Issue Date: November 14, 2008
Audit Case Number: 2009-FO-0003

TO: John W. Cox, Chief Financial Officer, F
FROM: Thomas R. McEnanly, Director, Financial Audits Division, GAF
SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2008 and 2007 Financial Statements

HIGHLIGHTS

What We Audited and Why

We are required to annually audit the consolidated financial statements of the U.S. Department of Housing and Urban Development (HUD) in accordance with the Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal years 2008 and 2007 financial statements is included in HUD’s Fiscal Year 2008 Performance and Accountability Report.

This report supplements our report on the results of our audit of HUD’s principal financial statements for the fiscal years ending September 30, 2008, and September 30, 2007. Also provided are assessments of HUD’s internal controls and our findings with respect to HUD’s compliance with applicable laws, regulations, and government-wide policy requirements, and provisions of contracts and grant agreements.[1]

[1] Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included in this report but are included in the accounting firm of Urbach Kahn and Werlin LLP’s audit of FHA’s financial statements. That report has been published in our report, Audit of Federal Housing Administration Financial Statements for Fiscal Years 2008 and 2007 (2009-FO-0002, dated November 07, 2008). Additional details relating to the Government National Mortgage Association (Ginnie Mae), another HUD component, are not included in this report but are included in the accounting firm of Carmichael, Brasher, Tuvell Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of Government National Mortgage Association Financial Statements for Fiscal Years 2008 and 2007 (2009-FO-0001, dated November 07, 2008).
What We Found

In our opinion, HUD’s fiscal years 2008 and 2007 financial statements were fairly presented. Our opinion on HUD’s fiscal years 2008 and 2007 financial statements is reported in HUD’s Fiscal Year 2008 Performance and Accountability Report.

The other auditors and our audit also disclosed the following significant deficiencies in internal controls related to the need to:

Continue improvements in the oversight and monitoring of subsidy calculations and intermediaries’ program performance and promote full utilization of Housing Choice Voucher funds;
Improve the processes for reviewing obligation balances;
Comply with federal financial management systems requirements;
Further strengthen controls over HUD’s computing environment;
Improve personnel security practices for access to the Department’s critical financial systems;
Continue to enhance and modernize FHA’s financial information systems; and
Strengthen Ginnie Mae’s monitoring and management controls in regard to the mortgage-backed security program.

Our findings include the following four instances of non-compliance with applicable laws and regulations:

HUD did not substantially comply with the Federal Financial Management Improvement Act regarding system requirements;
HUD did not substantially comply with the Anti-deficiency Act;
FHA does not comply with the Credit Reform Act of 1990; and
Ginnie Mae did not comply with the Federal Information Security Management Act.

The audit also identified $122.9 million in excess obligations recorded in HUD’s records. We also are recommending that HUD seek legislative authority to implement $1.4 billion in offsets against housing agencies’ excess unusable funding held in Net Restricted Assets Accounts at the housing agencies. These amounts represent funds that HUD could put to better use.

What We Recommend

Most of the issues described in this report represent long-standing weaknesses.
We understand that implementing sufficient change to mitigate these matters is a multiyear task due to the complexity of the issues, insufficient information technology (IT) systems funding, and other impediments to change. In this and in prior years’ audits of HUD’s financial statements, we have made recommendations to HUD’s management to address these issues. Our recommendations from the current audit, as well as those from prior years’ audits that remain open, are listed in Appendix B of this report. For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3.

HUD’s Response

The complete text of the agency’s response can be found in Appendix E. This response, along with additional informal comments, was considered in preparing the final version of this report.

TABLE OF CONTENTS

Highlights ............................................................ 1
Internal Control ...................................................... 5
Compliance with Laws and Regulations ................................. 30
Appendixes
A. Objectives, Scope, and Methodology ................................ 33
B. Recommendations ................................................... 36
C. FFMIA Noncompliance, Responsible Program Offices, and Recommended Remedial Actions ... 39
D. Schedule of Questioned Costs and Funds Put to Better Use .......... 51
E. Agency Comments ................................................... 52
F. OIG Evaluation of Agency Comments ................................. 54

Internal Control

Significant Deficiency: HUD Management Must Continue to Improve Oversight and Monitoring of Subsidy Calculations and Intermediaries’ Program Performance and Promote Full Utilization of Housing Choice Voucher Funds

Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds through various grant and subsidy programs to multifamily project owners (both nonprofit and for profit) and housing agencies. These intermediaries, acting for HUD, provide housing assistance to benefit primarily low-income families and individuals (households) that live in public housing, Section 8 and Section 202/811 assisted housing, and Native American housing.
In fiscal year 2008, HUD spent about $28 billion to provide rent and operating subsidies that benefited more than 4.8 million households. Since 1996, we have reported on weaknesses with the monitoring of the housing assistance program’s delivery and the verification of subsidy payments. We focused on the impact these weaknesses had on HUD’s ability to (1) ensure that intermediaries are correctly calculating housing subsidies and (2) verify tenant income and billings for subsidies.

During the past several years, HUD has made progress in correcting this deficiency. In 2008, HUD continued utilizing the comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts to address public housing agencies’ (PHA) improper payments and other high-risk elements. HUD’s continued commitment to the implementation of a comprehensive program to reduce erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying out their responsibility to administer assisted housing programs according to HUD requirements.

The Department has demonstrated improvements in its internal control structure to address the significant risk that HUD’s intermediaries are not properly carrying out their responsibility to administer assisted housing programs according to HUD requirements. HUD’s increased and improved monitoring has resulted in a significant decline in improper payment estimates over the last five years. However, HUD needs to continue to place emphasis on its on-site monitoring and technical assistance to ensure that acceptable levels of performance and compliance are achieved, and to periodically assess the accuracy of intermediaries’ rent determinations, tenant income verifications, and billings.

Tenant income is the primary factor affecting eligibility for housing assistance, the amount of assistance a family receives, and the amount of subsidy HUD pays.
Generally, HUD’s subsidy payment makes up the difference between 30 percent of a household’s adjusted income and the housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The admission of a household to these rental assistance programs and the size of the subsidy the household receives depend directly on the household’s self-reported income. However, significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent determinations and undetected, unreported, or underreported income. By overpaying rent subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds that could have been used to subsidize other eligible families in need of assistance.

HUD’s Estimate of Erroneous Payments Decreased in Fiscal Year 2008

The estimate of erroneous payments that HUD reports in its Performance and Accountability Report relates to HUD’s inability to ensure or verify the accuracy of subsidy payments being determined and paid to assisted households. This year’s contracted study of HUD’s three major assisted housing programs estimated that the rent determination errors made by the intermediaries resulted in substantial subsidy overpayments and underpayments. The study was based on analyses of a statistical sample of tenant files, tenant interviews, and income verification data for activity that occurred during fiscal year 2007.

However, the amounts reported in the study have been adjusted due to recent program structure changes. The Public Housing programs switched to Asset Management and began calculating formula income for PHAs as noted in 24 CFR 990.195, Calculating Formula Income. This change eliminated the three types of improper payment errors for the Public Housing program. This new process was implemented in January 2007. Therefore, for FY 2007, this process was in place for the last three quarters of the year, and HUD subsidy errors occurred only in the first quarter.
Errors could still be made by PHAs in their calculation of the amount of tenant rent, or tenants could still be underreporting their income; however, beginning January 2007 this no longer affected HUD’s subsidy. The Quality Control (QC) study and Income Match Reporting study estimated these errors for the entire fiscal year because this information is useful to management of both PIH and the PHAs. However, based on the conversion to asset management and the change in calculating formula income becoming effective in January 2007, only 25 percent of the amount calculated for the Administrator, Income Reporting, and Billing errors should be reported for FY 2007.

In addition, a budget-based funding methodology was implemented for the Housing Choice Voucher Program to eliminate the opportunity for billing errors in that program. Budget-based means that each PHA will have a set annual budget for vouchers to serve its clients’ needs. The PHA will receive the annual budget in 12 equal monthly payments, thus eliminating the need to bill HUD and eliminating the Billing Error.

Based on the previously mentioned program structure changes, HUD is reporting subsidy payment inconsistencies in which HUD incorrectly paid $671.5 million in annual housing subsidies. This is a 30 percent decrease in the gross erroneous payments in comparison to the prior year. The estimate of erroneous payments is reported in HUD’s Fiscal Year 2008 Performance and Accountability Report as Other Accompanying Information and will reflect the adjusted error estimates.

The estimate of erroneous payments this year also includes overpaid subsidies from underreported and unreported income and intermediaries’ billings errors. HUD estimated that housing subsidy overpayments from tenants misreporting their income totaled an additional $249.8 million in overpayments during calendar year 2007. HUD did not conduct a billings study during fiscal year 2008.
Therefore, the results of the prior year’s study will carry over for this year’s billings error estimate and have been adjusted according to the previously mentioned program structural changes. Based on the payment errors that were identified for the Office of Housing’s project-based Section 8 housing program, HUD reported an estimated $59 million in program billings errors for fiscal year 2006. In addition, PIH’s billings error estimate has been reduced to zero for the Housing Choice Voucher program. Additionally, an operating subsidy estimate of $12.3 million was included in the PIH billings estimate. Therefore, adding the Office of Housing’s estimate of $59 million to the PIH estimate of $12.3 million for operating subsidy results in a $71.3 million estimate of erroneous payments for billings errors.

In total, HUD has reduced the combined gross improper rental housing assistance payment estimates to $993 million in Fiscal Year 2007. This is a total reduction of 35% in comparison to the prior year estimates.

In addition to the Rental Housing Integrity Improvement Project (RHIIP)-related estimates, HUD performed a risk assessment update on one third of all HUD programs exceeding $40 million in expenditures (except those associated with the RHIIP) to determine whether they are susceptible to significant erroneous or improper payments. The OCFO performed a risk assessment on nine of HUD’s funded activities (programs). The nine programs were updated and reevaluated for the current risk assessment. Although individual program risk ratings for the nine programs may have changed slightly, none of the programs evaluated were considered susceptible to significant improper payments for fiscal year 2007, as defined in OMB Circular A-123, Appendix C, Part 1.
HUD Needs to Continue Initiatives to Detect Unreported Tenant Income

The computer matching agreement between HUD’s Office of Housing and the Department of Health and Human Services (HHS) for use of the National Directory of New Hires in the Enterprise Income Verification system (EIV) was finalized in fiscal year 2008. HUD successfully expanded its computer matching program with the HHS data to all of its rental assistance programs (public housing, housing vouchers, and project-based housing) when HUD’s project-based program gained access to the HHS database on January 15, 2008. The other programs had gained access previously. HUD intends to issue a final rule mandating the use of this matching data by the end of this calendar year.

EIV is a web-based system that compiles tenant income information and makes it available online to HUD business partners to assist in determining accurate tenant income as part of the process of setting rental subsidy. Currently, EIV matches tenant data against Social Security Administration information, including Social Security benefits and Supplemental Security Income, and against the HHS National Directory of New Hires (NDNH) database, which provides information such as wages, unemployment benefits, and W-4 (“new hires”) data, on behalf of PIH and Multifamily Housing programs. The EIV System is available to PHAs nationwide and to Owner Administered project-based assistance programs, and all are encouraged to use and implement the EIV System in their day-to-day operations.

Additionally, the Department is in the process of implementing the Multifamily Housing Error Tracking Log (ETL) initiative. The ETL initiative will document whether and to what extent owners are accurately, thoroughly, and clearly determining family income and rents in the Office of Multifamily Housing Subsidy Programs, and will track the specific dollar impact of income and rent discrepancies and the corresponding resolution of such errors.
HUD Needs to Continue Progress on RHIIP Initiatives to Monitor Program Administrators

HUD initiated the Rental Housing Integrity Improvement Project (RHIIP) as part of an effort in fiscal year 2001 to develop tools and the capability to minimize erroneous payments. The type of erroneous payments targeted includes the excess rental subsidy caused by unreported and underreported tenant income. Since our last report, HUD has continued to make progress addressing the problems surrounding housing authorities’ rental subsidy determinations, underreported income, and assistance billings. However, HUD still needs to ensure that it fully utilizes automated tools to detect rent subsidy processing deficiencies and to identify and measure erroneous payments.

During fiscal year 2006, HUD implemented a five-year plan initiative to perform consolidated reviews in order to reinforce the Office of Public and Indian Housing’s (PIH) effort in addressing public housing agencies’ (PHA) improper payments and other high-risk elements. These reviews were also implemented to ensure the continuation of PIH’s comprehensive monitoring and oversight of PHAs. The five-year plan required Tier 1 comprehensive reviews to be performed on approximately 20 percent, or 490, of the PHAs, which manage 80 percent of HUD’s funds. According to the Fiscal Year 2008 Management Plan directive, PIH identified 100 PHAs that receive 80 percent of HUD’s funding for the priority Tier 1 comprehensive reviews. Tier 2 comprehensive reviews of the remaining PHAs were optional, depending upon each field office’s resources. Tier 1 comprehensive reviews included rental integrity monitoring (RIM), RIM follow-up on Corrective Action Plans (CAPs), EIV implementation and security, Section 8 Management Assessment Program (SEMAP) confirmatory reviews, SEMAP quality control reviews, Exigent Health & Safety (EH&S) spot-checks, Management Assessment Subsystem (MASS) certifications, and civil rights limited front-end reviews.
Documentation provided during our review showed that 101 Tier 1 reviews and 17 Tier 2 reviews were performed during fiscal year 2008. Because of the deficiencies identified in the consolidated reviews, CAPs were implemented at 46 PHAs from the Tier 1 reviews and at 17 PHAs from the Tier 2 reviews. At the end of our fieldwork, none of the CAPs from these reviews had been closed out. Additionally, at the end of our fiscal year 2008 fieldwork, we noted that 6 CAPs were still open from the 2003-2004 RIM follow-up reviews. During our fiscal year 2007 review, we determined that 6 of these CAPs were still open because the respective PHA was either in receivership or in troubled status. HUD must continue to ensure that CAPs are implemented and closed out, thereby ensuring that the systemic errors identified during the reviews were corrected.

In prior years, we reported that the Public Housing Information Center system (now known as the PIH Inventory Management System, or PIC-IMS) information was incomplete and/or inaccurate because housing authority reporting requirements were discretionary. As a result, PHAs have been mandated to submit 100 percent of their family records to HUD’s Public Housing Information Center system (Inventory Management System) Form 50058 Module. If PHAs do not meet the minimum reporting rate of 95 percent at the time of their annual Form HUD 50058 reporting rate assessment, they are subject to sanctions. During our field review at four field offices, we noted 41 PHAs that were not meeting the minimum 95 percent reporting rate. None of these PHAs were sanctioned during 2008. HUD annually evaluates those PHAs not meeting the 95% requirement; this evaluation was postponed until April 2009, after the new PIC-IMS software is deployed.
Since HUD uses the tenant data from its Public Housing Information Center system (Inventory Management System) for the income-matching program and program monitoring, it is essential that the database have complete and accurate tenant information. Therefore, until a more efficient and effective means of verifying the accuracy of the data is developed, HUD needs to continue to emphasize the importance of accurate reporting and proactively enforce sanctions against those PHAs that do not follow the requirement.

HUD has made substantial progress in taking steps to reduce erroneous payments. However, HUD must continue its regular on-site and remote monitoring of the PHAs and use the results from the monitoring efforts to focus on corrective actions when needed. We are encouraged by the on-going actions to focus on improving controls regarding income verification, as well as HUD’s plans regarding CAPs, consolidated reviews, and the continual income and rent training for HUD staff, owners, management agents, and PHAs.

Public Housing Agencies’ Accumulation of Funds in the Net Restricted Asset Account

Congress, in an attempt to limit the cost of the Housing Choice Voucher Program and to provide flexibility to the Public Housing Agencies (PHAs) in the administration of available program funding, enacted provisions in the fiscal year 2005 Appropriation Act (Public Law 108-447) that significantly changed the way HUD provides and monitors the subsidy paid to housing agencies. Starting January 1, 2005, Congress changed the basis of the program funding from a “unit-based” process to a “budget-based” process that limits the Federal funding to a fixed amount. Under the legislation, HUD records the funding allocated to the PHA as an expense and no longer records a receivable for any under-utilized funds, because the public housing authorities retain and are expected to use the funds in their entirety for authorized program activities and expenses within the time allowed.
Program guidance states that any budget authority provided to PHAs that exceeds actual program expenses for the same period must be maintained in the housing agency’s net restricted assets account. Although these funds are retained by the PHA and not the Department, the Department has a responsibility to ensure that these funds are properly accounted for and are used for authorized program activities. HUD is also responsible for monitoring both overutilization and underutilization of funds and for ensuring that appropriated funds are being used to serve the maximum number of families.

According to HUD’s records, as of June 30, 2008, the net restricted assets account had increased to a balance of approximately $1.9 billion for 2,307 PHAs. Further, this $1.9 billion in unused funding is the balance remaining after an offset of $723 million required by the Fiscal Year 2008 Appropriations Law. Of the $1.9 billion, $1.4 billion has been categorized as unusable by the PHAs. The unusable portion of the net restricted assets account balance represents the excess over the amount that would be required to achieve 100 percent utilization of the vouchers awarded to the PHAs for the calendar year.

The balance in this account has increased to this level because housing agencies are not fully utilizing the housing choice voucher funds allocated. Due to uncertainty over each year’s funding allocation, PHAs have reduced their spending in anticipation of the need to cover future costs from current resources. Late enactment of appropriations has required PHAs to begin each year without knowing their allocations. Also, the utilization of voucher funds is further limited because program regulations prohibit a PHA from leasing more units than those approved in its contract, even when there is a need and the resources are available to increase the number of families being served. The lifting of these leasing restrictions requires legislative action by Congress.
HUD has proposed such a legislative change, but it has not been enacted.

Below Target Utilization Rates

We reviewed HUD’s Section 8 Management Assessment Program (SEMAP) Utilization Summary Report as of September 17, 2008. This report showed that 55 percent of the PHAs have utilization rates of less than 95 percent, which is below the fiscal year 2004 rate of 98.5 percent achieved using the previous funding mechanism and the Department’s FY 2011 target utilization rate of 97 percent. We reviewed the dollar amount utilization rate from the Net Restricted Assets Monitoring report. Our analysis of the report indicated that PHA performance for FYs 2005 through 2007 resulted in calculated utilization rates of 96.0, 90.4, and 93.8 percent, respectively. HUD has acknowledged that continued improvements in utilization are needed, and plans to continue to link future administrative fee payments to PHA leasing levels.

In addition, five recent OIG audits[2] have indicated that the accumulation of the net restricted assets has increased the risk of fraud, waste, and abuse of voucher program funds. The audits performed by our field offices at four PHAs revealed irregularities including the misuse of program funds, deficient accounting records, and lack of control to ensure adequate utilization. Specifically, the audits indicated that housing choice voucher program funds were being used by PHAs to cover operating costs of other programs and that the funds were being spent on ineligible activities. The audits also found that a PHA did not properly update its financial systems for housing assistance and administrative fee payments made for the voucher program. In addition, we found that its accounting records did not support the balance of the net restricted assets. These issues, combined with a lack of adequate funding utilization, have resulted in a rapid accumulation of unused funds.
The issues noted in these audits occurred in part because the Department does not include the net restricted assets account balance as part of its on-site monitoring review of PHAs. The Real Estate Assessment Center (REAC) performs a desk review of the Financial Accounting Sub-System (FASS) submissions from the PHAs. The submissions include two memo accounts regarding the net restricted assets balances (Net Cumulative Administrative Fees Equity and Net Cumulative Administrative Fees Equity). Although REAC reviews the submissions and informs the Financial Management Center and Field Offices of any irregularities, its review is primarily limited to the financial statements, data schedules that support the financial statements, and other data reported by the housing agencies that have been entered into the Department’s systems. REAC relies on the work of the Independent Auditors for review of the PHAs’ financial records that support the FASS submissions. In addition, the Quality Assurance Division (QAD) conducts on-site reviews of selected PHAs to validate the leasing and cost data reported by the agencies in the Voucher Management System (VMS), but does not review data to support net restricted assets account balances. The leasing restrictions imposed by Congress do not allow the program to operate at its fullest potential, and the $723 million offset was not sufficient to recapture the excess funding held by the PHAs.

[2] Dallas Housing Authority, Audit Report #2008-FW-1006; City of Los Angeles Housing Authority, Audit Report #2008-LA-1015; Housing Authority of the County of San Mateo, Belmont, CA, Audit Report #2007-LA-1014; Dallas Housing Authority, Audit Report #2008-FW-1011; and Richard Housing Authority, Richard, WA, Audit Report #2008-SE-1006.
We recommend that HUD significantly reduce the net restricted assets balance by seeking the legislative authority to implement additional offsets of the $1.4 billion of unusable funding accumulated and by again requesting that the program’s leasing restrictions be eliminated or modified in order for more families to receive assistance. We also recommend that the Department increase its on-site monitoring efforts of this account balance, as well as continue to improve its efforts to increase fund utilization by linking administrative fee payments to PHA leasing levels.

Significant Deficiency: HUD Needs to Improve Processes for Reviewing Obligation Balances

HUD needs to improve controls over the monitoring of obligation balances to ensure they remain needed and legally valid as of the end of the fiscal year. HUD’s procedures for identifying and deobligating funds that are no longer needed to meet its obligations were not always effective. This has been a long-standing weakness. Our review of the 2008 year-end obligation balances showed $122.9 million in excess funds that could be recaptured. We have been reporting deficiencies in this area for several years, and while HUD has been working to implement improved procedures and information systems, progress has been slow. Major deficiencies include the following: timely reviews of unexpended obligations for the Administrative, Program Rental Assistance Payment, Rent Supplement, and Interest Reduction programs are not being performed.

Annually, HUD performs a review of unliquidated obligations to determine whether the obligations should be continued, reduced, or canceled. We evaluated HUD’s internal controls for monitoring obligated balances.

Project-based Section 8 Contracts

HUD’s systems and controls for accounting, processing payments, monitoring, and budgeting for Section 8 project-based contracts need to be improved.
HUD has been hampered in its ability to estimate funding requirements, process timely payments to project-based landlords, and recapture excess funds in a timely manner. This is evidenced in HUD’s long-term challenges in paying Section 8 project-based landlords on a timely basis and properly monitoring and accurately accounting and budgeting for contract renewals.

HUD currently administers 17,986 housing assistance payment (HAP) contracts to provide about 1.25 million low-income housing units. A total of 13,605 contracts, covering 966,020 housing units, are subject to annual renewals. Section 8 budget authority is generally available until expended. As a result, HUD should periodically assess budget needs and identify excess program reserves in the Section 8 programs as an offset to future budget requirements. Excess program reserves represent budget authority originally received which will not be needed to fund the related contracts to their expiration.

While HUD had taken actions to identify and recapture excess budget authority in the Section 8 project-based program, weaknesses in the review process and inadequate financial systems continue to hamper HUD’s efforts. There is a lack of automated interfaces between the Office of Housing’s subsidiary records and the Department’s general ledger for the control of program funds. This necessitates that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts for excess funds, which has hampered HUD’s ability to identify excess funds remaining on Section 8 contracts in a timely manner.

This fiscal year, the Office of Housing recaptured approximately $428.3 million in unliquidated obligation balances from 9,207 contracts in the Section 8 project-based program. Our review of the Section 8 project-based contracts showed an additional $44.8 million of available contract/budget authority on 102 contracts that had expiration dates prior to January 1, 2008.
Funds associated with these contracts should be recaptured. During our review, we also found 32 contracts listed in the PAS that were not included in the REMS data provided to us by Multifamily Housing. REMS is the official source of data on Multifamily Housing’s portfolio of insured and assisted properties. Upon further analysis of the 32 contracts, we determined that the funds available on 28 of the contracts had been recaptured during fiscal year 2008. We verified the status of the remaining four contracts with the Accounting Center in Fort Worth, TX. We found that no records existed for one contract, two contracts had been paid off, and one was expired. The available balance remaining on the four contracts, which totals approximately $29.6 million, should be recaptured.

A Long-term Financial Management System Solution is Needed

While our review indicated improvements in PAS data quality, HUD still needs to develop a long-term financial management system solution to streamline and automate the overall Section 8 project-based budgeting, payment, and contract management process. HUD’s process for renewing subsidy contracts is largely an ad hoc process. HUD lacks the internal processes to timely estimate the contract funding level on an ongoing basis. There is a lack of automated interfaces between the Office of Housing’s subsidiary records and the Department’s general ledger for the control of program funds. This necessitates that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts.

Our review of the Section 8 project-based account balances showed deficiencies that raised concerns about the use of PAS data for computing funding requirements for Section 8 project-based assistance contracts. Specifically, we noted that:

Funds totaling $1.1 million were recaptured from 32 projects that were reported in PAS as having no available balance.
- PAS data contained 24 funding lines with contract expiration dates prior to 1974, which is the year that Congress authorized the Section 8 program. Of the 24, 12 funding lines were reported in PAS as having $10.4 million in funds available.

Administrative/Other Program Obligations

Requests for obligation reviews were forwarded by the Chief Financial Officer to the administrative and program offices. The focus of the review was on administrative obligations that exceeded a balance of $17,000 and program obligations that exceeded $217,000. Excluding the Section 8 and Section 235/236 programs, which undergo separate review processes, HUD identified 1,923 obligations with remaining balances totaling $21.5 million for deobligation. We tested the 1,923 obligations the Department identified to determine whether the associated $21.5 million had in fact been deobligated in HUD’s Central Accounting and Program Accounting Systems. We found that, as of September 30, 2008, a total of 427 obligations with remaining balances totaling $4.2 million had not been deobligated. The Department has initiated the process of closing these contracts, and the associated funding should be recaptured in fiscal year 2009. We noted that during fiscal year 2008 the Department continued its efforts to improve the timing and monitoring of its deobligation process.

Rent Supplement and Rental Assistance Payments

HUD is not recapturing excess undisbursed contract authority from the Rent Supplement and Rental Assistance Payments programs in a timely manner. Although HUD continues to make progress in this area, improvement is still needed to ensure the timely recapture of excess funds. The Rent Supplement and Rental Assistance Payments programs have been in existence since the mid-1960s and 1970s, respectively. The Rent Supplement program and Rental Assistance Payments operate much like the current project-based Section 8 rental assistance program.
Rental assistance is paid directly to multifamily housing owners on behalf of eligible tenants. HUD’s subsidiary ledgers show, on a fiscal year basis, the amount authorized for disbursement and the amount that was disbursed under each project account. Funds remain in these accounts until they are paid out or deobligated by HUD. If the funds are not paid out or deobligated, the funds remain on the books, overstating the needed contract authority, the excess of which should be recaptured.

Our prior audit reports showed these funds were not being recaptured timely. We have been reporting deficiencies in this area for several years. In response to our concern, in fiscal year 2006, HUD developed and implemented procedures to review quarterly and annually the programs and associated contract authority requirements. Although progress has been made in this area, improvement is still needed to ensure the timely recapture of excess funds. We performed a review in fiscal year 2008 of unliquidated obligations for the multifamily project accounts under the Rent Supplement and Rental Assistance programs. Our review found $20.7 million in undisbursed contract authority from prior fiscal years on 372 multifamily projects that should be recaptured. HUD agreed and processed adjustments to deobligate the $20.7 million of excess undisbursed obligations.

Section 236 Interest Reduction Program

The Section 236 Interest Reduction Program was created in 1968; however, new program activity ceased in the mid-1970s. The multifamily activities carried out by this program include making interest reduction payments directly to mortgage companies on behalf of multifamily project owners. The contracts entered into were typically up to 40 years, and HUD was required to fund these contracts for their duration. At the time it entered into the contracts, HUD was to record obligations for the entire amount. The obligations were established based upon permanent indefinite appropriation authority.
This budget authority is included in the Statement of Budgetary Resources and other consolidated financial statements as “Other programs.” Although not a major program, deficiencies in the Section 236 Interest Reduction Program have been reported by OIG in prior reports on the financial statements. The Offices of Housing and the Chief Financial Officer have been hampered by historically poor record keeping in their attempt to accurately account for unexpended Section 236 budget authority balances and estimated future payments. These estimated payments are the basis for HUD’s current recorded obligation balances necessary to fully fund the contracts to their expiration. HUD adjusts the recorded obligations as it proceeds through the term of the contracts in order to reflect best estimates of the financial commitment. Factors that can change the budgetary requirements over time include contract terminations, refinancing, and restructuring of the contracts.

In recent years, OIG noted that HUD made a series of corrective actions to address these deficiencies. In response to fiscal year 2004’s OIG report and OMB concerns, the Department initiated a contract-by-contract review in August 2005 to identify underreported, as well as overreported, balances and support the Section 236 contract and budget authority. In 2006, HUD developed and implemented procedures for the quarterly reconciling of its obligation accounts. In FY 2007, HUD completed a reconciliation review with service. However, this year’s review disclosed that further improvements in HUD’s processes are needed to ensure Section 236 IRP obligations are valid and can be more accurately estimated and reported.

In fiscal year 2008, we identified 60 inactive Section 236 Interest Reduction Program contracts with over $13.9 million in excess contract and budget authority that could be deobligated. These 60 contracts had been prepaid and terminated from the program.
HUD agreed and processed adjustments to deobligate $13.9 million. In addition, we identified 9 contracts with inaccurate payment schedules and overestimated funding requirements of over $9.7 million. HUD agreed and processed adjustments to deobligate the $9.7 million. The deficiencies in the Section 236 program occurred because the quarterly review procedures currently implemented were insufficient in providing updates on the project status in a timely manner. HUD needs to improve its quarterly contract reconciliation procedures to ensure that contract and budget authority for the Section 236 Interest Reduction Program are valid and estimates are accurately and timely reported.

For the Department’s administrative and other program funds, HUD needs to promptly perform contract closeout reviews and recapture the associated excess contract authority and imputed budget authority. In addition, HUD needs to address data and systems weaknesses to ensure that all contracts are considered in the recapture/shortfall budget process, including the Rent Supplement and Rental Assistance Programs. With respect to project-based Section 8 contracts, we recommended in our audit of the Department’s fiscal year 1999 financial statements that systems be enhanced to facilitate timely closeout and recapture of funds. In addition, we recommended that the closeout and recapture process occur periodically during the fiscal year, and not just at year-end. Implementation of the recommendations is critical so that excess budget authority can be recaptured in a timely manner and considered in formulating requests for new budget authority.

Significant Deficiency: HUD Financial Management Systems Need to Comply with Federal Financial Management System Requirements

As reported in prior years, HUD is not in full compliance with federal financial management requirements. Specifically, it has not completed development of an adequate integrated financial management system.
HUD is required to implement a unified set of financial systems. This includes the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls, and data necessary to carry out financial management functions, manage financial operations of the agency, and report on the agency’s financial status to central agencies, Congress, and the public. As currently configured, HUD financial management systems do not meet the test of being unified. The term “unified” is defined as meaning that systems are planned for and managed together, operated in an integrated fashion, and linked electronically to efficiently and effectively provide the agency-wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs.

HUD’s financial systems, many of which were developed and implemented before the issue date of current standards, were not designed to perform or provide the range of financial and performance data currently required. The result is that HUD, on a department-wide basis, does not have unified and integrated financial management systems that are compliant with current federal requirements or provide HUD the information needed to effectively manage its operations on a daily basis. This could negatively impact management’s ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency’s financial results, performance measures, and cost information.

FFMIA Requires HUD to Implement a Compliant Financial Management System

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires, among other things, that HUD implement and maintain financial management systems that substantially comply with federal financial management system requirements.
The financial management system requirements also include implementing information system security controls. These requirements are detailed in the Federal Financial Management System Requirements series issued by the Joint Financial Management Improvement Program/Financial System Integration Office (JFMIP/FISO). The requirements are also included in Office of Management and Budget (OMB) Circular A-127, “Financial Management Systems.” Circular A-127 defines a single integrated financial management system as a unified set of financial systems and the financial portions of mixed systems (e.g., acquisition) encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls, and data necessary to carry out financial management functions, manage the financial operations of the agency, and report on the agency’s financial status.

As in previous audits of HUD’s financial statements, in fiscal year 2008 there continued to be instances of noncompliance with federal financial management system requirements. These instances of noncompliance have given rise to significant management challenges that have: (1) impaired management’s ability to prepare financial statements and other financial information without extensive compensating procedures, (2) resulted in the lack of reliable, comprehensive managerial cost information on its activities and outputs, and (3) limited the availability of information to assist management in effectively managing operations on an ongoing basis.

HUD’s Financial Systems Are Not Adequate

As reported in prior years, HUD does not have financial management systems that enable it to generate and report the information needed to both prepare financial statements and manage operations on an ongoing basis accurately and timely.
To prepare consolidated department-wide financial statements, HUD required the Federal Housing Administration (FHA), the Government National Mortgage Association (Ginnie Mae), and the Office of Federal Housing Enterprise Oversight (OFHEO) to submit financial statement information on spreadsheet templates, which were loaded into a software application. In addition, all consolidating notes and supporting schedules had to be manually posted, verified, reconciled, and traced. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, HUD was compelled to rely on extensive compensating procedures that were costly, labor intensive, and not always efficient.

Due to a lengthy HUD Integrated Financial Management Improvement Project (HIFMIP) procurement process and lack of funding for other financial application initiatives, there were no significant changes made in fiscal year 2008 to HUD’s financial management processes. As a result, the underlying system limitations identified in past years remain. Because of the functional limitations of the three applications (HUDCAPS, LOCCS, and PAS) performing the core financial system function for HUD, HUD depends on its data mart and reporting tool to complete the accumulation and summarization of data needed for U.S. Department of the Treasury and OMB reporting.

HUD’s Financial Systems Do Not Provide Managerial Cost Data

In fiscal year 2006 the Government Accountability Office (GAO) reported in GAO-06-1002R, Managerial Cost Accounting Practices, that HUD’s financial systems do not have the functionality to provide managerial cost accounting across its programs and activities. This lack of functionality has resulted in the lack of reliable and comprehensive managerial cost information on its activities and outputs. HUD lacks an effective cost accounting system that is capable of tracking and reporting costs of HUD’s programs in a timely manner to assist in managing its daily operations.
This condition renders HUD unable to produce reliable cost-based performance information. HUD officials have indicated that various cost allocation studies and resource management analyses are required to determine the cost of various activities needed for mandatory financial reporting. However, this information is widely distributed among a variety of information systems, which are not linked and therefore cannot share data. This makes the accumulation of cost information time consuming, labor intensive, and untimely, and ultimately makes that cost information not readily available.

Budget, cost management, and performance measurement data are not integrated because HUD:

- Did not interface its budget formulation system with its core financial system;
- Lacks the data and system feeds to automate a process to accumulate, allocate, and report costs of activities on a regular basis for financial reporting needs, as well as internal use in managing programs and activities;
- Does not have the capability to derive current full cost for use in the daily management of Department operations; and
- Requires an ongoing extensive quality initiative to ensure the accuracy of the cost aspects of its performance measures as they are derived from sources outside the core financial system.

While HUD has modified its resource management application to enhance its cost and performance reporting for program offices and activities, the application does not use core financial system processed data as a source. Instead, HUD uses a variety of applications, studies, and models to estimate the cost of its program management activities. One of these applications, TEAM/REAP, was designed for use in budget formulation and execution, strategic planning, organizational and management analyses, and ongoing management of staff resources.
It was enhanced to include an allocation module that added the capability to tie staff distribution to strategic objectives, the President’s Management Agenda, and HUD program offices’ management plans. HUD also concluded a pilot program of this functionality in fiscal year 2007. Additionally, HUD has developed time codes and an associated activity for nearly all HUD program offices to allow automated cost allocation to the program office activity level. HUD has indicated that the labor costs that will be allocated to these activities will be obtained from the HUD payroll service provider. However, because the cost information does not pass through the general ledger, current federal financial management requirements are not met.

Financial Systems Do Not Provide for Effective and Efficient Financial Management

During fiscal year 2008, HUD’s financial information systems did not allow it to achieve its financial management goals in an effective and efficient manner in accordance with current federal requirements. To perform core financial system functions, HUD depends on three major applications, in addition to a data warehouse and a report-writing tool. Two of the three applications that perform core financial system functions require significant management oversight and manual reconciliations to ensure accurate and complete information. HUD’s use of multiple applications to perform core financial system functions further complicates financial management and increases the cost and time expended. Extensive effort is required to manage and coordinate the processing of transactions to ensure the completeness and reliability of information.

Additionally, the interface between the core financial system and HUD’s procurement system does not provide the required financial information. The procurement system interface with HUDCAPS does not contain data elements to support the payment and closeout processes.
Also, the procurement system does not interface with LOCCS and PAS. Therefore, the processes of fund certification, obligation, deobligation, payment, and closeout of transactions that are paid out of the LOCCS system are all completed separately, within either PAS or LOCCS. This lack of compliance with federal requirements impairs HUD’s ability to effectively monitor and manage its procurement actions.

HUD Plans to Implement a Department-Wide Core Financial System

HUD plans to implement a commercial, federally certified core financial system and integrate the current core financial system into one Department-wide core financial system. HUD is initiating business process reengineering work to ensure a smooth transition to a single integrated core financial system. FHA and Ginnie Mae have already implemented a compatible and compliant system to support the transition to the enterprise core financial system. HUD plans to select a qualified shared service provider to host the enterprise system and integrate the three financial systems (HUD, FHA, and Ginnie Mae) into a single system by fiscal year 2013. Achieving integrated financial management for HUD will result in a reduction in the total number of systems maintained, provide online, real-time information for management decision-making, enable HUD to participate in E-government initiatives, and align with HUD's information technology modernization goals.

However, HUD’s Integrated Financial Management Improvement Project (HIFMIP), launched in fiscal year 2003, has been plagued by delays, and implementation of the core financial system has not yet begun. Additionally, the previous HIFMIP project manager vacated the position in February 2008, and a permanent replacement has not yet been named.
HIFMIP was intended to modernize HUD’s financial management systems in accordance with a vision consistent with administration priorities, legislation, Office of Management and Budget directives, modern business practices, customer service, and technology. HIFMIP will encompass all of HUD’s financial systems, including those supporting FHA and Ginnie Mae. HUD had intended to begin the implementation in fiscal year 2006. Due to delays with the procurement process, however, HUD anticipates that it will not be able to begin the implementation of its core financial system until fiscal year 2009. The success of the HIFMIP project continues to be at risk due to dated requirement documents, as well as the lack of a permanent, full-time project manager.

We continue to note the following weaknesses with HUD’s financial management systems:

- HUD’s ability to prepare financial statements and other financial information requires extensive compensating procedures.
- HUD has limited availability of information to assist management in effectively managing operations on an ongoing basis.

Significant Deficiency: Controls over HUD’s Computing Environment Can Be Further Strengthened

HUD’s computing environment, data centers, networks, and servers provide critical support to all facets of the Department’s programs, mortgage insurance, financial management, and administrative operations. In prior years, we reported on various weaknesses with general system controls and controls over certain applications, as well as weak security management. These deficiencies increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation.

We evaluated selected information systems general controls of the Department’s computer systems on which HUD’s financial systems reside.
Our review found information systems control weaknesses that could negatively affect HUD’s ability to accomplish its assigned mission, protect its data and information technology assets, fulfill its legal responsibilities, and maintain its day-to-day functions. Presented below is a summary of the control weaknesses found during the review.

Entity-wide Security Program

HUD has made strides toward implementing a compliant entity-wide security program as required by the Federal Information Security Management Act of 2002 (FISMA). HUD developed guidance, conducted meetings, and provided training to program officials to ensure security policies are properly implemented at the program and system level. However, additional progress is needed. Specifically, in fiscal year 2008 we found that:

- HUD’s program offices and system owners did not always ensure that HUD’s inventory of automated systems was up-to-date and systems were properly categorized as required by OMB.
- System owners did not ensure that all non-major applications that are hosted outside of HUD’s infrastructure were secure.
- HUD did not fully comply with OMB’s privacy requirements, including the completion of privacy survey reports and privacy impact assessments for all new systems that contain personally identifiable information[3] before placing them into development or production.
- HUD did not fully implement all technical controls specified by OMB memorandum M-06-16[4], which addresses information that is removed from or accessed from outside the agency.

[3] The term Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. Source: OMB Memorandum M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” dated July 12, 2006.
[4] “Protection of Sensitive Agency Information,” issued June 23, 2006.

Security Controls Over HUD’s Databases

A number of weaknesses were identified by the OIG during a review of security controls over HUD’s databases. We identified security configuration and technical control deficiencies within HUD’s database security controls in the areas of (1) passwords, (2) system patches, and (3) system configuration. If proper access controls are not in place, there is no assurance that the data residing on HUD financial and financial management systems are adequately protected against unauthorized disclosure, modification, or destruction. Allowing conditions that undermine the integrity of security contributes to inefficient security operations and administration or may lead to interruption of production operations. Additionally, improper configurations do not allow the Office of the Chief Information Officer (OCIO) and program offices to ensure that the database environment is managed in a way that is secure, efficient, and effective.

HUD Procurement System

We audited HUD's procurement systems in fiscal year 2006[5]. Through actions taken during fiscal years 2007 and 2008, the Office of the Chief Procurement Officer has made progress toward resolving the issues identified during the audit. However, two significant recommendations made in the report remain open, and the procurement systems continue to be in noncompliance with Federal financial management requirements. The Office of the Chief Procurement Officer (OCPO) has yet to complete the corrective actions for the known open information security vulnerabilities or to develop mitigation strategies if new system development is underway. The OCPO plans to replace the current acquisition systems, but it has not yet been able to secure funding to complete the planned corrective action. Consequently, OCPO has not yet implemented functionality to ensure that there is sufficient information within HUD’s procurement systems to support the primary acquisition functions of fund certification, obligation, deobligation, payment, and closeout.

Controls Over FHA Information Technology Resources

On October 31, 2007, we issued an audit report on our assessment of FHA’s management of its information technology resources[6]. Some recommendations addressed to the OCIO remain open and are expected to be implemented and closed by December 2008 as follows: (1) provide additional guidance and training to application system owners regarding completion of their application’s business impact analysis; (2) complete the design and implementation of an information security program to include descriptions of system owner roles and responsibilities, information on the security controls with FHA for each general support system on which its applications reside, and information on the use of the Information System Security Forum as a user representative forum for each general support system; and (3) develop and provide role-based training to FHA staff with information security roles and responsibilities.

[5] Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems, issued January 25, 2007.
[6] Audit Report No. 2008-DP-0002: Review of FHA Controls Over Its Information Technology Resources.

HUD’s Financial Systems

As part of our review of HUD's information systems controls, we evaluated information security controls over the Northridge Loan System (NLS), Departmental Accounts Receivable Tracking/Collection System (DARTS), HUDCAPS, LOCCS, and the Financial Data Mart. We identified control weaknesses that could negatively affect the integrity, confidentiality, and availability of computerized financial data within three of HUD’s financial systems: HUDCAPS, LOCCS, and the Financial Data Mart.

HUDCAPS

In our fiscal year 2007 audit, we found that the Office of the Chief Financial Officer (OCFO) granted two contracted developers above-read access to the HUDCAPS production data stored within the mainframe environment without documenting either their acceptance of the risks associated with or the justification for this access level. The documentation to support this access was not maintained by the system owner, and acceptance of the risks associated with this access level was not documented in the system security plan. Additionally, neither of the two developers received the required level of background investigation. One developer received only a minimum background investigation. The other developer was not investigated at all.

During fiscal year 2008, the OCFO, in coordination with the OCIO, has made progress in addressing this issue. The OCFO has improved its documentation and maintenance of files containing authorizations and justifications for contracted system developers to have read or above-read access to production data.
They have assessed the risk of providing above-read and read-only access to contractors and have specifically acknowledged and accepted that risk within their system security documentation. However, although the OCFO has obtained a listing of all users with access to the HUDCAPS production environment, they have not yet completed an assessment to determine specifically what HUDCAPS access is granted to each contractor, or prepared a listing of all users with above-read access to application data. They also have yet to initiate a request with the Office of Security and Emergency Planning staff to determine whether the contractor employees have had the appropriate background investigations or to follow up with Office of Security and Emergency Planning staff to ensure background investigations are initiated for contractor staff if required. In addition, they still need to complete actions to remove above-read access privileges for all contracted system developers with unnecessary access within production databases for HUDCAPS and any other OCFO systems.

LOCCS

During our fiscal year 2007 audit, we found that the controls over the LOCCS user recertification process were not effective to verify the access of all users. Systemic deficiencies led to the omission of more than 10,000 users from the LOCCS recertification process. An additional 199 users had last recertification dates within the application prior to March 31, 2006, indicating that they also were not included in the fiscal year 2007 recertification process. During fiscal year 2008, the OCFO made improvements to this process by generating a report from the system that allows them to identify users that only have approving authority within the application for the user recertification process. However, further improvements are necessary to ensure that all users of LOCCS are recertified in accordance with HUD policy.
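The two access-control findings above (contracted developers holding above-read production access without a documented justification, risk acceptance or adequate background investigation, and LOCCS users omitted from or stale in the recertification cycle) are both completeness checks over an access list. The following Python is an added example written for this page, not code from HUD, OIG or any HUD system: it takes a constructed access listing, the set of accounts a recertification run actually processed, and the justification records on file, and reports every account that falls outside the control. The record layout, field names, role labels, background-check tiers and the fiscal-year cutoff are assumptions chosen for the illustration.

```python
"""Access-review completeness checks modelled on the HUDCAPS and LOCCS findings.
Added example; schemas, field names and sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class UserAccess:
    user_id: str
    role: str                          # assumed role labels, e.g. "approver", "developer"
    access_level: str                  # "read" or "above-read" (the report's own terms)
    is_contractor: bool
    last_recertified: Optional[date]   # None = no recertification date in the application


@dataclass(frozen=True)
class AccessJustification:
    user_id: str
    risk_accepted: bool                # risk acceptance recorded in system security documentation
    background_check: str              # assumed tiers: "none", "minimum", "full"


# Constructed sample access listing (not real accounts).
USERS: List[UserAccess] = [
    UserAccess("u1001", "approver", "read", False, date(2008, 3, 15)),
    UserAccess("u1002", "viewer", "read", False, date(2006, 1, 20)),      # stale date
    UserAccess("u1003", "viewer", "read", False, None),                   # never recertified
    UserAccess("c2001", "developer", "above-read", True, date(2008, 2, 1)),
    UserAccess("c2002", "developer", "above-read", True, date(2008, 2, 1)),
    UserAccess("c2003", "developer", "read", True, date(2008, 2, 1)),
]

# Accounts the recertification job actually processed; u1003 and c2002 were skipped.
RECERT_POPULATION: Set[str] = {"u1001", "u1002", "c2001", "c2003"}

# Justification records on file for privileged contractors; c2002's is incomplete.
JUSTIFICATIONS: Dict[str, AccessJustification] = {
    "c2001": AccessJustification("c2001", risk_accepted=True, background_check="full"),
    "c2002": AccessJustification("c2002", risk_accepted=False, background_check="minimum"),
}

# Assumed cutoff: a recertification older than the start of FY2008 is treated as stale.
CUTOFF = date(2007, 10, 1)


def recertification_gaps(users: Iterable[UserAccess], population: Set[str],
                         cutoff: date) -> Dict[str, List[str]]:
    """Map each account the recertification cycle failed to cover to the reasons:
    omitted from the run, no recertification date at all, or a date before `cutoff`."""
    gaps: Dict[str, List[str]] = {}
    for u in users:
        reasons = []
        if u.user_id not in population:
            reasons.append("omitted from recertification run")
        if u.last_recertified is None:
            reasons.append("never recertified")
        elif u.last_recertified < cutoff:
            reasons.append("stale recertification")
        if reasons:
            gaps[u.user_id] = reasons
    return gaps


def undocumented_privileged_access(users: Iterable[UserAccess],
                                   justifications: Dict[str, AccessJustification]
                                   ) -> Dict[str, List[str]]:
    """Flag contractor accounts with above-read production access that lack a recorded
    justification, a documented risk acceptance, or a full background investigation."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        if not (u.is_contractor and u.access_level == "above-read"):
            continue
        j = justifications.get(u.user_id)
        reasons = []
        if j is None:
            reasons.append("no documented justification")
        else:
            if not j.risk_accepted:
                reasons.append("risk acceptance not recorded")
            if j.background_check != "full":
                reasons.append(f"background check: {j.background_check}")
        if reasons:
            findings[u.user_id] = reasons
    return findings


if __name__ == "__main__":
    for uid, why in recertification_gaps(USERS, RECERT_POPULATION, CUTOFF).items():
        print(f"recert gap  {uid}: {', '.join(why)}")
    for uid, why in undocumented_privileged_access(USERS, JUSTIFICATIONS).items():
        print(f"privileged  {uid}: {', '.join(why)}")
```

The check deliberately compares the full access listing against the set of accounts the recertification run processed rather than trusting the run's own output; an account that a filtering defect dropped from the run (the mechanism behind the 10,000 omitted LOCCS users) shows up only if the reviewer starts from the complete population.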
Our review of the 2008 data again identified LOCCS users that were not recertified by the system. This shows that the corrective action taken in response to our 2007 finding did not fully address the problem.

Financial Data Mart

In fiscal year 2007, the OCFO identified and reported that an unauthorized individual had access to sensitive data within the Financial Data Mart that was not needed to perform assigned duties. In June 2007, we determined that an unauthorized individual was accessing production data from the Financial Data Mart using an application’s login ID and password. In addition, the password assigned to the application login ID did not conform to HUD’s password policy. Further, we determined that all users with access to the HUD Web can access and generate reports containing proprietary financial data maintained within the Financial Data Mart.

During fiscal year 2008, the OCFO assessed and accepted the risk associated with providing web users access to some of the data within the Financial Data Mart. In addition, the OCFO, in coordination with the OCIO, initiated plans to obtain and review access logs to the Financial Data Mart server, and to modify application passwords to be in compliance with HUD's password policy. The corrective actions are expected to be completed during fiscal year 2009.

IBM Mainframe z/OS Operating System

In fiscal year 2007, we followed up on previously reported weaknesses related to the IBM mainframe z/OS operating system. For instance, we found that HUD had not: (1) removed the unused data files in the IBM mainframe environment in a timely manner; and (2) removed the references to a retired application. We also reported that more work was needed to ensure that the most powerful administrative authority is restricted to only those persons who require it to perform their duties, and that the administrator account is properly managed.
During our fiscal year 2008 review, we determined that HUD has taken steps to ensure that the super-user authority is properly restricted and the administrator account is properly managed. HUD also removed unused data files from the IBM environment, as well as references to a retired application. Additionally, HUD has established a standard procedure to monitor and oversee the removal of personal data files belonging to users who have left the Department.

Software Configuration Management

We previously reported that weaknesses remain in the areas of support for the Department-wide configuration management[7] function and the HUD Procurement System configuration management plan. We also reported that configuration management plans for several FHA applications lacked information or contained outdated information. There were also weaknesses specific to each configuration management plan we reviewed. HUD has made progress in implementing controls to resolve the reported weaknesses. However, HUD has not yet fully resolved the issue of obsolete and incomplete information in the configuration management plans for the HUD Procurement System and selected FHA applications. For fiscal year 2008, we reviewed the configuration management plan for the Institution Master File (IMF) and found that this plan also lacked information or contained outdated information. Details of this finding will be included in our report for our fiscal year 2008 review of information systems controls in support of the financial statements audit, to be issued during 2009.

Contingency Planning and Preparedness

Although HUD continues to make progress in the implementation of controls for contingency planning and preparedness, improvement is still needed. In fiscal year 2007, our review of the disaster recovery plan for the contractor-operated data center facility indicated that the listing of mission critical applications had not yet been updated.
We were advised that a contract modification was required to update the listing, and HUD planned to accomplish this by December 31, 2007. During our fiscal year 2008 audit, we determined that the listing of mission critical applications still has not been updated. We also found that the appendix containing information on the disaster recovery team personnel was not current.

7 Configuration management is the control and documentation of changes made to a system’s hardware, software and documentation throughout the development and operational life of the system.

In addition, we determined that contingency planning at third party business sites is inadequate. We surveyed 29 third party business partners to determine if they had business continuity plans, continuity of operations plans or disaster recovery plans in place that would provide the means to continue business, relocate to alternative work areas and access HUD systems. We found that sixty-nine percent did not have any type of contingency, continuity or disaster recovery plan. While thirty-one percent of the third party business partners did have some type of plan, those plans contained only limited provisions on backup of critical information and alternative work areas. Staff were unfamiliar with or had limited knowledge of contingency planning requirements, and documentation was not readily available for use in case of emergency. HUD had not specified contingency planning, continuity of operations or disaster recovery requirements in its agreements with third party business partners. Such information is usually included in the terms and conditions of a contract or service-level agreement with the external business partner. Consequently, third party business partners have developed limited contingency planning policies that do not meet HUD or National Institute of Standards and Technology (NIST) requirements.
Physical Security

Our on-site reviews during fiscal years 2006 and 2007 found that physical security controls for HUD facilities were generally in place at the network operations center and the data center, both maintained by HUD’s two information technology infrastructure contractors. This year, we evaluated how HUD’s third party business partners [8] compensate for the lack of physical security controls when information is removed from, maintained or accessed from outside the agency location. We also determined what security guidance is provided by HUD. We found that physical security at the third party business sites we visited is inadequate and weaknesses exist at those sites. We found instances where servers were located in common areas (i.e., lunch rooms, halls), case binders with personally identifiable information were left unattended, no guard or receptionist was at the entrance, access doors were unlocked, and encryption of data residing on laptops or portable devices was not a requirement. We determined that HUD had not specified the level of security controls and included it in the terms and conditions of the contract or service-level agreement with the external business partner. As a result, third party business partners have developed various information technology security controls and policies that do not meet HUD or federal requirements, and therefore cannot be relied upon to provide adequate protection over HUD’s sensitive data.

8 Third party business partners are external business partners who contract to do business with HUD, such as Housing Authorities and mortgage lenders who use the PIH Inventory Management System (PIH-IMS), Tenant Rental Assistance Certification System (TRACS) and Computerized Homes Underwriting Management System (CHUMS).
Significant Deficiency: Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems

For several years, we have reported that HUD’s personnel security practices over access to its systems and applications were inadequate. Deficiencies in HUD’s information technology personnel security program were found and recommendations were made to correct the problems. However, the risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up on previously reported information technology personnel security weaknesses and deficiencies and found that deficiencies still exist. Specifically:

Since 2004, we have reported that HUD does not have a complete list of all users with above-read access at the application level. Those users with above-read access to sensitive application systems are required to have a background investigation. Our review this year found that HUD still does not have a central repository that lists all users with access to HUD’s general support and application systems. Consequently, HUD has no central listing for reconciling that all users who have access to HUD critical and sensitive systems have had the appropriate background investigation.

While HUD’s implementation in 2007 of the Centralized HUD Account Management Process (CHAMP) was a step towards improving its user account management practices, CHAMP remains incomplete and does not fully address OIG’s concerns. Specifically, we found:

a. CHAMP does not contain complete and accurate data. The OCIO did not electronically migrate data from the HUD Online User Registration System (HOURS) into CHAMP. Instead, they chose to enter the legacy data manually. However, this process has not yet been completed. As of April 22, 2008, OCIO has entered user data for 37 out of 248 applications (15%) into CHAMP.
b.
HUD can neither compile a complete listing of all authorized users and their access privileges nor identify all the applications to which users have access because CHAMP does not have reporting capabilities.
c. CHAMP does not contain a mechanism to escalate or reassign tasks that have not been completed within a specified timeframe.
d. CHAMP can only handle access requests for internal users such as HUD employees and contractors, but not for external users such as Housing Authorities and trusted business partners.

During our fiscal year 2007 audit, we reported that contractors were inappropriately granted access to sensitive systems. Consequently, we recommended that the OCIO remove greater-than-read access to sensitive systems for users who have not submitted appropriate background investigation documents or who are no longer authorized to access information resources. Corrective action to resolve this weakness has not yet been completed.

We previously identified a retired HUD employee whose user ID remained active on HUD systems for 13 months following her retirement. In addition, there was evidence to suggest that the network password assigned to that user had been modified approximately six weeks after the employee’s retirement. We found that although HUD had processes and procedures for removing the computer system access of retiring employees, Human Resources, program area application owners, the Office of Security and Emergency Planning, and the Office of the Chief Information Officer need to coordinate to improve these processes.

HUD did not conduct a security categorization and a risk assessment for CHAMP as required by Federal Information Processing Standards (FIPS) Publications (PUB) 199 and 200. HUD’s OCIO incorrectly chose not to conduct a security categorization and risk assessment for CHAMP because they believed that these items are not required for CHAMP, which is listed as a process rather than a system.
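The two reconciliations this finding says HUD could not perform (above-read users without a background investigation, and accounts left active or re-used after an employee's separation) are shown below as an added example; it is not code from the OIG report or from any HUD system. The record layouts, field names, application labels and all sample rows are assumptions constructed for the example.

```python
"""Added example: user-access reconciliation of the kind the audit finding
describes.  Three constructed extracts (application access, background
investigations, HR separations) are joined to find
  (1) users with active above-read access and no completed investigation;
  (2) separated staff whose account is still active, or whose password was
      changed, after the separation date.
All names, fields and sample data are assumptions, not HUD data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

READ_ONLY_LEVELS = {"read"}  # any other level counts as above-read access


@dataclass(frozen=True)
class AccessRecord:
    user_id: str
    application: str
    access_level: str              # e.g. "read", "update", "admin"
    active: bool
    last_password_change: Optional[date]


@dataclass(frozen=True)
class Investigation:
    user_id: str
    completed: Optional[date]      # None: opened but never completed


@dataclass(frozen=True)
class Separation:
    user_id: str
    separated_on: date             # retirement/resignation date from HR


def above_read_without_investigation(access: List[AccessRecord],
                                     investigations: List[Investigation]) -> List[str]:
    """Users holding active above-read access without a completed investigation."""
    cleared = {i.user_id for i in investigations if i.completed is not None}
    return sorted({a.user_id for a in access
                   if a.active
                   and a.access_level not in READ_ONLY_LEVELS
                   and a.user_id not in cleared})


def separated_but_not_deprovisioned(access: List[AccessRecord],
                                    separations: List[Separation],
                                    as_of: date,
                                    grace_days: int = 0) -> List[Tuple[str, str, str, int]]:
    """Accounts of separated staff still active, or with a password change,
    after separation (plus an optional grace period).  Each finding is
    (user_id, application, reason, days_after_separation)."""
    separated_on = {s.user_id: s.separated_on for s in separations}
    findings = []
    for a in access:
        sep = separated_on.get(a.user_id)
        if sep is None:
            continue
        cutoff = sep + timedelta(days=grace_days)
        if a.active and as_of > cutoff:
            findings.append((a.user_id, a.application,
                             "active_after_separation", (as_of - sep).days))
        if a.last_password_change is not None and a.last_password_change > cutoff:
            findings.append((a.user_id, a.application,
                             "password_changed_after_separation",
                             (a.last_password_change - sep).days))
    return findings


# Constructed sample extracts (hypothetical users; not real HUD data).
SAMPLE_ACCESS = [
    AccessRecord("u1001", "LOCCS", "admin",  True,  date(2008, 1, 15)),
    AccessRecord("u1002", "LOCCS", "update", True,  date(2008, 2, 3)),
    AccessRecord("u1003", "TRACS", "read",   True,  date(2008, 3, 9)),
    AccessRecord("u1004", "TRACS", "update", True,  date(2007, 4, 12)),
    AccessRecord("u1005", "LOCCS", "update", False, date(2007, 4, 30)),
]
SAMPLE_INVESTIGATIONS = [
    Investigation("u1002", date(2006, 11, 20)),
    Investigation("u1004", date(2005, 5, 2)),
    Investigation("u1005", None),            # opened, never completed
]
SAMPLE_SEPARATIONS = [
    Separation("u1004", date(2007, 3, 1)),   # retired; account never removed
    Separation("u1005", date(2007, 5, 20)),  # resigned; account was disabled
]


def run_reconciliation(as_of: date = date(2008, 4, 1), grace_days: int = 0) -> dict:
    """Run both checks over the sample extracts and return the findings."""
    return {
        "missing_investigation": above_read_without_investigation(
            SAMPLE_ACCESS, SAMPLE_INVESTIGATIONS),
        "separated": separated_but_not_deprovisioned(
            SAMPLE_ACCESS, SAMPLE_SEPARATIONS, as_of, grace_days),
    }


if __name__ == "__main__":
    for check, rows in run_reconciliation().items():
        print(check)
        for row in rows:
            print("  ", row)
```

With the sample data, u1001 is flagged for holding admin access without a completed investigation, and u1004 is flagged twice: still active 397 days after retirement and a password change 42 days after it, mirroring the pattern in the finding above.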
HUD also believes that since CHAMP is exclusively owned by its information technology contractor, it is not subject to the requirements of a security categorization and a risk assessment. Without a security categorization and risk assessment on CHAMP, HUD cannot know the full extent of risks that the CHAMP process is vulnerable to or whether adequate levels of security controls have been put in place to protect data and applications impacted by CHAMP.

Compliance with Laws and Regulations

HUD Did Not Substantially Comply with the Federal Financial Management Improvement Act

FFMIA requires auditors to report whether the agency’s financial management systems substantially comply with the Federal financial management systems requirements and applicable accounting standards, and support the U.S. Standard General Ledger (SGL) at the transaction level. We found that HUD was not in substantial compliance with FFMIA because HUD’s financial management system did not substantially comply with Federal Financial Management System Requirements. During fiscal year 2008, the Department made limited progress as it attempted to address its financial management deficiencies to bring the agency’s financial management systems into compliance with the Federal Financial Management Improvement Act (FFMIA). However, the deficiencies remain: the Department’s financial management systems continue to not meet current requirements, are not operated in an integrated fashion, and are not linked electronically to efficiently and effectively provide the agency-wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs. HUD's policy is to complete OMB A-127 reviews of all HUD financial systems within a three-year cycle.
HUD did not complete any of the planned 2007 and 2008 independent reviews of its current financial management systems to verify compliance with financial system requirements, identify system and procedural weaknesses, and develop the corrective actions to address identified weaknesses. Additionally, HUD only completed four of the independent reviews that were planned in 2006.

Federal Financial Management System Requirements

In its Fiscal Year 2008 Performance and Accountability Report, HUD reports that 2 of its 42 financial management systems do not comply with the requirements of the FFMIA and OMB Circular A-127, Financial Management Systems. Even though 40 individual systems have been certified as compliant with federal financial management systems requirements, HUD has not adequately performed independent reviews of these systems as required by OMB Circular A-127. Collectively and in the aggregate, deficiencies still exist. We continue to report as a significant deficiency that HUD Financial Management Systems Need to Comply with Federal Financial Management Systems Requirements. The significant deficiency addresses how HUD’s financial management systems remain substantially noncompliant with federal financial management requirements.

FHA’s auditor reports as a significant deficiency that FHA needs to continue to enhance and modernize its financial information systems. The significant deficiency addresses the challenges in FHA’s capacity to simultaneously address various system modernization initiatives and control deficiencies affecting the reliability and completeness of FHA’s financial information.

Ginnie Mae’s auditor reports noncompliance with the Federal Information Security Management Act (FISMA). The Act requires Ginnie Mae to implement an agency-wide information security program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by a contractor.
The auditor’s review found Ginnie Mae lacks assurance that critical information technology general control elements for the Integrated Portfolio Management System (IPMS), which is managed and controlled by a Ginnie Mae contractor, are working effectively to reduce agency information system risks.

We also continue to report as significant deficiencies that (1) Controls over HUD’s Computing Environment Can Be Further Strengthened and (2) Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems. These significant deficiencies discuss how weaknesses with general controls and certain application controls, and weak security management, increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use or misappropriation. In addition, OIG audit reports have disclosed that security over financial information was not provided in accordance with OMB Circular A-130, Management of Federal Information Resources, Appendix III and FISMA. We have included the specific nature of noncompliance issues, responsible program offices and recommended remedial actions in Appendix C of this report.

HUD Did Not Substantially Comply with the Anti-Deficiency Act

HUD’s Office of the Chief Financial Officer (OCFO) is not conducting, completing, reporting and closing the investigation of potential Anti-Deficiency Act violations in a timely manner and has not created timeframes for the conduct and completion of the investigations of potential Anti-Deficiency Act violations, as required by the FY 2003 Appropriation Act, Public Law 108-7, Title II – Department of Housing and Urban Development. Additionally, the OCFO has not reported known violations immediately to the President through OMB, Congress, or GAO, as required by the Anti-Deficiency Act. The OCFO is responsible for investigating and reporting on violations of the Anti-Deficiency Act.
As of the conclusion of this audit, the OCFO had investigated a total of 26 potential Anti-Deficiency Act violations. The Chief Financial Officer (CFO) made determinations that three cases that occurred in 2003 are Anti-Deficiency Act violations that warrant reporting to the President, Congress, and GAO. In regards to determinations for the remaining cases, another three were considered to be Anti-Deficiency Act violations but were still under review by the OCFO, 15 were determined not to be a violation, and five cases were under preliminary review.

Our review determined that although it has been five years since discovery of some of the Anti-Deficiency Act violations, the OCFO has not issued a report on any of the three cases determined to be reportable Anti-Deficiency Act violations. We reviewed the three case files and found that the OCFO completed draft transmittal letters and reports in 2004, but the letters and reports were not issued. The CFO is not in compliance with OMB A-11 Section 435 and 31 U.S.C. 1351 and 1517(b). Specifically, the United States Code states that once it is determined that there has been a violation, it shall be reported immediately to the President, Congress, and GAO. The OCFO stated that the reports have not been submitted to the appropriate parties because OMB and HUD cannot agree on whether or not names should be included in the reports. We feel these reports should not be held up for that reason, since OMB A-11 Section 145 specifically states that the letter will set forth the name and position of the officer(s) or employee(s) responsible for the violation.

Additionally, there are another three investigations that have been determined to be Anti-Deficiency Act violations. The draft reports have been prepared and are under review by the OCFO. Two of these three Anti-Deficiency Act violation cases have been under investigation for four years and the other one has been under investigation for a year.
In our fiscal year 2008 review, we noted that HUD management did complete its review of all outstanding cases. However, HUD management has indicated that they took corrective actions to address any necessary immediate funding actions, and to correct funds control deficiencies and unacceptable long-standing past practices to minimize the risk of future violations. Additionally, HUD management plans to establish and finalize timeframes in an internal OCFO policy memorandum for the conduct and completion of investigations of potential ADA violations during the first quarter of FY 2009 to ensure investigations are conducted, completed, reported, and closed in a timely manner.

APPENDIXES

Appendix A

Objectives, Scope, and Methodology

Management is responsible for
* Preparing the principal financial statements in conformity with generally accepted accounting principles;
* Establishing, maintaining and evaluating internal controls and systems to provide reasonable assurance that the broad objectives of the Federal Managers’ Financial Integrity Act are met; and
* Complying with applicable laws and regulations and government-wide policies.

In auditing HUD’s principal financial statements, we were required by Government Auditing Standards to obtain reasonable assurance about whether HUD’s principal financial statements are free of material misstatements and presented fairly in accordance with generally accepted federal accounting principles. We believe that our audit provides a reasonable basis for our opinion.
In planning our audit of HUD’s principal financial statements, we considered internal controls over financial reporting by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed in operation, assessed control risk, and performed tests of controls to determine our auditing procedures for the purpose of expressing our opinion on the principal financial statements and not to provide assurance on the internal control over financial reporting. Consequently, we do not provide an opinion on internal controls.

We also tested compliance with selected provisions of applicable laws and regulations and government-wide policies that may materially affect the consolidated principal financial statements. Providing an opinion on compliance with selected provisions of laws and regulations was not an objective and, accordingly, we do not express such an opinion.

We considered HUD’s internal control over Required Supplementary Stewardship Information reported in HUD’s Fiscal Year 2008 Performance and Accountability Report by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed in operation, assessed control risk, and performed limited testing procedures as required by AU Section 558, Required Supplementary Information. The tests performed were not to provide assurance on these internal controls, and accordingly, we do not provide assurance on such controls.

With respect to internal controls related to performance measures to be reported in the Management’s Discussion and Analysis and HUD’s Fiscal Year 2008 Performance and Accountability Report, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions as described in Section 230.5 of OMB Circular A-11, Preparation, Submission and Execution of the Budget.
We performed limited testing procedures as required by AU Section 558, Required Supplementary Information, and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended. Our procedures were not designed to provide assurance on internal control over reported performance measures and, accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we
* Examined, on a test basis, evidence supporting the amounts and disclosures in the consolidated principal financial statements;
* Assessed the accounting principles used and the significant estimates made by management;
* Evaluated the overall presentation of the consolidated principal financial statements;
* Obtained an understanding of internal controls over financial reporting, executing transactions in accordance with budget authority, compliance with laws and regulations, and safeguarding assets;
* Tested and evaluated the design and operating effectiveness of relevant internal controls over significant cycles, classes of transactions, and account balances;
* Tested HUD’s compliance with certain provisions of laws and regulations and government-wide policies, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin 07-04, as amended, including the requirements referred to in the Federal Managers’ Financial Integrity Act;
* Considered compliance with the process required by the Federal Managers’ Financial Integrity Act for evaluating and reporting on internal control and accounting systems; and
* Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those controls that are material in relation to HUD’s financial statements.
Because of inherent limitations in any internal control structure, misstatements may nevertheless occur and not be detected. We also caution that projection of any evaluation of the structure to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose all matters in the internal controls over financial reporting that might be significant deficiencies. We noted certain matters in the internal control structure and its operation that we consider significant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the American Institute of Certified Public Accountants, a significant deficiency is a deficiency in internal control, or a combination of deficiencies, that adversely affects HUD’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in a more than remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

Our work was performed in accordance with generally accepted Government Auditing Standards and OMB Bulletin 07-04, as amended. This report is intended solely for the use of HUD management, OMB and the Congress. However, this report is a matter of public record and its distribution is not limited.
Appendix B

Recommendations

To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking System, this appendix lists the newly developed recommendations resulting from our report on HUD’S fiscal year 2008 financial statements. Also listed are recommendations from prior years’ reports that have not been fully implemented. This appendix does not include recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under the separate financial statement audit reports of those entities.

Recommendations from the Current Report

With respect to the significant deficiency that HUD management must continue to improve oversight and monitoring of subsidy calculations and intermediaries’ program performance and promote full utilization of Housing Choice Voucher funds, we recommend that the Office of Public and Indian Housing, in coordination with the Office of General Counsel:

1.a. Seek legislative authority to implement $1.4 billion in offsets against PHAs’ excess unusable funding held in the Net Restricted Assets Account.
1.b. Seek legislative authority to eliminate or modify the leasing restrictions placed on the Housing Choice Voucher program.

With respect to the significant deficiency that HUD management must continue to improve oversight and monitoring of subsidy calculations and intermediaries’ program performance and promote full utilization of Housing Choice Voucher funds, we recommend that the Office of Public and Indian Housing:

1.c. Increase the monitoring efforts over the Net Restricted Asset Account held by PHAs.
1.d. Improve its efforts to increase the fund utilization rates for the Housing Choice Voucher Program.

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Chief Financial Officer, in coordination with the appropriate program offices:

2.a.
Deobligate $122.9 million of excess unexpended funds identified as a result of the fiscal year 2008 financial statement audit.
2.b. Improve and document the quarterly contract reconciliation procedures to ensure that Section 236 obligations reported are valid and can be accurately estimated and reported.
2.c. Implement regularly scheduled review and reconciliation procedures to ensure excess undisbursed contract authority from Rental Assistance Payments and Rent Supplement projects is timely recaptured.

With respect to HUD’s substantial noncompliance with the Federal Financial Management Improvement Act, we recommend that the Chief Financial Officer:

3.a. Develop a plan to comply with OMB A-127 review requirements that results in the evaluation of all HUD financial management systems within a 3-year cycle.

With respect to HUD’s substantial noncompliance with the Anti-Deficiency Act, we recommend that the Chief Financial Officer, in coordination with the appropriate program offices:

4.a. Establish timeframes for the conduct and completion of investigations of potential Anti-Deficiency Act violations as required by the FY 2003 Appropriations Act to ensure investigations are conducted, completed, reported, and closed in a timely manner.
4.b. Report the three known Anti-Deficiency Act violations immediately to the President, Congress, and General Accountability Office (GAO), as required by the Anti-Deficiency Act.

Unimplemented Recommendations from Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’ reports on the Department’s financial statements that have not been fully implemented based on the status reported in the Audit Resolution and Corrective Action Tracking System. The Department should continue to track these under the prior years’ report numbers in accordance with departmental procedures. Each of these open recommendations and its status is shown below.
Where appropriate, we have updated the prior recommendations to reflect changes in emphasis resulting from recent work or management decisions.

OIG Report Number 2008-FO-0003 (Fiscal Year 2007 Financial Statements)

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Chief Financial Officer, in coordination with the appropriate program offices:

1.a. Deobligate $342.3 million of excess unexpended funds identified as a result of the fiscal year 2007 financial statement audit. (Final Action Target Date is 10/31/08; Reported in ARCATS as Recommendation 4A)
1.b. Improve the quarterly contract reconciliation procedure currently being implemented by performing periodic reviews of subsidiary ledgers to ensure that Section 236 obligations reported are valid and can be more accurately estimated and reported. (Final Action Target Date is 10/31/08; Reported in ARCATS as Recommendation 4B)
1.c. Implement a periodic review of terminated Rent Supplement and Rental Assistance Payments projects to ensure changes in contract status are timely identified and excess undisbursed contract authority is recaptured in a timely manner. (Final Action Target Date is 10/15/08; Reported in ARCATS as Recommendation 4C)

With respect to the significant deficiency that HUD needs to improve its budgeting and funds control over Section 8 project-based contracts, we recommend that the Assistant Secretary for Housing, in coordination with the Chief Financial Officer and the Chief Information Officer:

2.a Develop a long-term financial management system solution to streamline and automate the overall Section 8 project-based budgeting, payment, and contract management process.
(Final Action Target Date is 12/31/08; Reported in ARCATS as Recommendation 3A)
2.b Consider revising the current Section 8 project-based recapture methodology to include recapturing funds from expired Section 8 contracts occurring in the current fiscal year. We found that HUD could have recaptured up to $580 million from these expired contracts, in lieu of recapturing funds from active long-term contracts. (Final Action Target Date is 10/31/08; Reported in ARCATS as Recommendation 3B)

Appendix C

Federal Financial Management Improvement Act Noncompliance, Responsible Program Offices, and Recommended Remedial Actions

This Appendix provides details required under Federal Financial Management Improvement Act (FFMIA) reporting requirements. To meet those requirements, we performed tests of compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially comply with the foregoing requirements. The details for our basis of reporting substantial noncompliance, responsible parties, primary causes and the Department’s intended remedial actions are included in the following sections.

Federal Financial Management Systems Requirements

1. HUD’s annual assurance statement issued pursuant to Section 4 of the Federal Managers’ Financial Integrity Act will report two non-conforming systems [9].
The organizations responsible for systems that were found not to comply with the requirements of OMB Circular A-127 based on the Department’s assessments are as follows:

Responsible Office                                  Number of Systems   Non-conforming Systems
Office of Housing                                   19                  0
Office of Chief Financial Officer                   14                  0
Office of Administration                            2                   0
Office of Chief Procurement Officer                 2                   2
Office of Community Planning and Development        2                   0
Office of Public and Indian Housing                 2                   0
Government National Mortgage Association            1                   0
Totals                                              42                  2

9 The two non-conforming systems are: A35-HUD Procurement System and P035-Small Purchase System.

The following section outlines the Department’s plan to correct noncompliance with OMB Circular A-127 as submitted to us as of September 30, 2008 and unedited by us.

Office of the Chief Procurement Officer
A35 HUD Procurement Systems (HPS)
P035 Small Purchase System (SPS)

Columns in the Department’s plan: Noncompliance Issue(s); Tasks/Steps (including Milestones); Target Dates; Completion Dates. Each task below is followed by its target and completion entries in parentheses (Target; Completion), in the order they appear in the plan.

INTERNAL CONTROLS

INTERMEDIATE RESOLUTION PLAN

1. HUD’s Procurement Systems Do Not Have Adequate Controls for Monitoring the Procurement Process

1A Review transactions of the four contracting officers who input records in excess of their contract authority and take actions as appropriate. (COMPLETED; COMPLETED)
  - OCPO researched the transactions in question to determine if the obligations were appropriate or not. (12/23/2006; 12/14/2006)
  - OCPO determined that the transactions were properly executed by contracting officers acting within their authority. No further action is necessary. (3/31/2007; 12/14/2006)

1B Implement system controls to ensure that contracting officers are not able to exceed their procurement authority. (COMPLETED; COMPLETED)
  - The OCPO will implement procurement authority control procedures.
  - The OCPO will include validation of contracting officer authority as part of each Procurement Management Review. (3/31/2007; 4/25/07; Commencing 1/08/2007)

1C Implement controls to ensure that contracting officers are required to either input or approve all transactions that record funds through the HUDCAPS interfaces. (1/8/2007; On-Going)
  - The OCPO will implement procedural controls to require contracting officers to validate transactions in HPS. (COMPLETED; COMPLETED)

1D Modify the systems to make the contracting officer field mandatory. (4/30/2007; 4/25/2007)
  - The OCPO will implement procedures so that electronic records, which are recorded in HPS, are reviewed to ensure that a Contracting Officer is identified for each record. (COMPLETED; COMPLETED)
  - The OCPO will implement validation of the contracting officer identification as part of each Procurement Management Review. See 1B bullet 2 above. Validation of contracting authority is the same as implementation of task. (Revised to 11/30/2008; 6/20/2008; Commencing 1/8/2007; 1/08/2007; On-Going)

NOTE: OCPO is in the process of conducting a cost benefit analysis, whose outcome will determine the best course of action in implementing system changes or replacing systems.

2. HUD Procurement Systems’ Separation of Duties Controls Were Bypassed

2A Ensure that system administration and security administration functions are separate. (COMPLETED; COMPLETED)
  - The OCPO will formally appoint separate individuals to act as security administrator and system administrator for each OCPO system and that the individuals will not be performing conflicting duties. (4/16/2007; 05/01/2007)

2B Ensure that staff is not assigned conflicting duties, that separate functions are performed by separate individuals, and that the concept of least privilege is applied. (COMPLETED; COMPLETED)
  - OCPO will determine if multiple system profiles are actually a valid requirement on an individual basis in HPS. The goal is to eliminate unnecessary and redundant profiles in HPS and that the individuals will not be performing conflicting duties.
    o The OCPO will identify users with multiple HPS profiles (2/15/2007; 12/21/2006)
    o The OCPO will deactivate unnecessary/redundant profiles (07/31/2007; 07/19/2007)
  NOTE: While we can separate the duties procedurally, the separation cannot be enforced in HPS or SPS without reprogramming.

2C Implement formal policies and procedures to recertify the access granted to users at least an [sic] annually. (COMPLETED; COMPLETED)
  - The OCPO will develop and implement formal procedures for granting access by using the concept of least privilege to OCPO systems, as well as annual user access reviews by:
    o Revise system access request forms (1/31/2007; 12/31/2006)
    o Revise process in which user requests system access (2/28/2007; 1/31/2007)
    o Revise procedure in which system access is granted (3/31/2007; 1/31/2007)
    o Develop formal procedure to enforce annual user access review (06/30/2007; 07/18/2007)

2D Create and implement routing functionality within the Small Purchase System to allow users to be granted access to more than one office or region. (COMPLETED; COMPLETED 8/27/2008)
  - OCPO recommends implementing the following tasks to alleviate the routing issue. OCPO will determine if multiple SPS system profiles are actually a valid requirement on an individual basis. The goal is to eliminate all unnecessary and redundant profiles in SPS.
    o The OCPO will identify users with multiple SPS profiles (2/15/2007; 12/21/2006)
    o The OCPO will restructure the issuing office hierarchy to alleviate the necessity of multiple profiles for a given user. (11/30/2007; 12/14/2007)
  NOTE: OCPO is in the process of conducting a cost benefit analysis, whose outcome will determine the best course of action in implementing system changes or replacing systems.

3. HUD’s Procurement Systems Do Not Contain Sufficient Financial Data to Allow It to Effectively Manage and Monitor Procurement Transactions

3A Perform a cost benefit analysis to determine whether it is more advantageous to modify or replace the procurement systems to ensure compliance with Joint Federal Management Improvement Program Requirements. (COMPLETED; COMPLETED)
  - The OCPO will perform a cost benefit analysis to replace the OCPO systems. (05/31/2008; 2/12/2008)

3B Implement functionality to ensure that there is sufficient information within HUD’s procurement systems to support the primary acquisition functions of fund certification, obligation, deobligation, payment, and closeout.
  - Based on the availability of funds, OCPO will replace its systems with COTS software to ensure found issues with internal and security controls are addressed.
  MILESTONES – NOT LATER THAN
    o Develop Independent Government Estimate (5/4/2007; 05/03/2007)
    o Conduct Market Research Source Selection (04/6/2007; 04/06/2007)
    o Roll-out pilot of production system (TBD – Waiting for funding to become available; TBD – No funding provided for FY2008, FY2009 & FY2010 funding are also at risk.)
  NOTE: OCPO is in the process of conducting a cost benefit analysis, whose outcome will determine the best course of action in implementing system changes or replacing systems.

SECURITY CONTROLS

4. The Office of the Chief Procurement Officer Did Not Design or Implement Required Information Security Controls

4A Obtain the training and/or resources necessary to develop or perform compliant (1) information system categorization analyses; (2) risk assessments; (3) security plans; (4) contingency plans and tests; (5) monitoring processes, which include applicable Federal Information Processing Standards Publication 200 managerial, operational, and technical information security controls; and (6) evaluations of the managerial, operational, and technical security controls.
OCPO will ensure that training or other resources are obtained to develop or perform required managerial, operational, and technical security controls. 42 Noncompliance Issue(s) Tasks/Steps Target Dates Completion (including Milestones) Dates Update Risk Assessments Update Security Plans 12/31/2008 08/31/2007 Update Contingency Plans and tests; 12/31/2008 08/31/2007 12/31/2008 Test Performed Monitoring processes, which include 12/13/2007 applicable Federal Information Processing Last C&A Standards (FIPS) Publication 200 conducted FY2008 managerial, operational, and technical 06/30/2005. C&A was information security controls; and Next C&A completed scheduled for on 4th Qrt 2008 8/29/2008. Evaluations of the managerial, operational, and Awaiting technical security controls. Last C&A signed copy conducted from OCIO 06/30/2005. for our Next C&A records. scheduled for 4th Qrt 2008 4B Complete the corrective actions for the known open information security vulnerabilities or develop mitigation strategies if new system development is underway. OCPO will ensure it develops mitigation strategies for the known open information security vulnerabilities. Review vulnerabilities Develop mitigation strategy 11/30/2008 4C Designate a manager to assume responsibility for 11/30/2008 ensuring the Office of the Chief Procurement Officer’s compliance with federal certification and accreditation COMPLETED COMPLETED process requirements and to provide “continuous monitoring” of the office’s information systems security. OCPO will designate a manager responsible for ensuring compliance with information systems security and federal certification and accreditation process. 1/15/2007 03/13/2007 OCPO will work with OCIO to define roles and responsibilities and to ensure that appropriate resources are provided to perform required 2/1/2007 2/1/2007 monitoring and certification and accreditation. 
4D. Reevaluate the HUD Procurement System and Small Purchase System application systems’ security categorization in light of OMB guidance on personally identifiable information. (Target: COMPLETED; Completion: COMPLETED)
  - OCPO will reevaluate the HUD Procurement System and Small Purchase System application systems’ security categorization in light of OMB guidance on personally identifiable information. Target 8/31/2007; completed 8/31/2007.

4E. Perform a Business Impact Analysis (BIA) for the procurement systems. Based on the results of the impact analysis, determine what actions HUD can take to limit the amount of time needed to recover from the various levels of contingencies that can occur, and include the determined actions in the contingency plans for the systems. (Completion: COMPLETED 9/25/2008)
  - OCPO will develop a business impact analysis for the procurement systems and revise the contingency plan based on the BIA.
    o Develop business impact analyses. Target 4/30/2007.
    o Incorporate BIA into contingency plans. Target 9/30/2007.
  NOTE: OCPO is in the process of conducting a cost benefit analysis, whose outcome will determine the best course of action in implementing system changes or replacing the systems.

2. Our audit disclosed significant deficiencies regarding the security over financial information. Similar conditions have also been noted in other OIG audit reports. We are including security issues as a basis for noncompliance with FFMIA because of the collective effect of the issues and noncompliance with Circular A-130, Appendix III, and the Federal Information Security Management Act (FISMA). The responsible office, nature of the problem, and primary causes are summarized below.

Responsible Office: Office of Housing and CIO
Nature of the Problem: Reduction in FHA’s capacity to simultaneously address various system modernization initiatives and control deficiencies affected the reliability and completeness of FHA’s financial information.

FHA currently maintains four Multifamily and 11 Single Family systems that are administered separately from the core financial management system (FHA Subsidiary Ledger, or FHASL). FHA’s two primary Multifamily insurance systems were scheduled to be operational on October 1, 2008, but they were still going through user acceptance testing. The implementation date was revised to November 11, 2008. General control weaknesses were noted in certain FHA Single Family systems, as follows:
  - Only 3 of 24 HUD employees or contractors with access to the Single Family Claims system had complete and proper background investigations.
  - Two users of the Single Family Claims system had unauthorized access rights to read, write, and update records.
  - Five contract developers had update access to Single Family Claims production data files.
  - FHA neither had adequate controls over, nor reviews of, audit logs for the Single Family Claims system.
  - FHA did not develop or implement adequate security controls over information transmitted between FHA and its numerous lenders and other business partners.
  - FHA failed to adequately assess its compliance with mandatory system security controls.
  - FHA did not properly ensure that annual security reviews were completed by HUD employees.

FHA has conducted an accounting risk assessment to identify short- and long-term deficiencies in a manual business process for handling applications for claim benefits under FHA’s Home Equity Conversion Mortgage (HECM) program, but will continue to rely on significant review and reconciliation procedures as compensating controls until a replacement system solution can be procured and implemented.

An independent examination of the HECM notes servicing system, conducted in accordance with AICPA Statement on Auditing Standards (SAS) No. 70, Audits of Service Organizations, Type I, Control Design, identified over thirty specific system control deficiencies, including:
  - Lack of formal approval for critical system security documents
  - Weaknesses with system access policies and physical access control monitoring
  - Inadequate system baseline documentation
  - Lack of formal authorization procedures for system software changes
  - Segregation of duties weaknesses
  - Deficiencies in the Continuity of Operations Plan

Due to deficiencies in the Generic Debt subsystem interface, FHA is unable to maintain reliable cohort-level data for the financing accounts within its FHASL general ledger system, as required by the Credit Reform Act of 1990.

These conditions occurred because, in addition to the efforts to address system deficiencies, FHA’s Systems Division is currently responsible for a number of other major IT-related projects, including:
  - Implementing systems to handle the newly legislated Hope for Homeowners program for risk-sharing of insured single family loans, which became effective October 1, 2008.
  - Procurement and implementation of a new integrated insured reverse mortgage loan and notes servicing system.
  - Implementing the new Real Estate Owned property management system at the various Single Family Marketing and Management (M&M) contractor sites. This system will be interfaced with the SAMS legacy application system.

Managing such critical system initiatives simultaneously, and without additional funding or staff resources, may increase the risk of system or processing errors in the agency’s financial data, or increase the risk of unauthorized access into critical or sensitive agency systems. Such errors or unauthorized access could lead to misstatements in financial reporting or misappropriation of FHA assets.

Responsible Office: Office of Chief Information Officer
Nature of the Problem: Weaknesses exist in HUD’s entity-wide security program. Specifically:
  - In fiscal year 2008, HUD’s program offices and system owners did not always ensure that HUD’s inventory of automated systems was up to date and that systems were properly categorized as required by OMB.
  - System owners did not ensure that all non-major applications that are hosted outside of HUD’s infrastructure were secure.
  - HUD did not fully comply with OMB’s privacy requirements, including the completion of privacy survey reports and privacy impact assessments for all new systems that contain personally identifiable information before placing them into development or production.
  - HUD did not fully implement all technical controls specified by OMB memorandum M-06-16, which addresses information that is removed from or accessed from outside the agency.
These conditions occurred because HUD’s management does not consistently enforce policies and procedures.

Responsible Office: Office of Chief Information Officer
Nature of the Problem: Security configuration and technical control deficiencies within HUD’s database security controls were found in the areas of (1) passwords, (2) system patches, and (3) system configuration. These conditions occurred because HUD’s management does not consistently enforce policies and procedures.

Responsible Office: Office of Chief Procurement Officer
Nature of the Problem: Control weaknesses still exist for the HUD Procurement System (HPS) and HUD Small Purchase System (SPS), specifically:
  - Both procurement systems continue to be in noncompliance with Federal financial management requirements.
  - The Office of the Chief Procurement Officer (OCPO) has yet to complete the corrective actions for the known open information security vulnerabilities or to develop mitigation strategies if new system development is underway.
  - The OCPO plans to replace the current acquisition systems, but it has not yet been able to secure funding to complete the planned corrective action.
Consequently, OCPO has not yet implemented functionality to ensure that there is sufficient information within HUD’s procurement systems to support the primary acquisition functions of fund certification, obligation, de-obligation, payment, and closeout. These conditions occurred because the OCPO has not yet been able to secure funding to complete the planned corrective action.

Responsible Office: Office of Chief Information Officer and Office of the Chief Financial Officer
Nature of the Problem: Control weaknesses that could negatively affect the integrity, confidentiality, and availability of computerized financial data still exist, specifically:
  - Although the OCFO has obtained a listing of all users with access to the HUDCAPS production environment, it has not yet completed an assessment to determine specifically what HUDCAPS access is granted to each contractor, or prepared a listing of all users with above-read access to application data. It also has yet to initiate a request with Office of Security and Emergency Planning staff to determine whether the contractor employees have had the appropriate background investigations, or to follow up with Office of Security and Emergency Planning staff to ensure that background investigations are initiated for contractor staff if required. In addition, it still needs to complete actions to remove above-read access privileges for all contracted system developers with unnecessary access within production databases for HUDCAPS and any other OCFO systems.
  - The corrective action taken to ensure that all users of LOCCS were recertified in accordance with HUD policy was not effective, since we again were able to identify LOCCS users that were not recertified by the system during fiscal year 2008.
  - The OCFO assessed and accepted the risk associated with providing web users access to some of the data within the Financial Data Mart. In addition, the OCFO, in coordination with the OCIO, initiated plans to obtain and review access logs to the Financial Data Mart server and to modify application passwords to comply with HUD's password policy. The corrective actions are expected to be completed during fiscal year 2009.
These conditions occurred because HUD’s management does not consistently enforce policies and procedures.

Responsible Office: Office of Chief Information Officer
Nature of the Problem: Our review of software configuration management indicated that HUD has not yet fully resolved the issue of obsolete and incomplete information in the configuration management plans for the HUD Procurement System and selected FHA applications. For fiscal year 2008, the configuration management plan for the Institution Master File (IMF) lacked information or contained outdated information. These conditions occurred because management does not consistently enforce policies and procedures.

Responsible Office: Office of Chief Information Officer
Nature of the Problem: Our review of the disaster recovery plan for the contractor-operated data center facility indicates that the listing of mission-critical applications still has not been updated, and the appendix containing information on the disaster recovery team personnel was not current. In addition, contingency planning at third party business sites is inadequate. Sixty-nine percent of the 29 third party business partners surveyed did not have any type of contingency, continuity, or disaster recovery plan. While thirty-one percent of the third party business partners did have some type of plan, those plans contained only limited provisions on backup of critical information and alternative work areas. Staff were unfamiliar with, or had limited knowledge of, contingency planning requirements, and documentation was not readily available for use in case of emergency. These conditions occurred because management does not consistently enforce policies and procedures and HUD had not specified contingency planning, continuity of operations, or disaster recovery requirements in its agreements with third party business partners. Consequently, third party business partners have developed limited contingency planning policies that do not meet HUD or National Institute of Standards and Technology (NIST) requirements.

Responsible Office: Office of Chief Information Officer
Nature of the Problem: Physical security at the third party business sites is inadequate, and weaknesses exist at those sites. The servers at those sites were located in common areas (i.e., lunch rooms, halls), case binders with personally identifiable information were left unattended, no guard or receptionist was at the entrance, access doors were unlocked, and encryption of data residing on laptops or portable devices was not a requirement. This condition occurred because HUD had not specified the level of security controls and included it in the terms and conditions of the contract or service-level agreement with the external business partner. As a result, third party business partners have developed various information technology security controls and policies that do not meet HUD or federal requirements, and therefore cannot be relied upon to provide adequate protection over HUD’s sensitive data.

Responsible Office: Office of Chief Information Officer
Nature of the Problem: Personnel security weaknesses still exist, specifically:
  - HUD still does not have a central repository that lists all users with access to HUD’s general support and application systems. Consequently, HUD has no assurance that all users who have access to HUD critical and sensitive systems have had the appropriate background investigation.
  - The Centralized HUD Account Management Process (CHAMP) remains incomplete and does not fully address OIG’s concerns. Specifically, we found:
    a. CHAMP does not contain complete and accurate data. The OCIO did not electronically migrate data from the HUD Online User Registration System (HOURS) into CHAMP. Instead, it chose to enter the legacy data manually. However, this process has not yet been completed. As of April 22, 2008, OCIO had entered user data for 37 out of 248 applications (15%) into CHAMP.
    b. HUD can neither compile a complete listing of all authorized users and their access privileges nor identify all the applications to which users have access, because CHAMP does not have reporting capabilities.
    c. CHAMP does not contain a mechanism to escalate or reassign tasks that have not been completed within a specified timeframe.
    d. CHAMP can only handle access requests for internal users such as HUD employees and contractors, but not for external users such as Housing Authorities and trusted business partners.
  - HUD has not yet completely removed greater-than-read access to sensitive systems for users who have not submitted appropriate background investigation documents or who are no longer authorized to access information resources.
  - HUD had processes and procedures for removing the computer system access of retiring employees; however, controls over these processes needed improvement.
  - HUD did not conduct a security categorization and a risk assessment for CHAMP as required by Federal Information Processing Standards (FIPS) Publications (PUB) 199 and 200. Without a security categorization and risk assessment of CHAMP, HUD cannot know the full extent of the risks to which the CHAMP process is vulnerable, or whether adequate levels of security controls have been put in place to protect the data and applications affected by CHAMP.
These conditions occurred because management does not consistently enforce policies and procedures.

Appendix D
SCHEDULE OF QUESTIONED COSTS AND FUNDS PUT TO BETTER USE

Recommendation Number   Ineligible 1/   Unsupported 2/   Unreasonable or Unnecessary 3/   Funds Put to Better Use 4/
1.a.                                                                                        $1.4B
2.a.                                                                                        $122.9 M

1/ Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity that the auditor believes are not allowable by law, contract, or federal, state, or local policies or regulations.
2/ Unsupported costs are those costs charged to a HUD-financed or HUD-insured program or activity where we cannot determine eligibility at the time of audit. Unsupported costs require a future decision by HUD program officials. This decision, in addition to obtaining supporting documentation, might involve a legal interpretation or clarification of departmental policies and procedures.
3/ Unnecessary/Unreasonable costs are those costs not generally recognized as ordinary, prudent, relevant, and/or necessary within established practices. Unreasonable costs exceed the costs that would be incurred by a prudent person in conducting a competitive business.
4/ Recommendations that funds be put to better use are estimates of amounts that could be used more efficiently if an Office of Inspector General (OIG) recommendation is implemented. This includes reductions in outlays, deobligation of funds, withdrawal of interest subsidy costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in pre-award reviews, and any other savings which are specifically identified.

Appendix E
Agency Comments

Appendix F
OIG EVALUATION OF AGENCY COMMENTS

With the exception of the report’s conclusions on HUD’s substantial noncompliance with the Federal Financial Management Improvement Act of 1996 (FFMIA) and FHA’s auditor’s conclusion that FHA did not comply with the Credit Reform Act, HUD management generally agreed with our presentation of findings and recommendations, subject to detailed comments. HUD’s management disagrees with the conclusion that HUD is still not substantially compliant with FFMIA.
HUD agrees that its systems and processes can be more efficiently integrated to eliminate the need for existing compensating controls, but feels that the existing environment is substantially compliant and does not represent a material risk of misreporting. We disagree with HUD’s conclusions. FFMIA emphasizes the need for agencies to have systems that are able to generate reliable, useful, and timely information for decision-making purposes and to ensure accountability on an ongoing basis. The deficiencies noted in HUD’s financial management systems are due to the current financial system having been developed prior to the issuance of current requirements. It is also technically obsolete, has inefficient multiple batch processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies, HUD’s management systems are unable to routinely produce reliable, useful, and timely financial information. This weakness manifests itself by limiting HUD’s capacity to manage with timely and objective data, and thereby hampers its ability to effectively manage and oversee its major programs. In addition, HUD is not fully compliant with one of the three indicators of compliance with Federal financial management requirements: HUD has significant deficiencies related to security over financial management information systems, as measured against FISMA and OMB Circular A-130, Appendix III. The Department has not met the minimum set of automated information resource controls relating to Entity-wide Security Program Planning and Management.

HUD disagreed with the FHA auditor’s conclusion that FHA did not comply with the Credit Reform Act of 1990 due to FHA’s inability to maintain accurate trial balances at the cohort level for financing accounts.
FHA’s auditor reported that: “Due to deficiencies in the interface with the Generic Debt subsystem, the FHA’s core financial management system does not maintain accurate trial balance account information at the cohort level for the financing accounts. Accordingly, FHA may not be able to accurately calculate the re-estimated cost “for a group of direct loans or loan guarantees for a given credit program made in a fiscal year” in accordance with the requirements of Statement of Federal Financial Accounting Standard No. 2, Accounting for Direct Loans and Loan Guarantees, and the Federal Credit Reform Act of 1990. These balances are adjusted manually at the end of the year.”

FHA’s auditor reviewed and considered HUD’s and FHA’s comments and disagreed with HUD and FHA concerning FHA’s noncompliance with the Credit Reform Act.
Additional Details to Supplement Our Report on HUD's Fiscal Years 2008 and 2007 Financial Statements
Published by the Department of Housing and Urban Development, Office of Inspector General on 2008-11-14.