Issue Date
November 14, 2008
Audit Case Number
2009-FO-0003
TO: John W. Cox, Chief Financial Officer, F
FROM:
Thomas R. McEnanly, Director, Financial Audits Division, GAF
SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2008 and
2007 Financial Statements
HIGHLIGHTS
What We Audited and Why
We are required to annually audit the consolidated financial statements of the U.S.
Department of Housing and Urban Development (HUD) in accordance with the
Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal
years 2008 and 2007 financial statements is included in HUD’s Fiscal Year 2008
Performance and Accountability Report. This report supplements our report on
the results of our audit of HUD’s principal financial statements for the fiscal years
ending September 30, 2008, and September 30, 2007. Also provided are
assessments of HUD’s internal controls and our findings with respect to HUD’s
compliance with applicable laws, regulations, and government-wide policy
requirements, and provisions of contracts and grant agreements.1
1
Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included
in this report but are included in the accounting firm of Urbach Kahn and Werlin LLP’s audit of FHA’s financial
statements. That report has been published in our report, Audit of Federal Housing Administration Financial
Statements for Fiscal Years 2008 and 2007 (2009-FO-0002, dated November 07, 2008).
Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD
component, are not included in this report but are included in the accounting firm of Carmichael, Brasher, Tuvell
Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of
Government National Mortgage Association Financial Statements for Fiscal Years 2008 and 2007 (2009-FO-0001,
dated November 07, 2008).
What We Found
In our opinion, HUD’s fiscal years 2008 and 2007 financial statements
were fairly presented. Our opinion on HUD’s fiscal years 2008 and 2007
financial statements is reported in HUD’S Fiscal Year 2008 Performance
and Accountability Report. The other auditors and our audit also
disclosed the following significant deficiencies in internal controls related
to the need to:
Continue improvements in the oversight and monitoring of subsidy
calculations and intermediaries program performance and promote full
utilization of Housing Choice Voucher funds;
Improve the processes for reviewing obligation balances;
Comply with federal financial management systems requirements;
Further strengthen controls over HUD’s computing environment;
Improve personnel security practices for access to the Department’s
critical financial systems;
Continue to enhance and modernize FHA’s financial information systems;
and
Strengthen Ginnie Mae’s monitoring and management controls in regard
to the mortgage-backed security program.
Our findings include the following four instances of non-compliance with
applicable laws and regulations:
HUD did not substantially comply with the Federal Financial Management
Improvement Act regarding system requirements.
HUD did not substantially comply with the Anti-deficiency Act;
FHA does not comply with the Credit Reform Act of 1990.
Ginnie Mae did not comply with the Federal Information Management
Security Act.
The audit also identified $122.9 million in excess obligations recorded in HUD’s
records. We also are recommending that HUD seek legislative authority to
implement $1.4 billion in offsets against housing agencies’ excess unusable
funding held in Net Restricted Assets Accounts at the housing agencies. These
amounts represent funds that HUD could put to better use.
2
What We Recommend
Most of the issues described in this report represent long-standing weaknesses.
We understand that implementing sufficient change to mitigate these matters is a
multiyear task due to the complexity of the issues, insufficient information
technology (IT) systems funding, and other impediments to change. In this and in
prior years’ audits of HUD’s financial statements, we have made
recommendations to HUD’s management to address these issues. Our
recommendations from the current audit, as well as those from prior years’ audits
that remain open, are listed in Appendix B of this report.
For each recommendation without a management decision, please respond and
provide status reports in accordance with HUD Handbook 2000.06, REV-3.
HUD’s Response
The complete text of the agency’s response can be found in Appendix E. This
response, along with additional informal comments, was considered in preparing
the final version of this report.
3
TABLE OF CONTENTS
Highlights 1
Internal Control 5
Compliance with Laws and Regulations 30
Appendixes
A. Objectives, Scope, and Methodology 33
B. Recommendations 36
C. FFMIA Noncompliance, Responsible Program Offices, and Recommended 39
Remedial Actions
D. Schedule of Questioned Costs and Funds Put to Better Use 51
E. Agency Comments 52
F. OIG Evaluation of Agency Comments 54
4
Internal Control
Significant Deficiency: HUD Management Must Continue to Improve
Oversight and Monitoring of Subsidy Calculations and Intermediaries’
Program Performance and Promote Full Utilization of Housing Choice
Voucher Funds
Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds
through various grant and subsidy programs to multifamily project owners (both nonprofit and
for profit) and housing agencies. These intermediaries, acting for HUD, provide housing
assistance to benefit primarily low-income families and individuals (households) that live in
public housing, Section 8 and Section 202/811 assisted housing, and Native American housing.
In fiscal year 2008, HUD spent about $28 billion to provide rent and operating subsidies that
benefited more than 4.8 million households.
Since 1996, we have reported on weaknesses with the monitoring of the housing assistance
program’s delivery and the verification of subsidy payments. We focused on the impact these
weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing
subsidies and (2) verify tenant income and billings for subsidies. During the past several years,
HUD has made progress in correcting this deficiency. In 2008, HUD continued utilizing the
comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts
to address public housing agencies’ (PHA) improper payments and other high-risk elements.
HUD’s continued commitment to the implementation of a comprehensive program to reduce
erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying
out their responsibility to administer assisted housing programs according to HUD requirements.
The Department has demonstrated improvements in its internal control structure to address the
significant risk that HUD’s intermediaries are not properly carrying out their responsibility to
administer assisted housing programs according to HUD requirements. HUD’s increased and
improved monitoring has resulted in a significant decline in improper payment estimates over the
last five years. However, HUD needs to continue to place emphasis on its on-site monitoring
and technical assistance to ensure that acceptable levels of performance and compliance are
achieved and periodically assess the accuracy of intermediaries rent determinations, tenant
income verifications, and billings.
Tenant income is the primary factor affecting eligibility for housing assistance, the amount of
assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy
payment makes up the difference between 30 percent of a household’s adjusted income and the
housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The
admission of a household to these rental assistance programs and the size of the subsidy the
household receives depend directly on the household’s self-reported income. However,
significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent
determinations and undetected, unreported, or underreported income. By overpaying rent
subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds
that could have been used to subsidize other eligible families in need of assistance.
5
HUD’s Estimate of Erroneous Payments Decreased in
Fiscal Year 2008
The estimate of erroneous payments that HUD reports in its Performance and
Accountability Report relates to HUD’s inability to ensure or verify the accuracy
of subsidy payments being determined and paid to assisted households. This
year’s contracted study of HUD’s three major assisted housing programs
estimated that the rent determination errors made by the intermediaries resulted in
substantial subsidy overpayments and underpayments. The study was based on
analyses of a statistical sample of tenant files, tenant interviews, and income
verification data for activity that occurred during fiscal year 2007. However, the
amounts reported in the study have been adjusted due to recent program structure
changes.
The Public Housing programs switched to Asset Management and began
calculating formula income for PHAs as noted in 24 CFR 990.195 Calculating
Formula Income. This change eliminated the 3 types of improper payment errors
for the Public Housing program. This new process was implemented in January
2007. Therefore for FY 2007 this process was in place for the last 3 quarters of
the year and HUD subsidy errors occurred only in the first quarter. Errors could
still be made by PHAs in their calculation of the amount of tenant rent or tenants
could still be under reporting their income, however beginning January 2007 this
no longer affected HUD’s subsidy. The Quality Control (QC) study and Income
Match Reporting study estimated these errors for the entire fiscal year because
this information is useful to management of both PIH and the PHAs. However,
based on the conversion to asset management and the change in calculating
formula income becoming effective in January 2007, only 25 percent of the
amount calculated for the Administrator, Income Reporting, and Billing errors
should be reported for FY 2007. In addition, the establishment of a budget based
funding methodology was implemented for the Housing Choice Voucher Program
to eliminate the opportunity for billing errors in that program. Budget based
means that each PHA will have a set annual budget for vouchers to serve their
clients needs. The PHA will receive the annual budget in 12 equal monthly
payments – thus eliminating the need to bill HUD and eliminating the Billing
Error.
