business units and only sometimes considered candidates outside the relevant unit; it was generally geared to consideration of promotional candidates rather than lateral transfers; and senior management did not purport to undertake a comprehensive Enterprise-wide analysis of all possible candidates.

While the Chair was well aware by July 11, 2013, that the CAE position was expected to become vacant and there were no internal candidates “ready now,” minutes for meetings of Fannie Mae’s Audit Committee prior to September 19, 2013, contain no discussion of the upcoming CAE vacancy or efforts to identify qualified candidates.33 Fannie Mae confirmed to us that the Audit Committee sought to identify Enterprise-wide candidates only after the then-CAE had been transferred and the CAE vacancy existed. Minutes for the September 19, 2013 Committee meeting show that the Committee met in executive session to identify potential candidates for the CAE vacancy and schedule interviews with them.

Fannie Mae’s Audit Committee Chair told us that the Committee determined to limit its scope to consideration of internal CAE candidates, provided qualified candidates could be identified, because it had experienced prior problems with external hires.34 He further reported to us that, at that time, he asked the CHRO for a list of possible internal candidates. The CHRO developed a list of nine internal candidates across the organization, including the Single-Family CCO, in less than six days and provided that list to the Chair on September 25, 2013. The Audit Committee Chair and another member of the Fannie Mae Audit Committee interviewed three of those candidates over the next eight days. On or about October 3, 2013, the same two Audit Committee members selected the CCO of Single-Family as the CAE candidate, subject to review and approval by the Fannie Mae Board.
33 FHFA recognizes the importance of succession planning in the risk management and corporate governance structure for top management roles in addition to the CEO. FHFA’s Board of Directors and Senior Management examination manual module states: The board of directors must also have a formal management succession plan to ensure that the regulated entity can continue operations without disruption in the event of the loss of the CEO or other key senior officers. The succession plan should provide for the transition in leadership by identifying individuals who have the qualifications to successfully fill top management roles on an interim and long-term basis. Once potential candidates are identified the management succession plan should provide for training opportunities to develop the candidate’s skills to effectively fulfill their new responsibilities at the time of transition (Emphasis added).
34 FHFA’s Chief Accountant and a senior official from the Division of Enterprise Regulation (DER) advised us that they would have preferred the Audit Committee to search for external CAE candidates, and contemporaneous emails reflect that FHFA urged Fannie Mae’s CEO to select an external candidate for the CAE position.

The Audit Committee Chair advised us, in December 2014, that the Audit Committee’s review of internal candidates focused on the breadth and depth of their experience in auditing, accounting principles, and communication. However, the CCO of Single-Family lacked the “15+ years of experience, preferably with a background at a Big Four accounting firm and corporate audit experience in a highly sophisticated financial services environment” sought in the PD; while a CPA, he spent less than seven years as an auditor, in the years immediately after his graduation from college from 1985 to 1992 (the last four of which were at Fannie Mae), and then worked at Fannie Mae in different management roles outside of Internal Audit.
According to the Chair, the CCO was selected for the CAE vacancy for several reasons: the CCO worked for a number of years in the internal audit function at BB&T Bank (which the Chair then amended to be a smaller bank that was later acquired by BB&T); was knowledgeable of the company’s biggest risk area, Single-Family; and could hit the ground running. There is no corporate record that the Audit Committee formally met, either in person or by phone, to discuss the qualifications of the different candidates and to make its selection. Further, we found no contemporaneous document prepared by the Audit Committee in October 2013 that explains: (1) its rationale for limiting the scope of its search to internal candidates when the Succession Plan prepared by the CEO and CHRO reported two months earlier that no internal candidates were “ready now” for the CAE position; (2) the reasons for selecting a candidate whose audit experience fell short of the audit qualifications deemed “preferable” in the CAE PD; (3) its understanding that the CCO would be burdened with significant conflicts if he became the CAE; (4) the basis for its conclusion that the CCO was the best qualified candidate for the CAE position, notwithstanding his lack of significant audit experience (and no audit experience in the prior 20 years) and his conflicts; and (5) its plan of action to assess the scope of the CCO’s conflicts and develop appropriate controls to manage those conflicts. 
In a November 5, 2013 memorandum prepared by the Chief Accountant and two Office of the Chief Accountant (OCA) officials to a senior official in the Division of Enterprise Regulation (DER), they characterized the Audit Committee’s process as “abridged [and] limited in scope” and concluded that it was “indicative of a lack of engagement by the Audit Committee [which] gives cause for concern that aspects of the governance process may have a propensity to be ineffective.”

