Issue Date September 8, 2008 Audit Report Number 2008-KC-0006 TO: Brian D. Montgomery, Assistant Secretary for Housing – Federal Housing Commissioner, H //signed// FROM: Ronald J. Hosking, Regional Inspector General for Audit, 7AGA SUBJECT: HUD’s Office of Single Family Housing Had Not Fully Implemented an Internal Control Structure in Accordance with Requirements HIGHLIGHTS What We Audited and Why We audited the U.S. Department of Housing and Urban Development’s (HUD) Office of Single Family Housing (Single Family). This review was performed due to concerns over the expected increase in Federal Housing Administration (FHA)-insured loans generated by newly implemented and proposed FHA programs. The objective of our audit was to determine whether Single Family had implemented an internal control structure in accordance with Government Accountability Office (GAO) internal control standards and HUD requirements. What We Found Single Family had not fully implemented an internal control structure in accordance with GAO internal control standards and HUD requirements. Specifically, it did not (1) perform a formal, systematic annual risk assessment of its programs and administrative functions, (2) plan and conduct ongoing management control reviews or alternative management control reviews of its programs, (3) establish an overall strategy regarding its risk-based monitoring of program activities and participants, or (4) identify corrective actions required to improve its management controls in a timely manner. Recent events in the housing industry have driven significant increases in Single Family’s responsibilities and associated risks regarding its FHA mortgage insurance program. HUD reports show that in the past year, FHA endorsements have increased by nearly 86 percent. Given the increasing business that Single Family currently experiences and will likely continue to experience, it is imperative that Single Family quickly implement an effective internal control structure to help it ensure that its programs, activities, and functions operate efficiently and effectively. Such action is critical to ensure the lasting integrity of the FHA insurance fund. What We Recommend We recommend that HUD ensure that Single Family managers and staff fully implement an acceptable internal control structure by preparing and implementing effective written policies and procedures that comply with the GAO internal control standards and HUD Handbook 1840.1 requirements. For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit. Auditee’s Response We provided the draft report to Single Family officials on July 21, 2008, and initially requested their response by August 20, 2008. We extended the response due date to August 29, 2008, when we provided a revised draft to the officials. Based on a subsequent request from Single Family, we granted an additional extension to September 2, 2008. We received the written response on September 2, 2008. Single Family officials reiterated information that they had provided during the audit and agreed to take actions to address our recommendation to fully implement an acceptable internal control structure. The complete text of the auditee’s response, along with our evaluation of that response, can be found in appendix A of this report. 2 TABLE OF CONTENTS Background and Objectives 4 Results of Audit Finding: Single Family Had Not Fully Implemented an Internal Control Structure in Accordance with Requirements 6 Scope and Methodology 16 Internal Controls 17 Appendixes A. Auditee Comments and OIG’s Evaluation 19 3 BACKGROUND AND OBJECTIVES The U.S. Department of Housing and Urban Development’s (HUD) Office of Single Family Housing (Single Family) is responsible for the overall management, policy direction, and administration of all single-family programs authorized under Titles I and II of the National Housing Act of 1934. One of its major responsibilities is to manage the Federal Housing Administration (FHA) insurance program. FHA is one of the largest insurers of mortgages in the world, having insured more than 34 million mortgages since its inception in 1934. In 1994, the Government Accountability Office (GAO) first identified Single Family’s mortgage insurance program as high risk. In January 2007, GAO removed Single Family from the high-risk list. GAO stated that HUD had demonstrated commitment to and progress in addressing weaknesses in the single-family mortgage insurance program. Specifically, HUD had improved its oversight of lenders and appraisers, and issued or proposed regulations to strengthen lender accountability and combat predatory lending practices. However, GAO also cautioned that HUD's corrective actions were in the early stages of implementation and additional steps were needed to resolve ongoing problems. In addition, it pointed out that HUD continued to grant loan underwriting authority to lenders that had not met the agency's performance standards. It also pointed out weaknesses in HUD's process for paying single-family property management contractors made the agency vulnerable to questionable and potentially fraudulent payments. GAO stressed that Single Family needed to continue to place a high priority on efficient and effective management of its programs and pointed out that proposed program changes could introduce new risks and oversight challenges. Specifically, Single Family had proposed changes to its mortgage insurance program that would increase the size of the mortgages that FHA could insure, give HUD flexibility to set insurance premiums based on the credit risk of borrowers, and reduce downpayment requirements from the current 3 percent to as low as zero percent. In addition, HUD had seen a dramatic increase in FHA-insured home equity conversion (also known as “reverse”) mortgages. GAO concluded that as a result of this increase, Single Family would be challenged to develop