Based on the previously mentioned program structure changes, HUD is reporting
subsidy payment inconsistencies in which HUD incorrectly paid $671.5 million in
annual housing subsidies. This is a 30 percent decrease in the gross erroneous
payments in comparison to the prior year. The estimate of erroneous payments is
reported in HUD’s Fiscal Year 2008 Performance and Accountability Report as
Other Accompanying Information and will reflect the adjusted error estimates.
The estimate of erroneous payments this year also includes overpaid subsidies
from underreported and unreported income and intermediaries’ billings errors.
6
HUD estimated that housing subsidy overpayments from tenants misreporting
their income totaled an additional $249.8 million in overpayments during calendar
year 2007.
HUD did not conduct a billings study during fiscal year 2008. Therefore, the
results of prior year’s study will carryover for this year’s billings error estimate
and have been adjusted according to the previously mentioned program structural
changes. Based on the payment errors that were identified for the Office of
Housing’s project-based Section 8 housing program, HUD reported an estimated
$59 million in program billings errors for fiscal year 2006. In addition, PIH’s
billings error estimate has been reduced to zero for the Housing Choice Voucher
program.
Additionally, an operating subsidy estimate of $12.3 million was included in the
PIH billings estimate. Therefore, adding the Office of Housing’s estimate of $59
million to the PIH estimate of $12.3 million for operating subsidy results in a
$71.3 million estimate of erroneous payments for billings errors.
In totality, HUD has reduced the combined gross improper rental housing
assistance payment estimates to $993 million in Fiscal Year 2007. This is a total
reduction of 35% in comparison to the prior year estimates.
In addition to the Rental Housing Integrity Improvement Project (RHIIP)-related
estimates, HUD performed a risk assessment update on one third of all HUD
programs exceeding $40 million in expenditures (except those associated with the
RHIIP) to determine whether they are susceptible to significant erroneous or
improper payments. The OCFO performed a risk assessment on nine of HUD’s
funded activities (programs). The nine programs were updated and reevaluated
for the current risk assessment. Although individual program risk ratings for the
nine programs may have changed slightly, none of the programs evaluated were
considered susceptible to significant improper payments for fiscal year 2007, as
defined in OMB Circular A-123, Appendix C, Part 1.
HUD Needs to Continue Initiatives to
Detect Unreported Tenant Income
The computer matching agreement between HUD’s Office of Housing and the
Department of Health and Human Services (HHS) for use of the National
Directory of New Hires in the Enterprise Income Verification system (EIV) was
finalized in fiscal year 2008. HUD successfully expanded its computer matching
program with the HHS data to all of its rental assistance programs (public
housing, housing vouchers, and project-based housing) when HUD s project-
based program gained access to the HHS database on January 15, 2008. The
other programs had gained access previously. HUD intends to issue a final rule
mandating the use of this matching data by the end of this calendar year.
7
EIV is a web-based system that compiles tenant income information and makes it
available online to HUD business partners to assist in determining accurate tenant
income as part of the process of setting rental subsidy. Currently, EIV matches
tenant data against Social Security Administration information, including Social
Security benefits and Supplemental Security Income, and with the HHS National
Directory of New Hires (NDNH) database, which provides information such as
wages, unemployment benefits, and W-4 (“new hires”) data, on behalf of PIH and
Multifamily Housing programs. The EIV System is available to PHAs
nationwide and to Owner Administered project-based assistance programs, and all
are encouraged to use and implement the EIV System in their day-to-day
operations.
Additionally, the Department is also in the process of implementing the
Multifamily Housing Error Tracking Log (ETL) initiative. The ETL initiative
will document whether and to what extent owners are accurately, thoroughly, and
clearly determining family income and rents in the Office of Multifamily Housing
Subsidy Programs, and will track the specific dollar impact of income and rent
discrepancies and the corresponding resolution of such errors.
HUD Needs to Continue Progress on RHIIP
Initiatives to Monitor Program Administrators
HUD initiated the Rental Housing Integrity Improvement Project (RHIIP) as part
of an effort in fiscal year 2001 to develop tools and the capability to minimize
erroneous payments. This type of erroneous payments targeted includes the
excess rental subsidy caused by unreported and underreported tenant income.
Since our last report, HUD has continued to make progress addressing the
problems surrounding housing authorities’ rental subsidy determinations,
underreported income, and assistance billings. However, HUD still needs to
ensure that it fully utilizes automated tools to detect rent subsidy processing
deficiencies and identify and measure erroneous payments.
During fiscal year 2006, HUD implemented a five year plan initiative to perform
consolidated reviews in order to reinforce the Office of Public and Indian
Housing’s (PIH) effort in addressing public housing agencies (PHA) improper
payments and other high-risk elements. These reviews were also implemented to
ensure the continuation of the PIH’s comprehensive monitoring and oversight of
PHAs. The five-year plan required to perform Tier 1 comprehensive reviews on
approximately 20 percent or 490 of the PHAs that manage 80 percent of HUD’s
funds. According to the Fiscal Year 2008 Management Plan directive, PIH
identified 100 PHAs that receive 80 percent of HUD’s funding for the priority
Tier 1 comprehensive reviews. Tier 2 comprehensive reviews of the remaining
PHAs were optional, depending upon each field office’s resources. Tier 1
comprehensive reviews included rental integrity monitoring (RIM), RIM follow-
up on Corrective Action Plans (CAPs), EIV implementation and security, Section
8 Management Assessment Program (SEMAP) confirmatory reviews, SEMAP
8
quality control reviews, Exigent Health & Safety (EH&S) spot-checks,
Management Assessment Subsystem (MASS) certifications, and civil rights
limited front-end reviews.
Documentation provided during our review showed that 101 Tier I reviews and 17
Tier II reviews were performed during fiscal year 2008. Because of the
deficiencies identified in the consolidated reviews, CAPs were implemented at 46
PHAs from the Tier 1 and at 17 PHAs from the Tier II Reviews. At the end of
our fieldwork, none of the CAPs from these reviews had been closed out.
Additionally, at the end of our fiscal year 2008 fieldwork we noted that 6 CAPs
were still open from the 2003-2004 RIM follow-up reviews. During our fiscal
year 2007 review, we determined that 6 of these CAPs were still open because the
respective PHA was either in receivership or in troubled status. HUD must
continue to assure that CAPs are implemented and closed out, thereby assuring
that the systemic errors identified during the reviews were corrected.
In prior years, we reported that the Public Housing Information Center system
(now known as the PIH Inventory Management System or (PIC-IMS))
information was incomplete and/or inaccurate because housing authority reporting
requirements were discretionary. As a result PHAs have been mandated to
submit 100 percent of their family records to HUD’s Public Housing Information
Center system (Inventory Management System) Form 50058 Module. If PHAs do
not meet the minimum reporting rate of 95 percent at the time of their annual
Form HUD 50058 reporting rate assessment they are subject to sanctions. During
our field review at four field offices, we noted 41 PHAs that were not meeting the
minimum 95 percent reporting rate. None of these PHAs were sanctioned during
2008, HUD annually evaluates those PHAs not meeting the 95% requirement, this
evaluation was postponed until April 2009 after the new PIC-IMS software is
deployed. Since HUD uses the tenant data from its Public Housing Information
Center system (Inventory Management System) for the income-matching program
and program monitoring, it is essential that the database have complete and
accurate tenant information. Therefore, until a more efficient and effective means
of verifying the accuracy of the data is developed, HUD needs to continue to
emphasize the importance of accurate reporting and proactively enforce sanctions
against those PHAs that do not follow the requirement.
HUD has made substantial progress in taking steps to reduce erroneous payments.
However, HUD must continue its regular on-site and remote monitoring of the
PHAs and use the results from the monitoring efforts to focus on corrective
actions when needed. We are encouraged by the on-going actions to focus on
improving controls regarding income verification, as well as HUD’S plans
regarding CAPs, consolidated reviews, and the continual income and rent training
for HUD staff, owners, management agents, and PHAs.
