oversight

Management Report: Opportunities for Improvement in the Federal Housing Finance Agency's Internal Controls

Published by the Government Accountability Office on 2012-05-16.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

United States Government Accountability Office
Washington, DC 20548



           May 16, 2012


           Mr. Edward J. DeMarco
           Acting Director
           Federal Housing Finance Agency

           Subject: Management Report: Opportunities for Improvement in the Federal Housing
           Finance Agency’s Internal Controls

           Dear Mr. DeMarco:

           In November 2011, we issued our opinion on the Federal Housing Finance Agency’s
           (FHFA) fiscal years 2011 and 2010 financial statements. Our report also included
           our opinion on the effectiveness of FHFA’s internal control over financial reporting as
           of September 30, 2011, and our evaluation of FHFA’s compliance with provisions of
           selected laws and regulations for the fiscal year ended September 30, 2011. 1

           The Housing and Economic Recovery Act of 2008 (HERA) created FHFA and
           assigned it responsibility for, among other things, the supervision and regulation of
           the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan
           Mortgage Corporation (Freddie Mac), the 12 federal home loan banks, and the
           Office of Finance. 2 Specifically, FHFA was assigned responsibility for ensuring that
           the regulated entities operate in a fiscally safe and sound manner, including
           maintenance of adequate capital and internal controls, in carrying out their housing
           and community development finance mission. HERA requires FHFA to annually
           prepare financial statements, and requires GAO to audit these statements.

           The purpose of this report is to present additional information on the financial
           reporting-related internal control issue we identified during our audit of FHFA’s fiscal
           year 2011 financial statements and to provide our recommended action to address
           that issue. This report also discusses a continuing issue with respect to FHFA’s
           information security that resulted in new weaknesses in information security control
           areas. In addition, we are providing an update on the status of recommendations we
           made to address internal control issues identified during our audits of FHFA’s fiscal
           years 2010 and 2009 financial statements as reported in our related management


           1
           GAO, Financial Audit: Federal Housing Finance Agency’s Fiscal Years 2011 and 2010 Financial Statements,
           GAO-12-161 (Washington, D.C.: Nov. 15, 2011).
           2
               Pub. L. No. 110-289, 122 Stat. 2654 (July 30, 2008).
                                                                                                      GAO-12-499R
           Page 1
reports on internal controls and accounting procedures 3 and our fiscal year 2009
report on controls related to information security. 4

In addition, because of the sensitive nature of our findings related to FHFA
information security, we will present our findings and recommendations setting out
corrective actions to address the new issues we identified concerning FHFA’s
internal control over information security in a separate letter to FHFA management
with limited distribution.

Results in Brief

During our audit of FHFA’s fiscal years 2011 and 2010 financial statements, we
identified one internal control issue and a continuing issue related to information
systems controls that could adversely affect FHFA’s ability to meet its internal
control objectives. We do not consider these issues to represent material
weaknesses or significant deficiencies in relation to FHFA’s financial statements. 5
Nonetheless, we believe they warrant management’s attention and action.

Specifically, we found:

      •      FHFA did not establish effective controls to assess the risk of errors by its
             payroll service provider and determine if any compensating controls were
             necessary to ensure the accuracy of payroll calculations.

      •      FHFA had not yet fully implemented its information security program, resulting
             in weaknesses in four information security control areas.

These issues increase the risk to FHFA that 1) misstatements in its financial
statements may not be promptly detected and corrected, 2) errors in the calculation
of its payroll amounts may not be identified, 3) contractors or other users with
privileged access could gain unauthorized access to or improperly use agency
financial systems, applications, and information, and 4) unauthorized system
changes could be implemented without FHFA’s knowledge.

At the end of our discussion of the payroll issue, we present our recommendation for
strengthening FHFA’s internal controls. Our recommendation is intended to improve


3
 GAO, Management Report: Opportunities for Improvements in FHFA’s Internal Controls and Accounting
Procedures, GAO-11-398R (Washington, D.C.: Apr. 29, 2011). GAO, Management Report: Opportunities for
Improvements in FHFA’s Internal Controls and Accounting Procedures, GAO-10-587R (Washington, D.C.: June
3, 2010).
4
GAO, Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls,
GAO-10-528 (Washington, D.C.: Apr. 30, 2010).
5
 A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a
reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or
detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies,
in internal control that is less severe than a material weakness, yet important enough to merit attention by those
charged with governance. A deficiency in internal control exists when the design or operation of a control does
not allow management or employees, in the normal course of performing their assigned functions, to prevent, or
detect and correct, misstatements on a timely basis.

