FHFA Requires the Enterprises' Internal Audit Functions to Validate Remediation of Serious Deficiencies but Provides No Guidance and Imposes No Preconditions on Examiners' Use of that Validation Work

Published by the Federal Housing Finance Agency, Office of Inspector General on 2018-03-28.

REDACTED

Federal Housing Finance Agency
Office of Inspector General

This report contains redactions of information that is privileged or confidential.

Evaluation Report • EVL-2018-002 • March 28, 2018

Executive Summary

FHFA is charged with ensuring that Fannie Mae and Freddie Mac (collectively, the
Enterprises) operate in a safe and sound manner. Within FHFA, the Division of Enterprise
Regulation (DER) is responsible for supervising the Enterprises. When DER conducts
supervisory activities, it may identify significant deficiencies related to risk management,
risk exposure, or violations of laws, regulations, or orders affecting the performance or
condition of a regulated entity. Among these “adverse examination findings” are matters
requiring attention (MRAs), which consist of either “critical supervisory matters (the highest
priority) which pose substantial risk to the safety and soundness of the regulated entity” or
“deficiencies,” which if not corrected, could “escalate and potentially negatively affect” the
regulated entity.

FHFA expects the Enterprises to take corrective action to remediate MRAs, and DER is
responsible for monitoring the remediation process. When Enterprise management determines
that it has completed remediation of an MRA, FHFA expects the Enterprise’s internal audit
(IA) function to review the corrective action and “validate” that remediation has been fully
implemented as intended. The Enterprise then submits a closure package to DER that contains
documentation of IA’s validation work. Based on a review of the closure package, and any
other follow-up examination work that DER may conduct, DER determines whether the MRA has
been satisfactorily addressed and notifies the Enterprise of its determination.

In a previous evaluation, we found that some DER examiners appeared to have accepted MRA
validation work conducted by the Enterprises’ IA functions without evidence of independent
analysis. Following on that work, this evaluation reviews DER’s guidance and standards for
reliance on the Enterprises’ IA functions when examiners assess the remediation of MRAs.
A companion evaluation issued today reviews DER’s practices for a sample of 22 recent MRA
closures. See FHFA’s Adoption of Clear Guidance on the Review of the Enterprises’ Internal
Audit Work When Assessing the Sufficiency of Remediation of Serious Deficiencies Would Assist
FHFA Examiners, EVL-2018-003, available online at
www.fhfaoig.gov/reports/auditsandevaluations.

To conduct this evaluation, we compared FHFA guidance (including DER’s guidance and
standards) to guidance issued by the Office of the Comptroller of the Currency (OCC) and the
Board of Governors of the Federal Reserve System (Federal Reserve), and interviewed DER
officials and staff. Federal Reserve and OCC guidance direct their respective examiners to
periodically assess and conclude on the overall effectiveness or strength of the IA functions
at their regulated financial institutions. Federal Reserve guidance permits reliance on IA
MRA follow-up only when the Federal Reserve has rated the institution’s IA function as
effective overall. We found, however, that FHFA has not concluded on the overall
effectiveness of the Enterprises’ IA functions and that DER has no present plans to do so.
As a result, we concluded that DER examiners lack assurance of the overall quality,
reliability, competency, and objectivity of the IA function when they use IA validation work.

In addition, we found that FHFA guidance does not address whether, or the circumstances
under which, FHFA examiners may rely on, accept, or otherwise use information, analyses, or
conclusions provided by an Enterprise’s IA function when determining whether an Enterprise
has satisfactorily remediated an MRA. Accordingly, DER examiners are given wide discretion
to determine whether and to what extent to rely on, accept, or otherwise use IA validation
work as a basis to close MRAs. In our view, such discretion to use IA validation work to
close MRAs, without a predicate supervisory conclusion on the overall effectiveness of the IA
function, creates the risk that DER’s assessment of the adequacy of Enterprise remediation
will be impaired.

We make three recommendations to FHFA to address these shortcomings. FHFA agreed with one
recommendation and disagreed with two.

This report was prepared by Howard Klein, Attorney-Advisor, and Minh-Tu Greenburg,
Investigative Counsel. We appreciate the cooperation of FHFA staff, as well as the assistance
of all those who contributed to the preparation of this report.

This report has been distributed to Congress, the Office of Management and Budget, and
others and will be posted on our website, www.fhfaoig.gov.

