United States Government Accountability Office Washington, DC 20548 May 16, 2012 Mr. Edward J. DeMarco Acting Director Federal Housing Finance Agency Subject: Management Report: Opportunities for Improvement in the Federal Housing Finance Agency’s Internal Controls Dear Mr. DeMarco: In November 2011, we issued our opinion on the Federal Housing Finance Agency’s (FHFA) fiscal years 2011 and 2010 financial statements. Our report also included our opinion on the effectiveness of FHFA’s internal control over financial reporting as of September 30, 2011, and our evaluation of FHFA’s compliance with provisions of selected laws and regulations for the fiscal year ended September 30, 2011. 1 The Housing and Economic Recovery Act of 2008 (HERA) created FHFA and assigned it responsibility for, among other things, the supervision and regulation of the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), the 12 federal home loan banks, and the Office of Finance. 2 Specifically, FHFA was assigned responsibility for ensuring that the regulated entities operate in a fiscally safe and sound manner, including maintenance of adequate capital and internal controls, in carrying out their housing and community development finance mission. HERA requires FHFA to annually prepare financial statements, and requires GAO to audit these statements. The purpose of this report is to present additional information on the financial reporting-related internal control issue we identified during our audit of FHFA’s fiscal year 2011 financial statements and to provide our recommended action to address that issue. This report also discusses a continuing issue with respect to FHFA’s information security that resulted in new weaknesses in information security control areas. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified during our audits of FHFA’s fiscal years 2010 and 2009 financial statements as reported in our related management 1 GAO, Financial Audit: Federal Housing Finance Agency’s Fiscal Years 2011 and 2010 Financial Statements, GAO-12-161 (Washington, D.C.: Nov. 15, 2011). 2 Pub. L. No. 110-289, 122 Stat. 2654 (July 30, 2008). GAO-12-499R Page 1 reports on internal controls and accounting procedures 3 and our fiscal year 2009 report on controls related to information security. 4 In addition, because of the sensitive nature of our findings related to FHFA information security, we will present our findings and recommendations setting out corrective actions to address the new issues we identified concerning FHFA’s internal control over information security in a separate letter to FHFA management with limited distribution. Results in Brief During our audit of FHFA’s fiscal years 2011 and 2010 financial statements, we identified one internal control issue and a continuing issue related to information systems controls that could adversely affect FHFA’s ability to meet its internal control objectives. We do not consider these issues to represent material weaknesses or significant deficiencies in relation to FHFA’s financial statements. 5 Nonetheless, we believe they warrant management’s attention and action. Specifically, we found: • FHFA did not establish effective controls to assess the risk of errors by its payroll service provider and determine if any compensating controls were necessary to ensure the accuracy of payroll calculations. • FHFA had not yet fully implemented its information security program, resulting in weaknesses in four information security control areas. These issues increase the risk to FHFA that 1) misstatements in its financial statements may not be promptly detected and corrected, 2) errors in the calculation of its payroll amounts may not be identified, 3) contractors or other users with privileged access could gain unauthorized access to or improperly use agency financial systems, applications, and information, and 4) unauthorized system changes could be implemented without FHFA’s knowledge. At the end of our discussion of the payroll issue, we present our recommendation for strengthening FHFA’s internal controls. Our recommendation is intended to improve 3 GAO, Management Report: Opportunities for Improvements in FHFA’s Internal Controls and Accounting Procedures, GAO-11-398R (Washington, D.C.: Apr. 29, 2011). GAO, Management Report: Opportunities for Improvements in FHFA’s Internal Controls and Accounting Procedures, GAO-10-587R (Washington, D.C.: June 3, 2010). 4 GAO, Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls, GAO-10-528 (Washington, D.C.: Apr. 30, 2010). 5 A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. Page 2 GAO-12-499R management’s oversight and controls and minimize the risk of misstatements in FHFA’s accounts and financial statements. As of the completion of our fiscal year 2011 audit, FHFA had taken action to fully address 11 of the 19 internal control-related recommendations from our prior reports. (See enclosure I for a summary of the status of our prior recommendations related to FHFA internal controls and accounting procedures and enclosure II for a summary of the status of our prior recommendations related to FHFA controls over information security.) Overall, while FHFA took action to address the four internal control and accounting procedures-related recommendations that remain open, more work is needed to fully resolve the underlying control issues. Similarly, with respect to internal control weaknesses over information security that resulted from FHFA’s inability to fully implement an overall information security program as we previously recommended, FHFA had actions in process. In commenting on a draft of this report, FHFA agreed with our recommendation and described actions it has taken, or plans to take, to address