    Page 2                                                                                         GAO-12-499R
management’s oversight and controls and minimize the risk of misstatements in
FHFA’s accounts and financial statements.

As of the completion of our fiscal year 2011 audit, FHFA had taken action to fully
address 11 of the 19 internal control-related recommendations from our prior
reports. (See enclosure I for a summary of the status of our prior recommendations
related to FHFA internal controls and accounting procedures and enclosure II for a
summary of the status of our prior recommendations related to FHFA controls over
information security.) Overall, while FHFA took action to address the four internal
control and accounting procedures-related recommendations that remain open,
more work is needed to fully resolve the underlying control issues. Similarly, with
respect to internal control weaknesses over information security that resulted from
FHFA’s inability to fully implement an overall information security program as we
previously recommended, FHFA had actions in process.

In commenting on a draft of this report, FHFA agreed with our recommendation and
described actions it has taken, or plans to take, to address the payroll-related control
issue described in this report. At the end of our discussion of the payroll-related
issue that we identified, we have summarized FHFA’s related comments and
corrective actions cited. We will evaluate the effectiveness of FHFA’s corrective
actions as part of our fiscal year 2012 audit. We have also reprinted FHFA’s
comments in their entirety in enclosure III.

Scope and Methodology

As part of our audit of FHFA’s fiscal years 2011 and 2010 financial statements, we
evaluated FHFA’s internal controls and tested its compliance with selected
provisions of laws and regulations. We designed our audit procedures to test
relevant controls over financial reporting, including those designed to provide
reasonable assurance that transactions are properly recorded, processed, and
summarized to permit the preparation of FHFA’s financial statements in conformity
with U.S. generally accepted accounting principles.

We performed our audit of FHFA’s fiscal years 2011 and 2010 financial statements
in accordance with U.S. generally accepted government auditing standards. We
believe that our audit provided a reasonable basis for our conclusions in this report.
Further details on our audit methodology are presented in enclosure IV.

Payroll Calculations

During our testing of payroll expense transactions conducted as part of our fiscal
year 2011 audit, we found that FHFA did not have controls in place to ensure the
integrity of payroll information processed by the U.S. Department of Agriculture’s
National Finance Center (NFC), FHFA’s service provider for its payroll processing.
Specifically, FHFA had not identified that NFC was not withholding Medicare taxes
to be paid for FHFA employees’ salaries during a portion of fiscal year 2011.




   `3
Page                                                                       GAO-12-499R
 NFC performs payroll/personnel processing for FHFA under the terms of an
interagency agreement. Under the agreement, NFC is to (1) provide accurate and
timely salary payments, (2) receive, review, and correct error conditions on
submitted time and attendance (T&A) records and contact the agency if required to
obtain necessary information, (3) record and maintain an official "system of record"
for payroll and personnel data for all FHFA employees, (4) support and operate the
interface with the Office of Personnel Management (OPM) to update the Central
Personnel Data File and Enterprise Human Resources Integration Warehouse with
personnel data for all of FHFA’s employees, 6 (5) design, develop, and implement
program development services to ensure compliance with mandated regulations,
enhancements, and modifications (i.e., annual pay raise, tax law changes, among
others), and (6) receive, assign, monitor, and complete the processing of manual
transactions initiated by FHFA within a specified timeframe based on complexity.
Beginning in pay period 11 of 2011 (May 22 through June 4, 2011) and continuing
through pay period 21 (October 9 through October 22, 2011), as the result of an
issue with NFC’s Special Payroll Processing System (SPPS), certain manual
payments, such as wellness reimbursements, processed by SPPS, were not
included in the calculation of the amount of Medicare tax to be withheld for FHFA
employees who had met their annual Federal Insurance Contributions Act (FICA)
maximum. 7 As a result, NFC did not withhold any Medicare taxes, either the
employee or employer portion, on the manual payments to those FHFA employees
during these 2011 pay periods. FHFA was unaware of this issue until we identified it
during our audit testing.