Angela Choy
Assistant Inspector General for Evaluations

TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS

BACKGROUND
      The Role of the Enterprises’ Internal Audit Functions

FACTS AND ANALYSIS
      FHFA Guidance and Policies Governing the Respective Roles of Enterprise IA and
      FHFA Examination Staff in Assessing Whether MRAs Have Been Satisfactorily
      Remediated
             FHFA Prudential Management and Operations Standards
             FHFA Examination Manual and the Internal and External Audit Module
             FHFA Advisory Bulletin 2016-05
             DER Operating Procedures Bulletin 2017-03.2
      Guidance of Other Federal Financial Regulatory Agencies Governing IA and the
      Assessment of MRA Remediation
             Federal Reserve
             OCC
      Unlike the OCC and the Federal Reserve, Current FHFA Guidance Does Not
      Require FHFA Examiners to Conclude on the Overall Effectiveness or Strength of
      the Enterprises’ IA Function
      According to DER Officials, DER Examiners “Leverage” the Validation Work of an
      Enterprise’s IA Function When Assessing the Adequacy Remediation

FINDINGS
      1. FHFA has not concluded on the overall effectiveness of the Enterprises’ IA
      functions.
      2. FHFA guidance does not address whether, or the circumstances under which,
      FHFA examiners may rely on information, analyses, or conclusions provided by an
      Enterprise’s IA function when assessing the adequacy of MRA remediation.

CONCLUSION

                                            OIG • EVL-2018-002 • March 28, 2018                                                                 4
RECOMMENDATIONS

FHFA COMMENTS AND OIG RESPONSE

OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX: FHFA MANAGEMENT RESPONSE

ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

AB                    Advisory Bulletin

Basel Committee       Basel Committee on Banking Supervision

DER                   Division of Enterprise Regulation

EIC                   Examiner-in-charge

Enterprises           Fannie Mae and Freddie Mac, collectively

Federal Reserve       Board of Governors of the Federal Reserve System and Reserve Banks

FHLBank               Federal Home Loan Bank

FHFA or Agency        Federal Housing Finance Agency

IA                    Internal Audit

IIA                   Institute of Internal Auditors

IIA Standards         International Standards for the Professional Practice of Internal
                      Auditing

MRA                   Matter Requiring Attention

OCC                   Office of the Comptroller of the Currency

OIG                   Federal Housing Finance Agency Office of Inspector General

OPB                   Operating Procedures Bulletin

BACKGROUND

Since 2008, FHFA has operated as both regulator and conservator of the Enterprises and
regulator of the Federal Home Loan Banks (FHLBanks). DER is responsible for supervising
the Enterprises and does so through targeted examinations and ongoing monitoring activities.
According to FHFA, targeted examinations enable examiners to conduct a deep or
comprehensive assessment of selected areas of high importance or risk, while the purpose of
ongoing monitoring is to analyze real-time information and to use those analyses to identify
Enterprise practices and changes in an Enterprise’s risk profile that may warrant supervisory
attention. DER also conducts ongoing monitoring or targeted examinations to assess the
Enterprises’ remediation of serious deficiencies and the Enterprises’ adherence to supervisory
guidance and conservatorship directives. At the end of each annual supervisory cycle, DER
issues an annual report of examination to each Enterprise. 1

During an ongoing monitoring activity or a targeted examination, DER may identify
significant deficiencies related to risk management, risk exposure, or violations of laws,
regulations, or orders affecting the performance or condition of a regulated entity. These
identified deficiencies are known as “adverse examination findings.” FHFA classifies
adverse examination findings into one of three categories: (1) MRAs, (2) Violations, or (3)
Recommendations. FHFA has two categories of MRAs: (a) “critical supervisory matters (the
highest priority) which pose substantial risk to the safety and soundness of the regulated
entity” and (b) “deficiencies,” which if not corrected, could “escalate and potentially
negatively affect” the regulated entity. 2 The distinction between the two types of MRAs is
the “‘nature and severity of the issues requiring corrective action’ and the priority that
Enterprise management must give to remediation efforts.”

After FHFA issues an MRA to Fannie Mae or Freddie Mac, the Enterprise is expected to
prepare and submit a written remediation plan to FHFA describing the proposed corrective
actions. DER then reviews and analyzes the remediation plan, and notifies the Enterprise in
writing of DER’s objection, nonobjection, or nonobjection with conditions to the plan. DER
examiners are expected to monitor the progress of remediation through ongoing monitoring or
targeted examinations. When Enterprise management determines that it has completed
remediation, the “Enterprise’s internal audit function or an independent third party reviews
and validates that the remediation plan has been fully implemented as intended.” 3 The
Enterprise then submits a closure package to DER that contains documentation of validation
work by its IA function. DER considers remediation of an MRA to be “validated” when the
Enterprise’s IA function determines that the proposed remediation plan has been implemented
and that the remedial actions are effective and sustainable.

