FHFA's Oversight of Governance Risks Associated with Fannie Mae's Selection and Appointment of a New Chief Audit Executive

Published by the Federal Housing Finance Agency, Office of Inspector General on 2015-03-11.

Federal Housing Finance Agency
Office of Inspector General

FHFA’s Oversight of Governance Risks Associated with Fannie Mae’s Selection and Appointment of a New Chief Audit Executive

Evaluation Report • EVL-2015-004 • March 11, 2015

                 Executive Summary

                 Why OIG Did This Report
                 As we have explained in prior reports, FHFA, as conservator for Fannie Mae
                 and Freddie Mac (collectively, the Enterprises), has delegated to each
                 Enterprise a significant portion of their day-to-day management and risk
                 controls. For this governance approach to succeed, FHFA must be confident
                 that the Enterprises’ directors and committees are properly exercising the
                 powers they have been given and fulfilling their responsibilities. Otherwise,
                 there is a substantial risk that the Enterprises will operate in an unsafe and
                 unsound manner, suffer losses, and expose U.S. taxpayers to further financial
                 risks.

                 In 2012, FHFA delegated to the Enterprises the authority to hire executive
                 officers while retaining authority to review and approve the compensation of
                 those officers. Consequently, the Enterprises’ boards and board committees
                 assumed greater control over the selection of executive officers, and Agency
                 review of Enterprise appointments became less formal.

                 The purpose of this evaluation was to assess FHFA’s oversight of Fannie
                 Mae’s appointment of its Chief Audit Executive (CAE) in October 2013. The
                 CAE directs Fannie Mae’s Internal Audit Department (Internal Audit), which
                 is a critical element of Fannie Mae’s risk management controls. Pursuant to
                 the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley or the Act)1 and as expressly
                 codified in Fannie Mae’s governance documents, its Internal Audit function is
                 tasked with providing independent, objective assurance of the Enterprise’s
                 governance, risk management, and control processes.

                 What OIG Found
                 OIG found that the process used by Fannie Mae’s Audit Committee to select a
                 candidate to fill the important and challenging CAE position was haphazard, at
                 best. While the Audit Committee Chair and Fannie Mae’s CEO understood, in
                 the spring of 2013, that the CAE role would soon become vacant because of a
                 lateral move within Fannie Mae by the then-CAE, the Audit Committee first
                 began its discussion of a process to identify qualified candidates on September
                 19, 2013, once the vacancy officially occurred. The Audit Committee had the
                 benefit of significant work by the CEO and Chief Human Resources Officer
                 (CHRO) and external consultants, over a long period of time, to develop a
                 strategy to retain and develop key talent across the Enterprise. Fannie Mae’s
                 CEO and CHRO updated the Board’s Compensation Committee on the
                 implementation of that strategy and provided the Committee with a 24-page
                 “Leadership & Succession Planning” document (Succession Plan) that
                 summarized their efforts to date. Two members of the Audit Committee
                 attended that meeting. The Succession Plan found that there was no internal
                 candidate who was “ready now” for the CAE position and that a permanent
                 successor would require an “external” candidate.

                 1
                  Sarbanes-Oxley Act, Pub. L. No. 107-204, 116 Stat. 745 (2002) (codified at 15 U.S.C.
                 §§ 7201-66 (2006)).

                 The Audit Committee, which was not bound by senior management’s
                 Succession Plan, determined on September 19, 2013, that it would limit its
                 search to internal candidates across the Enterprise, provided qualified
                 candidates could be found, because it had prior bad experiences with external
                 CAE hires. The lack of any prior planning by the Audit Committee led to a
                 scramble to identify a qualified candidate for the CAE position. After the
                 September 19, 2013 meeting, the Committee Chair asked Fannie Mae’s CHRO
                 to assemble a list of potential internal CAE candidates, even though the
                 Succession Plan developed under the leadership of the CEO and CHRO two
                 months earlier found that no internal candidates were “ready now” for the
                 position. Within six days, the CHRO identified and presented to the
                 Committee a list of nine potential internal candidates across Fannie Mae for
                 this vacancy. That list included the Chief Credit Officer (CCO) of Fannie
                 Mae’s largest business unit, the Single-Family Business Group (Single-
                 Family). Over the following week, two Audit Committee members
                 interviewed some candidates on this list and selected the CCO, even though:
                 (1) he had not been identified for the CAE role in senior management’s
                 Succession Plan; (2) his professional audit experience did not meet the audit
                 qualifications deemed “preferable” in the CAE Position Description; and
                 (3) he was burdened by significant conflicts because of his management
                 responsibilities in Single-Family.

                 Since no meeting of the Audit Committee was recorded in the corporate record
                 books before the Audit Committee Chair announced the CAE selection and
                 because there are no contemporaneous Audit Committee documents reflecting
                 the Committee’s deliberations, it is not possible to determine whether the
                 Committee: assessed the qualifications of the different candidates; evaluated
                 them against the CAE Position Description; articulated the reasons that the
                 CCO was the best candidate for the CAE position, notwithstanding his lack of
                 significant corporate audit experience; or recognized that the CCO was
                 burdened by significant conflicts that would need to be managed to preserve
                 the independence and objectivity of Internal Audit. Several senior FHFA
                 officials questioned the robustness of the hiring process among themselves but
                 elected not to discuss those deficiencies with the Audit Committee after being
                 informed of its selection or with the Fannie Mae Board before it approved the
                 selection. One senior FHFA official reported to us that he flagged concerns
                 about the conflicts that the CCO would bring to the CAE position, but nothing
                 in the record indicates that these concerns were raised directly with FHFA’s
                 then-Acting Director.2 Lacking complete information, FHFA’s Acting
                 Director approved the proposed compensation of the CAE candidate.

                 After the new CAE began work, FHFA officials reviewed Fannie Mae’s
                 assessment of the CAE’s conflicts and plan to manage those conflicts and
                 determined that additional work was needed. From November 13, 2013,
                 through March 2014, FHFA requested the Audit Committee Chair and Fannie
                 Mae to thoroughly assess the scope of the CAE’s conflicts and put into place
                 appropriate controls to ensure that the independence and objectivity of Internal
                 Audit’s function would be maintained. Notwithstanding this clear direction,
                 neither the Audit Committee nor Fannie Mae management responded
                 adequately to FHFA’s requests. While Fannie Mae began work in March 2014
                 to improve its internal controls to protect the independence and objectivity of
                 its Internal Audit function, that work was not completed for many months. In
                 May 2014, six months after the new CAE began work, an outside audit and
                 advisory firm was retained to assess whether controls to manage the CAE’s
                 conflicts were sufficient to enable Internal Audit to conform to the professional
                 auditing standards for independence and objectivity. More than three months
                 later, in September 2014, that external review found that Fannie Mae’s existing
                 controls were not sufficient and, as a result, Fannie Mae’s Internal Audit
                 function was not in full conformance with professional auditing standards.
                 Fannie Mae adopted the firm’s detailed recommendations and, more than a
                 year after the CAE appointment, Fannie Mae continued to implement them.

                 What OIG Recommends
                 FHFA views operational risk management as an important financial safety and
                 soundness challenge facing the Enterprises. The Agency defines operational
                 risk as the risk of loss resulting from failed people, processes, or systems, or
                 from external events. We have previously identified a number of operational
                 risks in our reports3 and have shown that FHFA and its predecessor repeatedly
                 found that Fannie Mae had not established an acceptable and effective
                 operational risk management program, despite requirements to do so.4
                 Effective corporate governance is one element of an acceptable operational
                 risk management program. Our current evaluation found numerous corporate
                 governance failures, both by Fannie Mae and by FHFA, which created a
                 weakness in Fannie Mae’s risk management structure. In view of these
                 significant lapses in corporate governance, we question whether the current
                 Fannie Mae Audit Committee appreciates its governance obligations in this
                 environment and whether it is prudent for FHFA to continue to rely upon this
                 Committee to execute other delegated responsibilities, without adopting and
                 implementing the recommendations in this report.

                 The report sets forth the facts relevant to our evaluation, our findings, and
                 conclusions. It also contains a series of recommendations to FHFA to
                 remediate the corporate governance failures identified in this evaluation and
                 improve controls to manage operational risk.

                 The report was prepared by David P. Bloch, Senior Counsel for Securitization
                 and Risk Management, and Alison C. Healey, Investigative Counsel, and has
                 been distributed to Congress, the Office of Management and Budget, and
                 others and will be posted on our website, www.fhfaoig.gov. We appreciate
                 the assistance of the officials from FHFA and Fannie Mae in completing this
                 evaluation.