adequate systems to account for these loans. GAO’s Standards for Internal Control in Federal Government provide the overall framework for establishing and maintaining internal control (management control) and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. GAO includes five standards for internal control that define the minimum level of quality acceptable for internal control in government and provide the basis against which internal control is to be evaluated: control environment, risk assessment, control activities, information and communication, and monitoring. HUD Handbook 1840.1, REV-3, dated February 1999, establishes HUD’s internal control program to ensure compliance with federal requirements related to internal 4 controls. The handbook details the roles and responsibilities of individual program offices with respect to the internal controls over HUD programs and administrative functions. The handbook also details processes that each program office must follow to establish and maintain a cost-effective system of internal controls that provides reasonable assurance that programs and activities are effectively and efficiently managed and protects against fraud, waste, abuse, and mismanagement. Our audit objective was to determine whether Single Family had implemented a control structure that met GAO internal control standards and HUD Handbook 1840.1 requirements. 5 RESULTS OF AUDIT Finding: Single Family Had Not Fully Implemented an Internal Control Structure in Accordance with Requirements Single Family had not fully implemented an internal control structure in accordance with GAO internal control standards and HUD requirements. Single Family developed what it believed to be an acceptable alternative internal control process. As a result, Single Family lacked assurance that its programs, activities, and functions operated efficiently and effectively. The lack of an acceptable internal control structure also increased the risk of fraud, waste, and abuse in Single Family’s new, anticipated, and existing programs. Single Family had not fully implemented an internal control structure that met GAO internal control standards and the requirements in HUD Handbook 1840.1, Departmental Management Control Program. Specifically, it did not (1) perform a formal, systematic annual risk assessment of its programs and administrative functions, (2) plan and conduct ongoing management control reviews or alternative management control reviews of its programs, (3) establish an overall strategy regarding its risk-based monitoring of program activities and participants, or (4) identify corrective actions required to improve its management controls in a timely manner. Since 1983, GAO has provided minimum standards for internal control in government. The 1982 Federal Manager’s Financial Integrity Act (the Act) required agency heads to establish a continuous process for assessing and improving their agencies’ internal controls and to annually report on the status of their efforts. The Act also required GAO to issue internal control standards that agencies must follow. GAO issued these standards in 1983. In later years, the U.S. Congress passed additional legislation that increased the emphasis on internal controls. GAO most recently revised the internal control standards in 1999. The internal control standards provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. To meet these federal internal control requirements, HUD issued Handbook 1840.1. The handbook establishes a systematic process that includes specific roles and responsibilities for all HUD managers. It provides policies, procedures, and guidance for carrying out an effective internal control process for all HUD programs and activities. Single Family’s responsibilities and associated risks regarding its FHA mortgage insurance program have recently increased, making it critical that Single Family quickly implement an effective internal control structure. According to HUD, FHA endorsements have increased 6 by nearly 86 percent in the past year. FHA’s business will likely continue to increase due to changes in the housing industry, implementation of new FHA-related programs, and changes in existing programs. Therefore, Single Family needs to have an effective internal control structure in place to help it ensure that its programs, activities, and functions operate efficiently and effectively. Formal, Systematic Annual Risk Assessment Process Not Performed Single Family did not perform a formal, systematic annual risk assessment of all of its programs and administrative functions. A risk assessment is the identification and analysis of relevant risks associated with achieving objectives and forming a basis for determining how risks should be managed. HUD Handbook 1840.1 explains that key aspects of risk assessment include analyses of the general control environment and inherent risks and an evaluation of the adequacy of existing controls. The handbook also states that HUD managers should assign individual programs and administrative functions an annual risk rating of low, medium, or high, using the HUD risk assessment worksheet. HUD managers are to use the risk ratings as part of their overall risk assessment of agency controls and to provide senior officials with information for reporting on agency controls as required by the Act. Further, the handbook states that managers should develop and maintain adequate written documentation of each risk analysis and risk rating they have conducted on their programs and functions. The handbook points out that this information would be useful for reviewing the validity of conclusions reached and performing subsequent assessments and reviews. Single Family officials were not able to provide documentation to show that they had completed HUD’s annual risk assessment requirements. Single Family certified to HUD’s Office of the Chief Financial Officer in fiscal years 2006 and 2007 that it evaluated the adequacy of its internal controls and used the risk management worksheet for program and administrative functions to guide its evaluation. However, Single Family officials stated that they did not complete the risk management worksheet in either fiscal year 2006 or 2007, nor could they provide evidence of any other form of annual risk assessment of Single Family’s programs and functions. 