9
Public Housing Agencies Accumulation of Funds in the
Net Restricted Asset Account
Congress, in an attempt to limit the cost of the Housing Choice Voucher Program
and to provide flexibility to the Public Housing Agencies (PHAs) in the
administration of available program funding, enacted provisions in the fiscal year
2005 Appropriation Act (Public Law 108-447), that significantly changed the way
HUD provides and monitors the subsidy paid to housing agencies. Starting
January 1, 2005, Congress changed the basis of the program funding from a “unit-
based” process to a “budget-based” process that limits the Federal funding to a
fixed amount. Under the legislation, HUD records the funding allocated to the
PHA as an expense and no longer records a receivable for any under-utilized
funds because the public housing authorities retain and are expected to use the
funds in their entirety for authorized program activities and expenses within the
time allowed. Program guidance states that any budget authority provided to
PHAs that exceeds actual program expenses for the same period must be
maintained in a housing agencies’ net restricted assets account. Although these
funds are retained by the PHA and not the Department, the Department has a
responsibility to ensure that these funds are properly accounted for and are used
for authorized program activities. HUD is also responsible for monitoring both
overutilization and underutilization of funds and for ensuring that appropriated
funds are being used to serve the maximum number of families. According to
HUD’s records, as of June 30, 2008, the net restricted assets account has
increased to a balance of approximately $1.9 billion for 2,307 PHAs. Further, this
$1.9 billion in unused funding is the balance remaining after an offset of $723
million required by the Fiscal Year 2008 Appropriations Law. Of the $1.9 billion,
$1.4 billion has been categorized as unusable by the PHAs. The unusable portion
of the net restricted assets account balance represents the excess of the amount
that would be required to achieve 100 percent utilization of the vouchers awarded
to the PHAs for the calendar year.
The balance in this account has increased to this level because housing agencies
are not fully utilizing the housing choice voucher funds allocated. Due to
uncertainty over each year’s funding allocation, PHAs have reduced their
spending in anticipation of the need to cover future costs from current resources.
Late enactment of appropriations has required PHAs to begin each year without
knowing their allocations. Also, the utilization of voucher funds are further
limited because program regulations prohibit a PHA from leasing more units than
those approved in its contract, even when there is a need and the resources are
available to increase the number of families being served. The lifting of these
leasing restrictions requires legislative action by Congress. HUD has proposed
such legislative change, but it has not been enacted.
10
Below Target Utilization Rates
We reviewed HUD’s Section 8 Management Assessment Program (SEMAP)
Utilization Summary Report as of September 17, 2008. This report showed that
55 percent of the PHAs have utilization rates of less than 95 percent, which is
below the fiscal year 2004 rate of 98.5 percent achieved using the previous
funding mechanism and the Department’s FY 2011 target utilization rate of 97
percent. We reviewed the dollar amount utilization rate from the Net Restricted
Assets Monitoring report. Our analysis of the report indicated that PHA
performance for FYs 2005 through 2007 resulted in a calculated utilization rates
of 96.0, 90.4, and 93.8 percent, respectively. HUD has acknowledged that
continued improvements in utilization are needed, and plans to continue to link
future administrative fee payments to PHA leasing levels.
In addition, five recent OIG audits 2 have indicated that the accumulation of the
net restricted assets has increased the risk of fraud, waste, and abuse of voucher
program funds. The audits performed by our field offices at four PHAs revealed
irregularities including the misuse of program funds, deficient accounting records
and lack of control to ensure adequate utilization. Specifically, the audits
indicated that housing choice voucher program funds were being used by PHAs to
cover operating costs of other programs and that the funds were being spent on
ineligible activities. The audits also found that a PHA did not properly update its
financial systems for housing assistance and administrative fee payments made
for the voucher program. In addition, we found that its accounting records did not
support the balance of the net restricted assets. These issues combined with a lack
of adequate funding utilization have resulted in a rapid accumulation of unused
funds.
The issues noted in these audits occurred in part because the Department does not
include the net restricted assets account balance as part of its on-site monitoring
review of PHAs. The Real Estate Assessment Center (REAC) performs a desk
review of the Financial Accounting Sub-System (FASS) submissions from the
PHAs. The submissions include two memo accounts regarding the net restricted
assets balances (Net Cumulative Administrative Fees Equity and Net Cumulative
Administrative Fees Equity). Although REAC reviews the submissions and
informs the Financial Management Center and Field Offices of any irregularities,
their review is primarily limited to the financial statements, data schedules that
support the financial statements, and other data reported by the housing agencies
that have been entered into the Department’s systems. REAC relies on the work
of the Independent Auditors for review of the PHAs financial records that support
the FASS submissions. In addition, the Quality Assurance Division (QAD)
2
Dallas Housing Authority Audit Report Audit Report #2008-FW-1006, City of Los Angeles Housing Authority Audit
Report Audit Report #2008-LA-1015, Housing Authority of the County of San Mateo, Belmont, CA Audit Report #
2007-LA-1014, Dallas Housing Authority Audit Repot # 2008-FW-1011 and Richard Housing Authority, Richard, WA
Audit Report Audit Report #2008-SE-1006.
11
conducts on-site reviews of selected PHAs to validate the leasing and cost data
reported by the agencies in the Voucher Management System (VMS), but does
not review data to support net restricted assets account balances.
The leasing restrictions imposed by Congress do not allow the program to operate
at its fullest potential and the $723 million offset was not sufficient to recapture
the excess funding held by the PHAs. We recommend that HUD significantly
reduce the net restricted assets balance by seeking the legislative authority to
implement additional offsets of the $1.4 billion of the unusable funding
accumulated and to again request that the programs’ leasing restrictions be
eliminated or modified in order for more families to receive assistance. We also
recommend the Department increase both its on-site monitoring efforts of this
account balance, as well as continue to improve its efforts to increase fund
utilization by linking administrative fee payments to PHA leasing levels.
Significant Deficiency: HUD Needs to Improve Processes for Reviewing
Obligation Balances
HUD needs to improve controls over the monitoring of obligation balances to ensure they remain
needed and legally valid as of the end of the fiscal year. HUD’s procedures for identifying and
deobligating funds that are no longer needed to meet its obligations were not always effective.
This has been a long-standing weakness. Our review of the 2008 year-end obligation balances
showed $122.9 million in excess funds that could be recaptured. We have been reporting
deficiencies in this area for several years and while HUD has been working to implement
improved procedures and information systems, progress has been slow. Major deficiencies
include: timely reviews of unexpended obligations for Administrative, Program Rental
Assistance Payment, Rent Supplement, and Interest Reduction Program are not being performed.
Annually, HUD performs a review of unliquidated obligations to determine whether the
obligations should be continued, reduced, or canceled. We evaluated HUD’s internal controls
for monitoring obligated balances.
Project-based Section 8
Contracts
HUD’s systems and controls for accounting, processing payments, monitoring, and
budgeting for Section 8 project-based contracts need to be improved. HUD has been
hampered in their ability to estimate funding requirements, process timely payments to
project-based landlords, and to recapture excess funds in a timely manner. This is
evidenced in HUD’s long-term challenges in paying Section 8 project-based landlords on
a timely basis and properly monitoring and accurately accounting and budgeting for
contract renewals.
12
HUD currently administers 17,986 housing assistance payment (HAP) contracts to
provide about 1.25 million low-income housing units. A total of 13,605 contracts,
covering 966,020 housing units, are subject to annual renewals.
Section 8 budget authority is generally available until expended. As a result, HUD
should periodically assess budget needs and identify excess program reserves in the
Section 8 programs as an offset to future budget requirements. Excess program reserves
represent budget authority originally received, which will not be needed to fund the
related contracts to their expiration. While HUD had taken actions to identify and
recapture excess budget authority in the Section 8 project-based program, weaknesses in
the review process and inadequate financial systems continue to hamper HUD’s efforts.