                 Angela Choy
                 Acting Assistant Inspector General for Evaluations5

                 2
                   The then-Acting Director of FHFA stepped down in January 2014 upon the
                 appointment of Director Watt. References in this report to the Acting Director are to the
                 then-Acting Director during the relevant period. This report also refers to two former
                 senior FHFA officials – the Deputy Director of the Division of Enterprise Regulation and
                 the Deputy Director of the Office of Conservatorship Operations – who are no longer
                 Agency employees.
                 3
                   See, e.g., FHFA’s Oversight of Risks Associated with the Enterprises Relying on
                 Counterparties to Comply with Selling and Servicing Guidelines: AUD-2014-018
                 (September 26, 2014); FHFA’s Representation and Warranty Framework: AUD-2014-
                 016 (September 17, 2014); FHFA Oversight of Fannie Mae’s Collection of Funds from
                 Servicers that Closed Short Sales Below the Authorized Prices: AUD-2014-015 (August
                 7, 2014); and FHFA Actions to Manage Enterprise Risks from Nonbank Servicers
                 Specializing in Troubled Mortgages: AUD-2014-014 (July 1, 2014).
                 4
                  Evaluation of FHFA’s Oversight of Fannie Mae’s Management of Operational Risk:
                 EVL-2011-004 (September 23, 2011).
                 5
                   Acting Deputy Inspector General for Evaluations Kyle Roberts recused himself from
                 the preparation of this report to avoid the appearance of a personal impairment under the
                 Quality Standards for Inspection and Evaluation (January 2012). While serving as
                 FHFA’s Associate Director for Examination Standards, Mr. Roberts drafted a
                 memorandum to his supervisor discussing the CAE’s appointment and compliance with
                 applicable professional auditing standards.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS

CRITERIA
      FHFA’s Delegation of Most Executive Appointment Authority to the Enterprises
      Sarbanes-Oxley and the Increased Importance of the Audit Committee and the Internal Audit Function
      The Standards Governing Internal Audit’s Activities Require Independence and Objectivity

FACTS AND ANALYSIS
      Fannie Mae’s Risk Management Structure
      Selection of the Single-Family CCO to Be the CAE of Internal Audit
              Fannie Mae Audit Committee’s Selection Process
              FHFA Review and Approval
              Fannie Mae’s Initial Efforts to Manage the CAE’s Conflicts of Interest
      After the CAE Appointment, FHFA Pressed Fannie Mae and its Audit Committee to Thoroughly Assess the CAE’s Conflicts and Develop an Adequate Plan to Manage Them
      FHFA Pressed Fannie Mae to Provide the Promised Assessment of the CAE’s Conflicts and Plan to Manage Them

FINDINGS
      1. Fannie Mae Did Not Satisfy Its Obligations Pursuant to Its Delegated Authority from FHFA or the IIA Standards
      2. FHFA’s Oversight of Fannie Mae’s Appointment of a New CAE Was Ineffective
      3. FHFA’s Failure to Insist that Fannie Mae Thoroughly Assess the Scope of the CAE’s Conflicts and Develop an Adequate Plan to Manage Those Conflicts Immediately Upon the CAE’s Appointment Meant that Internal Audit’s Independence and Objectivity Was Called into Question for a Significant Period of Time

CONCLUSION

RECOMMENDATIONS

OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX A
      FHFA’s Comments on FHFA-OIG’s Findings and Recommendations

APPENDIX B
      FHFA-OIG’s Response to FHFA’s Comments

ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

CAE                Chief Audit Executive

CCO                Fannie Mae Chief Credit Officer of Single-Family

CEO                Chief Executive Officer

CHRO               Chief Human Resources Officer

DER                Division of Enterprise Regulation

Fannie Mae         Federal National Mortgage Association

Freddie Mac        Federal Home Loan Mortgage Corporation

FHFA or Agency     Federal Housing Finance Agency

Internal Audit     Fannie Mae Internal Audit Department

IIA                Institute of Internal Auditors

LOI                Letter of Instruction

NYSE               New York Stock Exchange

OCA                Office of the Chief Accountant

OCO                Office of Conservatorship Operations

OIG                Federal Housing Finance Agency Office of Inspector General

Sarbanes-Oxley     Sarbanes-Oxley Act of 2002

SEC                United States Securities and Exchange Commission

PCAOB              Public Company Accounting Oversight Board

PD                 Position Description

Single-Family      Fannie Mae Single-Family Business Group

Standards          International Standards for the Professional Practice of Internal Auditing

The Enterprises    Fannie Mae and Freddie Mac




CRITERIA

FHFA’s Delegation of Most Executive Appointment Authority to the Enterprises

On September 6, 2008, FHFA used its authorities to place the Enterprises into
conservatorship. As the Enterprises’ regulator and conservator, FHFA has considerable
discretion in defining its role and choosing its actions. FHFA determined that the most
efficient way to carry out its conservatorship responsibilities was to delegate normal corporate
governance functions to the Enterprises’ Boards of Directors while retaining authority to
review and approve critical matters. On November 24, 2008, FHFA’s Director issued to
the Board of each Enterprise a Letter of Instruction (LOI), which specified certain actions
requiring review and approval by FHFA and delegated other activities to the discretion of the
Enterprises’ boards and managers. Relevant to this evaluation, the 2008 LOIs stated that the
Enterprises must “consult with and obtain the approval of the Conservator before taking . . .
[a]ctions involving the hiring, compensation, and termination benefits of directors and officers
at the executive vice president level and above,” including their CAEs (collectively, executive
officers).6

Four years later, on November 15, 2012, FHFA’s Acting Director issued new LOIs to the
Enterprises.7 There were a number of differences between the 2008 and 2012 LOIs: the
noteworthy change for purposes of this evaluation was the elimination of FHFA’s review
and approval of the hiring of executive officers. The 2012 LOIs, which remain in effect, do
not require the Enterprises to seek Agency approval of their choices for executive officer
positions; rather, FHFA has limited its formal role to approving compensation arrangements
of the Enterprises’ candidates.8 However, FHFA retained its right and authority under the
2012 LOIs “to review and approve or to require review and approval of any transaction or
activity [of the Enterprises] at any time.”9


6
 When asked by OIG how many executive officers were hired under the 2008 LOIs’ approval process, Freddie
Mac provided data showing that fifteen executive officers were hired under the 2008 LOI. FHFA and Fannie
Mae advised us that such data was not easily or readily available.
7
 The 2012 LOIs explicitly superseded the November 2008 LOIs. FHFA’s Acting Director issued the
November 2012 LOIs to the Boards “in light of experience and practice under the Conservatorship.”
8
 When asked about FHFA’s role in the hiring process under the 2008 LOIs compared to the 2012 LOIs,
FHFA’s General Counsel advised OIG that the 2008 LOIs required more of a formalized, “back and forth”
process. However, he noted that, under the 2012 LOIs, FHFA remained involved in the process and still could
end the candidacy of an Enterprise’s selected executive.
9
 FHFA, Board of Directors and Senior Management, Version 1.0 (July 2013), at 31, available at
www.fhfa.gov/SupervisionRegulation/Documents/Board_of_Directors_and_Senior_Management_Oversight_Module_Final_Version_1.0_508.pdf
(last accessed March 7, 2015).



Sarbanes-Oxley and the Increased Importance of the Audit Committee and the
Internal Audit Function

Adopted more than a decade ago—following the corporate governance failures at Enron
and WorldCom—Sarbanes-Oxley “mandated a number of reforms to enhance corporate
responsibility, enhance financial disclosures and combat corporate and accounting fraud[.]”10
Among its key provisions, the Act requires corporate management to certify the accuracy of
financial disclosures and report on the effectiveness of internal controls.11 Sarbanes-Oxley
tasked audit committees of public companies with increased responsibilities respecting
oversight of financial reporting and internal controls, and those responsibilities were defined
in the implementing rules promulgated by the Securities and Exchange Commission (the
SEC).12 Assessing the effectiveness of internal controls has also led to an expanded role
for many internal audit departments, including Fannie Mae’s, which assumed regulatory
compliance duties in addition to traditional risk assessment functions.