1
  For more information on annual reports of examination, see OIG, FHFA’s Failure to Consistently Identify
Specific Deficiencies and Their Root Causes in Its Reports of Examination Constrains the Ability of the
Enterprise Boards to Exercise Effective Oversight of Management’s Remediation of Supervisory Concerns
(July 14, 2016) (EVL-2016-008) (online at www.fhfaoig.gov/Content/Files/EVL-2016-008.pdf) and OIG,
FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain
Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those
Reports (July 14, 2016) (EVL-2016-009) (online at www.fhfaoig.gov/Content/Files/EVL-2016-009.pdf).
2
  FHFA, Advisory Bulletin 2017-01, Classifications of Adverse Examination Findings, at 1-2 (Mar. 13, 2017)
(online at www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Classifications-of-Adverse-
Examination-Findings.aspx).

After receipt of the closure package, DER examiners are expected to review its contents and
the “follow-up examination work done to monitor progress of corrective actions.” Examiners
are expected to document their assessments in an analysis memo, which is provided to the
examiner-in-charge (EIC). Based on the examiner’s work, the EIC determines whether the
MRA has been “satisfactorily addressed,” and communicates this determination in writing to
the Enterprise. DER has previously characterized its oversight role as confirming IA’s
validation.

The Role of the Enterprises’ Internal Audit Functions

The Enterprises manage risk using an industry standard “Three Lines of Defense” model. 4
The third line of defense for each Enterprise is its IA function, which reports independently to
the Audit Committee of the Board of Directors. 5 Internal auditing is:

         [A]n independent, objective assurance and consulting activity designed to add
         value and improve the organization’s operations. It helps an organization
         accomplish its objectives by bringing a systematic, disciplined approach to
         evaluate and improve the effectiveness of risk management, control, and
         governance processes.

3
  This process began in 2013, when DER changed its practice for assessing remediation and closing MRAs.
DER issued an operating procedures bulletin in April 2013 that called for an Enterprise’s IA function, or other
independent third party, to validate that management’s MRA remediation was complete and consistent with the
remediation plan. Under that operating procedure, DER examiners would assess the Enterprise’s remediation
activities through ongoing monitoring, including reviewing IA’s validation work. The 2013 operating
procedures bulletin was superseded in 2017, but the guidance governing the review and closure process did not
change materially.
4
 See Fannie Mae, 2016 Annual Report (Form 10-K), at 122 (online at
www.fanniemae.com/resources/file/ir/pdf/quarterly-annual-results/2016/10k_2016.pdf); Freddie Mac, 2016
Annual Report (Form 10-K), at 92-93 (online at
www.freddiemac.com/investors/financials/pdf/10k_021617.pdf).
5
  The first line of defense is the business unit that generates a particular risk. The second line of defense
includes groups, such as enterprise risk management, that are responsible for independent oversight and
monitoring of risk management. The second line of defense reports directly to management.

The charter for each Enterprise’s IA function requires, and FHFA expects, that each
Enterprise’s IA function conform its practices to the Institute of Internal Auditors (IIA)
International Standards for the Professional Practice of Internal Auditing (IIA Standards). 6
The IIA Standards are principle-focused requirements that provide a framework for the
professional practice of internal auditing. According to the IIA Standards, an “internal audit
activity must be independent, and internal auditors must be objective in performing their
work.” 7

FHFA’s Internal and External Audit module (Audit Module), which is part of its Examination
Manual, states that the “internal audit function generally reviews transactions and decisions
after the fact, and therefore functions as a detective control to identify problems, weaknesses,
or errors after they occur.” 8 FHFA’s Audit Module further observes:

            The internal audit function has a broad scope and assesses topics such as the
            effectiveness of the organization’s operations, the reliability of financial
            reporting, fraud prevention and detection, safeguarding assets, and compliance
            with laws and regulations. The internal audit function should serve as a valuable
            resource for management, the board of directors, and the audit committee of the
            board of directors . . . . 9

According to an FHFA advisory bulletin, the IA function is expected to “provide timely
feedback to management and assurance to audit committees on the effectiveness of regulated
entities’ internal controls, risk management and governance. Timely and reliable information
about elevated risks and internal control systems are important so that management can make
prompt corrections.” FHFA’s Audit Module also provides that the IA function of each
Enterprise is responsible for “determin[ing] whether corrective action has been effectively
implemented” to remediate the deficiencies identified by FHFA, including MRAs.

6
  The IIA is a global, authoritative source of guidance for the internal audit profession. See IIA, Standards &
Guidance – International Professional Practices Framework (IPPF) (online at https://na.theiia.org/standards-
guidance/Pages/Standards-and-Guidance-IPPF.aspx). According to the IIA, conformance with the standards
“is essential in meeting the responsibilities of internal auditors and the internal audit activity.”
7
  Standard 1100 (Independence and Objectivity) of the IIA Standards. The IIA Standards devote a section to
independence and objectivity, with individual standards for organizational independence, the chief audit
executive’s interaction with management, auditors’ individual objectivity, and impairments to independence
and objectivity.
8
 FHFA, FHFA Examination Manual, Internal and External Audit, at 6 (Nov. 2013) (online at
www.fhfa.gov/SupervisionRegulation/Documents/Internal_and_External_Audit_Module_Final_Version_1_0-
508.pdf).
9
    Id. at 1-2.