There is a lack of automated interfaces between the Office of Housing subsidiary records
with the Department’s general ledger for the control of program funds. This necessitates
that HUD and its contractors make extensive use of ad hoc analyses and special projects
to review Section 8 contracts for excess funds, which has hampered HUD’s ability to
identify excess funds remaining on Section 8 contracts in a timely manner.
This fiscal year, the Office of Housing recaptured approximately $428.3 million in
unliquidated obligation balances from 9,207 contracts in the Section 8 project-based
program. Our review of the Section 8 project-based contracts showed an additional $44.8
million of available contract/budget authority on 102 contracts that had expiration dates
prior to January 1, 2008. Funds associated with these contracts should be recaptured.
During our review, we also found 32 contracts listed in the PAS that were not included in
REMS data provided to us by Multifamily Housing. REMS is the official source of data
on Multifamily Housing’s portfolio of insured and assisted properties. Upon further
analysis of the 32 contracts, we determined that the funds available on 28 of the contracts
had been recaptured during fiscal year 2008. We verified the status of the remaining four
contracts with the Accounting Center in Fort Worth, TX. We found that no records
existed for one contract, two contracts had been paid off, and one was expired. The
available balance remaining on the four contracts, which totals approximately $29.6
million, should be recaptured.
A Long-term Financial Management
System Solution is Needed
While our review indicated improvements in PAS data quality, HUD still needs to
develop a long-term financial management system solution to streamline and automate
the overall Section 8 project-based budgeting, payment, and contract management
process. HUD’s process for renewing subsidy contracts is largely an ad hoc process.
HUD lacks the internal processes to timely estimate the contract funding level on an
ongoing basis. There is a lack of automated interfaces between the Office of Housing
subsidiary records with the Department’s general ledger for the control of program funds.
This necessitates that HUD and its contractors make extensive use of ad hoc analyses and
special projects to review Section 8 contracts. Our review of the Section 8 project-based
13
account balances showed deficiencies that raised concerns about use of PAS data for
computing funding requirements for Section 8 project-based assistance contracts.
Specifically, we noted that:
Funds totaling $1.1 million were recaptured from 32 projects that were reported in
PAS as having no available balance.
PAS data contained 24 funding lines with contract expiration dates prior to 1974,
which is the year that Congress authorized the Section 8 program. Of the 24, 12
funding lines were reported in PAS as having $10.4 million funds available.
Administrative/Other Program
Obligations
Requests for obligation reviews were forwarded by the Chief Financial Officer to
the administrative and program offices. The focus of the review was on
administrative obligations that exceeded a balance of $17,000 and program
obligations that exceeded $217,000. Excluding the Section 8 and Section 235/236
programs, which undergo separate review processes; HUD identified 1,923
obligations with remaining balances totaling $21.5 million for deobligation. We
tested the 1,923 obligations the Department identified to determine whether the
associated $21.5 million had in fact been deobligated in HUD’s Central
Accounting and Program Accounting Systems. We found that, as of September
30, 2008, a total of 427 obligations with remaining balances totaling $4.2 million
had not been deobligated. The Department has initiated the process of closing
these contracts and the associated funding should be recaptured in fiscal year
2009. We noted during fiscal year 2008, the Department continued its efforts to
improve the timing and monitoring of its deobligation process.
Rent Supplement and Rental
Assistance Payments
HUD is not recapturing excess undisbursed contract authority from the Rent
Supplement and Rental Assistance Payments programs in a timely manner.
Although, HUD continues to make progress in this area, improvement is still
needed to ensure the timely recapture of excess funds.
The Rent Supplement and Rental Assistance Payments programs have been in
existence since the mid 1960’s and 1970’s respectively. The Rent Supplement
program and Rental Assistance Payments operate much like the current project-
based Section 8 rental assistance program. Rental assistance is paid directly to
multi-family housing owners on behalf of eligible tenants
14
HUD’s subsidiary ledgers show, on a fiscal year basis, the amount authorized for
disbursement and the amount that was disbursed under each project account.
Funds remain in these accounts until they are paid out or deobligated by HUD. If
the funds are not paid out or deobligated, the funds remain on the books,
overstating the needed contract authority, the excess of which should be
recaptured. Our prior audit reports showed these funds were not being recaptured
timely.
We have been reporting deficiencies in this area for several years. In response to
our concern, in fiscal year 2006, HUD developed and implemented procedures to
review quarterly and annually the programs and associated contract authority
requirements. Although, progress has been made in this area, improvement is still
needed to ensure the timely recapture of excess funds.
We performed a review in fiscal year 2008 of unliquidated obligations for the
multifamily projects accounts under the Rent Supplement and Rental Assistance
programs. Our review found $20.7 million in undisbursed contract authority from
prior fiscal years on 372 multifamily projects that should be recaptured. HUD
agreed and processed adjustments to deobligate the $20.7 million of excess
undisbursed obligations.
Section 236 Interest Reduction Program
The Section 236 Interest Reduction Program was created in 1968, however, new
program activity ceased in the mid-1970s. The multi-family activities carried out
by this program include making interest reduction payments directly to mortgage
companies on behalf of multi-family project owners. The contracts entered into
were typically up to 40 years and HUD was required to fund these contracts for
their duration. At the time it entered into the contracts, HUD was to record
obligations for the entire amount. The obligations were established based upon
permanent indefinite appropriation authority. This budget authority is included in
the Statement of Budgetary Resources and other consolidated financial statements
as “Other programs”.
Although not a major program, deficiencies in the Section 236 Interest Reduction
Program have been reported by OIG in prior reports on the financial statements.
The Offices of Housing and the Chief Financial Officer have been hampered by
historically poor record keeping in their attempt to accurately account for
unexpended Section 236 budget authority balances and estimated future
payments. These estimated payments are the basis for HUD’s current recorded
obligation balances necessary to fully fund the contracts to their expiration. HUD
adjusts the recorded obligations as it proceeds through the term of the contracts in
order to reflect best estimates of the financial commitment. Factors that can
change the budgetary requirements over time include contract terminations,
refinancing, and restructuring of the contracts.
15
In recent years, OIG noted that HUD made a series of corrective actions to
address these deficiencies. In response to fiscal year 2004’s OIG report and
OMB concerns, the Department initiated a contract-by-contract review in August
2005 to identify underreported, as well as over reported balances, and support the
Section 236 contract and budget authority. In 2006, HUD developed and
implemented procedures for the quarterly reconciling of its obligation accounts.
In FY 2007, HUD completed a reconciliation review with service. However, this
year’s review disclosed that further improvements in HUD’s processes are needed
to ensure Section 236 IRP obligations are valid and can be more accurately
estimated and reported.
In fiscal year 2008, we identified 60 inactive Section 236 Interest Reduction
Program contracts with over $13.9 million in excess contract and budget authority
that could be deobligated. These 60 contracts had been prepaid and terminated
from the program. HUD agreed and processed adjustments to deobligate $13.9
million. In addition, we identified 9 contracts with inaccurate payment schedules
and overestimated funding requirements of over $9.7 million. HUD agreed and
processed adjustments to deobligate the $ 9.7 million.
The deficiencies in the Section 236 program occurred because the quarterly
review procedures currently implemented were insufficient in providing updates
on the project status in a timely manner. HUD needs to improve its quarterly
contract reconciliation procedures to ensure that contract and budget authority for
the Section 236 Interest Reduction Program are valid and estimates are accurately
and timely reported.
For the Department’s administrative and other program funds, HUD needs to promptly
perform contract closeout reviews and recapture the associated excess contract authority
and imputed budget authority. In addition, HUD needs to address data and systems
weaknesses to ensure that all contracts are considered in the recapture/shortfall budget
process including Rent Supplement and Rental Assistance Programs.
With respect to project-based Section 8 contracts, we recommended in our audit of the
Department’s fiscal year 1999 financial statements that systems be enhanced to facilitate
timely closeout and recapture of funds. In addition, we recommended that the closeout
and recapture process occur periodically during the fiscal year, and not just at year-end.