FHFA Review and Approval

On October 4, 2013, the Audit Committee Chair informed FHFA’s Chief Accountant that the Committee had selected the CCO of Single-Family to become the CAE. In response, the Chief Accountant asked for the candidate’s résumé and a meeting with the nominee. The Audit Committee Chair agreed to both requests by email that same day but commented, “the decision is the Audit Committees [sic].”35

35 The operative Audit Committee Charter stated that the hiring of a CAE, called the “Chief Internal Auditor” in the Charter, was the responsibility of the Committee, subject to the Conservator’s approval. That Charter does not reflect FHFA’s 2012 LOI delegation of responsibility for all aspects of the executive hiring decision except for compensation.

On October 10, 2013, FHFA’s Chief Accountant and a senior DER official met with the CAE candidate. The next day, the Chief Accountant and the DER official told Fannie Mae and Audit Committee representatives that they had no issues with the board members proceeding with the process of selecting the new CAE. However, internal emails within FHFA written on October 11, 2013, reflect that a number of FHFA officials discussed two governance concerns about this CAE appointment: (1) the CCO’s qualifications to serve as CAE; and (2) the Audit Committee’s insistence on an abridged search process involving only internal candidates, even though a key responsibility of the Audit Committee was the selection and oversight of the CAE.

The Chief Accountant recalled to us that he spoke to the Office of Conservatorship Operations (OCO) and DER Deputy Directors more than once about three issues he had with the CAE appointment: the two articulated in the above-mentioned internal FHFA emails and a third, management of the pervasive conflicts that would be created when the CCO of Single-Family moved into the CAE position. We, however, found no contemporaneous documents reflecting discussions on the conflicts issues between the Chief Accountant and the OCO Deputy Director and DER Deputy Director or any document in which either Deputy Director advised the Acting FHFA Director of such concerns. The Deputy Directors of OCO and DER at that time have since left FHFA and both declined to speak with us.

Fannie Mae, in its email request to FHFA to approve compensation for the CAE candidate, explained that the “Audit Committee selected the [CAE candidate] based on his: (ii)[sic] prior audit experience; (iii)[sic] strong understanding of operations and credit risk within the single family business and his ability to articulate a vision for the Audit function.”

On October 14, 2013, FHFA’s Acting Director informed the Deputy Directors of OCO and DER via email that the Agency had received a formal request from Fannie Mae regarding compensation for the CAE candidate, and asked if there were any outstanding issues or concerns regarding the appointment. We found no email response from OCO’s Deputy Director to this email. The Chief Accountant told us that he did not raise his concerns with the Acting Director because his practice was only to escalate concerns involving financial reporting to the Director. DER’s Deputy Director responded by email. He advised that FHFA officials had interviewed the CAE candidate and let the Audit Committee know that they did not have any significant issues from a safety and soundness perspective, and told the Acting Director that the only concern was that the candidate had not been a chief auditor or senior audit person in a large institution.

FHFA’s Acting Director told us that he did not recall hearing about any particular issues with respect to the CAE candidate. He expected that the candidate would be vetted by Fannie Mae’s Board and then reviewed by the Agency, likely FHFA’s OCO, and there would be some discussion regarding the candidate’s qualifications. FHFA’s Acting Director reported to us that he would have assumed that the Audit Committee selected a CAE candidate who had the professional experience needed for the CAE position and that Fannie Mae would provide any additional training needed for the position. FHFA’s Acting Director approved the proposed compensation for the CAE candidate.

On October 14, 2013, Fannie Mae’s CEO provided the Board with an email update on the CAE search. He reported that the Audit Committee interviewed a “number of internal candidates put forward by management” and selected the CCO of Single-Family. He explained that the Committee’s selection of the CCO “was based on his prior audit experience (he began his career at Fannie Mae in Internal Audit), his familiarity with financial matters (he is a CPA), his strong understanding of operations and credit risk within the Single-Family business, . . . his steady demeanor and his ability to articulate a clear and strong vision for the Internal Audit function.” Fannie Mae’s Board of Directors approved the selection of the CAE candidate by unanimous written consent.
Fannie Mae’s Initial Efforts to Manage the CAE’s Conflicts of Interest

As discussed earlier, the IIA Standards require internal audit activity to be independent and internal auditors to be objective in performing their work. While we were advised that FHFA officials internally discussed the CAE’s inherent conflict of interest, we found no evidence that anyone at FHFA took any action to ensure that Fannie Mae put adequate controls in place to address this conflict before the CCO assumed his new role as CAE on November 4, 2013.