FACTS AND ANALYSIS

FHFA Guidance and Policies Governing the Respective Roles of Enterprise IA and FHFA
Examination Staff in Assessing Whether MRAs Have Been Satisfactorily Remediated

      FHFA Prudential Management and Operations Standards

FHFA’s Prudential Management and Operations Standards establish performance standards
for the Enterprises and the FHLBanks, and include a standard governing the IA function. 10
Paragraph 10 of that standard directs that an “internal audit department should determine
whether violations, findings, weaknesses, and other issues reported by regulators, external
auditors, and others have been promptly addressed.” 11 Because the purpose of the Prudential
Management and Operations Standards is to set forth standards for the Enterprises and the
FHLBanks, they do not address whether, or the circumstances under which, FHFA examiners
may rely on, accept, or otherwise use information, analyses, or conclusions provided by an
Enterprise’s IA function to determine whether an Enterprise has satisfactorily remediated an
MRA.

      FHFA Examination Manual and the Internal and External Audit Module

The FHFA Examination Manual, a public document, is divided into two parts. Part I
describes FHFA’s examination program and provides an overview of the Agency’s
examination policies. Part II contains 26 individual examination “modules,” one of which is
the Audit Module. Examination modules are detailed examination guidance for examiners
pertaining to specific topics. The Audit Module contains detailed guidance and work steps for
FHFA staff responsible for examining the IA functions. It also describes the roles and
responsibilities of internal and external audit at the Enterprises and the FHLBanks.

FHFA’s Audit Module reflects the Agency’s expectation that the IA function of each
regulated entity will play a role in assessing whether the entity has remediated an outstanding
MRA and whether that remediation is effective. It states that the head of each IA function:

           [M]ust establish a process to monitor and follow-up on the findings to determine
           whether corrective action has been effectively implemented . . . . In addition, the
           internal audit department should determine whether violations, findings,
           weaknesses, and other issues reported by regulators (including FHFA), external
           auditors, and others have been promptly addressed.

10
     12 C.F.R. § 1236 Appendix (Standard 2).
11
     12 C.F.R. § 1236 Appendix (Standard 2, paragraph 10).


The Audit Module provides general guidance that FHFA “staff should understand the
principles of sound internal and external audit in order to assess to what extent they can rely
on these functions when examining operations of Fannie Mae, Freddie Mac, the Federal
Home Loan Banks (FHLBanks), and the Office of Finance (OF)” (italics added). However, it
identifies no conditions that must be met before examiners may rely on IA’s work, provides
no specific guidelines on the extent of such reliance, and does not address the use of IA work
to assist examiners in determining whether MRAs have been satisfactorily remediated. 12

      FHFA Advisory Bulletin 2016-05

Advisory Bulletin (AB) 2016-05, Internal Audit Governance and Function, which FHFA
issued on October 7, 2016, 13 communicates detailed supervisory expectations to the entities it
regulates on the roles and responsibilities of their IA functions. 14 The AB sets forth FHFA’s
expectations that IA assess and validate management’s remediation of deficiencies, including
MRAs:

           IA should establish standards for performing timely and appropriately rigorous
           validation work once management asserts that remediation of significant audit
           issues (to include MRAs) has occurred. When management or the board indicates
           that they have performed the required remediation, IA should validate that revised
           processes and controls are in place, operating, and sustainable before closing the
           issue. The level of validation work that IA should perform to close an issue will
           vary based on the issue’s risk, complexity, and associated interdependencies. For
           higher-risk issues, IA should verify that sufficient testing is performed over an
           appropriate period of time to validate that the issue is sustainably resolved.




12
  FHFA’s Chief Accountant informed us that his office is working on a revision to the Audit Module that will
omit any reference to reliance on IA.
13
     AB 2016-05’s effective date was January 1, 2017.
14
     AB 2016-05 supersedes three prior advisory bulletins on this subject.

     DER Operating Procedures Bulletin 2017-03.2

In a 2016 evaluation, we assessed DER examiners’ reliance on Enterprise IA validation of
MRA remediation. 15 In that evaluation, we identified some instances where DER examiners
appeared to have accepted validation work from an Enterprise’s IA function without
documented evidence of independent review of the adequacy of remediation. We
recommended that FHFA “[r]equire DER, when evaluating whether to close an MRA, to
conduct and document . . . an independent analysis of . . . the adequacy of the Enterprise’s
internal audit validation work . . . .” DER agreed with our recommendation and committed to
“amend its internal guidance to provide that examiners should assess any . . . closure package,
or internal audit validation of remediation activity and should include in the summary
memorandum the results of that assessment.”