Implementation of the recommendations is critical so that excess budget authority can be
recaptured in a timely manner and considered in formulating requests for new budget
authority.
16
Significant Deficiency: HUD Financial Management Systems Need to Comply
with Federal Financial Management System Requirements
As reported in prior years, HUD is not in full compliance with federal financial management
requirements. Specifically, it has not completed development of an adequate integrated financial
management system. HUD is required to implement a unified set of financial systems. This
includes the financial portions of mixed systems encompassing the software, hardware,
personnel, processes (manual and automated), procedures, controls, and data necessary to carry
out financial management functions, manage financial operations of the agency, and report on
the agency’s financial status to central agencies, Congress, and the public. As currently
configured, HUD financial management systems do not meet the test of being unified. The term
“unified” is defined as meaning that systems are planned for and managed together, operated in
an integrated fashion, and linked electronically to efficiently and effectively provide agency wide
financial system support necessary to carry out the agency’s mission and support the agency’s
financial management needs.
HUD’s financial systems, many of which were developed and implemented before the issue date
of current standards, were not designed to perform or provide the range of financial and
performance data currently required. The result is that HUD, on a department wide basis, does
not have unified and integrated financial management systems that are compliant with current
federal requirements or provide HUD the information needed to effectively manage its
operations on a daily basis. This could negatively impact management’s ability to perform
required financial management functions; efficiently manage the financial operations of the
agency; and report, on a timely basis, the agency’s financial results, performance measures, and
cost information.
FFMIA Requires HUD to
Implement a Compliant Financial
Management System
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires,
among other things, that HUD implement and maintain financial management
systems that substantially comply with federal financial management system
requirements. The financial management system requirements also include
implementing information system security controls. These requirements are
detailed in the Federal Financial Management System Requirements series issued
by the Joint Financial Management Improvement Program/Financial System
Integration Office (JFMIP/FISO). The requirements are also included in Office of
Management and Budget (OMB) Circular A-127, “Financial Management
Systems.” Circular A-127 defines a single integrated financial management
system as a unified set of financial systems and the financial portions of mixed
17
systems (e.g., acquisition) encompassing the software, hardware, personnel,
processes (manual and automated), procedures, controls, and data necessary to
carry out financial management functions, manage the financial operations of the
agency, and report on the agency’s financial status.
As in previous audits of HUD’s financial statements, in fiscal year 2008 there
continued to be instances of noncompliance with federal financial management
system requirements. These instances of noncompliance have given rise to
significant management challenges that have: (1) impaired management’s ability
to prepare financial statements and other financial information without extensive
compensating procedures, (2) resulted in the lack of reliable, comprehensive
managerial cost information on its activities and outputs, and (3) limited the
availability of information to assist management in effectively managing
operations on an ongoing basis.
HUD’s Financial Systems Are
Not Adequate
As reported in prior years, HUD does not have financial management systems that
enable it to generate and report the information needed to both prepare financial
statements and manage operations on an ongoing basis accurately and timely. To
prepare consolidated department wide financial statements, HUD required Federal
Housing Administration (FHA), the Government National Mortgage Association
(Ginnie Mae), and the Office of Federal Housing Enterprise Oversight (OFHEO)
to submit financial statement information on spreadsheet templates, which were
loaded into a software application. In addition, all consolidating notes and
supporting schedules had to be manually posted, verified, reconciled, and traced.
To overcome these systemic deficiencies with respect to preparation of its annual
financial statements, HUD was compelled to rely on extensive compensating
procedures that were costly, labor intensive, and not always efficient.
Due to a lengthy HUD Integrated Financial Management Improvement Project
(HIFMIP) procurement process and lack of funding for other financial application
initiatives, there were no significant changes made in fiscal year 2008 to HUD’s
financial management processes. As a result, the underlying system limitations
identified in past years remain. The functional limitations of the three
applications (HUDCAPS, LOCCS and PAS) performing the core financial system
function for HUD are dependent on its data mart and reporting tool to complete
the accumulation and summarization of data needed for U.S. Department of the
Treasury and OMB reporting.
18
HUD’s Financial Systems do not
Provide Managerial Cost Data
In fiscal year 2006 the Government Accountability Office (GAO) reported in
GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial
systems do not have the functionality to provide managerial cost accounting
across its programs and activities. This lack of functionality has resulted in the
lack of reliable and comprehensive managerial cost information on its activities
and outputs. HUD lacks an effective cost accounting system that is capable of
tracking and reporting costs of HUD’s programs in a timely manner to assist in
managing its daily operations. This condition renders HUD unable to produce
reliable cost-based performance information.
HUD officials have indicated that various cost allocation studies and resource
management analyses are required to determine the cost of various activities
needed for mandatory financial reporting. However, this information is widely
distributed among a variety of information systems, which are not linked and
therefore cannot share data. This makes the accumulation of cost information
time consuming, labor intensive, untimely, and ultimately makes that cost
information not readily available. Budget, cost management, and performance
measurement data are not integrated because HUD:
Did not interface its budget formulation system with its core financial system;
Lacks the data and system feeds to automate a process to accumulate, allocate,
and report costs of activities on a regular basis for financial reporting needs, as
well as internal use in managing programs and activities;
Does not have the capability to derive current full cost for use in the daily
management of Department operations; and
Requires an ongoing extensive quality initiative to ensure the accuracy of the
cost aspects of its performance measures as they are derived from sources
outside the core financial system.
While HUD has modified its resource management application to enhance its cost
and performance reporting for program offices and activities, the application does
not use core financial system processed data as a source. Instead, HUD uses a
variety of applications, studies, and models to estimate the cost of its program
management activities. One of these applications, TEAM/REAP, was designed
for use in budget formulation and execution, strategic planning, organizational
and management analyses, and ongoing management of staff resources. It was
enhanced to include an allocation module that added the capability to tie staff
19
distribution to strategic objectives, the President’s Management Agenda, and
HUD program offices’ management plans. HUD also concluded a pilot program
of this functionality in fiscal year 2007.
Additionally, HUD has developed time codes and an associated activity for nearly
all HUD program offices to allow automated cost allocation to the program office
activity level. HUD has indicated that the labor costs that will be allocated to
these activities will be obtained from the HUD payroll service provider.
However, because the cost information does not pass through the general ledger,
current federal financial management requirements are not met.
Financial Systems do not Provide for
Effective and Efficient Financial
Management
During fiscal year 2008, HUD’s financial information systems did not allow it to
achieve its financial management goals in an effective and efficient manner in
accordance with current federal requirements. To perform core financial system
functions, HUD depends on three major applications, in addition to a data
warehouse and a report-writing tool. Two of the three applications that perform
core financial system functions require significant management oversight and
manual reconciliations to ensure accurate and complete information. HUD’s use
of multiple applications to perform core financial system functions further
complicates financial management and increases the cost and time expended.
Extensive effort is required to manage and coordinate the processing of
transactions to ensure the completeness and reliability of information.
Additionally, the interface between the core financial system and HUD’s
procurement system does not provide the required financial information. The
procurement system interface with HUDCAPS does not contain data elements to
support the payment and closeout processes. Also, the procurement system does
not interface with LOCCS and PAS. Therefore, the processes of fund
certification, obligation, de-obligation, payment, and close out of transactions that
are paid out of the LOCCS system are all completed separately, within either PAS
or LOCCS. This lack of compliance with federal requirements impairs HUD’s
ability to effectively monitor and manage its procurement actions.
HUD Plans to implement a
Department Wide Core Financial
System
HUD plans to implement a commercial federal certified core financial system and
integrate the current core financial system into one Department-wide core
20
financial system. HUD is initiating business process reengineering work to
ensure a smooth transition to a single integrated core financial system. FHA and
Ginnie Mae have already implemented a compatible and compliant system to
support the transition to the enterprise core financial system. HUD plans to select
a qualified shared service provider to host the enterprise system and integrate the
three financial systems (HUD, FHA, and Ginnie Mae) into a single system by
fiscal year 2013. Achieving integrated financial management for HUD will result
in a reduction in the total number of systems maintained, provide online, real-time
information for management decision-making, enable HUD to participate in E-
government initiatives, and align with HUD's information technology
modernization goals.