Audit Committees of publicly traded companies, such as both Enterprises, must incorporate
specific responsibilities mandated by Sarbanes-Oxley and the SEC.13 The Charter for the
Fannie Mae Audit Committee states the Committee’s purpose is to:

          • Oversee (a) the accounting, reporting, and financial practices of the Corporation
            and its subsidiaries, including the integrity of the Corporation’s financial statements
            and internal control over financial reporting, (b) the Corporation’s compliance with
            legal and regulatory requirements, (c) the external auditor’s qualifications and
            independence, (d) the performance of the Corporation’s internal audit function and the
            Corporation’s external auditor, and (e) the Corporation’s key information technology
            and operations controls; and

          • Prepare the report required by the rules of the Securities and Exchange Commission
            (the “Commission”) to be included in the Corporation’s annual proxy statement.14

10
   U.S. Securities and Exchange Commission (SEC), The Laws That Govern the Securities Industry, available
at www.sec.gov/about/laws.shtml#sox2002 (last accessed December 11, 2014).
11
     See Sections 302 and 404 of Sarbanes-Oxley (codified at 15 U.S.C. §§ 7241 and 7262, respectively).
12
   See Exchange Act Rule 13a-14(a); Item 601(b)(31) of Regulation S-K; Item 9A of Form 10-K; Part I, Item 4
of Form 10-Q; Exchange Act Rule 13a-15(a); Exchange Act Rule 10A-3(b)(2), (3), (4) and (5).
See also NYSE Manual Section 303A.07(b)(i) and (iii) (requiring audit committees of companies listed on the
New York Stock Exchange (NYSE) to oversee the performance of the internal audit function). NYSE
standards and commentary are useful, but not dispositive, since Fannie Mae and Freddie Mac were delisted
from the NYSE at the direction of FHFA in 2010.
13
   See Exchange Act Rule 10A-3, NYSE Manual Section 303A.07. See also Institute of Internal Auditors, The
Audit Committee: Internal Audit Oversight, at 1,
https://na.theiia.org/about-ia/PublicDocuments/08775_QUALITY-AC_BROCHURE_1_FINAL.pdf; Deloitte,
Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era (2005), at 1.

According to the Public Company Accounting Oversight Board (PCAOB),15 “Internal
auditors are responsible for providing analyses, evaluations, assurances, recommendations,
and other information to the entity’s management and board of directors[.] […] To fulfill
this responsibility, internal auditors maintain objectivity with respect to the activity being
audited.”16 Fannie Mae’s 2014 Form 10-K describes the broad scope of Internal Audit’s
work: “Internal audit activities are designed to provide reasonable assurance that resources
are safeguarded; that significant financial, managerial and operating information is complete,
accurate and reliable; and that employee actions comply with our policies and applicable laws
and regulations.”17

The Standards Governing Internal Audit’s Activities Require Independence and
Objectivity

Fannie Mae’s Internal Audit Charter mandates that Internal Audit conform its practices to the
Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of
Internal Auditing (Standards).18 The IIA is a global, authoritative source of guidance for the
internal audit profession.

The IIA defines internal auditing as “an independent, objective assurance and consulting
activity designed to add value and improve an organization’s operations.”19 When internal
audit activity is effective, it “helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.”20

14
   Fannie Mae Audit Committee Charter (January 2011). The 2011 charter was in effect at the time of
the CAE’s appointment. The currently operative charter (last amended in November 2014) contains identical
language with the exception of the clause “in years in which Fannie Mae holds an Annual Meeting of
Stockholders and files a proxy statement” at the end of the second quoted bullet.
15
   The PCAOB is a nonprofit corporation established by Congress in Sarbanes-Oxley to oversee the activities
of the auditing profession. See Section 101 of the Act, Pub. L. No. 107-204, 116 Stat. 745 (2002) (codified at
15 U.S.C. § 7211 (2006)).
16
  PCAOB Auditing Standard (AU) Section 322.03: The Auditor’s Consideration of the Internal Audit
Function in an Audit of Financial Statements, Roles of the Auditor and the Internal Auditors.
17
     SEC, Fannie Mae Form 10-K for Fiscal Year 2014, at 112.
18
   The IIA emphasizes that conformance with the Standards “is essential in meeting the responsibilities of
internal auditors and the internal audit activity.” FHFA guidance confirms that Fannie Mae should comply
with the Standards. See, e.g., FHFA’s Examination Manual, Internal and External Audit, Version 1.0 (dated
November 2013), available at
www.fhfa.gov/SupervisionRegulation/Documents/Internal_and_External_Audit_Module_Final_Version_1_0-508.pdf
(last accessed December 10, 2014).
19
  The IIA Definition of Internal Auditing is available at
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx.

The IIA Standards are principle-focused requirements that provide a framework for the
professional practice of internal auditing. According to the Standards, an “internal audit
activity must be independent, and internal auditors must be objective in performing their
work.”21

An internal audit activity’s independence or objectivity is impaired when an auditor’s
relationship to the area being audited gives rise to a conflict of interest. Such conflicts can
occur when an internal auditor has a personal or professional involvement or association with
the area that is being audited.22 A conflict of interest compromises an auditor’s ability to
carry out his or her duties in an impartial and unbiased manner. As set forth in the Standards,
“Internal auditors must refrain from assessing specific operations for which they were
previously responsible. Objectivity is presumed to be impaired if an internal auditor provides
assurance services for an activity for which the internal auditor had responsibility within the
previous year.”23

Independence is the freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner.

Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made.

A Conflict of Interest is any relationship that is, or appears to be, not in the best interest of
the organization. A conflict of interest would prejudice an individual’s ability to perform his
or her duties and responsibilities objectively.

Source: Standards




20
     Id.
21
   Standard 1100 (Independence and Objectivity) of the IIA Standards. The Standards devote a section to
independence and objectivity, with individual standards for organizational independence, the chief audit
executive’s interaction with management, auditors’ individual objectivity, and impairments to independence
and objectivity.
22
   The Standards specify that a conflict of interest exists merely because of an auditor’s involvement or
association with the area he or she is auditing, “even if no unethical or improper act results.” Standard 1120 –
Individual Objectivity, Interpretation, at 4. In such a case, the auditor’s connection to the audited area “can
create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit
activity, and the profession.” Id.
23
     Standard 1130.A1 of the Standards.



FACTS AND ANALYSIS

Fannie Mae’s Risk Management Structure

A critical component of corporate governance is managing risk. Fannie Mae’s 2014 Form
10-K states: “Our risk management framework and governance structure are intended to
provide comprehensive controls and ongoing management of the major risks inherent in our
business activities.” 24 It continues: “Our ability to identify, assess, mitigate and control, and
report and monitor risk is crucial to our safety and soundness.”25

Fannie Mae uses a “Three Lines of Defense” model to manage risk.26 The first line of
defense is the active management of risk by each of Fannie Mae’s three business units.27
Single-Family is the largest of Fannie Mae’s three business units.28 It posted a net income of
$8.5 billion in 2014, and its average guarantee book of business was valued at approximately
$2.87 trillion as of September 30, 2014. Single-Family acquires mortgages from lenders and
issues single-class Fannie Mae mortgage-backed securities. It also must manage the credit
risks and losses associated with its activities.

The CCO of Single-Family is directly responsible for risk management in Single-Family.
Specifically, the CCO oversees the establishment of Single-Family credit policy, underwriting
standards and pricing terms, quality control, and lender and mortgage insurer oversight.
Additionally, the CCO is a key decision-maker for many projects in Single-Family. For
example, the CCO makes recommendations and signs off on Single-Family products,
processes, and reported controls. The CCO also designs, drafts, and implements risk
management policies and procedures related to auditing, which are subject to review by
internal and external auditors. The Audit Committee Chair told us that he thought the CCO
was the most qualified person to lead Single-Family, should a vacancy occur.

The second line of Fannie Mae’s risk management defense consists of the Risk Management
and Compliance Divisions, which perform risk-control and compliance oversight.

The third line of defense is Fannie Mae Internal Audit (Internal Audit). Led by the CAE,
Internal Audit is responsible for providing independent and objective assurance of the

24
     Fannie Mae, Form 10-K for Fiscal Year 2014, at 104.
25
     Id.
26
     See id. at 111.
27
     See id.
28
     Fannie Mae’s other two businesses are Multifamily and Capital Markets.



corporation’s governance, risk management, and control processes. Internal Audit examines
the design and execution of the Enterprise’s internal control system and produces a series
of audit reports each year. These reports may contain recommendations to Fannie Mae’s
management that are intended to remediate identified deficiencies and weaknesses in the
Enterprise’s risk management controls. Internal Audit reports directly to the Fannie Mae
Audit Committee.29

Selection of the Single-Family CCO to Be the CAE of Internal Audit

        Fannie Mae Audit Committee’s Selection Process

Pursuant to the operative Audit Committee Charter, the Audit Committee was responsible for
selecting a new CAE and for overseeing the work by Internal Audit. The Audit Committee
Chair reported to us that he was approached in early 2013 by the then-CAE to discuss the
potential for another opportunity within Fannie Mae. He explained to us that he relayed that
interest to Fannie Mae’s CEO, and together, they considered possible other positions in the
Enterprise that were suitable for the CAE. He advised us that they learned shortly thereafter
that the then-head of the Enterprise Project Management Office was leaving that role, perhaps
as early as May 2013, and they determined that the current CAE would be the best candidate
for that position, once the vacancy occurred. With the decision made to laterally transfer the
CAE into the Enterprise Project Management position, the Chair explained that they started to
look for candidates to fill the CAE position for the upcoming vacancy.