Standards for Internal Control in the Federal Government states that management
needs to comprehensively identify risks, considering all significant interactions
between the entity and service providers at both the entity wide and activity level,
and based upon the significance of the risk, decide what actions to take to manage
the risk. In addition, the Office of Management and Budget’s (OMB) Circular A-123
(A-123) and its related implementation guide require agencies to annually assess
the effectiveness of their internal control over financial reporting and to provide a
statement of assurance attesting to whether these internal controls are effective.
The A-123 guide requires agencies to develop and document a thorough
understanding of their financial reporting operations and how these operations are
supported by automated systems. This includes determining which specific systems

6
  The Central Personnel Data File is an automated information system containing individual records for most
Federal civilian employees. The system's primary objective is to provide a readily accessible database for
meeting the workforce information needs of the White House, the Congress, OPM, other Federal agencies, and
the public. OPM’s Enterprise Human Resources Integration (EHRI) Program's Data Warehouse is the
Government's premier source for integrated Federal workforce information. The system currently collects,
integrates, and publishes data for 2.0 million Executive Branch employees on a bi-weekly basis, supporting
agency and governmentwide analytics.

7
 Federal Insurance Contributions Act (FICA) taxes are comprised of social security and Medicare taxes. Most
employees and employers each pay a specified percentage (in 2011 social security tax rate was 4.2 percent and
Medicare was 1.45 percent) of payroll wages for social security and Medicare taxes. The social security tax is
only applied on an employee’s salary up to a maximum amount. When an employee reaches the maximum
payment, social security taxes are no longer deducted until the next calendar year. However, there is no
maximum amount for earnings subject to the Medicare taxes portion of FICA.




    Page 4                                                                                    GAO-12-499R
are involved in the financial reporting process, whether classes of transactions
identified are significant to the financial reporting process, and determining whether
each system is controlled by the agency or by an external service provider. For
those systems that are controlled by an external service provider, agencies are to
coordinate with the service provider to obtain an annual assurance statement that
highlights key controls and the results of annual testing, and if available, to review
the most recent report on the service provider’s internal controls prepared in
accordance with Statement on Standards for Attestation Engagements (SSAE) No.
16. 8 For its financial reporting process, FHFA places extensive reliance on systems
that are controlled by external service providers, including the processing of its
payroll by NFC. The A-123 guide specifies that such systems are considered part of
an entity’s information system, and should therefore be considered in making an
assessment of the effectiveness of the entity’s internal control over financial
reporting. The A-123 guide describes the nature of the procedures which could be
used to monitor internal control over such service providers:

    1. Perform tests of entity internal control over the activities of the service
       provider,

    2. Perform tests of internal control at the service provider, or

    3. Review reports prepared on the service provider in accordance with
       applicable standards.

While NFC is responsible for maintaining adequate controls to ensure the accuracy
and completeness of the payroll transactions it processes for its customer agencies
(including FHFA), it is important that customer agencies gain an understanding of
NFC’s control environment, assess the risk of errors occurring in that environment,
and establish compensating controls to address those risks. In reviewing FHFA’s A-
123 assessment documentation for fiscal year 2011, we did not find that FHFA
performed any of the procedures noted above in assessing the effectiveness of
NFC’s internal controls. In addition, FHFA did not have procedures in place that
would have enabled it to detect the errors that resulted from the systemic problem
with NFC’s SPPS.

Without an assessment of the risk of errors in the financial information provided to
FHFA by NFC and compensating controls to identify and correct any errors, the risk
is increased that such errors could go undetected and result in misstatements to
amounts reported for expenditures and accrued liabilities in FHFA’s financial
statements.




8
  SSAE 16 reports refer to reports typically prepared by an independent auditor based on a review of the controls
relevant to user entities’ internal control over financial reporting as discussed in the American Institute of Certified
Public Accountants’ Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls
at a Service Organization. A service organization provides services to the entity whose financial statements are
being audited.


   `5
Page                                                                                                  GAO-12-499R
Recommendation


To identify and address any NFC errors in processing FHFA payroll, we recommend
that you direct the Chief Financial Officer to develop and implement a process to
assess and address the risk to FHFA from any internal control issues at NFC
including, as appropriate, any compensating controls commensurate with any
identified risk.