From time to time, DER issues internal operating procedures bulletins (OPBs) to provide its
examiners with guidance and instructions on supervisory issues. In response to our 2016
recommendation, DER issued OPB-2017-03.2, Adverse Examination Findings Issuance and
Follow-up, on June 21, 2017, which superseded two prior DER OPBs, both of which
concerned the role of internal audit in the issuance or remediation of MRAs. OPB-2017-03.2
updated DER’s examination procedures for developing and issuing adverse findings,
reviewing and acting on MRA remediation plans, monitoring the progress of remediation, and
closing MRAs after remediation is completed:

        Following Enterprise management’s determination that planned remediation
        actions are complete, the Enterprise’s internal audit function or an independent
        third party reviews and validates that the remediation plan has been fully
        implemented as intended. DER examination staff should direct the Enterprise to
        submit an MRA closure package that includes documentation of the independent
        validation work performed.

        DER examiners should review the closure package, as well as follow-up
        examination work done to monitor progress of corrective actions. Examination
        staff should summarize and document their conclusions in an analysis memo. . . .
        Based on review of examiner work, the EIC determines whether the MRA
        has been satisfactorily addressed. The results of DER’s assessment are
        communicated in a remediation letter . . . approved by the EIC and the DER
        Deputy Director.



15
   See OIG, FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and
Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises, at 17-21
(July 14, 2016) (EVL-2016-007) (online at www.fhfaoig.gov/Content/Files/EVL-2016-007.pdf).

This OPB, which is the only current OPB issued by DER on MRA follow-up, does not
provide guidance to examiners on what they must do, or the conditions that must exist, in
order to rely on, accept, or otherwise use the data, analyses, or conclusions contained in IA’s
validation work. When this OPB issued, we reminded DER officials that our
recommendation, with which DER agreed, was that DER would require examiners to perform
independent analyses of the Enterprises’ internal audit validation work, and we noted that the
OPB did not contain such a provision. DER officials responded that provisions of FHFA’s
Examination Manual, when read in conjunction with this OPB, require examiners to perform
and document independent assessments of MRA closure packages. 16

FHFA’s Chief Accountant, whose office is within DER, advised us that, in his view, this
OPB does not provide clear guidance on whether DER examiners can rely on Enterprise IA
validation of MRA remediation and suggested that DER should issue clarifying guidance on
the subject in a supplemental technical practice or operating procedure bulletin.

An Associate Director of DER advised us that some DER examiners apprised him of their
concerns regarding the clarity of DER guidance on the issue of reliance on the validation
work of an Enterprise’s IA function. However, the Deputy Director of DER reported to us
that she was unaware of such concerns. She acknowledged that the current OPB provided
“sparse” guidance on the use of IA validation work by DER examiners. She stressed that the
EIC, not individual DER examiners, determines whether an MRA has been satisfactorily
remediated, based on review of the examiners’ workpapers. In the event that the workpapers
lack evidence of examiner work to support closure of the MRA, the Deputy Director advised
that she expects the EIC to send the closure request back to the examiner.

Guidance of Other Federal Financial Regulatory Agencies Governing IA and the
Assessment of MRA Remediation

Because FHFA regularly asserts that its supervisory authority over its regulated entities “is
virtually identical to—and clearly modeled on—Federal bank regulators’ supervision of
banks,” we looked to the guidance and standards issued by these federal bank regulators
regarding their use of IA work product to assess whether a regulated entity has fully
remediated MRAs and their assessments of the overall adequacy of the IA function.

According to the Basel Committee on Banking Supervision (Basel Committee) (of which
OCC and the Federal Reserve are members), “[b]ecause of the crucial role played by internal
audit in assessing the effectiveness of a bank’s overall control systems and processes,
supervisors should assess the internal audit function. This will influence their overall
assessment of the bank and enable them to determine the extent to which they will use the
work of the internal audit function.” The Basel Committee is a global standard setter for the
prudential regulation of banks.

16 See FHFA, FHFA Examination Manual, Performing and Documenting Examination Activities, at 22 (Dec.
2013) (“Examiners support their conclusions through testing and independent analysis of Enterprise
information, data, documents, and other materials obtained from management or other sources.”).

OIG • EVL-2018-002 • March 28, 2018   13

Federal Reserve

The Board of Governors of the Federal Reserve System (Federal Reserve) 17 provides the
following guidance on the MRA follow-up process to its examiners:

        The Reserve Bank must follow up on MRAs to assess progress and verify
        satisfactory completion. The timeframe for follow-up should correspond with
        the timeframe during which actions are to be completed . . . . The means of
        supervisory follow-up may vary based upon the nature and severity of the matter
        for which corrective action is expected. Follow-up may take the form of a
        subsequent examination, targeted review, continuous monitoring, reliance on
        validation work conducted by an internal audit function, reliance on the results of
        examinations conducted by other supervisors, or any other supervisory activity
        deemed suitable for evaluating the issue at hand . . . . In all instances, examiners
        are expected to exercise judgment regarding the supervisory activities best suited
        for evaluating a particular issue. Once follow-up is complete, examiners are
        expected to clearly and fully document the rationale for their decision to close any
        issue.

