
HUD's Office of Single Family Housing Had Not Fully Implemented an Internal Control Structure in Accordance with Requirements

Published by the Department of Housing and Urban Development, Office of Inspector General on 2008-09-08.


Issue Date: September 8, 2008
Audit Report Number: 2008-KC-0006




TO:        Brian D. Montgomery, Assistant Secretary for Housing – Federal Housing
              Commissioner, H

           //signed//
FROM:      Ronald J. Hosking, Regional Inspector General for Audit, 7AGA

SUBJECT: HUD’s Office of Single Family Housing Had Not Fully Implemented an
           Internal Control Structure in Accordance with Requirements



                                HIGHLIGHTS

 What We Audited and Why

             We audited the U.S. Department of Housing and Urban Development’s
             (HUD) Office of Single Family Housing (Single Family). This review
             was performed due to concerns over the expected increase in Federal
             Housing Administration (FHA)-insured loans generated by newly
             implemented and proposed FHA programs. The objective of our audit
             was to determine whether Single Family had implemented an internal
             control structure in accordance with Government Accountability Office
             (GAO) internal control standards and HUD requirements.

 What We Found

             Single Family had not fully implemented an internal control structure in
             accordance with GAO internal control standards and HUD requirements.
             Specifically, it did not (1) perform a formal, systematic annual risk
             assessment of its programs and administrative functions, (2) plan and
             conduct ongoing management control reviews or alternative management
             control reviews of its programs, (3) establish an overall strategy regarding
             its risk-based monitoring of program activities and participants, or (4)
           identify corrective actions required to improve its management controls in
           a timely manner.

           Recent events in the housing industry have driven significant increases in
           Single Family’s responsibilities and associated risks regarding its FHA
           mortgage insurance program. HUD reports show that in the past year,
           FHA endorsements have increased by nearly 86 percent. Given the
           increasing business that Single Family currently experiences and will
           likely continue to experience, it is imperative that Single Family quickly
           implement an effective internal control structure to help it ensure that its
           programs, activities, and functions operate efficiently and effectively.
           Such action is critical to ensure the lasting integrity of the FHA insurance
           fund.

What We Recommend


           We recommend that HUD ensure that Single Family managers and staff
           fully implement an acceptable internal control structure by preparing and
           implementing effective written policies and procedures that comply with
           the GAO internal control standards and HUD Handbook 1840.1
           requirements.

           For each recommendation without a management decision, please respond
           and provide status reports in accordance with HUD Handbook 2000.06,
           REV-3. Please furnish us copies of any correspondence or directives
           issued because of the audit.

Auditee’s Response

           We provided the draft report to Single Family officials on July 21, 2008,
           and initially requested their response by August 20, 2008. We extended
           the response due date to August 29, 2008, when we provided a revised
           draft to the officials. Based on a subsequent request from Single Family,
           we granted an additional extension to September 2, 2008. We received the
           written response on September 2, 2008.

           Single Family officials reiterated information that they had provided
           during the audit and agreed to take actions to address our recommendation
           to fully implement an acceptable internal control structure.

           The complete text of the auditee’s response, along with our evaluation of
           that response, can be found in appendix A of this report.




                        TABLE OF CONTENTS


Background and Objectives

Results of Audit
      Finding: Single Family Had Not Fully Implemented an Internal Control
                Structure in Accordance with Requirements

Scope and Methodology

Internal Controls

Appendixes
   A. Auditee Comments and OIG’s Evaluation

                 BACKGROUND AND OBJECTIVES

The U.S. Department of Housing and Urban Development’s (HUD) Office of Single
Family Housing (Single Family) is responsible for the overall management, policy
direction, and administration of all single-family programs authorized under Titles I and
II of the National Housing Act of 1934. One of its major responsibilities is to manage the
Federal Housing Administration (FHA) insurance program. FHA is one of the largest
insurers of mortgages in the world, having insured more than 34 million mortgages since
its inception in 1934.