FHFA Comments and Our Evaluation

In its May 9, 2012, comments on our draft report, FHFA agreed with the
recommendation and cited actions it has taken, or intends to take, to address the
payroll-related internal control issue we identified. For example, FHFA stated that it
had instituted a formal quality control process to verify withholdings on all SPPS
payments prior to release in the NFC system. In addition, FHFA stated that it will
include a review of payroll calculations as part of its annual review for compliance
with OMB A-123. FHFA’s stated actions, if effectively implemented, should reduce
the risk of payroll-processing errors occurring and going undetected by FHFA. We
will more fully evaluate the effectiveness of the agency’s corrective actions during
our fiscal year 2012 financial audit.

Information Security Program

During our audit of FHFA’s fiscal year 2011 financial statements, we found that
FHFA had not fully implemented its information security program as we have
recommended in previous reports, and this lack resulted in several new information
systems vulnerabilities during the fiscal year. 9 Specifically, as discussed in greater
detail in the following sections, we found that FHFA had not consistently or fully
implemented controls for (1) identifying and authenticating users, (2) authorizing
access to resources, (3) managing system configurations, and (4) protecting system
and network boundaries on information systems owned and operated by FHFA or on
behalf of FHFA by service provider organizations.

FISMA requires each agency to develop, document, and implement an agencywide
information security program to provide information security for the information and
information systems that support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or other source. 10 In our
review we found the following vulnerabilities.




9
GAO, Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls,
GAO-10-528 (Washington, D.C.: April 30, 2010).
10
  Information security means protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification or destruction in order to provide (1) integrity, which means guarding against
improper information modification or destruction, and includes ensuring information non-repudiation and
authenticity; (2) confidentiality, which means preserving authorized restrictions on access and disclosure,
including means for protecting personal privacy and proprietary information; and (3) availability, which means
ensuring timely and reliable access to and use of information.

    Page 6                                                                                          GAO-12-499R
Identification and Authentication of Users

A computer system needs to be able to identify and authenticate each user so that
activities on the system can be linked and traced to a specific individual. An
organization does this by assigning a unique user account to each user, and in so
doing, the system is able to distinguish one user from another—a process called
identification. The system also needs to establish the validity of a user’s claimed
identity by requesting some kind of information, such as a password, that is known
only by the user—a process known as authentication. The combination of
identification and authentication—such as user account-password combinations—
provides the basis for establishing individual accountability and for controlling access
to the system. However, our 2011 review found FHFA did not ensure that
appropriate password management controls were implemented on key systems we
reviewed at both FHFA and an FHFA service provider. In addition, FHFA did not
enforce disabling of inactive user accounts on one of its systems. As a result, an
increased risk exists that FHFA accounts could be compromised and used by
unauthorized individuals to access sensitive information.

Authorization Controls

Authorization is the process of granting or denying access rights and permissions to
a protected resource, such as a network, a system, an application, a function, or a
file. A key component of granting or denying access rights is the concept of “least
privilege.” Least privilege is a basic principle for securing computer resources and
data that means that users are granted only those access rights and permissions
that they need to perform their official duties. However, our 2011 review found both
FHFA and an FHFA service provider granted users excessive levels of access
privileges and permissions that were not required to perform their job. As a result,
FHFA data could be inappropriately modified, either inadvertently or deliberately.

Configuration Management

Configuration management involves, among other things, (1) verifying the
correctness of the security settings in the operating systems, applications, or
computing and network devices and (2) obtaining reasonable assurance that
systems are configured and operating securely and as intended. Patch
management, a component of configuration management, is an important element in
mitigating the risks associated with software vulnerabilities. When a software
vulnerability is discovered, the software vendor may develop and distribute a patch
or work-around to mitigate the vulnerability. Without the patch, an attacker can
exploit a software vulnerability to read, modify, or delete sensitive information;
disrupt operations; or launch attacks against systems at another organization.
Nevertheless, servers for systems used by FHFA had not been consistently patched
in a timely manner. In addition, FHFA devices were not always securely configured.
Specifically, FHFA did not properly configure a test server, and network
vulnerabilities existed on multiple network devices. Failing to apply critical patches
and the appropriate configuration settings for systems and network devices
increases the risk of exposing systems to vulnerabilities that could be exploited.



   `7
Page                                                                       GAO-12-499R
Boundary Protection

Boundary protection involves the protection of a logical or physical boundary around
a set of information resources and implementation of measures to prevent
unauthorized information exchange across the boundary in either direction. Firewall
devices represent the most common boundary protection technology at the network
level. However, during our 2011 review, we found FHFA service-provider network
firewalls did not sufficiently log network traffic across the devices. In addition,
controls were insufficient to ensure firewalls operating on systems that we reviewed
appropriately restricted access to the systems. These weaknesses increase the risk
that malicious activity could occur and escape detection.