the payroll-related control issue described in this report. At the end of our discussion of the payroll-related issue that we identified, we have summarized FHFA’s related comments and corrective actions cited. We will evaluate the effectiveness of FHFA’s corrective actions as part of our fiscal year 2012 audit. We have also reprinted FHFA’s comments in their entirety in enclosure III. Scope and Methodology As part of our audit of FHFA’s fiscal years 2011 and 2010 financial statements, we evaluated FHFA’s internal controls and tested its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls over financial reporting, including those designed to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of FHFA’s financial statements in conformity with U.S. generally accepted accounting principles. We performed our audit of FHFA’s fiscal years 2011 and 2010 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report. Further details on our audit methodology are presented in enclosure IV. Payroll Calculations During our testing of payroll expense transactions conducted as part of our fiscal year 2011 audit, we found that FHFA did not have controls in place to ensure the integrity of payroll information processed by the U.S. Department of Agriculture’s National Finance Center (NFC), FHFA’s service provider for its payroll processing. Specifically, FHFA had not identified that NFC was not withholding Medicare taxes to be paid for FHFA employees’ salaries during a portion of fiscal year 2011. `3 Page GAO-12-499R NFC performs payroll/personnel processing for FHFA under the terms of an interagency agreement. Under the agreement, NFC is to (1) provide accurate and timely salary payments, (2) receive, review, and correct error conditions on submitted time and attendance (T&A) records and contact the agency if required to obtain necessary information, (3) record and maintain an official "system of record" for payroll and personnel data for all FHFA employees, (4) support and operate the interface with the Office of Personnel Management (OPM) to update the Central Personnel Data File and Enterprise Human Resources Integration Warehouse with personnel data for all of FHFA’s employees, 6 (5) design, develop, and implement program development services to ensure compliance with mandated regulations, enhancements, and modifications (i.e., annual pay raise, tax law changes, among others), and (6) receive, assign, monitor, and complete the processing of manual transactions initiated by FHFA within a specified timeframe based on complexity. Beginning in pay period 11 of 2011 (May 22 through June 4, 2011) and continuing through pay period 21 (October 9 through October 22, 2011), as the result of an issue with NFC’s Special Payroll Processing System (SPPS), certain manual payments, such as wellness reimbursements, processed by SPPS, were not included in the calculation of the amount of Medicare tax to be withheld for FHFA employees who had met their annual Federal Insurance Contributions Act (FICA) maximum. 7 As a result, NFC did not withhold any Medicare taxes, either the employee or employer portion, on the manual payments to those FHFA employees during these 2011 pay periods. FHFA was unaware of this issue until we identified it during our audit testing. Standards for Internal Control in the Federal Government states that management needs to comprehensively identify risks, considering all significant interactions between the entity and service providers at both the entity wide and activity level, and based upon the significance of the risk, decide what actions to take to manage the risk. In addition, the Office of Management and Budget’s (OMB) Circular A-123 (A-123) and its related implementation guide require agencies to annually assess the effectiveness of their internal control over financial reporting and to provide a statement of assurance attesting to whether these internal controls are effective. The A-123 guide requires agencies to develop and document a thorough understanding of their financial reporting operations and how these operations are supported by automated systems. This includes determining which specific systems 6 The Central Personnel Data File is an automated information system containing individual records for most Federal civilian employees. The system's primary objective is to provide a readily accessible database for meeting the workforce information needs of the White House, the Congress, OPM, other Federal agencies, and the public. OPM’s Enterprise Human Resources Integration (EHRI) Program's Data Warehouse is the Government's premier source for integrated Federal workforce information. The system currently collects, integrates, and publishes data for 2.0 million Executive Branch employees on a bi-weekly basis, supporting agency and governmentwide analytics. 7 Federal Insurance Contributions Act (FICA) taxes are comprised of social security and Medicare taxes. Most employees and employers each pay a specified percentage (in 2011 social security tax rate was 4.2 percent and Medicare was 1.45 percent) of payroll wages for social security and Medicare taxes. The social security tax is only applied on an employee’s salary up to a maximum amount. When an employee reaches the maximum payment, social security taxes are no longer deducted until the next calendar year. However, there is no maximum amount for earnings subject to the Medicare taxes portion of FICA. Page 4 GAO-12-499R are involved in the financial reporting process, whether classes of transactions identified are significant to the financial reporting process, and determining whether each system is controlled by the agency or by an external service provider. For those systems that are controlled by an external service provider, agencies are to coordinate with the service provider to obtain an annual assurance statement that highlights key controls and the results of annual testing, and if available, to review the most recent report on the service provider’s internal controls prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16. 