Federal Reserve guidance permits Federal Reserve examiners to “rely on the work of internal
audit” in following up on MRA remediation if the IA function has been rated “effective” in
the most recent examination of IA. That guidance aligns with the principles issued by the
Basel Committee. When relying on IA, the Federal Reserve guidance directs examiners “to
review the relevant work papers and, when necessary, meet with internal audit staff who
documented the resolution of the issue.” If an institution’s IA function is ineffective,
examiners may not rely on it.

Because Federal Reserve examiners may rely on IA only when it is rated effective, we
reviewed the Federal Reserve’s guidance and policies for examining and rating the IA
function. According to Federal Reserve guidance, Federal Reserve examiners are required to
make an “overall determination as to whether the internal audit function and its processes are
effective or ineffective.” Federal Reserve examiners are expected to review certain “key
elements” of the IA function annually, so as to obtain sufficient information to re-affirm the
prior determination regarding the effectiveness of IA.

17 The Federal Reserve’s Board of Governors establishes examination standards, and the Reserve Banks are
responsible for supervising bank holding companies, Federal Reserve System member banks, foreign branches
of member banks, and other related entities to ensure safe and sound banking practices and compliance with
applicable laws and regulations. For purposes of this report, any reference to the “Federal Reserve” includes
the Reserve Banks.

OCC

The Office of the Comptroller of the Currency (OCC) provides detailed guidance for its
examiners on the issuance, follow-up, and closure of MRAs. 18 With respect to remediation of
MRAs, OCC expects its examiners to verify that banks implement the corrective actions and
validate that the actions are both effective and sustainable. 19

Like the Federal Reserve, OCC also expects its examiners to assess, conclude, rate, and report
on the overall strength of the IA function of each regulated entity. During each supervisory
cycle, OCC uses the following four categories to rate the overall strength of the IA function of
a regulated entity: strong, satisfactory, insufficient, or weak. Each category is defined in OCC
guidance.

Unlike the OCC and the Federal Reserve, Current FHFA Guidance Does Not Require
FHFA Examiners to Conclude on the Overall Effectiveness or Strength of the
Enterprises’ IA Function

As discussed, the Federal Reserve guidance permits Federal Reserve examiners to rely on
MRA follow-up work performed by the IA function of a regulated entity, provided that prior
examination work has rated the entity’s internal audit program as “effective.” FHFA
guidance, however, imposes no comparable condition on DER examiners when they review
IA validation work to assess MRA remediation. In fact, unlike the Federal Reserve and the
OCC, FHFA does not require its examiners to reach conclusions on the overall strength or
effectiveness of either Enterprise’s IA function. To be sure, FHFA’s Audit Module contains
detailed work steps for examining the IA functions of the regulated entities, and requires
examiners to prepare written memoranda containing conclusions regarding IA based on the
examination work performed; however, the Audit Module imposes no expectation that
examiners conclude on the overall strength, adequacy, or effectiveness of IA. 20 DER’s
Deputy Director confirmed that DER does not require examiners to conclude on overall
effectiveness of the Enterprises’ IA function. When we interviewed her in January 2018, she
informed us that DER had no plan to do so.

18 OCC charters, regulates, and supervises all national banks, federal savings associations, and federal
branches of foreign banks.
19 OCC has issued nonpublic, internal guidance addressing examiner use of IA MRA follow-up work.
20 When conducting an examination of IA, examiners are not required to perform all of the work steps in the
Audit Module.

FHFA’s Office of Chief Accountant, which is part of DER, is charged with the primary
responsibility for examining the Enterprises’ IA functions. The Chief Accountant reported to
us that he could not recall an instance in which FHFA concluded on the overall effectiveness
of the Enterprises’ IA functions. While he advised us that he is not aware of any formal or
informal FHFA policy that bars examiners from reaching such a conclusion, he observed that
DER examiners have not conducted sufficient examination work to conclude on the overall
effectiveness of the IA function for either Enterprise. 21 Because DER has not concluded on
the overall effectiveness or strength of either Enterprise’s IA function, its examiners may lack
a sufficient basis “to determine the extent to which they will use the work of the internal audit
function” in assessing the adequacy of MRA remediation by an Enterprise.

According to FHFA’s Chief Accountant, a supervisory conclusion on the overall effectiveness
of an IA function of an Enterprise, based on sufficient examination work, would be a worthy
goal. He stressed, however, that the amount of examination work necessary to reach a
conclusion of effectiveness would be “a high bar.” He reported that FHFA is working to
enhance its supervisory assessments of the Enterprises’ IA functions, but the Agency is not
yet in a position to conclude on the overall effectiveness of those functions. When we
interviewed the Chief Accountant in November and December 2017, he reported to us that
FHFA did not intend to conclude on the overall effectiveness of either Enterprise’s IA
function for the 2017 examination cycle.