The Fannie Mae Internal Audit Charter, in compliance with the IIA Standards, requires that Internal Audit conduct an independence analysis for all internal employee transfers and create a screen to wall them off from audit activities involving their prior work. The employees must refrain from engaging in audit activity for one year for any areas deemed to create a conflict of interest. A few days before the CCO began work as the CAE, Internal Audit’s Chief of Staff completed an independence assessment to determine the scope of activities from which the CAE should be recused during his one-year cooling-off period (from November 4, 2013, until November 3, 2014). That assessment was provided to the CAE on November 4, 2013, and he acknowledged in writing his “clear independence issue in regard to any audits of areas in which I previously worked.” Although Internal Audit’s Chief of Staff found that the CAE, when he served as the Single-Family CCO, had a “broad scope” of responsibilities, she concluded that the CAE’s conflicts of interest (and thus, any Internal Audit independence and objectivity problems) were limited to two audits in 2013 and one potential audit activity in 2014.
The Audit Committee Chair advised the Audit Committee at its September 17, 2014 meeting that he “had reviewed the approach initially taken by Internal Audit to preserve the CAE’s independence and had found it to be logical and reasonable.”36

After the CAE Appointment, FHFA Pressed Fannie Mae and its Audit Committee to Thoroughly Assess the CAE’s Conflicts and Develop an Adequate Plan to Manage Them

On November 13, 2013, FHFA’s Chief Accountant and a DER examiner met with members of Fannie Mae’s Audit Committee “to discuss, among other things, the implications of the hiring of [the CCO] as Fannie Mae’s CAE.” They knew, from a prior conversation with the incoming CAE, that Fannie Mae had determined to wall off the CAE from three audit activities during the one-year recusal period. These FHFA officials advised us that FHFA wanted additional work done by Fannie Mae to assess the scope of the CAE’s conflicts and the breadth of his recusal. They reported that they asked the Audit Committee Chair at this meeting to ensure that Fannie Mae prepared a written analysis demonstrating full consideration of the CAE’s potential conflicts and developed a proposal to manage those conflicts. They further recalled that they specifically requested the Audit Committee to actively monitor compliance with the written analysis and conflicts proposal so that independence and objectivity would be maintained during the new CAE’s one-year recusal period. FHFA officials recalled to us that they understood that the Chair committed at this meeting to follow up on a plan to identify and manage the CAE’s conflicts.
Minutes for an Audit Committee meeting on November 14, 2013, provide a high level summary of the intended outcome of the required Fannie Mae assessment and expected controls: “to maintain independence, [the new CAE] will not audit areas where he previously had management responsibility, including single-family risk management, seller oversight, and the new representation and warranty model” and “a committee of Internal Audit officers will review all audits and work-papers for these areas.”

36 We were advised by partners in the external audit firm that the external audit team made inquiries about the plan to manage the CAE’s conflict resulting from the internal transfer and was told by Fannie Mae that there was a plan. The external audit team accepted Fannie Mae’s representations that a plan was in place to manage the CAE’s conflict.

FHFA Pressed Fannie Mae to Provide the Promised Assessment of the CAE’s Conflicts and Plan to Manage Them

In light of FHFA’s November 13, 2013 direction to the Audit Committee, FHFA officials reported to us that they expected to receive a written conflicts assessment and proposed controls to mitigate the conflicts. During the next two months, no such materials were forthcoming. Both the Audit Committee Chair and Fannie Mae’s Chief Compliance Officer told us that they thought that Fannie Mae had complied with FHFA’s instructions with the summary presented at the November 14, 2013 Audit Committee Meeting, which FHFA’s Chief Accountant and the OCO Deputy Director attended. The summary provided no additional information about the CAE’s conflicts or the controls to manage those conflicts beyond the independence assessment that had been completed by Internal Audit’s Chief of Staff.

On January 9, 2014, a DER official reached out to Fannie Mae’s Chief Compliance Officer by email and asked her to “liaise with” the Audit Committee Chair to obtain the materials requested from the Chair in November 2013.
By way of background, the email explained that FHFA officials met with the Chair in early November 2013 and “conveyed [FHFA’s] expectation that the Audit Committee [would] have considerable involvement in providing the oversight necessary to ensure that independence and objectivity is maintained both in appearance and in fact” for Internal Audit during the new CAE’s one-year recusal period. The email reported that FHFA officials, in that November meeting, asked the Audit Committee Chair to provide FHFA with a document: [t]hat demonstrates thoughtful consideration of potential conflict of interests, and outlines the potential conflicts, plans to address the potential conflicts, and how the Audit Committee will actively monitor compliance with the expectations outlined in the document. The email explained that FHFA had “not received a response to this request” and asked for “assistance in obtaining this document . . . as soon as possible.” In response, Fannie Mae produced the independence assessment completed by Internal Audit’s Chief of Staff during the first week of November 2013 and the acknowledgement signed by the CAE on November 4, 2013. Based on its review of these materials, FHFA was unable to conclude that the conflicts assessment by Fannie Mae was sufficient and that the existing conflicts controls would enable Internal Audit to meet the IIA Standards for independence and objectivity. 
In March 2014, FHFA issued a Supervisory Expectation Letter seeking additional information about Fannie Mae’s processes to identify, address, and monitor the CAE’s conflicts.37 FHFA officials were particularly concerned whether Internal Audit was conforming to the IIA Standards, both in appearance and in fact, given the scope of the CAE’s former and current responsibilities.38 In response, Fannie Mae’s Chief Compliance Officer provided an expanded set of controls and advised that Fannie Mae would retain a consultant to assess the adequacy of those controls, if the Audit Committee or FHFA requested that review. FHFA responded with a written recommendation that Fannie Mae seek an external assessment of the CAE’s conflicts and review of existing controls.