Historically, most public companies turned to career internal auditors or CPAs working in
external audit firms to fill CAE vacancies. A 2010 study, reporting on “a series of interviews
with high-profile CAEs in the United States and abroad,” found that an increasing number
of public companies have looked for CAE candidates across the organization with past
successful experience in “controllership, divisional finance, human resources, risk, and
compliance, or leadership positions in operations or other business units” because such
candidates have a clear understanding of the business and the risks.30

Fannie Mae’s Position Description (PD) for the CAE role, which Fannie Mae provided to
OIG as the position description used for the CAE search in 2013, is three single-spaced pages
in length. This PD identifies a number of desired “competencies” that are substantially

29
   The Audit Committee is one of six standing committees of the Fannie Mae Board of Directors. The CAE
reports to the Audit Committee Chair with a dotted line reporting relationship to the Fannie Mae Chief
Executive Officer (CEO).
30
  The Korn/Ferry Institute and The Institute of Internal Auditors Audit Executive Center, License to Lead:
Seven personal attributes that maximize the impact of the most successful chief audit executives (2010),
available at www.kornferryinstitute.com/reports-insights/license-lead-seven-personal-attributes-maximize-
impact-most-successful-chief-audit (last accessed February 27, 2015).



similar to the traits identified as essential to success in the 2010 study discussed above:
“understands the business;” “articulate, crisp and concise communicator;” “healthy level of
professional objectivity with a strong sense of independence;” “broad based knowledge of
industry policies, procedures, systems and best practices with respect to audit and controls
in a financial services firm;” “demonstrated ability to build a culture of teamwork and
collaboration that attracts, retains and develops top talent;” and “maintain the courage
of his/her convictions.” The PD, of course, is far more granular than the wish list of
competencies. As would be expected for the CAE position, many of the 16 “Key Job
Functions & Duties” in the PD relate directly to identifying key risks across the Enterprise
and developing audit measures to test the adequacy of controls to manage those risks.31
Accordingly, the PD identified 10 required professional qualifications for the CAE position,
including:

          “15+ years of experience, preferably with a background at a Big Four accounting
           firm and corporate audit experience in a highly sophisticated financial services
           environment.”

          “Notable experience leading and performing complex projects with a deep
           understanding of operations, finance, risk assessment and processes in conducting
           audits.”

          “Broad familiarity of key information technology risks and controls and available
           technology based audit techniques.”



31
     By way of example, these responsibilities include:
          “Conduct a thorough risk assessment and then seek continuous improvements to a comprehensive
           audit program that is responsive to the operational, financial, control and other risks within the
           company.”
          “Coordinate scope and coverage of the annual audit plan with the company’s independent external
           auditors and the company’s regulator.”
          “Present the annual audit plan to the Audit Committee and provide periodic updates of status and
           changes required in the plan as well as updates on the status of the overall operation of the Audit
           department.”
          “Determine that the company’s operating units are in compliance with corporate standard
           operating procedures and other operating policies, including compliance with corporate
           accounting policies.”
          “Determine the relative complexity, materiality, or significance of matters to which assurance
           procedures are applied, and provide guidance on the probability of significant errors, irregularities,
           noncompliance and the root cause analysis of the risks.”
          “Develop and maintain a quality assurance and improvement program that covers all aspects of the
           internal audit activity to ensure that internal audit activity is compliant with all professional and
           ethical standards.”



        “Experience working in a highly regulated environment, with a solid understanding of
         Sarbanes-Oxley requirements.”

        “C[ertified] I[nternal] A[uditor] or C[ertified] P[ublic] A[ccountant] required;
         advanced degree in accounting, finance, or other business-related field preferred.”

In the course of our review, Fannie Mae officials reported to us that this PD was never meant
to limit the pool of applicants to those who had “15+ years” of audit experience, whether at a
“Big Four accounting firm” or “corporate audit experience in a highly sophisticated financial
services environment.” While such experience would have been “preferable,” Fannie Mae
officials advised us that the PD, when read in its totality, sought candidates with strong
management skills in a large, highly regulated public company, regardless of whether those
candidates had 15+ years of audit experience.

During 2013, Fannie Mae’s senior leadership continued work on an Enterprise-wide strategy
to retain and develop key talent. Overseen by the Board’s Compensation Committee and that
Committee’s law firm, this effort had numerous elements and was developed by management
in concert with external talent and personnel consultants.32 On July 11, 2013, Fannie Mae’s
CEO and CHRO provided an update on the implementation of that strategy to the Board’s
Compensation Committee, a meeting attended by two members of the Audit Committee.
Their update, set forth in a 24-page Succession Plan, explained Fannie Mae’s ongoing efforts
to build bench strength to bolster its “succession bench” across the Enterprise in areas where
“successors [were] more than 12 months away from readiness through external hiring and
development of current employees.” Among other things, the Plan explained efforts to
develop talent among Fannie Mae vice presidents and management’s assessment of possible
successors to senior vice presidents across the Enterprise. For each position then held by a
senior vice president, senior management assessed: whether there was an internal candidate
who was “ready now” to assume the responsibilities; whether there was an internal candidate
who would be ready in 12 months; whether there was an internal candidate who would be
ready in 12-24 months; and whether there was an internal candidate who would be ready in
24+ months. That assessment was presented in a chart included in the Succession Plan. For
the CAE position, the Succession Plan identified three possible internal candidates, all from
Internal Audit, who would be ready in 12-24 months, and reported “External” in the column
marked “Ready Now.” In their written summary of these assessments, the CEO and CHRO
reported that eight of these senior vice president positions lacked a “ready now” successor for
which they proposed to “hire candidates externally.” One of these eight positions was the
CAE position. Fannie Mae urged us to disregard the assessments in this Succession Plan for a
number of reasons: the Plan focused primarily on the promotion of internal candidates within

32
 Minutes of the July 11, 2013 meeting of the Compensation Committee of the Board of Directors of Fannie
Mae.



different business units and only sometimes considered candidates outside the relevant unit; it
was generally geared to consideration of promotional candidates rather than lateral transfers;
and senior management did not purport to undertake a comprehensive Enterprise-wide
analysis of all possible candidates.

While the Chair was well aware by July 11, 2013, that the CAE position was expected to
become vacant and there were no internal candidates “ready now,” minutes for meetings of
Fannie Mae’s Audit Committee prior to September 19, 2013, contain no discussion of the
upcoming CAE vacancy or efforts to identify qualified candidates.33 Fannie Mae confirmed
to us that the Audit Committee sought to identify Enterprise-wide candidates only after the
then-CAE had been transferred and the CAE vacancy existed. Minutes for the September 19,
2013 Committee meeting show that the Committee met in executive session to identify
potential candidates for the CAE vacancy and schedule interviews with them. Fannie Mae’s
Audit Committee Chair told us that the Committee determined to limit its scope to
consideration of internal CAE candidates, provided qualified candidates could be identified,
because it had experienced prior problems with external hires.34 He further reported to us
that, at that time, he asked the CHRO for a list of possible internal candidates. The CHRO
developed a list of nine internal candidates across the organization, including the Single-
Family CCO, in less than six days and provided that list to the Chair on September 25, 2013.

The Audit Committee Chair and another member of the Fannie Mae Audit Committee
interviewed three of those candidates over the next eight days. On or about October 3, 2013,
the same two Audit Committee members selected the CCO of Single-Family as the CAE
candidate, subject to review and approval by the Fannie Mae Board. The Audit Committee
Chair advised us, in December 2014, that the Audit Committee’s review of internal candidates
focused on the breadth and depth of their experience in auditing, accounting principles, and
communication. However, the CCO of Single-Family lacked the “15+ years of experience,
preferably with a background at a Big Four accounting firm and corporate audit experience in
33
   FHFA recognizes the importance of succession planning in the risk management and corporate governance
structure for top management roles in addition to the CEO. FHFA’s Board of Directors and Senior
Management examination manual module states:
        The board of directors must also have a formal management succession plan to ensure that
        the regulated entity can continue operations without disruption in the event of the loss of
        the CEO or other key senior officers. The succession plan should provide for the transition
        in leadership by identifying individuals who have the qualifications to successfully fill top
        management roles on an interim and long-term basis. Once potential candidates are
        identified the management succession plan should provide for training opportunities to
        develop the candidate’s skills to effectively fulfill their new responsibilities at the time of
        transition (Emphasis added).
34
  FHFA’s Chief Accountant and a senior official from the Division of Enterprise Regulation (DER)
advised us that they would have preferred the Audit Committee to search for external CAE candidates, and
contemporaneous emails reflect that FHFA urged Fannie Mae’s CEO to select an external candidate for the
CAE position.



a highly sophisticated financial services environment” sought in the PD; while a CPA, he
spent less than seven years as an auditor, in the years immediately after his graduation from
college from 1985 to 1992 (the last four of which were at Fannie Mae), and then worked at
Fannie Mae in different management roles outside of Internal Audit. According to the Chair,
the CCO was selected for the CAE vacancy for several reasons: the CCO worked for a
number of years in the internal audit function at BB&T Bank (which the Chair then amended
to be a smaller bank that was later acquired by BB&T); was knowledgeable of the company’s
biggest risk area, Single-Family; and could hit the ground running.