7 Management Control Reviews Not Performed Single Family did not plan and conduct ongoing management control reviews or alternative management control reviews. HUD Handbook 1840.1 states that managers must plan and conduct ongoing evaluations of internal (management) controls to ensure that the controls remain effective and efficient and function as intended. The handbook identifies two basic types of evaluations: management control reviews and alternative management control reviews. Management control reviews are comprehensive and detailed reviews of operations in a functional area. Alternative reviews are evaluations of the control techniques in a functional area using a more limited scope methodology than the management control reviews. The purpose of these reviews is to evaluate a program, system, accounting function, or administrative activity to determine whether adequate control techniques exist and to identify material or other weaknesses in internal controls. Single Family could not provide any management control reviews from fiscal years 2006 and 2007. For this same period, Single Family provided only two reviews that it considered to be alternative management control reviews. However, one of the reviews did not qualify as an alternative management control review, and Single Family had not completed all requirements for the other review. • One review did not meet the objective of an alternative management control review. The study addressed whether a statistical correlation existed between lenders’ default and claims rates and the acceptability of lenders’ underwriting and loan documentation on insured loans. The study was not intended to evaluate and address identified internal control weaknesses, as is the intent of alternative management control reviews. • The second review generally addressed the intent of alternative management control reviews but did not identify all required elements. The review focused on assessing and improving a process, and it documented the type and scope of the review, Single Family’s findings, and a future corrective action. However, the review did not identify the responsible official, nor did it include a detailed description of the process used in testing the systems. 8 Overall Risk-Based Monitoring Strategy Not Established Single Family did not establish an overall strategy regarding its risk-based monitoring of program activities and participants. HUD Handbook 1840.1 requires program office directors to develop specific risk-based monitoring strategies, including risk-based rating systems for program participants. The handbook emphasizes that because conditions change over time, management needs to determine whether internal controls continue to effectively address new or changed risks. Risk-based monitoring is a strategy for identifying program activities and participants that represent the greatest risk and are the most susceptible to fraud, waste, and mismanagement and targeting management attention and resources to those activities and participants. The overall objective of the risk-based monitoring process is to allocate a larger share of monitoring resources to program functions posing the highest risk. Recent Office of Inspector General (OIG) and private contractor reports have identified areas in which Single Family could strengthen internal controls or needs to implement or improve controls to avoid material weaknesses. Single Family may have had a better opportunity to identify these internal control issues by practicing risk-based monitoring. For example, OIG recently reported a need for Single Family to strengthen its monitoring of HUD’s homeownership centers (OIG report #2008-KC- 0001, issued January 2008). The homeownership centers are tasked with ensuring that FHA-approved lenders comply with HUD lending requirements and resolving deficiencies identified. The homeownership centers did not always resolve materially deficient and potentially fraudulent loans consistently. In another example, a private contractor recently reported similar problems in its front-end risk assessment of Single Family’s lender insurance program. In its June 2007 report, the contractor rated the Single Family lender insurance program’s organizational structure as unsatisfactory. The contractor identified the lack of centralized monitoring of HUD’s homeownership centers’ compliance activities as one of the reasons for the unsatisfactory rating. It also noted that although the homeownership centers had responsibility for ensuring lender compliance, there was a lack of ongoing monitoring of the homeownership centers’ activities to ensure that they performed their compliance duties. For example, Single Family did not employ centralized monitoring of the removal of nonperforming lenders to ensure that they were not inadvertently allowed to remain in the program. 