However, HUD’s Integrated Financial Management Improvement Project
(HIFMIP), launched in fiscal year 2003, has been plagued by delays, and
implementation of the core financial system has not yet begun. Additionally, the
previous HIFMIP project manager vacated the position in February 2008, and a
permanent replacement has not yet been named. HIFMIP was intended to
modernize HUD’s financial management systems in accordance with a vision
consistent with administration priorities, legislation, Office of Management and
Budget directives, modern business practices, customer service, and technology.
HIFMIP will encompass all of HUD’s financial systems, including those
supporting FHA and Ginnie Mae. HUD had intended to begin the
implementation in fiscal year 2006. Due to delays with the procurement process,
however, HUD anticipates that it will not be able to begin the implementation of
its core financial system until fiscal year 2009. The success of the HIFMIP
project continues to be at risk due to dated requirement documents, as well as the
lack of a permanent, full-time project manager. We continue to note the
following weaknesses with HUD’s financial management systems:
HUD’s ability to prepare financial statements and other financial information
requires extensive compensating procedures.
HUD has limited availability of information to assist management in
effectively managing operations on an ongoing basis.
Significant Deficiency: Controls over HUD’s Computing Environment Can Be
Further Strengthened
HUD’s computing environment, data centers, networks, and servers provide critical support to
all facets of the Department’s programs, mortgage insurance, financial management, and
administrative operations. In prior years, we reported on various weaknesses with general
system controls and controls over certain applications, as well as weak security management.
These deficiencies increase risks associated with safeguarding funds, property, and assets from
waste, loss, unauthorized use, or misappropriation.
21
We evaluated selected information systems general controls of the Department’s computer
systems on which HUD’s financial systems reside. Our review found information systems
control weaknesses that could negatively affect HUD’s ability to accomplish its assigned
mission, protect its data and information technology assets, fulfill its legal responsibilities and
maintain its day-to-day functions. Presented below is a summary of the control weaknesses
found during the review.
Entity-wide Security Program
HUD has made strides toward implementing a compliant entity wide security program as
required by the Federal Information Security Management Act of 2002 (FISMA). HUD
developed guidance, conducted meetings, and provided training to program officials to
ensure security policies are properly implemented at the program and system level.
However, additional progress is needed. Specifically, in fiscal year 2008 we found that:
HUD’s program offices and system owners did not always ensure that HUD’s
inventory of automated systems was up-to-date and systems were properly
categorized as required by OMB.
System owners did not ensure that all non-major applications that are hosted outside
of HUD’s infrastructure were secure.
HUD did not fully comply with OMB’s privacy requirements, including the
completion of privacy survey reports and privacy impact assessments for all new
systems that contain personally identifiable information3 before placing them into
development or production.
HUD did not fully implement all technical controls specified by OMB memorandum
M-06-164, which addresses information that is removed from or accessed from
outside the agency.
Security Controls Over HUD’s Databases
3
The term Personally Identifiable Information means any information about an individual maintained by an agency,
including, but not limited to, education, financial transactions, medical history, and criminal or employment history
and information which can be used to distinguish or trace an individual's identity, such as their name, social security
number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal
information which is linked or linkable to an individual. Source: OMB Memorandum M-06-19, “Reporting
Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency
Information Technology Investments,” dated July 12, 2006
4
“Protection of Sensitive Agency Information” issued June 23, 2006
22
A number of weaknesses were identified by the OIG during a review of security controls
over HUD’s databases. We identified security configuration and technical control
deficiencies within HUD’s database security controls in the areas of (1) passwords, (2)
system patches, and (3) system configuration.
If proper access controls are not in place, there is no assurance that the data residing on
HUD financial and financial management systems are adequately protected against
unauthorized disclosure, modification, or destruction. Allowing conditions that
undermine the integrity of security contributes to inefficient security operations and
administration or may lead to interruption of production operations. Additionally,
improper configurations do not allow the Office of the Chief Information Officer (OCIO)
and program offices to ensure that the database environment is managed in a way that is
secure, efficient, and effective.
HUD Procurement System
We audited HUD's Procurement systems in fiscal year 20065. Through actions taken
during fiscal years 2007 and 2008, the Office of the Chief Procurement Officer has made
progress toward resolving the issues identified during the audit. However, two
significant recommendations made in the report remain open and the procurement
systems continue to be in noncompliance with Federal financial management
requirements. The Office of the Chief Procurement Officer (OCPO) has yet to complete
the corrective actions for the known open information security vulnerabilities or to
develop mitigation strategies if new system development is underway. The OCPO plans
to replace the current acquisition systems, but it has not yet been able to secure funding to
complete the planned corrective action. Consequently, OCPO has not yet implemented
functionality to ensure that there is sufficient information within HUD’s procurement
systems to support the primary acquisition functions of fund certification, obligation, de-
obligation, payment, and closeout.
Controls Over FHA Information Technology Resources
On October 31, 2007, we issued an audit report on our assessment of FHA’s management of
its information technology resources6. Some recommendations addressed to the OCIO
remain open and are expected to be implemented and closed by December 2008 as follows:
(1) provide additional guidance and training to application system owners regarding
completion of their application’s business impact analysis; (2) complete the design and
implementation of an information security program to include descriptions of system
owner roles and responsibilities, information on the security controls with FHA for each
5
Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems issued January 25, 2007
6
Audit report No. 2008-DP-0002: Review of FHA Controls Over Its Information Technology Resources
23
general support system on which its applications reside, and information on the use of the
Information System Security Forum as a user representative forum for each general
support system; and (3) develop and provide role-based training to FHA staff with
information security roles and responsibilities
HUD’s Financial Systems
As part of our review of HUD's information systems controls, we evaluated information
security controls over the Northridge Loan System (NLS), Departmental Accounts
Receivable Tracking/Collection System (DARTS), HUDCAPS, LOCCS and the
Financial Data Mart. We identified control weaknesses that could negatively affect the
integrity, confidentiality, and availability of computerized financial data within three of
HUD’s financial systems--HUDCAPS, LOCCS, and the Financial Data Mart.
HUDCAPS
In our fiscal year 2007 audit, we found that the Office of the Chief Financial Officer
(OCFO) granted two contracted developers above read access to the HUDCAPS
production data stored within the mainframe environment without documenting either
their acceptance of the risks associated with or the justification for this access level. The
documentation to support this access was not maintained by the system owner, and
acceptance of the risks associated with this access level was not documented in the
system security plan. Additionally, neither of the two developers received the required
level of background investigation. One developer received only a minimum background
investigation. The other developer was not investigated at all.
During fiscal year 2008, the OCFO, in coordination with the OCIO, has made progress in
addressing this issue. The OCFO has improved their documentation and maintenance of
files containing authorizations and justifications for contracted system developers to have
read or above-read access to production data. They have assessed the risk of providing
above read and read only access to contractors and have specifically acknowledged and
accepted that risk within their system security documentation. However, although the
OCFO has obtained a listing of all users with access to the HUDCAPS production
environment, they have not yet completed an assessment to determine specifically what
HUDCAPS access is granted to each contractor, or prepared a listing of all users with
above read access to application data. They also have yet to initiate a request with the
Office of Security and Emergency Planning staff to determine whether the contractor
employees have had the appropriate background investigations or to follow up with
Office of Security and Emergency Planning staff to ensure background investigations are
initiated for contractor staff if required. In addition, they still need to complete actions to
24
remove above read access privileges for all contracted system developers with
unnecessary access within production databases for HUDCAPS and any other OCFO
systems.