There is no corporate record that the Audit Committee formally met, either in person or by
phone, to discuss the qualifications of the different candidates and to make its selection.
Further, we found no contemporaneous document prepared by the Audit Committee in
October 2013 that explains: (1) its rationale for limiting the scope of its search to internal
candidates when the Succession Plan prepared by the CEO and CHRO reported two months
earlier that no internal candidates were “ready now” for the CAE position; (2) the reasons
for selecting a candidate whose audit experience fell short of the audit qualifications deemed
“preferable” in the CAE PD; (3) its understanding that the CCO would be burdened with
significant conflicts if he became the CAE; (4) the basis for its conclusion that the CCO was
the best qualified candidate for the CAE position, notwithstanding his lack of significant audit
experience (and no audit experience in the prior 20 years) and his conflicts; and (5) its plan of
action to assess the scope of the CCO’s conflicts and develop appropriate controls to manage
those conflicts.

In a November 5, 2013 memorandum prepared by the Chief Accountant and two Office of the
Chief Accountant (OCA) officials to a senior official in the Division of Enterprise Regulation
(DER), they characterized the Audit Committee’s process as “abridged [and] limited in
scope” and concluded that it was “indicative of a lack of engagement by the Audit Committee
[which] gives cause for concern that aspects of the governance process may have a propensity
to be ineffective.”

        FHFA Review and Approval

On October 4, 2013, the Audit Committee Chair informed FHFA’s Chief Accountant that
the Committee had selected the CCO of Single-Family to become the CAE. In response, the
Chief Accountant asked for the candidate’s résumé and a meeting with the nominee. The
Audit Committee Chair agreed to both requests by email that same day but commented, “the
decision is the Audit Committees [sic].”35



35
   The operative Audit Committee Charter stated that the hiring of a CAE, called the “Chief Internal Auditor”
in the Charter, was the responsibility of the Committee, subject to the Conservator’s approval. That Charter
does not reflect FHFA’s 2012 LOI delegation of responsibility for all aspects of the executive hiring decision
except for compensation.

On October 10, 2013, FHFA’s Chief Accountant and a senior DER official met with the CAE
candidate. The next day, the Chief Accountant and the DER official told Fannie Mae and
Audit Committee representatives that they had no issues with the board members proceeding
with the process of selecting the new CAE.

However, internal emails within FHFA written on October 11, 2013, reflect that a number
of FHFA officials discussed two governance concerns about this CAE appointment: (1) the
CCO’s qualifications to serve as CAE; and (2) the Audit Committee’s insistence on an
abridged search process involving only internal candidates, even though a key responsibility
of the Audit Committee was the selection and oversight of the CAE. The Chief Accountant
recalled to us that he spoke to the Office of Conservatorship Operations (OCO) and DER
Deputy Directors more than once about three issues he had with the CAE appointment: the
two articulated in the above-mentioned internal FHFA emails and a third, management of the
pervasive conflicts that would be created when the CCO of Single-Family moved into the
CAE position. We, however, found no contemporaneous documents reflecting discussions on
the conflicts issues between the Chief Accountant and the OCO Deputy Director and DER
Deputy Director or any document in which either Deputy Director advised the Acting FHFA
Director of such concerns. The Deputy Directors of OCO and DER at that time have since
left FHFA and both declined to speak with us.

Fannie Mae, in its email request to FHFA to approve compensation for the CAE candidate,
explained that the “Audit Committee selected the [CAE candidate] based on his: (ii)[sic] prior
audit experience; (iii)[sic] strong understanding of operations and credit risk within the single
family business and his ability to articulate a vision for the Audit function.” On October 14,
2013, FHFA’s Acting Director informed the Deputy Directors of OCO and DER via email
that the Agency had received a formal request from Fannie Mae regarding compensation for
the CAE candidate, and asked if there were any outstanding issues or concerns regarding the
appointment.

We found no email response from OCO’s Deputy Director to this email. The Chief
Accountant told us that he did not raise his concerns with the Acting Director because his
practice was only to escalate concerns involving financial reporting to the Director. DER’s
Deputy Director responded by email. He advised that FHFA officials had interviewed the
CAE candidate and let the Audit Committee know that they did not have any significant
issues from a safety and soundness perspective, and told the Acting Director that the only
concern was that the candidate had not been a chief auditor or senior audit person in a large
institution.

FHFA’s Acting Director told us that he did not recall hearing about any particular issues with
respect to the CAE candidate. He expected that the candidate would be vetted by Fannie
Mae’s Board and then reviewed by the Agency, likely FHFA’s OCO, and there would be
some discussion regarding the candidate’s qualifications. FHFA’s Acting Director reported to
us that he would have assumed that the Audit Committee selected a CAE candidate who had
the professional experience needed for the CAE position and that Fannie Mae would provide
any additional training needed for the position. FHFA’s Acting Director approved the
proposed compensation for the CAE candidate.

On October 14, 2013, Fannie Mae’s CEO provided the Board with an email update on the
CAE search. He reported that the Audit Committee interviewed a “number of internal
candidates put forward by management” and selected the CCO of Single-Family. He
explained that the Committee’s selection of the CCO “was based on his prior audit experience
(he began his career at Fannie Mae in Internal Audit), his familiarity with financial matters
(he is a CPA), his strong understanding of operations and credit risk within the Single-Family
business, . . . his steady demeanor and his ability to articulate a clear and strong vision for the
Internal Audit function.” Fannie Mae’s Board of Directors approved the selection of the CAE
candidate by unanimous written consent.

       Fannie Mae’s Initial Efforts to Manage the CAE’s Conflicts of Interest

As discussed earlier, the IIA Standards require internal audit activity to be independent and
internal auditors to be objective in performing their work. While we were advised that FHFA
officials internally discussed the CAE’s inherent conflict of interest, we found no evidence
that anyone at FHFA took any action to ensure that Fannie Mae put adequate controls in place
to address this conflict before the CCO assumed his new role as CAE on November 4, 2013.

The Fannie Mae Internal Audit Charter, in compliance with the IIA Standards, requires that
Internal Audit conduct an independence analysis for all internal employee transfers and create
a screen to wall them off from audit activities involving their prior work. The employees
must refrain from engaging in audit activity for one year for any areas deemed to create a
conflict of interest. A few days before the CCO began work as the CAE, Internal Audit’s
Chief of Staff completed an independence assessment to determine the scope of activities
from which the CAE should be recused during his one-year cooling-off period (from
November 4, 2013, until November 3, 2014). That assessment was provided to the CAE on
November 4, 2013, and he acknowledged in writing his “clear independence issue in regard to
any audits of areas in which I previously worked.” Although Internal Audit’s Chief of Staff
found that the CAE, when he served as the Single-Family CCO, had a “broad scope” of
responsibilities, she concluded that the CAE’s conflicts of interest (and thus, any Internal
Audit independence and objectivity problems) were limited to two audits in 2013 and one
potential audit activity in 2014. The Audit Committee Chair advised the Audit Committee at


its September 17, 2014 meeting that he “had reviewed the approach initially taken by Internal
Audit to preserve the CAE’s independence and had found it to be logical and reasonable.”36

After the CAE Appointment, FHFA Pressed Fannie Mae and its Audit Committee to
Thoroughly Assess the CAE’s Conflicts and Develop an Adequate Plan to Manage Them

On November 13, 2013, FHFA’s Chief Accountant and a DER examiner met with members
of Fannie Mae’s Audit Committee “to discuss, among other things, the implications of the
hiring of [the CCO] as Fannie Mae’s CAE.” They knew, from a prior conversation with
the incoming CAE, that Fannie Mae had determined to wall off the CAE from three audit
activities during the one-year recusal period. These FHFA officials advised us that FHFA
wanted additional work done by Fannie Mae to assess the scope of the CAE’s conflicts
and the breadth of his recusal. They reported that they asked the Audit Committee Chair
at this meeting to ensure that Fannie Mae prepared a written analysis demonstrating full
consideration of the CAE’s potential conflicts and developed a proposal to manage those
conflicts. They further recalled that they specifically requested the Audit Committee
to actively monitor compliance with the written analysis and conflicts proposal so that
independence and objectivity would be maintained during the new CAE’s one-year recusal
period. FHFA officials recalled to us that they understood that the Chair committed at this
meeting to follow up on a plan to identify and manage the CAE’s conflicts.

Minutes for an Audit Committee meeting on November 14, 2013, provide a high level
summary of the intended outcome of the required Fannie Mae assessment and expected
controls: “to maintain independence, [the new CAE] will not audit areas where he previously
had management responsibility, including single-family risk management, seller oversight,
and the new representation and warranty model” and “a committee of Internal Audit officers
will review all audits and work-papers for these areas.”