9 In another recent report, OIG’s contracted independent auditors identified other problems that occurred, in part, due to the lack of risk-based monitoring. The independent auditor’s report on FHA’s fiscal year 2007 financial statements (OIG report #2008-FO-0002, issued November 2007) identified two material weaknesses related to home equity conversion mortgages (reverse mortgages), caused in part by • A lack of a comprehensive, documented, program-level risk assessment; • A lack of an effective process to document FHA’s conclusions regarding results of its validation review; and • A lack of employee understanding of system security responsibilities due to an ineffective organizational authority and insufficient staff resources. The report also noted that most of the control weaknesses were specific to the reverse mortgage program; however, the weaknesses may indicate systemic problems within FHA due to the level of inadequate risk assessments and lack of documentation within this program. Single Family should have employed an overall risk-based monitoring strategy to help ensure that (1) homeownership centers resolved loan deficiencies consistently; (2) nonperforming lenders were not inadvertently allowed to remain in the lender insurance program; and (3) the reverse mortgage program operated efficiently and effectively, particularly since this program had dramatically increased in loan volume in recent years. Unsatisfactory Ratings and Corrective Actions Not Provided to Responsible Officials in a Timely Manner Single Family did not notify responsible officials of significant problems identified by a private contractor, nor did it provide the officials with corrective action plans in a timely manner. GAO standards for internal control emphasize that deficiencies identified during ongoing monitoring or through separate evaluations should be communicated to the individual responsible for the function and also to at least one level of management above that individual. Also, serious matters should be reported to top management. HUD Handbook 1840.1 states that management is responsible for the timely identification of corrective actions required to improve management controls. For material weaknesses, corrective action plans are to be submitted to the Chief Financial Officer within 60 calendar days of the final determination of the weakness. For weaknesses not 10 deemed material but significant and requiring corrective actions, plans should be submitted to the Chief Financial Officer within 60 days from identification of the weakness. The private contractor that conducted the front-end risk assessment of the lender insurance program, as described previously, reported its findings to Single Family in June 2007. In addition to rating the Single Family lender insurance program’s organizational structure as unsatisfactory, the contractor reported a lack of single point decision-making authority and accountability to facilitate faster decision making. Accordingly, Single Family managers were slow in implementing specific guidance and procedures affecting the lender insurance program. As of February 2008, Single Family had not briefed the primary organization head on the results of the contractor’s review, nor had it provided a corrective action plan to address the weaknesses identified in the review. Given the importance of the lender oversight function performed by the homeownership centers, Single Family should have promptly notified officials responsible for overseeing its operations, including the primary organization head, of the deficiencies and provided them with corrective action plans. Managers Used Alternative Process They Believed Was Acceptable Single Family developed what it believed to be an acceptable alternative internal control process. Also, in an effort to improve its internal control process, Single Family hired a contractor in October 2007 to develop an internal quality control policies and procedures manual. Single Family expected that the contractor would help it better address its internal control assessment and implementation needs. Handbook 1840.1 directs managers at all levels to identify all risks that may prevent accomplishing program goals and objectives, assess the severity of the risks, implement policies and procedures for controlling the risks, allocate available program resources to effectively manage the risks in a timely manner, and provide objective and timely reporting on the status of the risks. In addition, managers must evaluate, on a regular basis, the effectiveness of controls in their operations. The handbook also states that while various methods may be used to evaluate controls, careful planning, execution, documentation, and reporting are required. The handbook provides a methodology for managers to 11 • Systematically assess the susceptibility of their program or activity to the risk of fraud, waste, abuse, or mismanagement; • Conduct evaluations of the effectiveness of their management controls; • Identify actions and resources needed to correct weaknesses; • Maintain quality control over the program; and • Provide an early warning capability to alert senior management of potential or emerging problems. Single Family managers asserted that although they did not strictly adhere to the systematic methodology in handbook 1840.1, they conducted multiple activities and used various tools that they believed were sufficient to constitute an acceptable internal control structure. Throughout the audit, we requested that Single Family provide documentation and explanations of what it considered elements of its alternative internal control process. This report recognizes and evaluates the information provided during the audit. For example, Single Family periodically conducted strategic planning sessions, which served as brainstorming sessions to discuss operational needs, expected outcomes, staffing assignments to address the needs, target dates, and status updates. However, the strategic planning documents did not demonstrate that the tasks discussed were based on formal risk assessments or management control reviews. Single Family managers also stated that Single Family’s homeownership centers monitored lenders to ensure that they complied with HUD lending requirements and used automated tools such as the Neighborhood Watch Early Warning system and the Credit Watch Termination system in their monitoring efforts. Neighborhood Watch provides loan performance