On April 3, 2014, Fannie Mae’s Audit Committee Chair wrote to FHFA, noting, “We share your concerns and are committed to resolving all issues surround [sic] Chief Audit Executive indpendence [sic].” He advised that, “at the previous request of the Audit Committee, and consistent with your request, engagement of a qualified independent third party to conduct an assessment of all relevant matters is underway.” The Audit Committee Chair committed in his letter that the third-party review would be complete before Fannie Mae’s May 2014 Board of Directors meeting.

37 In spring 2014, FHFA communicated to Fannie Mae its concerns regarding the potential impairment of Internal Audit’s objectivity and independence because of the CAE’s conflicts that FHFA raised previously with Fannie Mae in November 2013, January 2014, and early March 2014.
On April 21, 2014, the Audit Committee passed by unanimous consent a resolution to engage Grant Thornton, an audit and advisory firm, to conduct a “CAE Independence Review.” That resolution provides: WHEREAS, the Federal Housing Finance Agency (“FHFA”) has directed the Audit Committee of the Fannie Mae Board of Directors (the “Committee”) to engage an independent third-party to assess the Chief Audit Executive’s independence and to ensure that his activities are in compliance with the Institute of Internal Auditors (“IIA”) standard regarding independence and objectivity in light of his prior role as Chief Credit Officer for the Company's Single-Family business (the “CAE Independence Review”); WHEREAS, the Committee desires to engage Grant Thornton LLP (“Grant Thornton”) to conduct the CAE Independence Review[.] By letter dated May 7, 2014, Grant Thornton confirmed its engagement by the Fannie Mae Audit Committee. Work by Grant Thornton commenced and the firm issued a preliminary draft report in mid-July 2014, which it revised after considering comments from Fannie Mae and FHFA. After a second round of comments, the firm issued its final report on September 5, 2014. Grant Thornton found that Fannie Mae’s initial analysis of the CAE’s potential conflicts was incomplete for several reasons, including: The analysis did not specifically include the CCO’s relationships or bias that may have existed based on his prior role in Single-Family; The analysis looked only at a sampling of audits and assumed that all other audits posed no independence or objectivity concerns; and The analysis did not consider the CAE’s potential conflicts of interest for all audit activities, such as open matters that Internal Audit was monitoring and responsible for resolving. 
The Grant Thornton report recommended adoption of 11 additional controls to bring Internal Audit into conformance with the Standards for independence and objectivity, one of which had been adopted by Fannie Mae in March 2014 and others of which were in the process of being implemented. Based on the findings in its review, Grant Thornton concluded: “It is our overall opinion that the procedures established by Fannie Mae partially conform to the Standards and Code of Ethics.”39 Informed by the Grant Thornton review and by enhancements made by Fannie Mae to bolster independence controls, Internal Audit revised its policy regarding independence and objectivity.40 Grant Thornton opined that Fannie Mae’s “Partial Conformance” to the Standards and Code of Ethics would be upgraded to “Generally Conforms” when the revised Internal Audit policy was followed and supported by proper documentation.

Fannie Mae’s Chief Compliance Officer updated the Audit Committee, at its September 17, 2014 meeting, on Grant Thornton’s conclusion that the procedures established by Fannie Mae partially conformed to the Standards. She reported that “management has accepted the Grant Thornton recommendations and the majority should be implemented by November; however, a few recommendations may require until January 2015 to implement.”

In accordance with Grant Thornton’s recommendations and Fannie Mae’s September 17, 2014 Internal Audit Independence and Objectivity Policy, Internal Audit performed a revised assessment in September 2014 of the audit activities from which the CAE should be recused. Ten months after the initial determination by the Chief of Staff for Internal Audit that the CAE would be recused from only three audit areas during his one-year cooling off period, Internal Audit added 17 additional audit activities from which the CAE should be recused.
In late October 2014, FHFA informed us that it was monitoring Fannie Mae’s implementation of the Internal Audit Independence and Objectivity Policy and would continue to do so through DER examination work. A senior DER official advised us that work related to monitoring Internal Audit’s controls to address the CAE’s conflict in the 2014 examination plan might not be completed by year end. Fannie Mae updated its policy again on November 19, 2014, more than one year after the CAE appointment. FHFA advised OIG that its concerns about the independence and objectivity of Internal Audit would be resolved when it was satisfied that the new Internal Audit Independence and Objectivity Policy had been fully implemented and followed. Grant Thornton started its follow-up fieldwork on December 16, 2014.