In 1994, the Government Accountability Office (GAO) first identified Single Family’s
mortgage insurance program as high risk. In January 2007, GAO removed Single Family
from the high-risk list. GAO stated that HUD had demonstrated commitment to and
progress in addressing weaknesses in the single-family mortgage insurance program.
Specifically, HUD had improved its oversight of lenders and appraisers, and issued or
proposed regulations to strengthen lender accountability and combat predatory lending
practices. However, GAO also cautioned that HUD's corrective actions were in the early
stages of implementation and additional steps were needed to resolve ongoing problems.
In addition, it pointed out that HUD continued to grant loan underwriting authority to
lenders that had not met the agency's performance standards. It also pointed out that
weaknesses in HUD's process for paying single-family property management contractors
made the agency vulnerable to questionable and potentially fraudulent payments.

GAO stressed that Single Family needed to continue to place a high priority on efficient
and effective management of its programs and pointed out that proposed program
changes could introduce new risks and oversight challenges. Specifically, Single Family
had proposed changes to its mortgage insurance program that would increase the size of
the mortgages that FHA could insure, give HUD flexibility to set insurance premiums
based on the credit risk of borrowers, and reduce downpayment requirements from the
current 3 percent to as low as zero percent. In addition, HUD had seen a dramatic
increase in FHA-insured home equity conversion (also known as “reverse”) mortgages.
GAO concluded that as a result of this increase, Single Family would be challenged to
develop adequate systems to account for these loans.

GAO’s Standards for Internal Control in Federal Government provide the overall
framework for establishing and maintaining internal control (management control) and
for identifying and addressing major performance and management challenges and areas
at greatest risk of fraud, waste, abuse, and mismanagement. GAO includes five standards
for internal control that define the minimum level of quality acceptable for internal
control in government and provide the basis against which internal control is to be
evaluated: control environment, risk assessment, control activities, information and
communication, and monitoring.

HUD Handbook 1840.1, REV-3, dated February 1999, establishes HUD’s internal
control program to ensure compliance with federal requirements related to internal
controls. The handbook details the roles and responsibilities of individual program
offices with respect to the internal controls over HUD programs and administrative
functions. The handbook also details processes that each program office must follow to
establish and maintain a cost-effective system of internal controls that provides
reasonable assurance that programs and activities are effectively and efficiently managed
and protects against fraud, waste, abuse, and mismanagement.

Our audit objective was to determine whether Single Family had implemented a control
structure that met GAO internal control standards and HUD Handbook 1840.1
requirements.




                             RESULTS OF AUDIT

Finding: Single Family Had Not Fully Implemented an Internal
            Control Structure in Accordance with Requirements
Single Family had not fully implemented an internal control structure in accordance with
GAO internal control standards and HUD requirements. Single Family developed what it
believed to be an acceptable alternative internal control process. As a result, Single
Family lacked assurance that its programs, activities, and functions operated efficiently
and effectively. The lack of an acceptable internal control structure also increased the
risk of fraud, waste, and abuse in Single Family’s new, anticipated, and existing
programs.


Single Family had not fully implemented an internal control structure that met GAO internal
control standards and the requirements in HUD Handbook 1840.1, Departmental
Management Control Program. Specifically, it did not (1) perform a formal, systematic
annual risk assessment of its programs and administrative functions, (2) plan and conduct
ongoing management control reviews or alternative management control reviews of its
programs, (3) establish an overall strategy regarding its risk-based monitoring of program
activities and participants, or (4) identify corrective actions required to improve its
management controls in a timely manner.

Since 1983, GAO has provided minimum standards for internal control in government. The
1982 Federal Managers’ Financial Integrity Act (the Act) required agency heads to establish
a continuous process for assessing and improving their agencies’ internal controls and to
annually report on the status of their efforts. The Act also required GAO to issue internal
control standards that agencies must follow. GAO issued these standards in 1983. In later
years, the U.S. Congress passed additional legislation that increased the emphasis on
internal controls. GAO most recently revised the internal control standards in 1999.

The internal control standards provide the overall framework for establishing and
maintaining internal control and for identifying and addressing major performance and
management challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement. To meet these federal internal control requirements, HUD issued
Handbook 1840.1. The handbook establishes a systematic process that includes specific
roles and responsibilities for all HUD managers. It provides policies, procedures, and
guidance for carrying out an effective internal control process for all HUD programs and
activities.