data for lenders and appraisers, by loan types and geographic areas, using FHA-insured single-family loan information. Credit Watch identifies lenders that have originated or sponsored poorly performing loans (i.e., high default and claim rates). While Single Family had various tools with which to conduct its business, these and other operational tools did not substitute for fully implementing an efficient and effective, comprehensive internal control structure. Single Family’s daily functions and tools did not constitute a formal, systematic process for assessing its entire internal control environment, nor did the daily functions and tools serve to validate internal control and operational decisions made by Single Family. Single Family hired a private contractor in October 2007 to develop an internal quality control policies and procedures manual. The intended purpose of the manual was to validate risk management priorities 12 identified by Single Family and to serve as a management tool to ensure that Single Family appropriately addressed areas of material risk. As stated in the contract, the manual was expected to provide guidance to headquarters and homeownership center staff to address, minimize, and mitigate the impact of any issues that constitute financial or programmatic material risks, through regular monitoring, reporting, oversight, and appropriate follow-up. The manual was intended to assist Single Family in implementing a uniform set of policies, procedures, and practices to be consistently followed at HUD headquarters and the homeownership center levels and which would provide a seamless process for identifying, monitoring and overseeing material risk management issues in all program areas. Further, the contractor was to provide an internal quality control plan to enhance the level of consistency in the application of risk management standards governing the execution of program activities. As of the end of our review, the first contract deliverables were not yet due; therefore, we were unable to evaluate the contractor’s work. However, the contractor’s project plan seemed to focus on a list of high- risk priority areas identified by Single Family managers, rather than all programs, activities, and functions. In addition, the project plan and related documents did not explain how Single Family identified the high- priority areas, nor did Single Family provide us with an explanation of or documentation showing how it identified these areas. Single Family Responsibilities Increasing and FHA Program Growing, Increasing Risks Recent events in the housing industry have driven increases in Single Family responsibilities and associated risks with its FHA mortgage insurance program. HUD reports showed that in the past year, FHA endorsements have increased by nearly 86 percent. One reason for the increase was the newly implemented FHASecure program. Under the program, borrowers can refinance their non-FHA fixed or adjustable rate loans into FHA loans if they meet certain eligibility criteria. In April 2008, HUD reported that since it began the FHASecure program in August 2007 it had facilitated more than 150,000 homeowners to refinance their mortgages and estimated that it would likely facilitate loans for 500,000 families by the end of calendar year 2008. FHA’s business had also increased due to increases in home equity conversion (reverse) mortgages. FHA endorsed more than 43,000 reverse mortgages in fiscal year 2005. During fiscal year 2007, FHA endorsed 13 about 108,000 reverse mortgages, an increase of approximately 150 percent. In addition, the Congress recently increased the maximum mortgage amount that FHA can insure, allowing it to insure more, higher-value mortgages. For most single-family homes, HUD raised the maximum mortgage limit by 35 percent, from about $200,000 in low-cost areas to more than $270,000, and by more than 100 percent in high-cost areas, from more than $360,000 to nearly $730,000. Further, the Congress recently passed legislation that created a new FHA program to help at-risk borrowers. Under the program, FHA could insure up to$300 billion in new, less costly mortgages for homeowners who otherwise would not likely qualify for government-insured loans. In summary, Single Family’s responsibilities and associated risks are rapidly and greatly increasing due to changes in the housing industry, implementation of new FHA-related programs, and changes in existing programs. These changes make it imperative for Single Family to quickly implement a comprehensive and effective internal control structure that meets GAO and HUD requirements. Increased Risks Due to Lack of Fully Implemented Internal Control Structure Without a fully implemented internal control structure, Single Family lacked assurance that its programs, activities, and functions operated efficiently and effectively or would do so in the future. This condition increased the risk of fraud, waste, and abuse in its new, anticipated, and existing programs. As GAO stresses, a key factor in helping to achieve agencies’ missions and program results and to minimize operational problems is to implement appropriate internal controls. Effective internal controls also help in managing change to cope with shifting environments and evolving demands and priorities. As programs change and as agencies strive to improve operational processes, management must continually assess and evaluate its internal controls to ensure that the control activities used are effective and updated when necessary. In summary, internal controls serve as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. Single Family has implemented new programs in recent months, is likely to be tasked with additional new programs in the near future, and has made changes to existing programs. Having an acceptable and fully functioning 14 internal control structure that meets GAO and HUD requirements is central to Single Family’s ability to ensure its accountability within HUD’s overall control structure. Recommendation We recommend that HUD’s Assistant Secretary for Housing 1A. Ensure that Single Family managers and staff fully implement an acceptable internal control structure by preparing and implementing effective written policies and procedures that comply with GAO internal control standards and HUD Handbook 1840.1 requirements. 