39 Grant Thornton used the three-tier rating system (i.e., Generally Conforms/Partially Conforms/Does Not Conform) from the IIA’s Quality Assessment Manual to reach its conclusion. As defined by the IIA, “Partially Conforms” means that the internal audit activity is making good-faith efforts to comply with the requirements of the individual Standards or element of the Code of Ethics, section, and major category, but has fallen short of achieving some of the major objectives. Pursuant to that rating, there will usually be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives.
40 See Minutes of the Audit Committee for September 17, 2014, adopting Internal Audit Independence and Objectivity Policy (effective September 17, 2014).
In February 2015—fifteen months after the CAE assumed his new position, and five months after Fannie Mae received Grant Thornton’s report and recommendations—Grant Thornton issued its assessment: “It is our overall opinion that the procedures established by Fannie Mae generally conform to the Standards and Code of Ethics.” It observed that “[o]verall, the I[nternal] A[udit] process for maintaining independence and objectivity has been strengthened by the increased oversight and monitoring provided by those outside the internal audit function, particularly the Audit Committee and Chief Compliance Officer, and the increase in the supporting documentation that validates those conclusions.”

FINDINGS

1. Fannie Mae Did Not Satisfy Its Obligations Pursuant to Its Delegated Authority from FHFA or the IIA Standards

The Fannie Mae Audit Committee, like audit committees for other public companies, has critical governance responsibilities that go beyond oversight of financial reporting and internal controls to oversight of the effectiveness of Enterprise risk management, the external audit firm, programs and policies to prevent and identify fraud, and establishment of procedures for the receipt, investigation, and resolution of complaints regarding accounting, internal accounting controls, or auditing matters. Among the many critical responsibilities with which Fannie Mae Audit Committee is tasked is the oversight of the Internal Audit function. Fannie Mae’s Internal Audit Charter mandates that Internal Audit conform its practices to the IIA Standards.
These Standards require that Internal Audit avoid all conflicts of interest because “[a] conflict can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession.”41 The Standards make clear that a conflict of interest will be created when an auditor has been involved in an area or line of business that he or she is auditing. Based on these governance documents, Fannie Mae and its Audit Committee knew, or should have known, that the applicable IIA Standards required independence and objectivity of Internal Audit. According to the Audit Committee Chair, he and the CEO determined, as early as the spring of 2013, to laterally move the then-CAE into a different position as soon as it became vacant, and the Audit Committee recognized the need to identify qualified candidates for the upcoming CAE vacancy. The relevant CAE PD, in the view of Fannie Mae, was never intended to limit the pool of qualified candidates to only those who had at least 15 years of significant audit experience. As the July 2013 Succession Plan makes clear, the retention and development of key talent was a priority of Fannie Mae’s senior leadership team and its Board. Both senior management and the Board’s Compensation Committee retained external consultants to assist in the formulation and implementation of the strategy and senior management recognized that the Enterprise would be vulnerable if qualified candidates were not ready when vacancies arose. In light of the CEO’s knowledge of the anticipated CAE vacancy, understanding that the CAE PD was not limited to candidates with 15+ years of significant audit experience, and recognition that the succession planning could reach across the Enterprise, it was incumbent on senior management to identify and evaluate qualified candidates across the Enterprise for the July 2013 Succession Plan.