Single Family’s responsibilities and associated risks regarding its FHA mortgage insurance
program have recently increased, making it critical that Single Family quickly implement an
effective internal control structure. According to HUD, FHA endorsements have increased
by nearly 86 percent in the past year. FHA’s business will likely continue to increase due to
changes in the housing industry, implementation of new FHA-related programs, and
changes in existing programs. Therefore, Single Family needs to have an effective internal
control structure in place to help it ensure that its programs, activities, and functions operate
efficiently and effectively.

 Formal, Systematic Annual
 Risk Assessment Process Not
 Performed


                Single Family did not perform a formal, systematic annual risk assessment
                of all of its programs and administrative functions. A risk assessment is
                the identification and analysis of relevant risks associated with achieving
                objectives and forming a basis for determining how risks should be
                managed. HUD Handbook 1840.1 explains that key aspects of risk
                assessment include analyses of the general control environment and
                inherent risks and an evaluation of the adequacy of existing controls. The
                handbook also states that HUD managers should assign individual
                programs and administrative functions an annual risk rating of low,
                medium, or high, using the HUD risk assessment worksheet. HUD
                managers are to use the risk ratings as part of their overall risk assessment
                of agency controls and to provide senior officials with information for
                reporting on agency controls as required by the Act.

                Further, the handbook states that managers should develop and maintain
                adequate written documentation of each risk analysis and risk rating they
                have conducted on their programs and functions. The handbook points out
                that this information would be useful for reviewing the validity of
                conclusions reached and performing subsequent assessments and reviews.

                Single Family officials were not able to provide documentation to show
                that they had completed HUD’s annual risk assessment requirements.
                Single Family certified to HUD’s Office of the Chief Financial Officer in
                fiscal years 2006 and 2007 that it evaluated the adequacy of its internal
                controls and used the risk management worksheet for program and
                administrative functions to guide its evaluation. However, Single Family
                officials stated that they did not complete the risk management worksheet
                in either fiscal year 2006 or 2007, nor could they provide evidence of any
                other form of annual risk assessment of Single Family’s programs and
                functions.




Management Control Reviews
Not Performed

          Single Family did not plan and conduct ongoing management control
          reviews or alternative management control reviews. HUD Handbook
          1840.1 states that managers must plan and conduct ongoing evaluations of
          internal (management) controls to ensure that the controls remain effective
          and efficient and function as intended. The handbook identifies two basic
          types of evaluations: management control reviews and alternative
          management control reviews. Management control reviews are
          comprehensive and detailed reviews of operations in a functional area.
          Alternative reviews are evaluations of the control techniques in a
          functional area using a more limited scope methodology than the
          management control reviews. The purpose of these reviews is to evaluate
          a program, system, accounting function, or administrative activity to
          determine whether adequate control techniques exist and to identify
          material or other weaknesses in internal controls.

          Single Family could not provide any management control reviews from
          fiscal years 2006 and 2007. For this same period, Single Family provided
          only two reviews that it considered to be alternative management control
          reviews. However, one of the reviews did not qualify as an alternative
          management control review, and Single Family had not completed all
          requirements for the other review.

             •   One review did not meet the objective of an alternative
                 management control review. The study addressed whether a
                 statistical correlation existed between lenders’ default and claims
                 rates and the acceptability of lenders’ underwriting and loan
                 documentation on insured loans. The study was not intended to
                 evaluate and address identified internal control weaknesses, as is
                 the intent of alternative management control reviews.

             •   The second review generally addressed the intent of alternative
                 management control reviews but did not identify all required
                 elements. The review focused on assessing and improving a
                 process, and it documented the type and scope of the review,
                 Single Family’s findings, and a future corrective action. However,
                 the review did not identify the responsible official, nor did it
                 include a detailed description of the process used in testing the
                 systems.