The underlying cause of the vulnerabilities we identified in fiscal year 2011 is that
FHFA has not fully implemented our previous recommendations related to FHFA’s
information security program. For example, we have previously reported that FHFA
did not always effectively monitor its systems. This lack of monitoring contributes, in
part, to the new control issues we identified in our 2011 review. These new and
continuing control issues increase the risk that (1) contractors or other users with
privileged access could gain unauthorized access to or improperly use agency
financial systems, applications, and information, and (2) unauthorized system
changes could be implemented. Until FHFA mitigates its control deficiencies by fully
implementing an effective information security program, increased risk exists that its
financial and support systems and the information they contain will be subject to
unauthorized access, use, disclosure, disruption, modification, or destruction.

Status of Prior Years’ Audit Recommendations

At the beginning of our fiscal year 2011 financial audit, 19 recommendations to
improve FHFA’s financial operations from our prior audits remained open and
therefore required corrective action by FHFA. In the course of performing our fiscal
year 2011 financial audit, we identified numerous actions taken by FHFA to address
many of the internal control issues related to these recommendations. On the basis
of our 2011 review of FHFA’s actions, we closed 11 of our prior years’ audit
recommendations.

Specifically, at the beginning of our 2011 audit, six recommendations related to
accounting procedures remained open. As of the completion of our 2011 audit,
FHFA had taken action to fully address two of the six recommendations. (See
enclosure I.) However, more work is needed to fully resolve the underlying control
issues for the remaining four accounting procedures related recommendations. The
four recommendations that remained open as of the completion date of our fiscal
year 2011 financial audit relate to invoice payment procedures, undelivered orders,
and expense accruals. Although FHFA updated its Administrative Accounting
Manual and developed additional documented procedures and training materials in
response to our recommendations on invoice payment procedures and the
calculation of undelivered orders balances and accruals, we continued to find
problems during our audit testing with the mathematical accuracy of invoices,
accurate reporting of undelivered order balances, and the calculation of year-end
accruals. The errors we identified in our 2011 audit were not material to the fiscal

Page 8                                                                     GAO-12-499R
year 2011 financial statements, but the continuation of such errors indicates that
further efforts are needed to routinely enforce procedures related to these areas.


In addition, at the beginning of our fiscal year 2011 audit, 13 recommendations
related to information systems controls remained open. As of the completion of our
audit, FHFA had taken action to fully address 9 of the 13 recommendations. (See
enclosure II.) FHFA continues to take actions to establish an overall information
security management program. However, more work is needed to fully resolve the
control issues for the remaining four recommendations related to information
systems controls. Specifically, the recommendations that remained open at the
close of the fiscal year 2011 audit relate to logical access controls and FHFA’s
information security program. Although FHFA has made progress in addressing
these recommendations, additional work is required before these issues are fully
resolved. For example, FHFA completed continuous monitoring reports that
summarize monitoring activities by the agency; however, it had not yet developed
policies and procedures for monitoring third party service organization staff and
contractors. In addition, FHFA had developed procedures for an annual risk
assessment of FHFA contractor systems, but the procedures did not specifically
address the assessment of security reviews and plans of action and milestones
developed by BPD and contractors. 11 During our fiscal year 2012 audit, we will
assess the implementation of any new procedures developed by FHFA to address
our recommendations related to information systems controls.
                                                _______


This report contains recommendations to you. The head of a federal agency is
required by 31 U.S.C. § 720 to submit a written statement on actions taken on these
recommendations. You should submit your statement to the Senate Committee on
Homeland Security and Governmental Affairs and the House Committee on
Oversight and Government Reform within 60 days of the date of this report. A written
statement must also be sent to the House and Senate Committees on
Appropriations with the agency’s first request for appropriations made more than 60
days after the date of this report.

This report is intended for use by FHFA management. We are sending copies of this
report to the Chairman and Ranking Member of the Senate Committee on Banking,
Housing, and Urban Affairs; the Chairman and Ranking Member of the House
Committee on Financial Services; the Chairman of the Federal Housing Finance
Oversight Board; the Secretary of the Treasury; the Secretary of Housing and Urban
Development; the Chairman of the Securities and Exchange Commission; the
Director of the Office of Management and Budget; and other interested parties. In
addition, this report will be available at no charge on GAO’s web site at
http://www.gao.gov.