15 SCOPE AND METHODOLOGY Our review covered the period October 2005 through September 2007 and was expanded as necessary. To accomplish our objective, we reviewed GAO’s Standards for Internal Controls and HUD Handbook 1840.1, Departmental Management Control Program, to identify actions that Single Family must perform and document to comply with HUD’s internal control process. We interviewed staff from HUD’s Office of the Chief Financial Officer, Office of Housing (Housing), and Single Family to gain an understanding of their internal control structure. We also interviewed Housing and Single Family officials regarding their processes for • Annually assessing Single Family internal controls, • Completing management control reviews and front-end risk assessments, and • Implementing corrective actions and risk-based monitoring strategies. In addition, we requested that Single Family provide documentation to support its • Completion of the annual risk assessment of its internal controls, any management control reviews or alternative management control reviews performed, and any front-end risk assessments performed during fiscal years 2006 and 2007; • Corrective action process for resolving HUD OIG report recommendations and recommendations resulting from internal evaluations of its controls; and • Overall risk-based monitoring strategy for its three divisions (Office of Single Family Program Development, Office of Single Family Asset Management, and Office of Lender Activities and Program Compliance). We reviewed GAO and HUD OIG reports to determine whether either entity had previously identified noncompliance with internal control standards or HUD Handbook 1840.1. We also reviewed Single Family internal reports, contractor reports, HUD’s 2006 and 2007 performance and accountability reports, business cycle memorandums, and FHA’s fiscal year 2007 financial statements audit. We performed on-site work from October 2007 to March 2008 at HUD headquarters located at 451 7th Street, SW, Washington, DC. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 16 INTERNAL CONTROLS Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved: • Effectiveness and efficiency of operations, • Reliability of financial reporting, and • Compliance with applicable laws and regulations. Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined the following internal controls were relevant to our audit objectives: Single Family’s controls for • Identifying risk related to its programs and/or administrative functions. • Evaluating its programs, systems, accounting functions, and administrative activities to determine whether adequate control techniques exist and to identify material and other weaknesses in internal controls. • Risk-based monitoring to identify and target management attention and resources to program activities and participants that represent the greatest risk to program missions and are the most susceptible to fraud, waste, and mismanagement. • Performing front-end risk assessments to determine the susceptibility to waste, fraud, abuse, and mismanagement of new or substantially revised programs and administrative functions. • Identifying, planning, and implementing corrective actions to improve internal controls. We assessed the relevant controls identified above. 17 A significant weakness exists if management controls do not provide reasonable assurance that the process for planning, organizing, directing, and controlling program operations will meet the organization’s objectives. Significant Weaknesses Based on our review, we believe the following items are significant weaknesses: • Single Family did not perform a formal, systematic annual risk assessment of its programs and administrative functions. • Single Family did not plan and conduct ongoing management control reviews or alternative management control reviews of its programs. • Single Family did not have an overall strategy regarding its risk- based monitoring of activities and participants. • Single Family did not identify corrective actions required to improve its management controls in a timely manner. 18 APPENDIXES Appendix A AUDITEE COMMENTS AND OIG’S EVALUATION Ref to OIG Evaluation Auditee Comments Comment 1 19 Ref to OIG Evaluation Auditee Comments Comment 2 20 Ref to OIG Evaluation Auditee Comments 21 OIG Evaluation of Auditee Comments Comment 1 We revised the draft report to further recognize that Single Family has elements of a control structure in place and is implementing a plan to further address its internal control needs. However, we did not determine whether the new internal plan complies with GAO internal control standards or HUD Handbook 1840.1, REV-3. Comment 2 As stated in the report, we analyzed the process used by Single Family’s board of directors and the operational tools employed, and concluded that these did not substitute for fully implementing an efficient and effective, comprehensive internal control structure. The processes and tools used by Single Family were elements of an internal control structure but did not more than compensate for the requirements stated in HUD Handbook 1840.1, REV-3. 22
HUD's Office of Single Family Housing Had Not Fully Implemented an Internal Control Structure in Accordance with Requirements
Published by the Department of Housing and Urban Development, Office of Inspector General on 2008-09-08.
Below is a raw (and likely hideous) rendition of the original report. (PDF)