Overall Risk-Based Monitoring
Strategy Not Established


           Single Family did not establish an overall strategy regarding its risk-based
           monitoring of program activities and participants. HUD Handbook 1840.1
           requires program office directors to develop specific risk-based
           monitoring strategies, including risk-based rating systems for program
           participants. The handbook emphasizes that because conditions change
           over time, management needs to determine whether internal controls
           continue to effectively address new or changed risks. Risk-based
           monitoring is a strategy for identifying program activities and participants
           that represent the greatest risk and are the most susceptible to fraud, waste,
           and mismanagement and targeting management attention and resources to
           those activities and participants. The overall objective of the risk-based
           monitoring process is to allocate a larger share of monitoring resources to
           program functions posing the highest risk.

           Recent Office of Inspector General (OIG) and private contractor reports
           have identified areas in which Single Family could strengthen internal
           controls or needs to implement or improve controls to avoid material
           weaknesses. Single Family may have had a better opportunity to identify
           these internal control issues by practicing risk-based monitoring.

           For example, OIG recently reported a need for Single Family to strengthen
           its monitoring of HUD’s homeownership centers (OIG report #2008-KC-0001,
           issued January 2008). The homeownership centers are tasked with
           ensuring that FHA-approved lenders comply with HUD lending
           requirements and resolving deficiencies identified. The homeownership
           centers did not always resolve materially deficient and potentially
           fraudulent loans consistently.

           In another example, a private contractor recently reported similar
           problems in its front-end risk assessment of Single Family’s lender
           insurance program. In its June 2007 report, the contractor rated the Single
           Family lender insurance program’s organizational structure as
           unsatisfactory. The contractor identified the lack of centralized
           monitoring of HUD’s homeownership centers’ compliance activities as
           one of the reasons for the unsatisfactory rating. It also noted that although
           the homeownership centers had responsibility for ensuring lender
           compliance, there was a lack of ongoing monitoring of the
           homeownership centers’ activities to ensure that they performed their
           compliance duties. For example, Single Family did not employ
           centralized monitoring of the removal of nonperforming lenders to ensure
           that they were not inadvertently allowed to remain in the program.



             In another recent report, OIG’s contracted independent auditors identified
             other problems that occurred, in part, due to the lack of risk-based
             monitoring. The independent auditor’s report on FHA’s fiscal year 2007
             financial statements (OIG report #2008-FO-0002, issued November 2007)
             identified two material weaknesses related to home equity conversion
             mortgages (reverse mortgages), caused in part by

                 •   A lack of a comprehensive, documented, program-level risk
                     assessment;
                 •   A lack of an effective process to document FHA’s conclusions
                     regarding results of its validation review; and
                 •   A lack of employee understanding of system security
                     responsibilities due to an ineffective organizational authority and
                     insufficient staff resources.

             The report also noted that most of the control weaknesses were specific to
             the reverse mortgage program; however, the weaknesses may indicate
             systemic problems within FHA due to the level of inadequate risk
             assessments and lack of documentation within this program.

             Single Family should have employed an overall risk-based monitoring
             strategy to help ensure that (1) homeownership centers resolved loan
             deficiencies consistently; (2) nonperforming lenders were not
             inadvertently allowed to remain in the lender insurance program; and (3)
             the reverse mortgage program operated efficiently and effectively,
             particularly since this program had dramatically increased in loan volume
             in recent years.

Unsatisfactory Ratings and
Corrective Actions Not
Provided to Responsible
Officials in a Timely Manner

             Single Family did not notify responsible officials of significant problems
             identified by a private contractor, nor did it provide the officials with
             corrective action plans in a timely manner. GAO standards for internal
             control emphasize that deficiencies identified during ongoing monitoring
             or through separate evaluations should be communicated to the individual
             responsible for the function and also to at least one level of management
             above that individual. Also, serious matters should be reported to top
             management. HUD Handbook 1840.1 states that management is
             responsible for the timely identification of corrective actions required to
             improve management controls. For material weaknesses, corrective action
             plans are to be submitted to the Chief Financial Officer within 60 calendar
             days of the final determination of the weakness. For weaknesses not
             deemed material but significant and requiring corrective actions, plans
             should be submitted to the Chief Financial Officer within 60 days from
             identification of the weakness.