41 IIA Standards, Standard 1120 – Individual Objectivity, Interpretation, at p.4.
Whatever the limitations of senior management’s assessment, the Audit Committee, and not senior management, was tasked with hiring a qualified CAE candidate and was not bound by management’s identification of possible candidates. There is no evidence to show that the Audit Committee made any efforts itself to identify qualified candidates, whether internal or external, after the Chair knew that the CAE position would become vacant as early as spring of 2013. The record developed during this evaluation shows that the Audit Committee first considered the need to identify qualified candidates at its September 19, 2013 meeting. The Committee’s lack of prior planning left it without any possible candidates once the vacancy occurred. After the meeting, the Chair asked the CHRO to identify qualified internal candidates, even though the assessment that he and the CEO produced in July 2013 found no candidates were currently qualified for the position. While Fannie Mae insisted that senior management had not undertaken a comprehensive Enterprise-wide analysis of possible candidates for the Succession Plan, even for a position that the CEO knew would soon become vacant, the CHRO identified nine potentially qualified internal candidates across the Enterprise for the CAE position within six days. Little more than a week later, two Audit Committee members interviewed three of these internal candidates and selected the CCO of Single-Family as the next CAE, even though his audit experience fell short of the 15+ years of senior audit experience deemed preferable in the CAE PD. Moreover, he was burdened by a clear conflict of interest. OIG takes no position on whether the selected CAE candidate had the professional skills and experience demanded by this position in the complex, sophisticated financial services environment at Fannie Mae.
However, because there was no meeting of the Audit Committee recorded in the corporate record books before the Audit Committee Chair announced the CAE selection and because there are no contemporaneous Audit Committee documents reflecting the Committee’s deliberations, it is not possible to determine whether the Committee conducted appropriate due diligence and assessed the qualifications of the different candidates, evaluated them against the CAE PD, recognized that the CCO was burdened by significant conflicts, articulated the reasons that the CCO was the best candidate for the CAE position, or discussed the need to manage the CCO’s conflicts to avoid any impairment to the objectivity and independence of Internal Audit. Not only is there no contemporaneous written explanation by the Audit Committee of its rationale in making this selection, but also there is no written plan from the Committee to assess the conflicts of its CAE candidate and develop comprehensive controls to address those conflicts. The Board approved the selection without requiring the adoption and implementation of such a plan. As we have shown, the Audit Committee Charter requires it to oversee “the performance of the Corporation’s internal audit function” to ensure, among other things, that the independence and objectivity of Internal Audit is maintained. Following the selection of the conflicted CAE candidate, the Audit Committee took no action to ensure that the CAE’s conflicts would be assessed and sufficient controls put into place before his appointment. Instead, the Audit Committee relied upon Internal Audit to assess the CAE’s conflict and to develop and implement a plan to protect the independence and objectivity of Internal Audit. Internal Audit evaluated the CAE’s conflicts no differently from its evaluation of the potential conflicts of any internal candidate transferring into Internal Audit.
Additionally, the Audit Committee Chair found no shortcomings with this limited analysis: he advised the Committee at its September 17, 2014 meeting that he “had reviewed the approach initially taken by Internal Audit to preserve the CAE’s independence and had found it to be logical and reasonable.” FHFA and then Grant Thornton determined that this analysis was perfunctory and insufficient to assess the conflicts created when the CCO of Fannie Mae’s largest business group was promoted to CAE. FHFA officials informed us that they asked the Audit Committee Chair in mid-November 2013 to ensure that Fannie Mae prepared a detailed analysis of the CAE’s potential conflicts and developed a proposal to manage those conflicts, and the Chair agreed to this request. Both the Audit Committee and Fannie Mae maintained to us that no additional work was needed after the November 14, 2013 Audit Committee Meeting. Assuming there was some misunderstanding between FHFA, on the one hand, and Fannie Mae and its Audit Committee, on the other, regarding the deliverables sought by FHFA, any misunderstanding should have been resolved by FHFA’s email of January 9, 2014, to Fannie Mae in which FHFA reiterated its expectations for a thorough conflicts assessment and a plan to address the CAE’s conflicts, either by the Audit Committee or by Fannie Mae under the supervision of the Audit Committee. In response, Fannie Mae provided the same analysis that was available in early November 2013, which FHFA previously advised was inadequate. Once again, the Audit Committee took no action to either prepare the requested analysis or direct Fannie Mae to prepare the analysis, and to prepare a conflict management plan. Only after FHFA sought additional information about Fannie Mae’s processes to identify, address, and monitor the CAE’s conflicts in March 2014 did the Audit Committee take any action. 
Then, it retained an external consultant, which it acknowledged was at FHFA’s direction, and promised FHFA that the consultant’s work would be completed before Fannie Mae’s May 2014 Board of Directors meeting. That commitment was not met; the consultant did not finish its fieldwork until July 2014 and did not issue its report until September 2014. Sarbanes-Oxley, implementing SEC regulations, the 2012 LOI, the Charter of Fannie Mae’s Audit Committee, and the IIA Standards impose governance obligations on Fannie Mae and its Audit Committee and those obligations were not lessened or eliminated by FHFA’s acquiescence to the Audit Committee’s process and selection of the CAE. Based on the facts found in this evaluation, we conclude that neither Fannie Mae nor its Audit Committee fulfilled their corporate governance responsibilities in connection with the search for and selection of the CAE and management of his conflicts to protect the independence and objectivity of Internal Audit and ensure its compliance with the IIA Standards.