FHFA Pressed Fannie Mae to Provide the Promised Assessment of the CAE’s Conflicts
and Plan to Manage Them

In light of FHFA’s November 13, 2013 direction to the Audit Committee, FHFA officials
reported to us that they expected to receive a written conflicts assessment and proposed
controls to mitigate the conflicts. During the next two months, no such materials were
forthcoming. Both the Audit Committee Chair and Fannie Mae’s Chief Compliance Officer


36
   We were advised by partners in the external audit firm that the external audit team made inquiries about the
plan to manage the CAE’s conflict resulting from the internal transfer and was told by Fannie Mae that there
was a plan. The external audit team accepted Fannie Mae’s representations that a plan was in place to manage
the CAE’s conflict.




told us that they thought that Fannie Mae had complied with FHFA’s instructions with the
summary presented at the November 14, 2013 Audit Committee Meeting, which FHFA’s
Chief Accountant and the OCO Deputy Director attended. The summary provided no
additional information about the CAE’s conflicts or the controls to manage those conflicts
beyond the independence assessment that had been completed by Internal Audit’s Chief of
Staff.

On January 9, 2014, a DER official reached out to Fannie Mae’s Chief Compliance Officer
by email and asked her to “liaise with” the Audit Committee Chair to obtain the materials
requested from the Chair in November 2013. By way of background, the email explained
that FHFA officials met with the Chair in early November 2013 and “conveyed [FHFA’s]
expectation that the Audit Committee [would] have considerable involvement in providing
the oversight necessary to ensure that independence and objectivity is maintained both in
appearance and in fact” for Internal Audit during the new CAE’s one-year recusal period.
The email reported that FHFA officials, in that November meeting, asked the Audit
Committee Chair to provide FHFA with a document:

        [t]hat demonstrates thoughtful consideration of potential conflict of interests,
        and outlines the potential conflicts, plans to address the potential conflicts,
        and how the Audit Committee will actively monitor compliance with the
        expectations outlined in the document.

The email explained that FHFA had “not received a response to this request” and asked for
“assistance in obtaining this document . . . as soon as possible.” In response, Fannie Mae
produced the independence assessment completed by Internal Audit’s Chief of Staff
during the first week of November 2013 and the acknowledgement signed by the CAE on
November 4, 2013.

Based on its review of these materials, FHFA was unable to conclude that the conflicts
assessment by Fannie Mae was sufficient and that the existing conflicts controls would enable
Internal Audit to meet the IIA Standards for independence and objectivity. In March 2014,
FHFA issued a Supervisory Expectation Letter seeking additional information about Fannie
Mae’s processes to identify, address, and monitor the CAE’s conflicts.37 FHFA officials were
particularly concerned whether Internal Audit was conforming to the IIA Standards, both in
appearance and in fact, given the scope of the CAE’s former and current responsibilities.38 In
response, Fannie Mae’s Chief Compliance Officer provided an expanded set of controls and
advised that Fannie Mae would retain a consultant to assess the adequacy of those controls,
if the Audit Committee or FHFA requested that review. FHFA responded with a written
recommendation that Fannie Mae seek an external assessment of the CAE’s conflicts and
review of existing controls. On April 3, 2014, Fannie Mae’s Audit Committee Chair wrote to
FHFA, noting, “We share your concerns and are committed to resolving all issues surround
[sic] Chief Audit Executive indpendence [sic].” He advised that, “at the previous request
of the Audit Committee, and consistent with your request, engagement of a qualified
independent third party to conduct an assessment of all relevant matters is underway.” The
Audit Committee Chair committed in his letter that the third-party review would be complete
before Fannie Mae’s May 2014 Board of Directors meeting.

37
   In spring 2014, FHFA communicated to Fannie Mae its concerns regarding the potential impairment of
Internal Audit’s objectivity and independence because of the CAE’s conflicts that FHFA raised previously
with Fannie Mae in November 2013, January 2014, and early March 2014.

On April 21, 2014, the Audit Committee passed by unanimous consent a resolution to engage
Grant Thornton, an audit and advisory firm, to conduct a “CAE Independence Review.” That
resolution provides:

       WHEREAS, the Federal Housing Finance Agency (“FHFA”) has directed the
       Audit Committee of the Fannie Mae Board of Directors (the “Committee”)
       to engage an independent third-party to assess the Chief Audit Executive’s
       independence and to ensure that his activities are in compliance with the
       Institute of Internal Auditors (“IIA”) standard regarding independence and
       objectivity in light of his prior role as Chief Credit Officer for the Company's
       Single-Family business (the “CAE Independence Review”);

       WHEREAS, the Committee desires to engage Grant Thornton LLP (“Grant
       Thornton”) to conduct the CAE Independence Review[.]

By letter dated May 7, 2014, Grant Thornton confirmed its engagement by the Fannie Mae
Audit Committee. Work by Grant Thornton commenced and the firm issued a preliminary
draft report in mid-July 2014, which it revised after considering comments from Fannie Mae
and FHFA. After a second round of comments, the firm issued its final report on September
5, 2014. Grant Thornton found that Fannie Mae’s initial analysis of the CAE’s potential
conflicts was incomplete for several reasons, including:

     • The analysis did not specifically include the CCO’s relationships or bias that may have
       existed based on his prior role in Single-Family;

     • The analysis looked only at a sampling of audits and assumed that all other audits
       posed no independence or objectivity concerns; and

     • The analysis did not consider the CAE’s potential conflicts of interest for all audit
       activities, such as open matters that Internal Audit was monitoring and responsible for
       resolving.


The Grant Thornton report recommended adoption of 11 additional controls to bring Internal
Audit into conformance with the Standards for independence and objectivity, one of which
had been adopted by Fannie Mae in March 2014 and others of which were in the process of
being implemented. Based on the findings in its review, Grant Thornton concluded: “It is
our overall opinion that the procedures established by Fannie Mae partially conform to the
Standards and Code of Ethics.”39 Informed by the Grant Thornton review and by
enhancements made by Fannie Mae to bolster independence controls, Internal Audit revised
its policy regarding independence and objectivity.40 Grant Thornton opined that Fannie
Mae’s “Partial Conformance” to the Standards and Code of Ethics would be upgraded to
“Generally Conforms” when the revised Internal Audit policy was followed and supported
by proper documentation. Fannie Mae’s Chief Compliance Officer updated the Audit
Committee, at its September 17, 2014 meeting, on Grant Thornton’s conclusion that the
procedures established by Fannie Mae partially conformed to the Standards. She reported
that “management has accepted the Grant Thornton recommendations and the majority should
be implemented by November; however, a few recommendations may require until January
2015 to implement.”

In accordance with Grant Thornton’s recommendations and Fannie Mae’s September 17,
2014 Internal Audit Independence and Objectivity Policy, Internal Audit performed a revised
assessment in September 2014 of the audit activities from which the CAE should be recused.
Ten months after the initial determination by the Chief of Staff for Internal Audit that the
CAE would be recused from only three audit areas during his one-year cooling off period,
Internal Audit added 17 additional audit activities from which the CAE should be recused.

In late October 2014, FHFA informed us that it was monitoring Fannie Mae’s implementation
of the Internal Audit Independence and Objectivity Policy and would continue to do so
through DER examination work. A senior DER official advised us that work related to
monitoring Internal Audit’s controls to address the CAE’s conflict in the 2014 examination
plan might not be completed by year end. Fannie Mae updated its policy again on November
19, 2014, more than one year after the CAE appointment. FHFA advised OIG that its
concerns about the independence and objectivity of Internal Audit would be resolved when it
was satisfied that the new Internal Audit Independence and Objectivity Policy had been fully
implemented and followed. Grant Thornton started its follow-up fieldwork on December 16,
2014. In February 2015—fifteen months after the CAE assumed his new position, and five
months after Fannie Mae received Grant Thornton’s report and recommendations—Grant
Thornton issued its assessment: “It is our overall opinion that the procedures established
by Fannie Mae generally conform to the Standards and Code of Ethics.” It observed that
“[o]verall, the I[nternal] A[udit] process for maintaining independence and objectivity has
been strengthened by the increased oversight and monitoring provided by those outside the
internal audit function, particularly the Audit Committee and Chief Compliance Officer, and
the increase in the supporting documentation that validates those conclusions.”

39
   Grant Thornton used the three-tier rating system (i.e., Generally Conforms/Partially Conforms/Does Not
Conform) from the IIA’s Quality Assessment Manual to reach its conclusion. As defined by the IIA, “Partially
Conforms” means that the internal audit activity is making good-faith efforts to comply with the requirements
of the individual Standards or element of the Code of Ethics, section, and major category, but has fallen
short of achieving some of the major objectives. Pursuant to that rating, there will usually be significant
opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their
objectives.
40
  See Minutes of the Audit Committee for September 17, 2014, adopting Internal Audit Independence and
Objectivity Policy (effective September 17, 2014).