             The private contractor that conducted the front-end risk assessment of the
             lender insurance program, as described previously, reported its findings to
             Single Family in June 2007. In addition to rating the Single Family lender
             insurance program’s organizational structure as unsatisfactory, the
             contractor reported a lack of single point decision-making authority and
             accountability to facilitate faster decision making. Accordingly, Single
             Family managers were slow in implementing specific guidance and
             procedures affecting the lender insurance program.

             As of February 2008, Single Family had not briefed the primary
             organization head on the results of the contractor’s review, nor had it
             provided a corrective action plan to address the weaknesses identified in
             the review. Given the importance of the lender oversight function
             performed by the homeownership centers, Single Family should have
             promptly notified officials responsible for overseeing its operations,
             including the primary organization head, of the deficiencies and provided
             them with corrective action plans.

Managers Used Alternative
Process They Believed Was
Acceptable

             Single Family developed what it believed to be an acceptable alternative
             internal control process. Also, in an effort to improve its internal control
             process, Single Family hired a contractor in October 2007 to develop an
             internal quality control policies and procedures manual. Single Family
             expected that the contractor would help it better address its internal control
             assessment and implementation needs.

             Handbook 1840.1 directs managers at all levels to identify all risks that
             may prevent accomplishing program goals and objectives, assess the
             severity of the risks, implement policies and procedures for controlling the
             risks, allocate available program resources to effectively manage the risks
             in a timely manner, and provide objective and timely reporting on the
             status of the risks. In addition, managers must evaluate, on a regular basis,
             the effectiveness of controls in their operations. The handbook also states
             that while various methods may be used to evaluate controls, careful
             planning, execution, documentation, and reporting are required. The
             handbook provides a methodology for managers to




   •   Systematically assess the susceptibility of their program or activity
       to the risk of fraud, waste, abuse, or mismanagement;
   •   Conduct evaluations of the effectiveness of their management
       controls;
   •   Identify actions and resources needed to correct weaknesses;
   •   Maintain quality control over the program; and
   •   Provide an early warning capability to alert senior management of
       potential or emerging problems.

Single Family managers asserted that although they did not strictly adhere
to the systematic methodology in handbook 1840.1, they conducted
multiple activities and used various tools that they believed were sufficient
to constitute an acceptable internal control structure. Throughout the
audit, we requested that Single Family provide documentation and
explanations of what it considered elements of its alternative internal
control process. This report recognizes and evaluates the information
provided during the audit.

For example, Single Family periodically conducted strategic planning
sessions, which served as brainstorming sessions to discuss operational
needs, expected outcomes, staffing assignments to address the needs,
target dates, and status updates. However, the strategic planning
documents did not demonstrate that the tasks discussed were based on
formal risk assessments or management control reviews.

Single Family managers also stated that Single Family’s homeownership
centers monitored lenders to ensure that they complied with HUD lending
requirements and used automated tools such as the Neighborhood Watch
Early Warning system and the Credit Watch Termination system in their
monitoring efforts. Neighborhood Watch provides loan performance data
for lenders and appraisers, by loan types and geographic areas, using
FHA-insured single-family loan information. Credit Watch identifies
lenders that have originated or sponsored poorly performing loans (i.e.,
high default and claim rates).

While Single Family had various tools with which to conduct its business,
these and other operational tools did not substitute for fully implementing
an efficient and effective, comprehensive internal control structure. Single
Family’s daily functions and tools did not constitute a formal, systematic
process for assessing its entire internal control environment, nor did the
daily functions and tools serve to validate internal control and operational
decisions made by Single Family.

Single Family hired a private contractor in October 2007 to develop an
internal quality control policies and procedures manual. The intended
purpose of the manual was to validate risk management priorities
            identified by Single Family and to serve as a management tool to ensure
            that Single Family appropriately addressed areas of material risk.

            As stated in the contract, the manual was expected to provide guidance to
            headquarters and homeownership center staff to address, minimize, and
            mitigate the impact of any issues that constitute financial or programmatic
            material risks, through regular monitoring, reporting, oversight, and
            appropriate follow-up. The manual was intended to assist Single Family
            in implementing a uniform set of policies, procedures, and practices to be
            consistently followed at HUD headquarters and the homeownership center
            levels and which would provide a seamless process for identifying,
            monitoring and overseeing material risk management issues in all program
            areas. Further, the contractor was to provide an internal quality control
            plan to enhance the level of consistency in the application of risk
            management standards governing the execution of program activities.