8 For its financial reporting process, FHFA places extensive reliance on systems that are controlled by external service providers, including the processing of its payroll by NFC. The A-123 guide specifies that such systems are considered part of an entity’s information system, and should therefore be considered in making an assessment of the effectiveness of the entity’s internal control over financial reporting. The A-123 guide describes the nature of the procedures which could be used to monitor internal control over such service providers: 1. Perform tests of entity internal control over the activities of the service provider, 2. Perform tests of internal control at the service provider, or 3. Review reports prepared on the service provider in accordance with applicable standards. While NFC is responsible for maintaining adequate controls to ensure the accuracy and completeness of the payroll transactions it processes for its customer agencies (including FHFA), it is important that customer agencies gain an understanding of NFC’s control environment, assess the risk of errors occurring in that environment, and establish compensating controls to address those risks. In reviewing FHFA’s A- 123 assessment documentation for fiscal year 2011, we did not find that FHFA performed any of the procedures noted above in assessing the effectiveness of NFC’s internal controls. In addition, FHFA did not have procedures in place that would have enabled it to detect the errors that resulted from the systemic problem with NFC’s SPPS. Without an assessment of the risk of errors in the financial information provided to FHFA by NFC and compensating controls to identify and correct any errors, the risk is increased that such errors could go undetected and result in misstatements to amounts reported for expenditures and accrued liabilities in FHFA’s financial statements. 8 SSAE 16 reports refer to reports typically prepared by an independent auditor based on a review of the controls relevant to user entities’ internal control over financial reporting as discussed in the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. A service organization provides services to the entity whose financial statements are being audited. `5 Page GAO-12-499R Recommendation To identify and address any NFC errors in processing FHFA payroll, we recommend that you direct the Chief Financial Officer to develop and implement a process to assess and address the risk to FHFA from any internal control issues at NFC including, as appropriate, any compensating controls commensurate with any identified risk. FHFA Comments and Our Evaluation In its May 9, 2012, comments on our draft report, FHFA agreed with the recommendation and cited actions it has taken, or intends to take, to address the payroll-related internal control issue we identified. For example, FHFA stated that it had instituted a formal quality control process to verify withholdings on all SPPS payments prior to release in the NFC system. In addition, FHFA stated that it will include a review of payroll calculations as part of its annual review for compliance with OMB A-123. FHFA’s stated actions, if effectively implemented, should reduce the risk of payroll-processing errors occurring and going undetected by FHFA. We will more fully evaluate the effectiveness of the agency’s corrective actions during our fiscal year 2012 financial audit. Information Security Program During our audit of FHFA’s fiscal year 2011 financial statements, we found that FHFA had not fully implemented its information security program as we have recommended in previous reports, and this lack resulted in several new information systems vulnerabilities during the fiscal year. 9 Specifically, as discussed in greater detail in the following sections, we found that FHFA had not consistently or fully implemented controls for (1) identifying and authenticating users, (2) authorizing access to resources, (3) managing system configurations, and (4) protecting system and network boundaries on information systems owned and operated by FHFA or on behalf of FHFA by service provider organizations. FISMA requires each agency to develop, document, and implement an agencywide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. 10 In our review we found the following vulnerabilities. 9 GAO, Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls, GAO-10-528 (Washington, D.C.: April 30, 2010). 10 Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide (1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; (2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (3) availability, which means ensuring timely and reliable access to and use of information. Page 6 GAO-12-499R Identification and Authentication of Users A computer system needs to be able to identify and authenticate each user so that activities on the system can be linked and traced to a specific individual. An organization does this by assigning a unique user account to each user, and in so doing, the system is able to distinguish one user from another—a process called identification. The system also needs to establish the validity of a user’s claimed identity by requesting some kind of information, such as a password, that is known only by the user—a process known as authentication. The combination of identification and authentication—such as user account-password combinations— provides