FINDINGS

1. Fannie Mae Did Not Satisfy Its Obligations Pursuant to Its Delegated Authority
   from FHFA or the IIA Standards

The Fannie Mae Audit Committee, like audit committees for other public companies, has
critical governance responsibilities that go beyond oversight of financial reporting and
internal controls to oversight of the effectiveness of Enterprise risk management, the external
audit firm, programs and policies to prevent and identify fraud, and establishment of
procedures for the receipt, investigation, and resolution of complaints regarding accounting,
internal accounting controls, or auditing matters. Among the many critical responsibilities
with which the Fannie Mae Audit Committee is tasked is the oversight of the Internal Audit
function. Fannie Mae’s Internal Audit Charter mandates that Internal Audit conform its
practices to the IIA Standards. These Standards require that Internal Audit avoid all conflicts
of interest because “[a] conflict can create an appearance of impropriety that can undermine
confidence in the internal auditor, the internal audit activity, and the profession.”41 The
Standards make clear that a conflict of interest will be created when an auditor has been
involved in an area or line of business that he or she is auditing.

Based on these governance documents, Fannie Mae and its Audit Committee knew, or should
have known, that the applicable IIA Standards required independence and objectivity of
Internal Audit. According to the Audit Committee Chair, he and the CEO determined, as
early as the spring of 2013, to laterally move the then-CAE into a different position as soon
as it became vacant, and the Audit Committee recognized the need to identify qualified
candidates for the upcoming CAE vacancy. The relevant CAE PD, in the view of Fannie
Mae, was never intended to limit the pool of qualified candidates to only those who had at
least 15 years of significant audit experience. As the July 2013 Succession Plan makes clear,
the retention and development of key talent was a priority of Fannie Mae’s senior leadership
team and its Board. Both senior management and the Board’s Compensation Committee
retained external consultants to assist in the formulation and implementation of the strategy
and senior management recognized that the Enterprise would be vulnerable if qualified
candidates were not ready when vacancies arose. In light of the CEO’s knowledge of the
anticipated CAE vacancy, understanding that the CAE PD was not limited to candidates with
15+ years of significant audit experience, and recognition that the succession planning could
reach across the Enterprise, it was incumbent on senior management to identify and evaluate
qualified candidates across the Enterprise for the July 2013 Succession Plan.



41
     IIA Standards, Standard 1120 – Individual Objectivity, Interpretation, at p.4.



Whatever the limitations of senior management’s assessment, the Audit Committee, and not
senior management, was tasked with hiring a qualified CAE candidate and was not bound by
management’s identification of possible candidates. There is no evidence to show that the
Audit Committee made any efforts itself to identify qualified candidates, whether internal or
external, after the Chair knew that the CAE position would become vacant as early as spring
of 2013. The record developed during this evaluation shows that the Audit Committee first
considered the need to identify qualified candidates at its September 19, 2013 meeting. The
Committee’s lack of prior planning left it without any possible candidates once the vacancy
occurred. After the meeting, the Chair asked the CHRO to identify qualified internal
candidates, even though the assessment that he and the CEO produced in July 2013 found no
candidates were currently qualified for the position. While Fannie Mae insisted that senior
management had not undertaken a comprehensive Enterprise-wide analysis of possible
candidates for the Succession Plan, even for a position that the CEO knew would soon
become vacant, the CHRO identified nine potentially qualified internal candidates across the
Enterprise for the CAE position within six days. Little more than a week later, two Audit
Committee members interviewed three of these internal candidates and selected the CCO of
Single-Family as the next CAE, even though his audit experience fell short of the 15+ years
of senior audit experience deemed preferable in the CAE PD. Moreover, he was burdened by
a clear conflict of interest.

OIG takes no position on whether the selected CAE candidate had the professional skills
and experience demanded by this position in the complex, sophisticated financial services
environment at Fannie Mae. However, because there was no meeting of the Audit Committee
recorded in the corporate record books before the Audit Committee Chair announced the CAE
selection and because there are no contemporaneous Audit Committee documents reflecting
the Committee’s deliberations, it is not possible to determine whether the Committee
conducted appropriate due diligence and assessed the qualifications of the different
candidates, evaluated them against the CAE PD, recognized that the CCO was burdened by
significant conflicts, articulated the reasons that the CCO was the best candidate for the CAE
position, or discussed the need to manage the CCO’s conflicts to avoid any impairment to the
objectivity and independence of Internal Audit.

Not only is there no contemporaneous written explanation by the Audit Committee of its
rationale in making this selection, but also there is no written plan from the Committee to
assess the conflicts of its CAE candidate and develop comprehensive controls to address
those conflicts. The Board approved the selection without requiring the adoption and
implementation of such a plan.

As we have shown, the Audit Committee Charter requires it to oversee “the performance
of the Corporation’s internal audit function” to ensure, among other things, that the
independence and objectivity of Internal Audit is maintained. Following the selection of the
conflicted CAE candidate, the Audit Committee took no action to ensure that the CAE’s
conflicts would be assessed and sufficient controls put into place before his appointment.
Instead, the Audit Committee relied upon Internal Audit to assess the CAE’s conflict and to
develop and implement a plan to protect the independence and objectivity of Internal Audit.
Internal Audit evaluated the CAE’s conflicts no differently from its evaluation of the potential
conflicts of any internal candidate transferring into Internal Audit. Additionally, the Audit
Committee Chair found no shortcomings with this limited analysis: he advised the Committee
at its September 17, 2014 meeting that he “had reviewed the approach initially taken by
Internal Audit to preserve the CAE’s independence and had found it to be logical and
reasonable.” FHFA and then Grant Thornton determined that this analysis was perfunctory
and insufficient to assess the conflicts created when the CCO of Fannie Mae’s largest
business group was promoted to CAE.

FHFA officials informed us that they asked the Audit Committee Chair in mid-November
2013 to ensure that Fannie Mae prepared a detailed analysis of the CAE’s potential conflicts
and developed a proposal to manage those conflicts, and the Chair agreed to this request.
Both the Audit Committee and Fannie Mae maintained to us that no additional work was
needed after the November 14, 2013 Audit Committee Meeting. Assuming there was some
misunderstanding between FHFA, on the one hand, and Fannie Mae and its Audit Committee,
on the other, regarding the deliverables sought by FHFA, any misunderstanding should have
been resolved by FHFA’s email of January 9, 2014, to Fannie Mae in which FHFA reiterated
its expectations for a thorough conflicts assessment and a plan to address the CAE’s conflicts,
either by the Audit Committee or by Fannie Mae under the supervision of the Audit
Committee. In response, Fannie Mae provided the same analysis that was available in early
November 2013, which FHFA previously advised was inadequate. Once again, the Audit
Committee took no action to either prepare the requested analysis or direct Fannie Mae to
prepare the analysis, and to prepare a conflict management plan.

Only after FHFA sought additional information about Fannie Mae’s processes to identify,
address, and monitor the CAE’s conflicts in March 2014 did the Audit Committee take any
action. Then, it retained an external consultant, which it acknowledged was at FHFA’s
direction, and promised FHFA that the consultant’s work would be completed before Fannie
Mae’s May 2014 Board of Directors meeting. That commitment was not met; the consultant
did not finish its fieldwork until July 2014 and did not issue its report until September 2014.

Sarbanes-Oxley, implementing SEC regulations, the 2012 LOI, the Charter of Fannie Mae’s
Audit Committee, and the IIA Standards impose governance obligations on Fannie Mae
and its Audit Committee and those obligations were not lessened or eliminated by FHFA’s
acquiescence to the Audit Committee’s process and selection of the CAE. Based on the facts
found in this evaluation, we conclude that neither Fannie Mae nor its Audit Committee
fulfilled their corporate governance responsibilities in connection with the search for and
selection of the CAE and management of his conflicts to protect the independence and
objectivity of Internal Audit and ensure its compliance with the IIA Standards.

2. FHFA’s Oversight of Fannie Mae’s Appointment of a New CAE Was Ineffective

Invoking the 2012 LOI, FHFA officials asserted to us that Conservator approval was limited
to approval of proposed compensation for an executive officer candidate.42 While FHFA has
delegated hiring authority, save compensation, to Fannie Mae, it consults with Fannie Mae
throughout the decisional process, as the record here shows. Yet, we found no evidence that
FHFA officials—who discussed concerns about the Audit Committee’s abbreviated process
to identify and select a qualified CAE candidate, the qualifications of the candidate, and the
CAE’s conflicts that could compromise the independence and objectivity of Internal Audit—
raised their concerns with the Acting Director or recommended that he refrain from approving
the CAE’s proposed compensation.