            As of the end of our review, the first contract deliverables were not yet
            due; therefore, we were unable to evaluate the contractor’s work.
            However, the contractor’s project plan seemed to focus on a list of
            high-risk priority areas identified by Single Family managers, rather than
            all programs, activities, and functions. In addition, the project plan and
            related documents did not explain how Single Family identified the
            high-priority areas, nor did Single Family provide us with an explanation of or
            documentation showing how it identified these areas.

Single Family Responsibilities
Increasing and FHA Program
Growing, Increasing Risks

            Recent events in the housing industry have driven increases in Single
            Family responsibilities and associated risks with its FHA mortgage
            insurance program. HUD reports showed that in the past year, FHA
            endorsements have increased by nearly 86 percent.

            One reason for the increase was the newly implemented FHASecure
            program. Under the program, borrowers can refinance their non-FHA
            fixed or adjustable rate loans into FHA loans if they meet certain
            eligibility criteria. In April 2008, HUD reported that since it began the
            FHASecure program in August 2007, it had helped more than 150,000
            homeowners refinance their mortgages and estimated that it would
            likely facilitate loans for 500,000 families by the end of calendar year
            2008. FHA’s business had also increased due to increases in home equity
            conversion (reverse) mortgages. FHA endorsed more than 43,000 reverse
            mortgages in fiscal year 2005. During fiscal year 2007, FHA endorsed
            about 108,000 reverse mortgages, an increase of approximately 150
            percent.

            In addition, the Congress recently increased the maximum mortgage
            amount that FHA can insure, allowing it to insure more, higher-value
            mortgages. For most single-family homes, HUD raised the maximum
            mortgage limit by 35 percent, from about $200,000 in low-cost areas to
            more than $270,000, and by more than 100 percent in high-cost areas,
            from more than $360,000 to nearly $730,000. Further, the Congress
            recently passed legislation that created a new FHA program to help at-risk
            borrowers. Under the program, FHA could insure up to $300 billion in
            new, less costly mortgages for homeowners who otherwise would not
            likely qualify for government-insured loans.

            In summary, Single Family’s responsibilities and associated risks are
            rapidly and greatly increasing due to changes in the housing industry,
            implementation of new FHA-related programs, and changes in existing
            programs. These changes make it imperative for Single Family to quickly
            implement a comprehensive and effective internal control structure that
            meets GAO and HUD requirements.

Increased Risks Due to Lack of
Fully Implemented Internal
Control Structure

            Without a fully implemented internal control structure, Single Family
            lacked assurance that its programs, activities, and functions operated
            efficiently and effectively or would do so in the future. This condition
            increased the risk of fraud, waste, and abuse in its new, anticipated, and
            existing programs.

            As GAO stresses, a key factor in helping to achieve agencies’ missions
            and program results and to minimize operational problems is to implement
            appropriate internal controls. Effective internal controls also help in
            managing change to cope with shifting environments and evolving
            demands and priorities. As programs change and as agencies strive to
            improve operational processes, management must continually assess and
            evaluate its internal controls to ensure that the control activities used are
            effective and updated when necessary.

            In summary, internal controls serve as the first line of defense in
            safeguarding assets and preventing and detecting errors and fraud. Single
            Family has implemented new programs in recent months, is likely to be
            tasked with additional new programs in the near future, and has made
            changes to existing programs. Having an acceptable and fully functioning
          internal control structure that meets GAO and HUD requirements is
          central to Single Family’s ability to ensure its accountability within
          HUD’s overall control structure.

Recommendation


          We recommend that HUD’s Assistant Secretary for Housing

          1A. Ensure that Single Family managers and staff fully implement an
              acceptable internal control structure by preparing and implementing
              effective written policies and procedures that comply with GAO
              internal control standards and HUD Handbook 1840.1 requirements.