2. FHFA’s Oversight of Fannie Mae’s Appointment of a New CAE Was Ineffective

Invoking the 2012 LOI, FHFA officials asserted to us that Conservator approval was limited to approval of proposed compensation for an executive officer candidate.42 While FHFA has delegated hiring authority, save compensation, to Fannie Mae, it consults with Fannie Mae throughout the decisional process, as the record here shows. Yet, we found no evidence that FHFA officials—who discussed concerns about the Audit Committee’s abbreviated process to identify and select a qualified CAE candidate, the qualifications of the candidate, and the CAE’s conflicts that could compromise the independence and objectivity of Internal Audit—raised their concerns with the Acting Director or recommended that he refrain from approving the CAE’s proposed compensation.
Although the Chief Accountant maintained to us that he repeatedly flagged concerns within FHFA regarding the conflicted CAE candidate, neither he nor anyone else at FHFA urged Fannie Mae to identify and consider conflict-free CAE candidates. Nor did any FHFA official require Fannie Mae to assess the scope of the CAE candidate’s conflicts and put into place appropriate controls before the CCO began work as the CAE. We find that there is a critical need to improve communication channels—both within FHFA and between FHFA and the Enterprises—so that FHFA can properly exercise its responsibilities. It is essential for the FHFA Director to be informed about significant risks identified by senior FHFA officials and for FHFA officials to share their concerns with the Enterprise before decisions are made. Breakdowns in communication lead to flawed decisions that must be remedied after the fact, as the record here demonstrates.

3. FHFA’s Failure to Insist that Fannie Mae Thoroughly Assess the Scope of the CAE’s Conflicts and Develop an Adequate Plan to Manage Those Conflicts Immediately Upon the CAE’s Appointment Meant that Internal Audit’s Independence and Objectivity Was Called into Question for a Significant Period of Time

As we have shown, FHFA officials advised the Audit Committee Chair on November 13, 2013—more than a week after the CCO began work as the CAE—that a thorough assessment of the CAE’s conflicts and appropriate controls to manage those conflicts was required. They reiterated their request on January 9, 2014, and twice in March 2014, but imposed no consequences on Fannie Mae when it failed to produce the requested assessment and proposed controls.

42 Reliance on that provision ignores another section of the 2012 LOI in which FHFA reserves “authority to review and approve or to require review and approval of any transaction or activity [of the Enterprises] at any time.”
For more than one year after the conflicted CAE began work, Fannie Mae’s Internal Audit was not in full conformance with the IIA Standards.

CONCLUSION

FHFA has established a delegated approach to managing the Enterprises’ operations. For this governance model to succeed, FHFA must be confident that the Enterprises’ directors and board committees are fulfilling their delegated responsibilities. Effective corporate governance is a critical element of operational risk management. Fannie Mae’s Audit Committee has front-line governance responsibilities, which include oversight of the internal audit function. While Internal Audit’s function is a key mechanism in Fannie Mae’s internal control function and the CAE leads that function and sets the tone, the Audit Committee’s search for the best candidate was far from diligent. It delayed any efforts to develop a process to identify qualified candidates for months and then relied on the CHRO to pull together, in six days, a list of nine possible candidates across the Enterprise. Then, in little more than a week, two Audit Committee members interviewed three of these candidates and selected one, but created no record of the rationale for their selection or of their knowledge of the conflicts that burdened their candidate. Pursuant to the governing IIA Standards, “internal audit activity must be independent, and internal auditors must be objective in performing their work.” Once the Audit Committee selected a CAE candidate with significant conflicts, it took no action to assess the scope of his conflicts nor did it insist upon comprehensive controls to protect the independence and objectivity of Fannie Mae’s Internal Audit function, its critical third line of defense to manage risk, before the new CAE began work.
Instead, it delegated that work to the Chief of Staff of Internal Audit, who performed a perfunctory assessment and put inadequate controls into place, efforts which—contrary to the appraisals by FHFA and then Grant Thornton—the Audit Committee Chair concluded were “logical and reasonable.” FHFA has consistently viewed operational risk management as an important financial safety and soundness challenge facing Fannie Mae and Freddie Mac. FHFA and its predecessor agency repeatedly found, from 2006 into 2011, that Fannie Mae had not established an acceptable and effective operational risk management program despite requirements to do so. This report identifies another weakness in Fannie Mae’s operational risk management. Fannie Mae’s Audit Committee failed to adequately fulfill its delegated responsibilities to select a CAE. The numerous governance failures of the Fannie Mae Audit Committee with respect to the CAE selection and management of his conflicts call into question whether this Committee sufficiently understands its governance obligations under the law and the conservatorship and is prepared to responsibly exercise its fiduciary duties. Absent diligence and commitment by all members of the Audit Committee to exercise their delegated oversight responsibilities, FHFA’s continued reliance on this Committee shall remain in question.

RECOMMENDATIONS

We recommend that FHFA:

1. Implement a sufficiently robust internal communications process to ensure that the FHFA Director is informed of significant issues and concerns by FHFA staff on all conservatorship and supervisory matters that require the Director’s decision.