Although the Chief Accountant maintained to us that he repeatedly flagged concerns within
FHFA regarding the conflicted CAE candidate, neither he nor anyone else at FHFA urged
Fannie Mae to identify and consider conflict-free CAE candidates. Nor did any FHFA
official require Fannie Mae to assess the scope of the CAE candidate’s conflicts and put into
place appropriate controls before the CCO began work as the CAE.

We find that there is a critical need to improve communication channels—both within
FHFA and between FHFA and the Enterprises—so that FHFA can properly exercise its
responsibilities. It is essential for the FHFA Director to be informed about significant risks
identified by senior FHFA officials and for FHFA officials to share their concerns with the
Enterprise before decisions are made. Breakdowns in communication lead to flawed
decisions that must be remedied after the fact, as the record here demonstrates.

3. FHFA’s Failure to Insist that Fannie Mae Thoroughly Assess the Scope of the CAE’s
   Conflicts and Develop an Adequate Plan to Manage Those Conflicts Immediately
   Upon the CAE’s Appointment Meant that Internal Audit’s Independence and
   Objectivity Was Called into Question for a Significant Period of Time

As we have shown, FHFA officials advised the Audit Committee Chair on November 13,
2013—more than a week after the CCO began work as the CAE—that a thorough assessment
of the CAE’s conflicts and appropriate controls to manage those conflicts was required. They
reiterated their request on January 9, 2014, and twice in March 2014, but imposed no
consequences on Fannie Mae when it failed to produce the requested assessment and
proposed controls. For more than one year after the conflicted CAE began work, Fannie
Mae’s Internal Audit was not in full conformance with the IIA Standards.

42
   Reliance on that provision ignores another section of the 2012 LOI in which FHFA reserves “authority to
review and approve or to require review and approval of any transaction or activity [of the Enterprises] at any
time.”




CONCLUSION

FHFA has established a delegated approach to managing the Enterprises’ operations. For this
governance model to succeed, FHFA must be confident that the Enterprises’ directors and
board committees are fulfilling their delegated responsibilities.

Effective corporate governance is a critical element of operational risk management. Fannie
Mae’s Audit Committee has front-line governance responsibilities, which include oversight
of the internal audit function. While Internal Audit’s function is a key mechanism in Fannie
Mae’s internal control function and the CAE leads that function and sets the tone, the Audit
Committee’s search for the best candidate was far from diligent. It delayed any efforts to
develop a process to identify qualified candidates for months and then relied on the CHRO
to pull together, in six days, a list of nine possible candidates across the Enterprise. Then, in
little more than a week, two Audit Committee members interviewed three of these candidates
and selected one, but created no record of the rationale for their selection or of their
knowledge of the conflicts that burdened their candidate.

Pursuant to the governing IIA Standards, “internal audit activity must be independent, and
internal auditors must be objective in performing their work.” Once the Audit Committee
selected a CAE candidate with significant conflicts, it took no action to assess the scope of
his conflicts nor did it insist upon comprehensive controls to protect the independence and
objectivity of Fannie Mae’s Internal Audit function, its critical third line of defense to manage
risk, before the new CAE began work. Instead, it delegated that work to the Chief of Staff of
Internal Audit, who performed a perfunctory assessment and put inadequate controls into
place, efforts that—contrary to the appraisals by FHFA and then Grant Thornton—the
Audit Committee Chair concluded were “logical and reasonable.”

FHFA has consistently viewed operational risk management as an important financial safety
and soundness challenge facing Fannie Mae and Freddie Mac. FHFA and its predecessor
agency repeatedly found, from 2006 into 2011, that Fannie Mae had not established an
acceptable and effective operational risk management program despite requirements to do so.
This report identifies another weakness in Fannie Mae’s operational risk management. Fannie
Mae’s Audit Committee failed to adequately fulfill its delegated responsibilities to select a
CAE. The numerous governance failures of the Fannie Mae Audit Committee with respect to
the CAE selection and management of his conflicts call into question whether this Committee
sufficiently understands its governance obligations under the law and the conservatorship and
is prepared to responsibly exercise its fiduciary duties. Absent diligence and commitment by
all members of the Audit Committee to exercise their delegated oversight responsibilities,
FHFA’s continued reliance on this Committee shall remain in question.



RECOMMENDATIONS

We recommend that FHFA:

   1. Implement a sufficiently robust internal communications process to ensure that the
      FHFA Director is informed of significant issues and concerns by FHFA staff on all
      conservatorship and supervisory matters that require the Director’s decision.

   2. Given the importance of the Audit Committee’s oversight over Fannie Mae’s financial
      reporting and risk management and the breadth of its responsibilities, require the
      Fannie Mae Audit Committee to hold meetings relating to its oversight responsibilities
      and to fully document, in meeting minutes, its discussions, deliberations, and actions
      at each meeting to ensure an effective flow of information among directors, senior
      management, and risk managers and to satisfy FHFA of the adequacy of the
      Committee’s risk oversight function.

   3. Conduct a comprehensive evaluation of the Audit Committee’s effectiveness,
      which should include: whether all members of the Committee are independent
      from management; whether the Committee’s responsibilities are clearly articulated;
      whether each Committee member understands what is expected of him/her under
      the Committee’s Charter and regulatory requirements; whether the Committee’s
      interactions with Fannie Mae’s financial executives, Internal Audit, and the external
      audit firm are robust and occur regularly; whether the Committee raises critical
      questions with management and the CAE, including questions that indicate the
      Committee’s understanding of key accounting policies and judgments and that
      challenge management’s judgments and conclusions; whether the Committee has
      been responsive to issues raised by the external auditor; and whether the Committee
      periodically assesses the list of top risks and determines responsibility for management
      of each risk.

   4. Direct the Audit Committee to align its meetings to address priority issues and risks
      so that standard reports and informational materials are provided to the Committee in
      advance of the meetings and may not need to be included on the meeting agenda for
      discussion and so that the Committee has sufficient time at each meeting to enable it
      to focus on the most critical issues and risks.

   5. Assess the adequacy of the criteria and processes used by the Enterprise’s Board
      of Directors to populate each committee of the Board and to rotate committee
      membership to ensure that the members of each committee have the commitment to
      be effective.



OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this report was to assess FHFA’s oversight of Fannie Mae’s plans to
maintain independence and objectivity of its Internal Audit.

To achieve this objective, we interviewed officials from FHFA’s accounting and examination
divisions (OCA and DER, respectively). We also met with Agency executives from the
Office of the Director.

We reviewed the Agency’s 2008 and 2012 LOIs to the Enterprises, internal documents from
OCA, DER, and OCO; FHFA Advisory Bulletins and DER Operating Procedure Bulletins;
the Sarbanes-Oxley Act of 2002; and the Prudential Management and Operations Standards,
12 CFR Part 1236, Standard 2: Independence and Adequacy of Internal Audit Systems
(effective August 7, 2012). We analyzed the International Standards for the Professional
Practice of Internal Auditing, the International Professional Practices Framework, IIA
Position Papers and Practice Guides, Fannie Mae’s Forms 10-Q and 8-K for the years 2013
and 2014, Form 10-K for 2014, as well as a number of academic and industry papers on
internal auditing and risk management.

Our work was conducted under the authority of the Inspector General Act and in accordance
with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for
Inspection and Evaluation (January 2012). These standards require us to plan and perform an
evaluation based upon evidence sufficient to provide reasonable bases to support its findings
and recommendations. We believe that the findings and recommendations discussed in this
report meet these standards.

The performance period for this evaluation was between July 2014 and February 2015.




APPENDIX A

FHFA’s Comments on FHFA-OIG’s Findings and Recommendations




APPENDIX B

FHFA-OIG’s Response to FHFA’s Comments

On March 7, 2015, FHFA provided comments to a draft of this report, agreeing with OIG’s
recommendations and identifying specific actions it will take to address them.

FHFA agreed with Recommendation 1 and will review and make any necessary changes
to its governance documents by May 29, 2015, and enhance its use of conservatorship and
regulatory structures to ensure that significant concerns relevant to matters requiring the
FHFA Director’s decision are brought to the Director’s attention.

FHFA agreed with Recommendations 2 and 4 and will communicate to Fannie Mae its
expectations for enhancements to the Audit Committee process by May 29, 2015.

FHFA agreed with Recommendation 3 and will issue a directive to Fannie Mae for retaining
an independent third party to evaluate the Audit Committee’s effectiveness.

FHFA agreed to Recommendation 5 and will perform examination work to assess the criteria
and processes Fannie Mae uses to select and rotate members of the committees of the Board
of Directors. The Agency expects to complete this work by February 29, 2016.

OIG considered FHFA’s full response in finalizing this report. See Appendix A. We
consider the planned actions sufficient to resolve the recommendations, which will remain
open until OIG determines that the agreed-upon corrective actions are completed and
responsive to the recommendations.




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigation – Hotline
                400 Seventh Street, S.W.
                Washington, DC 20024