11
  FHFA outsources its financial management services to the Department of the Treasury Bureau of the Public
Debt Administrative Resource Center. Oracle Corporation staff serve as database and systems administrators
and provide backup and recovery services for FHFA’s financial information.


   `9
Page                                                                                         GAO-12-499R
We acknowledge and appreciate the cooperation and assistance provided by FHFA
management and staff during our audit of FHFA’s fiscal years 2011 and 2010
financial statements. If you have any questions about this report or need assistance
in addressing these issues, please contact Steven Sebastian at (202) 512-3406 or
sebastians@gao.gov or Gregory Wilshusen at (202) 512-6244 or
wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and
Public Affairs may be found on the last page of this report. GAO staff who made
major contributions to this report are Peggy Smith, Assistant Director (FMA); Vijay
D’Sousa, Assistant Director (IT); William E. Brown, Senior Analyst; and Shaunyce
Wallace, Senior Analyst.


Sincerely yours,




Steven J. Sebastian
Managing Director
Financial Management and Assurance




Gregory C. Wilshusen
Director
Information Security Issues

Enclosures – 4




Page 10                                                                 GAO-12-499R
Enclosure I: Status of Prior Recommendations


This enclosure presents the status of the six remaining open recommendations
initially reported in GAO's April 29, 2011 and June 3, 2010 management reports. 12
The recommendations are grouped according to deficiency areas specified in the
management reports.

Table 1: Status of Recommendations from GAO's 2010 and 2009 Management Reports at the end of
GAO's Audit of the Federal Housing Finance Agency's (FHFA) Fiscal Year 2011 Financial Statements.
                                                                                Status of corrective
                                                                                       action
                                                                      Year                      In
Audit area                                                          initially  Completed progress
                                                                   reported
Disposal of capitalized property and equipment
     1.   Establish a mechanism to monitor compliance with policies
          and procedures surrounding the proper disposal of capitalized     2010      X
          property and equipment.
     2.   Update the Property Management Policy to include
          procedures for how to properly document approval before                     X
                                                                            2010
          disposal of FHFA assets.

Invoice payment procedures
     3. Enhance FHFA’s Invoice and Payment Desktop Procedures to
        include detailed instructions on how to verify the accuracy of      2010                  X
        invoice amounts prior to payment.
Undelivered orders
     4.Enhance the Administrative Accounting Manual by
       incorporating specific, detailed steps for the contracting officer                         X
       technical representatives (COTR) review of contract balances,        2009
       including the use of the open obligations report provided by
       the Bureau of the Public Debt in the COTR review process.
  5.   Enhance the Administrative Accounting Manual by including
       specific, detailed steps on when and how to properly account         2009                  X
       for obligating and deobligating contract amounts.
Expense accruals
     6.   Enhance training materials related to accruals to include
          examples of expenses that should and should not be accrued                              X
                                                                            2009
          at the end of an accounting period.


Source: GAO analysis of FHFA data.




12
  GAO, Management Report: Opportunities for Improvements in FHFA’s Internal Controls and Accounting
Procedures, GAO-11-398R (Washington, D.C.: Apr. 29, 2011). GAO, Management Report: Opportunities for
Improvements in FHFA’s Internal Controls and Accounting Procedures, GAO-10-587R (Washington, D.C.: June
3, 2010).


   ` 11
Page                                                                                      GAO-12-499R
Enclosure II: Status of Prior Recommendations from GAO's Fiscal Year 2009
Information Security Management Report

This enclosure presents the status of the 13 remaining open recommendations
initially reported in GAO's April 30, 2010 information security management report. 13
The recommendations are grouped according to deficiency areas specified in that
management report.




                                      (Please see next page.)