                  SCOPE AND METHODOLOGY

Our review covered the period October 2005 through September 2007 and was expanded
as necessary. To accomplish our objective, we reviewed GAO’s Standards for Internal
Controls and HUD Handbook 1840.1, Departmental Management Control Program, to
identify actions that Single Family must perform and document to comply with HUD’s
internal control process.

We interviewed staff from HUD’s Office of the Chief Financial Officer, Office of
Housing (Housing), and Single Family to gain an understanding of their internal control
structure. We also interviewed Housing and Single Family officials regarding their
processes for
     • Annually assessing Single Family internal controls,
     • Completing management control reviews and front-end risk assessments, and
     • Implementing corrective actions and risk-based monitoring strategies.

In addition, we requested that Single Family provide documentation to support its

    •   Completion of the annual risk assessment of its internal controls, any
        management control reviews or alternative management control reviews
        performed, and any front-end risk assessments performed during fiscal years
        2006 and 2007;

    •   Corrective action process for resolving HUD OIG report recommendations and
        recommendations resulting from internal evaluations of its controls; and

    •   Overall risk-based monitoring strategy for its three divisions (Office of Single
        Family Program Development, Office of Single Family Asset Management, and
        Office of Lender Activities and Program Compliance).

We reviewed GAO and HUD OIG reports to determine whether either entity had
previously identified noncompliance with internal control standards or HUD Handbook
1840.1. We also reviewed Single Family internal reports, contractor reports, HUD’s
2006 and 2007 performance and accountability reports, business cycle memorandums,
and FHA’s fiscal year 2007 financial statements audit.

We performed on-site work from October 2007 to March 2008 at HUD headquarters
located at 451 7th Street, SW, Washington, DC.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objectives.


                          INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following objectives are being achieved:

   •   Effectiveness and efficiency of operations,
   •   Reliability of financial reporting, and
   •   Compliance with applicable laws and regulations.

Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the
systems for measuring, reporting, and monitoring program performance.



 Relevant Internal Controls
               We determined the following internal controls were relevant to our audit
               objectives: Single Family’s controls for

                  •   Identifying risk related to its programs and/or administrative
                      functions.

                  •   Evaluating its programs, systems, accounting functions, and
                      administrative activities to determine whether adequate control
                      techniques exist and to identify material and other weaknesses in
                      internal controls.

                  •   Risk-based monitoring to identify and target management attention
                      and resources to program activities and participants that represent the
                      greatest risk to program missions and are the most susceptible to
                      fraud, waste, and mismanagement.

                  •   Performing front-end risk assessments to determine the susceptibility
                      to waste, fraud, abuse, and mismanagement of new or substantially
                      revised programs and administrative functions.

                  •   Identifying, planning, and implementing corrective actions to
                      improve internal controls.

               We assessed the relevant controls identified above.




           A significant weakness exists if management controls do not provide
           reasonable assurance that the process for planning, organizing, directing, and
           controlling program operations will meet the organization’s objectives.

Significant Weaknesses
           Based on our review, we believe the following items are significant
           weaknesses:

               •   Single Family did not perform a formal, systematic annual risk
                   assessment of its programs and administrative functions.

               •   Single Family did not plan and conduct ongoing management control
                   reviews or alternative management control reviews of its programs.

               •   Single Family did not have an overall strategy regarding its risk-
                   based monitoring of activities and participants.

               •   Single Family did not identify corrective actions required to
                   improve its management controls in a timely manner.




                        APPENDIXES

Appendix A

     AUDITEE COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation        Auditee Comments




Comment 1








Comment 2




                     OIG Evaluation of Auditee Comments


Comment 1   We revised the draft report to further recognize that Single Family has
            elements of a control structure in place and is implementing a plan to
            further address its internal control needs. However, we did not determine
            whether the new internal plan complies with GAO internal control
            standards or HUD Handbook 1840.1, REV-3.

Comment 2   As stated in the report, we analyzed the process used by Single Family’s
            board of directors and the operational tools employed, and concluded that
            these did not substitute for fully implementing an efficient and effective,
            comprehensive internal control structure. The processes and tools used by
            Single Family were elements of an internal control structure but did not
            more than compensate for the requirements stated in HUD Handbook
            1840.1, REV-3.