The Chief Accountant and other FHFA officials have reported to us that the Agency intends
to issue an updated Audit Module in 2018, and the updating effort is being led by the Chief
Accountant’s office. In December 2017, the Chief Accountant advised us that he expects the
revised Audit Module to contain a work program sufficient to permit examiners to reach a
conclusion as to the overall effectiveness of IA. He also anticipates that the revised Audit
Module will not address whether examiners can rely on the validation work conducted by an
IA function of a regulated entity.

Finally, the Chief Accountant explained to us that examiners, on an ad hoc basis, provide their
feedback on the quality of the IA validation work for MRA remediation. We observe that
FHFA’s examination of the Enterprises’ IA functions may benefit from formal feedback on
the quality of IA validation work from all examiners engaged in MRA closure
determinations.

21 While DER’s reports of examination for 2014, 2015, and 2016 for each of the Enterprises contain statements
about the adequacy of IA’s work, the Chief Accountant and the EIC of one of the Enterprises advised us that
these statements did not constitute a determination about the overall effectiveness of their IA functions.
Significantly, in each of the 2014, 2015, and 2016 Fannie Mae reports of examination, DER
           department, and in 2015, DER

According to DER Officials, DER Examiners “Leverage” the Validation Work of an
Enterprise’s IA Function When Assessing the Adequacy of Remediation

During our fieldwork for this evaluation, DER officials stated in writing that DER examiners
“[g]enerally . . . [do] not accept or rely [on] IA’s assessments of MRA remediation without
independent examiner work to support conclusions.” Most of the DER examination managers
with whom we spoke reported that DER examiners are not permitted to – and do not – rely
on the validation work performed by an Enterprise’s IA function. However, these same
examination managers stated that DER examiners are permitted to – and do – “leverage” IA
validation work, including IA validation testing, to assist DER in determining whether MRAs
have been satisfactorily remediated.

When asked, the Chief Accountant and one examination manager defined reliance on IA work
as the substitution of IA’s work for that of DER examiners and explained that leveraging IA
work meant using that work as part of their examination activities. In a companion
evaluation, we review DER’s practices related to the closure of a sample of 22 MRAs,
including the extent to which examiners accepted, relied on, or otherwise used IA’s validation
work in their assessment of the adequacy of MRA remediation and whether they conducted
independent assessments of the adequacy of the remediation. We found that where DER
examiners reported in their workpapers that testing was conducted for the MRAs in our
sample, examiners generally relied on the validation testing conducted by the Enterprises’ IA
functions instead of performing their own testing.

FINDINGS

   1. FHFA has not concluded on the overall effectiveness of the Enterprises’ IA
      functions.

Unlike the OCC and the Federal Reserve, FHFA does not expect its examiners to conclude on
the overall effectiveness of the IA functions at the financial institutions it supervises. DER’s
Deputy Director confirmed that DER has not required its examiners to conclude on the overall
effectiveness of the Enterprises’ IA function and that DER has no plans to do so. FHFA’s
Chief Accountant, whose office is primarily responsible for examining the Enterprises’ IA
functions, advised us that FHFA has not concluded on the overall effectiveness of the IA
function at Fannie Mae or Freddie Mac since 2008, when FHFA was established and assumed
responsibility for their supervision.

   2. FHFA guidance does not address whether, or the circumstances under which,
      FHFA examiners may rely on information, analyses, or conclusions provided by
      an Enterprise’s IA function when assessing the adequacy of MRA remediation.

Although DER examiners are expected to “review” validation work conducted by the
Enterprises’ IA function when assessing whether MRAs have been adequately addressed,
FHFA guidance does not address the extent to which – if at all – DER may rely on, accept,
or otherwise use that IA work product. As a result, DER examiners have wide discretion to
determine whether and to what extent to rely on, accept, or otherwise use IA validation work
as a basis to close MRAs. In our view, such discretion to use IA validation work to close
MRAs, without a predicate supervisory conclusion on the overall effectiveness of the IA
function, creates the risk that DER’s assessment of the adequacy of Enterprise remediation
will be impaired.

CONCLUSION

Federal Reserve and OCC guidance direct their respective examiners to periodically assess
and conclude on the overall effectiveness or strength of the IA functions at their regulated
financial institutions. Federal Reserve guidance permits reliance on IA MRA follow-up only
when the Federal Reserve has rated the institution’s IA function as effective overall. We
found, however, that FHFA has not concluded on the overall effectiveness of the Enterprises’
IA functions and that DER has no present plans to do so. As a result, when using IA
validation work, examiners lack assurance of the overall quality, reliability, competency, and
objectivity of the IA function.