13
  GAO, Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls,
GAO-10-528 (Washington, D.C.: Apr. 30, 2010).

 Page 12                                                                                      GAO-12-499R
Table 2: Status of Recommendations from GAO's 2009 Information Security Management
Report at the end of GAO's Audit of the Federal Housing Finance Agency's (FHFA) Fiscal Year
2010 Financial Statements.
                                                                                           Status of corrective
                                                                                Year              action
                                                                              initially                    In
                                                                             reported     Completed    progress
Audit Area

Logical access controls
1.    Maintain network access authorizations for every agency network         2009                        X
      user.
2.    Review current access to network files and directories containing                                   X
                                                                              2009
      confidential information and restrict access to personnel with an
      authorized need to access that information.
Controls over physical access
3.    Secure areas that contain information technology equipment and          2009            X
      sensitive information.
4.    Complete sufficient physical security policies to address protection
      of agency assets, including incident response, access                   2009            X
      authorizations, and environmental safety controls.
5.    Perform physical security risk assessments at key facilities.           2009            X

6.    Develop, document, and implement monitoring procedures to
      ensure that physical access authorizations to secure areas              2009            X
      containing sensitive computer resources, including server rooms
      and sensitive information, are current and controlled.
7.    Develop, document, and implement monitoring procedures and
      install appropriate equipment to ensure that FHFA can detect and        2009            X
      respond to potential physical security incidents.
8.    Increase employees' awareness of the need to enforce physical           2009            X
      security safeguards.
Improvements to FHFA's information security program
9.    Develop, document, and implement procedures enforcing                   2009            X
      separation of incompatible duties among personnel.
10.   Finalize, approve, and implement configuration management               2009            X
      policies and procedures.
11.   Approve and test continuity of operations and disaster recovery         2009            X
      plans.
12.   Develop, document, and implement procedures to monitor access                                       X
      to agency financial information by the Bureau of the Public Debt        2009
      (BPD) and Oracle Corporation staff and contractors.
13.  Develop, document, and implement procedures to assess all                                            X
     security reviews and plans of action and milestones developed by         2009
     BPD and Oracle Corporation staff and contractors.
Source: GAO analysis of FHFA data.




   ` 13
Page                                                                                              GAO-12-499R
Enclosure III: Comments from the Federal Housing Finance Agency




Page 14                                                       GAO-12-499R
   ` 15
Page      GAO-12-499R
Enclosure IV: Audit Scope and Methodology

To fulfill our responsibilities as auditor of the financial statements of the Federal
Housing Finance Agency (FHFA), our audit work included the following:

   •   examined, on a test basis, evidence supporting the amounts and disclosures
       in the financial statements;

   •   assessed the accounting principles used and significant estimates made by
       FHFA management;

   •   evaluated the overall presentation of the financial statements;

   •   obtained an understanding of the entity and its operations, including its
       internal control over financial reporting;

   •   considered FHFA’s process for evaluating and reporting on internal control
       over financial reporting that FHFA is required to perform by 31 U.S.C. § 3512
       (c), (d), commonly known as the Federal Managers’ Financial Integrity Act of
       1982;

   •   assessed the risk that a material misstatement exists in the financial
       statements and the risk that a material weakness exists in internal control
       over financial reporting;
   •   evaluated the design and operating effectiveness of internal control over
       financial reporting based on the assessed risk;

   •   tested relevant internal control over financial reporting;

   •   tested compliance with selected provisions of the following laws and their
       related regulations: 31 U.S.C. § 3902 (a), (b), (f) – Interest penalties under the
       Prompt Payment Act; 31 U.S.C. § 3904 – Limitations on Discount Payments
       Under the Prompt Payment Act; 5 U.S.C. § 5313 – Positions at level II; 12
       U.S.C. § 4515 – Personnel; 12 U.S.C. § 4517(h) – Appointment of
       accountants, economists, and examiners; Continuing Appropriations Act,
       2011, as amended by Continuing Appropriations and Surface Transportation
       Extensions Act, 2011; Presidential Memorandum on Freezing Federal
       Employee Pay Schedules and Rates That Are Set by Administrative
       Discretion, 75 Fed. Reg. 81829 (Dec. 29, 2010); Federal Employees'
       Retirement System Act of 1986, as amended; Social Security Act of 1935, as
       amended; Federal Employees Health Benefits Act of 1959, as amended; 12
       C.F.R. Part 1206 – Assessments; and Federal Housing Enterprises Financial
       Safety and Soundness Act of 1992, as amended by the Housing and
       Economic Recovery Act of 2008; and




Page 16                                                                       GAO-12-499R
     •   evaluated information security controls based on our Federal Information
         System Controls Audit Manual14 which contains guidance for reviewing
         information systems.




(196256)



14
 GAO, Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G (Washington, D.C.: February 2009).




   ` 17
Page                                                                                               GAO-12-499R
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
                      The Government Accountability Office, the audit, evaluation, and
GAO’s Mission         investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.