LOCCS
During our fiscal year 2007 audit, we found that the controls over the LOCCS user
recertification process were not effective to verify the access of all users. Systemic
deficiencies led to the omission of more than 10,000 users from the LOCCS
recertification process. An additional 199 users had last recertification dates within the
application prior to March 31, 2006, indicating that they also were not included in the
fiscal year 2007 recertification process. During fiscal year 2008, the OCFO made
improvements to this process by generating a report from the system that allows them to
identify users that only have approving authority within the application for the user
recertification process. However, further improvements are necessary to ensure that all
users of LOCCS are recertified in accordance with HUD policy. Our review of the 2008
data again identified LOCCS users that were not recertified by the system. This shows
that the corrective action taken in response to our 2007 finding did not fully address the
problem.
Financial Data Mart
In fiscal year 2007, the OCFO identified and reported that an unauthorized individual had
access to sensitive data within the Financial Data Mart that was not needed to perform
assigned duties. In June 2007, we determined that an unauthorized individual was
accessing production data from the Financial Data Mart using an application’s login ID
and password. In addition, the password assigned to the application login ID did not
conform to HUD’s password policy. Further, we determined that all users with access to
the HUD Web can access and generate reports containing proprietary financial data
maintained within the Financial Data Mart.
During fiscal year 2008, the OCFO assessed and accepted the risk associated with
providing web users access to some of the data within the Financial Data Mart. In
addition, the OCFO, in coordination with the OCIO, initiated plans to obtain and review
access logs to the Financial Data Mart server, and to modify application passwords to be
in compliance with HUD's password policy. The corrective actions are expected to be
completed during fiscal year 2009.
IBM Mainframe z/OS Operating System
In fiscal year 2007, we followed up on previously reported weaknesses related to the
IBM mainframe z/OS operating system. For instance, we found that HUD had not: (1)
removed the unused data files in the IBM mainframe environment in a timely manner;
and (2) removed the references to a retired application. We also reported that more work
was needed to ensure that the most powerful administrative authority is restricted to only
25
those persons who require it to perform their duties, and that the administrator account is
properly managed.
During our fiscal year 2008 review, we determined that HUD has taken steps to ensure
that the super-user authority is properly restricted, and the administrator account is
properly managed. HUD also removed unused data files from the IBM environment, as
well as references to a retired application. Additionally, HUD has established a standard
procedure to monitor and oversee the removal of personal data files belonging to users
who have left the Department.
Software Configuration Management
We previously reported that weaknesses remain in the areas of support for the
Department-wide configuration management7 function and the HUD Procurement
System configuration management plan. We also reported that configuration
management plans for several FHA applications lacked information or contained
outdated information. There were also weaknesses specific to each configuration
management plan we reviewed.
HUD has made progress in implementing controls to resolve the reported weaknesses.
However, HUD has not yet fully resolved the issue of obsolete and incomplete
information in the configuration management plans for the HUD Procurement System
and selected FHA applications.
For fiscal year 2008, we reviewed the configuration management plan for the Institution
Master File (IMF) and found that this plan also lacked information or contained outdated
information. Details of this finding will be included in our report for our fiscal year 2008
review of information systems controls in support of the financial statements audit to be
issued during 2009.
Contingency Planning and Preparedness
Although, HUD continues to make progress in the implementation of controls for
contingency planning and preparedness, improvement is still needed. In fiscal year 2007,
our review of the disaster recovery plan for the contractor-operated data center facility
indicated that the listing of mission critical applications had not yet been updated. We
were advised that a contract modification was required to update the listing, and HUD
planned to accomplish this by December 31, 2007. During our fiscal year 2008 audit, we
determined that the listing of mission critical applications still has not been updated. We
also found that the appendix containing information on the disaster recovery team
personnel was not current.
7
Configuration management is the control and documentation of changes made to a system’s hardware, software
and documentation throughout the development and operational life of the system.
26
In addition, we determined that contingency planning at third party business sites is
inadequate. We surveyed 29 third party business partners to determine if they had
business continuity plans, continuity of operations plans or disaster recovery plans in
place that would provide the means to continue business, relocate to alternative work
areas and access HUD systems. We found that sixty-nine percent did not have any type
of contingency, continuity or disaster recovery plan. While thirty-one percent of the third
party business partners did have some type of plan, those plans contained only limited
provisions on backup of critical information and alternative work areas. Staffs were
unfamiliar or had limited knowledge of contingency planning requirements, and
documentation was not readily available for use in case of emergency.
HUD had not specified contingency planning, continuity of operations or disaster
recovery requirements in its agreements with third party business partners. Such
information is usually included in the terms and conditions of a contract or service-level
agreement with the external business partner. Consequently, third party business partners
have developed limited contingency planning policies that do not meet HUD or National
Institute of Standards and Technology (NIST) requirements.
Physical Security
Our on-site reviews during fiscal years 2006 and 2007 found that physical security
controls for HUD facilities were generally in place at the network operations center and
the data center, both maintained by HUD’s two information technology infrastructure
contractors.
This year, we evaluated how HUD’s third party business partners8 compensate for the
lack of physical security controls when information is removed from, maintained or
accessed from outside the agency location. We also determined what security guidance is
provided by HUD. We found that physical security at the third party business sites we
visited is inadequate and weaknesses exist at those sites. We found instances where
servers were located in common areas (i.e. lunch rooms, halls), case binders with
personally identifiable information were left unattended, no guard or receptionist was at
the entrance, access doors were unlocked, and encryption of data residing on laptops or
portable devices was not a requirement.
We determined that HUD had not specified the level of security controls and included it
in the terms and conditions of the contract or service-level agreement with the external
business partner. As a result, third party business partners have developed various
information technology security controls and policies that do not meet HUD or federal
8
Third party business partners are external business partners who contract to do business with HUD such as
Housing Authorities and mortgage lenders who use PIH Inventory Management System (PIH-IMS), Tenant Rental
Assistance Certification System (TRACS) and Computerized Homes Underwriting Management System (CHUMS).
27
requirements, and therefore cannot be relied upon to provide adequate protection over
HUD’s sensitive data.
Significant Deficiency: Weak Personnel Security Practices Continue to Pose
Risks of Unauthorized Access to the Department’s Critical Financial Systems
For several years, we have reported that HUD’s personnel security practices over access to its
systems and applications were inadequate. Deficiencies in HUD’s information technology
personnel security program were found and recommendations were made to correct the
problems. However, the risk of unauthorized access to HUD’s financial systems remains a
critical issue. We followed up on previously reported information technology personnel security
weaknesses and deficiencies and found that deficiencies still exist. Specifically:
Since 2004, we have reported that HUD does not have a complete list of all users
with above-read access at the application level. Those users with above read
access to sensitive application systems are required to have a background
investigation. Our review this year found that HUD still does not have a central
repository that lists all users with access to HUD’s general support and
application systems. Consequently, HUD has no central listing for reconciling
that all users who have access to HUD critical and sensitive systems have had the
appropriate background investigation.
While HUD’s implementation in 2007 of the Centralized HUD Account
Management Process (CHAMP) was a step towards improving its user account
management practices, CHAMP remains incomplete and does not fully address
OIG’s concerns. Specially, we found:
a. CHAMP does not contain complete and accurate data. The OCIO did not
electronically migrate data from the HUD Online User Registration System
(HOURS) into CHAMP. Instead, they chose to enter the legacy data
manually. However, this process has not yet been completed. As of April
22, 2008, OCIO has entered user data for 37 out of 248 applications (15%)
into CHAMP.
b. HUD can neither compile a complete listing of all authorized users and their
access privileges nor identify all the applications to which users have access
because CHAMP does not have reporting capabilities.
c. CHAMP does not contain a mechanism to escalate or reassign tasks that have
not been completed within a specified timeframe.
d. CHAMP can only handle access requests for internal users such as HUD
employees and contractors, but not for external users such as Housing
28
Authorities and trusted business partners.
During our fiscal year 2007 audit, we reported that contractors were
inappropriately granted access to sensitive systems. Consequently, we
recommended that the OCIO remove greater-than-read access to sensitive systems
for users who have not submitted appropriate background investigation
documents or who are no longer authorized to access information resources.
Corrective action to resolve this weakness has not yet been completed.