In addition, we found that FHFA guidance does not address whether, or the circumstances
under which, FHFA examiners may rely on, accept, or otherwise use information, analyses, or
conclusions provided by an Enterprise’s IA function when determining whether an Enterprise
has satisfactorily remediated an MRA. Accordingly, DER examiners are given wide
discretion to determine whether and to what extent to rely on, accept, or otherwise use IA
validation work as a basis to close MRAs. In our view, such discretion to use IA validation
work to close MRAs, without a predicate supervisory conclusion on the overall effectiveness
of the IA function, creates the risk that DER’s assessment of the adequacy of Enterprise
remediation will be impaired.


RECOMMENDATIONS

We recommend that FHFA:

   1. Periodically conclude, based upon sufficient examination work, on the overall
      effectiveness of the IA functions at Fannie Mae and Freddie Mac;

   2. Revise its guidance to provide clear direction to examiners on whether, or the
      circumstances under which, its examiners may rely on information, analyses, or
      conclusions provided by an Enterprise’s IA function when assessing the adequacy of
      MRA remediation; and

   3. Direct that examiners can use IA work to assess the adequacy of MRA remediation
      only if FHFA has concluded that the IA function is effective overall.

FHFA COMMENTS AND OIG RESPONSE

OIG provided FHFA an opportunity to respond to a draft report of this evaluation. FHFA
provided technical comments that we incorporated into the report, as appropriate. On March
8, 2018, FHFA provided its formal response to our recommendations, which is attached in its
entirety in the Appendix. In its response, FHFA agreed with recommendation 2 and disagreed
with recommendations 1 and 3. As discussed below, OIG urges FHFA to reconsider its
position and to fully implement our recommendations.

Recommendation 1 proposed that FHFA periodically conclude on the overall effectiveness of
the Enterprises’ IA functions. In recommendation 3, we proposed that FHFA condition
examiners’ use of IA work on a supervisory conclusion, after sufficient examination work,
that the IA function is effective overall. FHFA rejected both recommendations in part
because of concerns that examiners might rely exclusively on IA work in deciding whether to
close an MRA where FHFA had reached a supervisory conclusion on the overall effectiveness
or strength of the IA function. We did not recommend (and our recommendations should not
be understood to imply) that FHFA should authorize its examiners to substitute IA validation
work for independent assessments of the sufficiency of MRA remediation in the event that
FHFA reached a supervisory conclusion of overall effectiveness of IA.

Adoption and implementation of these two recommendations would align FHFA’s guidance
and practice with that of the Federal Reserve and the OCC, which expect their respective
examiners to periodically conclude on the overall effectiveness or strength of the IA functions
at their regulated financial institutions. Notably, FHFA’s Chief Accountant agreed that a
conclusion on the overall effectiveness of the Enterprises’ IA functions – the Enterprises’
third line of defense – is a worthy goal and he informed us that a forthcoming revised Audit
Module is expected to contain sufficient procedures to reach such a conclusion. In our view,
examiners may lack a sufficient basis on which to determine whether, and how, they can
leverage the IA work when FHFA has reached no conclusion on the overall effectiveness of
the IA function.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this report was to evaluate DER’s policies, guidance, and standards
governing its acceptance of, reliance on, or use of work conducted by the Enterprises’ IA
functions when DER assesses whether MRAs have been satisfactorily remediated. Based on
information that came to our attention during this evaluation, we also sought to determine the
extent to which DER concludes on the overall effectiveness of the Enterprises’ IA functions.

To achieve this objective, we requested and reviewed FHFA guidance pertaining to MRA
remediation and IA. We also reviewed OCC and Federal Reserve guidance on MRA
remediation and IA, as well as standards and guidance issued by the Institute of Internal
Auditors (IIA). Additional materials reviewed include prior OIG evaluation reports and supporting
materials, IA charters of Fannie Mae and Freddie Mac, correspondence with DER, and reports
of examination for Fannie Mae and Freddie Mac.

In addition to our document review, we interviewed the DER Deputy Director, FHFA’s
Chief Accountant, the DER examiners-in-charge of Fannie Mae and Freddie Mac, and DER
examination managers.

The field work for this report was completed between October 2017 and January 2018.

This evaluation was conducted under the authority of the Inspector General Act and in
accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality
Standards for Inspection and Evaluation (January 2012). These standards require us to plan
and perform an evaluation based upon evidence sufficient to provide a reasonable basis to
support its findings and recommendations. We believe that the findings and
recommendations discussed in this report meet those standards.

APPENDIX: FHFA MANAGEMENT RESPONSE

ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

   •   Call: 202-730-0880

   •   Fax: 202-318-0239

   •   Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1-800-793-7724

   •   Fax: 202-318-0358

   •   Visit: www.fhfaoig.gov/ReportFraud

   •   Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219