2. Given the importance of the Audit Committee’s oversight over Fannie Mae’s financial reporting and risk management and the breadth of its responsibilities, require the Fannie Mae Audit Committee to hold meetings relating to its oversight responsibilities and to fully document, in meeting minutes, its discussions, deliberations, and actions at each meeting to ensure an effective flow of information among directors, senior management, and risk managers and to satisfy FHFA of the adequacy of the Committee’s risk oversight function.

3. Conduct a comprehensive evaluation of the Audit Committee’s effectiveness, which should include: whether all members of the Committee are independent from management; whether the Committee’s responsibilities are clearly articulated; whether each Committee member understands what is expected of him/her under the Committee’s Charter and regulatory requirements; whether the Committee’s interactions with Fannie Mae’s financial executives, Internal Audit, and the external audit firm are robust and occur regularly; whether the Committee raises critical questions with management and the CAE, including questions that indicate the Committee’s understanding of key accounting policies and judgments and that challenge management’s judgments and conclusions; whether the Committee has been responsive to issues raised by the external auditor; and whether the Committee periodically assesses the list of top risks and determines responsibility for management of each risk.

4. Direct the Audit Committee to align its meetings to address priority issues and risks so that standard reports and informational materials are provided to the Committee in advance of the meetings and may not need to be included on the meeting agenda for discussion and so that the Committee has sufficient time at each meeting to enable it to focus on the most critical issues and risks.

5. Assess the adequacy of the criteria and processes used by the Enterprise’s Board of Directors to populate each committee of the Board and to rotate committee membership to ensure that the members of each committee have the commitment to be effective.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this report was to assess FHFA’s oversight of Fannie Mae’s plans to maintain independence and objectivity of its Internal Audit. To achieve this objective, we interviewed officials from FHFA’s accounting and examination divisions (OCA and DER, respectively). We also met with Agency executives from the Office of the Director. We reviewed the Agency’s 2008 and 2012 LOIs to the Enterprises, internal documents from OCA, DER, and OCO; FHFA Advisory Bulletins and DER Operating Procedure Bulletins; the Sarbanes-Oxley Act of 2002; and the Prudential Management and Operations Standards, 12 CFR Part 1236, Standard 2: Independence and Adequacy of Internal Audit Systems (effective August 7, 2012). We analyzed the International Standards for the Professional Practice of Internal Auditing, the International Professional Practices Framework, IIA Position Papers and Practice Guides, Fannie Mae’s Forms 10-Q and 8-K for the years 2013 and 2014, Form 10-K for 2014, as well as a number of academic and industry papers on internal auditing and risk management. Our work was conducted under the authority of the Inspector General Act and in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation (January 2012). These standards require us to plan and perform an evaluation based upon evidence sufficient to provide reasonable bases to support its findings and recommendations. We believe that the findings and recommendations discussed in this report meet these standards. The performance period for this evaluation was between July 2014 and February 2015.
APPENDIX A

FHFA’s Comments on FHFA-OIG’s Findings and Recommendations

APPENDIX B

FHFA-OIG’s Response to FHFA’s Comments

On March 7, 2015, FHFA provided comments to a draft of this report, agreeing with OIG’s recommendations and identifying specific actions it will take to address them. FHFA agreed with Recommendation 1 and will review and make any necessary changes to its governance documents by May 29, 2015, and enhance its use of conservatorship and regulatory structures to ensure that significant concerns relevant to matters requiring the FHFA Director’s decision are brought to the Director’s attention. FHFA agreed with Recommendations 2 and 4 and will communicate to Fannie Mae its expectations for enhancements to the Audit Committee process by May 29, 2015. FHFA agreed with Recommendation 3 and will issue a directive to Fannie Mae for retaining an independent third party to evaluate the Audit Committee’s effectiveness. FHFA agreed to Recommendation 5 and will perform examination work to assess the criteria and processes Fannie Mae uses to select and rotate members of the committees of the Board of Directors. The Agency expects to complete this work by February 29, 2016. OIG considered FHFA’s full response in finalizing this report. See Appendix A. We consider the planned actions sufficient to resolve the recommendations, which will remain open until OIG determines that the agreed-upon corrective actions are completed and responsive to the recommendations.

ADDITIONAL INFORMATION AND COPIES
For additional copies of this report:
Call: 202-730-0880
Fax: 202-318-0239
Visit: www.fhfaoig.gov

To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or noncriminal misconduct relative to FHFA’s programs or operations:
Call: 1-800-793-7724
Fax: 202-318-0358
Visit: www.fhfaoig.gov/ReportFraud
Write: FHFA Office of Inspector General, Attn: Office of Investigation – Hotline, 400 Seventh Street, S.W., Washington, DC 20024
FHFA's Oversight of Governance Risks Associated with Fannie Mae's Selection and Appointment of a New Chief Audit Executive
Published by the Federal Housing Finance Agency, Office of Inspector General on 2015-03-11.