the basis for establishing individual accountability and for controlling access to the system. However, our 2011 review found FHFA did not ensure that appropriate password management controls were implemented on key systems we reviewed at both FHFA and an FHFA service provider. In addition, FHFA did not enforce disabling of inactive user accounts on one of its systems. As a result, an increased risk exists that FHFA accounts could be compromised and used by unauthorized individuals to access sensitive information. Authorization Controls Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file. A key component of granting or denying access rights is the concept of “least privilege.” Least privilege is a basic principle for securing computer resources and data that means that users are granted only those access rights and permissions that they need to perform their official duties. However, our 2011 review found both FHFA and an FHFA service provider granted users excessive levels of access privileges and permissions that were not required to perform their job. As a result, FHFA data could be inappropriately modified, either inadvertently or deliberately. Configuration Management Configuration management involves, among other things, (1) verifying the correctness of the security settings in the operating systems, applications, or computing and network devices and (2) obtaining reasonable assurance that systems are configured and operating securely and as intended. Patch management, a component of configuration management, is an important element in mitigating the risks associated with software vulnerabilities. When a software vulnerability is discovered, the software vendor may develop and distribute a patch or work-around to mitigate the vulnerability. Without the patch, an attacker can exploit a software vulnerability to read, modify, or delete sensitive information; disrupt operations; or launch attacks against systems at another organization. Nevertheless, servers for systems used by FHFA had not been consistently patched in a timely manner. In addition, FHFA devices were not always securely configured. Specifically, FHFA did not properly configure a test server, and network vulnerabilities existed on multiple network devices. Failing to apply critical patches and the appropriate configuration settings for systems and network devices increases the risk of exposing systems to vulnerabilities that could be exploited. `7 Page GAO-12-499R Boundary Protection Boundary protection involves the protection of a logical or physical boundary around a set of information resources and implementation of measures to prevent unauthorized information exchange across the boundary in either direction. Firewall devices represent the most common boundary protection technology at the network level. However, during our 2011 review, we found FHFA service-provider network firewalls did not sufficiently log network traffic across the devices. In addition, controls were insufficient to ensure firewalls operating on systems that we reviewed appropriately restricted access to the systems. These weaknesses increase the risk that malicious activity could occur and escape detection. The underlying cause of the vulnerabilities we identified in fiscal year 2011 is that FHFA has not fully implemented our previous recommendations related to FHFA’s information security program. For example, we have previously reported that FHFA did not always effectively monitor its systems. This lack of monitoring contributes, in part, to the new control issues we identified in our 2011 review. These new and continuing control issues increase the risk that (1) contractors or other users with privileged access could gain unauthorized access to or improperly use agency financial systems, applications, and information, and (2) unauthorized system changes could be implemented. Until FHFA mitigates its control deficiencies by fully implementing an effective information security program, increased risk exists that its financial and support systems and the information they contain will be subject to unauthorized access, use, disclosure, disruption, modification, or destruction. Status of Prior Years’ Audit Recommendations At the beginning of our fiscal year 2011 financial audit, 19 recommendations to improve FHFA’s financial operations from our prior audits remained open and therefore required corrective action by FHFA. In the course of performing our fiscal year 2011 financial audit, we identified numerous actions taken by FHFA to address many of the internal control issues related to these recommendations. On the basis of our 2011 review of FHFA’s actions, we closed 11 of our prior years’ audit recommendations. Specifically, at the beginning of our 2011 audit, six recommendations related to accounting procedures remained open. As of the completion of our 2011 audit, FHFA had taken action to fully address two of the six recommendations. (See enclosure I.) However, more work is needed to fully resolve the underlying control issues for the remaining four accounting procedures related recommendations. The four recommendations that remained open as of the completion date of our fiscal year 2011 financial audit relate to invoice payment procedures, undelivered orders, and expense accruals. Although FHFA updated its Administrative Accounting Manual and developed additional documented procedures and training materials in response to our recommendations on invoice payment procedures and the calculation of undelivered orders balances and accruals, we continued to find problems during our audit testing with the mathematical accuracy of invoices, accurate reporting of undelivered order balances, and the calculation of year-end accruals. The errors we identified in our 2011 audit were not material to the fiscal Page 8 GAO-12-499R year 2011 financial statements, but the continuation of such errors indicates that further efforts are needed to routinely enforce procedures related to these areas. In addition, at the beginning of our fiscal year 2011 audit, 13 recommendations related to information systems controls remained open. As of the completion of our audit, FHFA had taken action to fully address 9 of the 13 recommendations. (See enclosure II.) FHFA continues to take actions to establish an overall information security management program. However, more work is needed to fully resolve the control issues for the remaining four recommendations related to information systems controls. Specifically, the recommendations that remained open at the close of the fiscal year 2011 audit relate to logical access controls and FHFA’s information security program. Although FHFA has made progress in addressing these recommendations, additional work is required before these issues are fully resolved. For example, FHFA completed continuous monitoring reports that summarize monitoring activities by the agency; however, it had not yet developed policies and procedures for monitoring third party service organization staff and contractors. In addition, FHFA had developed procedures for an annual risk assessment of FHFA contractor systems, but the procedures did not specifically address the assessment of security reviews and plans of action and milestones developed by BPD and contractors. 11 During our fiscal year 2012 audit, we will assess the implementation of any new procedures developed by FHFA to address our recommendations related to information systems controls. _______ This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency’s first request for appropriations made more than 60 days after the date of this report. This report is intended for use by FHFA management. We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Member of the House Committee on Financial Services; the Chairman of the Federal Housing Finance Oversight Board; the Secretary of the Treasury; the Secretary of Housing and Urban Development; the Chairman of the Securities and Exchange Commission; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO’s web site at http://www.gao.gov. 11 FHFA outsources its financial management services to the Department of the Treasury Bureau of the Public Debt Administrative Resource Center. Oracle Corporation staff serve as database and systems administrators and provide backup and recovery services for FHFA’s financial information. `9 Page GAO-12-499R We acknowledge and appreciate the cooperation and assistance provided by FHFA management and staff during our audit of FHFA’s fiscal years 2011 and 2010 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact Steven Sebastian at (202) 512-3406 or firstname.lastname@example.org or Gregory Wilshusen at (202) 512-6244 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are Peggy Smith, Assistant Director (FMA); Vijay D’Sousa, Assistant Director (IT); William E. Brown, Senior Analyst; and Shaunyce Wallace, Senior Analyst. Sincerely yours, Steven J. Sebastian Managing Director Financial Management and Assurance Gregory C. Wilshusen Director Information Security Issues Enclosures – 4 Page 10 GAO-12-499R Enclosure I: Status of Prior Recommendations This enclosure presents the status of the six remaining open recommendations initially reported in GAO's April 29, 2011 and June 3, 2010 management reports. 12 The recommendations are grouped according to deficiency areas specified in the management reports. Table 1: Status of Recommendations from GAO's 2010 and 2009 Management Reports at the end of GAO's Audit of the Federal Housing Finance Agency's (FHFA) Fiscal Year 2011 Financial Statements. Status of corrective action Year In Audit area initially Completed progress reported Disposal of capitalized property and equipment 1. Establish a mechanism to monitor compliance with policies and procedures surrounding the proper disposal of capitalized 2010 X property and equipment. 2. Update the Property Management Policy to include procedures for how to properly document approval before X 2010 disposal of FHFA assets. Invoice payment procedures 3. Enhance FHFA’s Invoice and Payment Desktop Procedures to include detailed instructions on how to verify the accuracy of 2010 X invoice amounts prior to payment. Undelivered orders 4.Enhance the Administrative Accounting Manual by incorporating specific, detailed steps for the contracting officer X technical representatives (COTR) review of contract balances, 2009 including the use of the open obligations report provided by the Bureau of the Public Debt in the COTR review process. 5. Enhance the Administrative Accounting Manual by including specific, detailed steps on when and how to properly account 2009 X for obligating and deobligating contract amounts. Expense accruals 6. Enhance training materials related to accruals to include examples of expenses that should and should not be accrued X 2009 at the end of an accounting period. Source: GAO analysis of FHFA data. 12 GAO, Management Report: Opportunities for Improvements in FHFA’s Internal Controls and Accounting Procedures, GAO-11-398R (Washington, D.C.: Apr. 29, 2011). GAO, Management Report: Opportunities for Improvements in FHFA’s Internal Controls and Accounting Procedures, GAO-10-587R (Washington, D.C.: June 3, 2010). ` 11 Page GAO-12-499R Enclosure II: Status of Prior Recommendations from GAO's Fiscal Year 2009 Information Security Management Report This enclosure presents the status of the 13 remaining open recommendations initially reported in GAO's April 30, 2010 information security management report. 13 The recommendations are grouped according to deficiency areas specified in that management report. (Please see next page.) 13 GAO, Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls, GAO-10-528 (Washington, D.C.: Apr. 30, 2010). Page 12 GAO-12-499R Table 2: Status of Recommendations from GAO's 2009 Information Security Management Report at the end of GAO's Audit of the Federal Housing Finance Agency's (FHFA) Fiscal Year 2010 Financial Statements. Status of corrective Year action initially In reported Completed progress Audit Area Logical access controls 1. Maintain network access authorizations for every agency network 2009 X user. 2. Review current access to network files and directories containing X 2009 confidential information and restrict access to personnel with an authorized need to access that information. Controls over physical access 3. Secure areas that contain information technology equipment and 2009 X sensitive information. 4. Complete sufficient physical security policies to address protection of agency assets, including incident response, access 2009 X authorizations, and environmental safety controls. 5. Perform physical security risk assessments at key facilities. 2009 X 6. Develop, document, and implement monitoring procedures to ensure that physical access authorizations to secure areas 2009 X containing sensitive computer resources, including server rooms and sensitive information, are current and controlled. 7. Develop, document, and implement monitoring procedures and install appropriate equipment to ensure that FHFA can detect and 2009 X respond to potential physical security incidents. 8. Increase employees' awareness of the need to enforce physical 2009 X security safeguards. Improvements to FHFA's information security program 9. Develop, document, and implement procedures enforcing 2009 X separation of incompatible duties among personnel. 10. Finalize, approve, and implement configuration management 2009 X policies and procedures. 11. Approve and test continuity of operations and disaster recovery 2009 X plans. 12. Develop, document, and implement procedures to monitor access X to agency financial information by the Bureau of the Public Debt 2009 (BPD) and Oracle Corporation staff and contractors. 13. Develop, document, and implement procedures to assess all X security reviews and plans of action and milestones developed by 2009 BPD and Oracle Corporation staff and contractors. Source: GAO analysis of FHFA data. ` 13 Page GAO-12-499R Enclosure III: Comments from the Federal Housing Finance Agency Page 14 GAO-12-499R ` 15 Page GAO-12-499R Enclosure IV: Audit Scope and Methodology To fulfill our responsibilities as auditor of the financial statements of the Federal Housing Finance Agency (FHFA), our audit work included the following: • examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements; • assessed the accounting principles used and significant estimates made by FHFA management; • evaluated the overall presentation of the financial statements; • obtained an understanding of the entity and its operations, including its internal control over financial reporting; • considered FHFA’s process for evaluating and reporting on internal control over financial reporting that FHFA is required to perform by 31 U.S.C. § 3512 (c), (d), commonly known as the Federal Managers’ Financial Integrity Act of 1982; • assessed the risk that a material misstatement exists in the financial statements and the risk that a material weakness exists in internal control over financial reporting; • evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk; • tested relevant internal control over financial reporting; • tested compliance with selected provisions of the following laws and their related regulations: 31 U.S.C. § 3902 (a), (b), (f) – Interest penalties under the Prompt Payment Act; 31 U.S.C. § 3904 – Limitations on Discount Payments Under the Prompt Payment Act; 5 U.S.C. § 5313 – Positions at level II; 12 U.S.C. § 4515 – Personnel; 12 U.S.C. § 4517(h) – Appointment of accountants, economists, and examiners; Continuing Appropriations Act, 2011, as amended by Continuing Appropriations and Surface Transportation Extensions Act, 2011; Presidential Memorandum on Freezing Federal Employee Pay Schedules and Rates That Are Set by Administrative Discretion, 75 Fed. Reg. 81829 (Dec. 29, 2010); Federal Employees' Retirement System Act of 1986, as amended; Social Security Act of 1935, as amended; Federal Employees Health Benefits Act of 1959, as amended; 12 C.F.R. Part 1206 – Assessments; and Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended by the Housing and Economic Recovery Act of 2008; and Page 16 GAO-12-499R • evaluated information security controls based on our Federal Information System Controls Audit Manual14 which contains guidance for reviewing information systems. (196256) 14 GAO, Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G (Washington, D.C.: February 2009). ` 17 Page GAO-12-499R This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. The Government Accountability Office, the audit, evaluation, and GAO’s Mission investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: firstname.lastname@example.org Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, email@example.com, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, firstname.lastname@example.org, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Management Report: Opportunities for Improvement in the Federal Housing Finance Agency's Internal Controls
Published by the Government Accountability Office on 2012-05-16.
Below is a raw (and likely hideous) rendition of the original report. (PDF)