We previously identified a retired HUD employee whose user ID remained active
on HUD systems for 13 months following her retirement. In addition, there was
evidence to suggest that the network password assigned to that user had been
modified approximately six weeks after the employee’s retirement. We found
that although HUD had processes and procedures for removing the computer
system access of retiring employees, Human Resources, program area
applications owners, the Office of Security and Emergency Planning, and the
Office of the Chief Information Officer need to coordinate to improve these
processes.
HUD did not conduct a security categorization and a risk assessment for CHAMP
as required by Federal Information Processing Standards (FIPS) Publications
(PUB) 199 and 200. HUD’s OCIO incorrectly chose not to conduct a security
categorization and risk assessment for CHAMP because they believed that these
items are not required for CHAMP, which is listed as a process rather than a
system. HUD also believes that since CHAMP is exclusively owned by its
information technology contractor, it is not subject to the requirements of a
security categorization and a risk assessment. Without a security categorization
and risk assessment on CHAMP, HUD cannot know the full extent of risks that
the CHAMP process is vulnerable to or whether adequate levels of security
controls have been put in place to protect data and applications impacted by
CHAMP.
29
Compliance with Laws and Regulations
HUD Did not Substantially Comply with the Federal Financial Management
Improvement Act
FFMIA requires auditors to report whether the agency’s financial management systems
substantially comply with the Federal financial management systems requirements, applicable
accounting standards, and support the U.S. Standard General Ledger (SGL) at the transaction
level. We found that HUD was not in substantial compliance with FFMIA because HUD’s
financial management system did not substantially comply with Federal Financial Management
System Requirements.
During fiscal year 2008, the Department made limited progress as it attempted to address its
financial management deficiencies to bring the agency’s financial management systems into
compliance with Federal Financial Management Improvement Act (FFMIA). However, the
deficiencies remain as the Department financial management systems continue to not meet
current requirements and are not operated in an integrated fashion, and linked electronically to
efficiently and effectively provide agency wide financial system support necessary to carry out
the agency’s mission and support the agency’s financial management needs.
HUD's policy is to complete OMB A-127 reviews of all HUD financial systems within a three
year cycle. HUD did not complete any of the planned 2007 and 2008 independent reviews of its
current financial management systems to verify compliance with financial system requirements,
identify system and procedural weaknesses, and develop the corrective actions to address
identified weaknesses. Additionally, HUD only completed four independent reviews that were
planned in 2006.
Federal Financial Management System
Requirements
In its Fiscal Year 2008 Performance and Accountability Report, HUD reports that
2 of its 42 financial management systems do not comply with the requirements of
the FFMIA and OMB Circular A-127, Financial Management Systems. Even
though 40 individual systems have been certified as compliant with federal
financial management systems requirements, HUD has not adequately performed
independent reviews of these systems as required by OMB Circular A-127.
Collectively and in the aggregate, deficiencies still exist.
We continue to report as a significant deficiency that HUD Financial
Management Systems Need to Comply with Federal Financial Management
Systems Requirements. The significant deficiency addresses how HUD’s
financial management systems remain substantially noncompliant with federal
financial management requirements.
30
FHA’s auditor reports as a significant deficiency that FHA needs to continue to
enhance and modernize its financial information systems. The significant
deficiency addresses the challenges in FHA’s capacity to simultaneously address
various system modernization initiatives and control deficiencies affecting the
reliability and completeness of FHA’s financial information.
Ginnie Mae’s auditor reports a non compliance with Federal Information Security
Management Act (FISMA). The Act requires Ginnie Mae to implement an
agency-wide information security program to provide information security for the
information systems that support the operations and assets of the agency including
those provided or managed by a contractor. The auditor’s review found Ginnie
Mae lacks assurance that critical information technology general control elements
for the Integrated Portfolio Management System (IPMS), which is managed and
controlled by a Ginnie Mae contractor, are working effectively to reduce agency
information system risks.
We also continue to report as significant deficiencies that (1) Controls over
HUD’s Computing Environment Can Be Further Strengthened and (2) Weak
Personnel Security Practices Continue to Pose Risks of Unauthorized Access to
the Department’s Critical Financial Systems. These significant deficiencies
discuss how weaknesses with general controls and certain application controls,
and weak security management increase risks associated with safeguarding funds,
property, and assets from waste, loss, unauthorized use or misappropriation.
In addition, OIG audit reports have disclosed that security over financial
information was not provided in accordance with OMB Circular A-130
Management of Federal Information Resources, Appendix III and the FISMA.
We have included the specific nature of noncompliance issues, responsible program offices and
recommended remedial actions in Appendix C of this report.
HUD Did Not Substantially Comply with the Anti-Deficiency Act
HUD’s Office of the Chief Financial Officer (OCFO) is not conducting, completing,
reporting and closing the investigation of potential Anti-Deficiency Act violations in a
timely manner and has not created timeframes for the conduct and completion of the
investigations of potential Anti-Deficiency Act violations, as required by the FY 2003
Appropriation Act, Public Law 108-7, Title II – Department of Housing and Urban
Development. Additionally, the OCFO has not reported known violations immediately to
the President through OMB, Congress, nor GAO, as required by the Anti-Deficiency Act.
The OCFO is responsible for investigating and reporting on violations of the Anti-
Deficiency Act. As of the conclusion of this audit, the OCFO had investigated a total of
26 potential Anti-Deficiency Act violations. The Chief Financial Officer (CFO) made
determinations that three cases that occurred in 2003 are Anti-Deficiency Act violations
31
that warrant reporting to the President, Congress, and GAO. In regards to determinations
for the remaining cases, another three were considered to be Anti-Deficiency Act
violations but were still under review by the OCFO, 15 were determined not to be a
violation, and five cases were under preliminary review.
Our review determined that although it has been five years since discovery of some of the
Anti-Deficiency Act violations, the OCFO has not issued a report on any of the three
cases determined to be reportable Anti-Deficiency Act violations. We reviewed the three
case files and found that the OCFO completed draft transmittal letters and reports in
2004, but the letters and reports were not issued. CFO is not in compliance with OMB
A-11 Section 435 and 31 U.S.C. 1351 and 1517(b). Specifically, the United States Code
states that once it is determined that there has been a violation; it shall be reported
immediately to the President, Congress, and GAO. The OCFO stated that the reports
have not been submitted to the appropriate parties because OMB and HUD cannot agree
on whether or not names should be included in the reports. We feel these reports should
not be held up for that reason, since OMB A-11 Section 145 specifically states that the
letter will set forth the name and position of the officer(s) or employee(s) responsible for
the violation.
Additionally, there are another three investigations that have been determined to be Anti-
Deficiency Act violations. The draft reports have been prepared and are under review by
the OCFO. Two of these three Anti-Deficiency act violation cases have been under
investigation for four years and the other one has been under investigation for a year.
In our fiscal year 2008 review, we noted that HUD management did complete its review
of all outstanding cases. However, HUD management has indicated that they took
corrective actions to address any necessary immediate funding actions, and to correct
funds control deficiencies and unacceptable long-standing past practices to minimize the
risk of future violations. Additionally, HUD management plans to establish and finalize
timeframes in an internal OCFO policy memorandum for the conduct and completion of
investigations of potential ADA violations during the first quarter of FY 2009 to ensure
investigations are conducted, completed, reported, and closed in a timely manner.
32
APPENDIXES
Appendix A
Objectives, Scope, and Methodology
Management is responsible for
* Preparing the principal financial statements in conformity with generally accepted
accounting principles;
* Establishing, maintaining and evaluating internal controls and systems to provide
reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity
Act are met; and
* Complying with applicable laws and regulations and government wide policies
In auditing HUD’s principal financial statements, we were required by Government Auditing
Standards to obtain reasonable assurance about whether HUD’s principal financial statements
are free of material misstatements and presented fairly in accordance with generally accepted
federal accounting principles. We believe that our audit provides a reasonable basis for our
opinion.
In planning our audit of HUD’s principal financial statements, we considered internal controls
over financial reporting by obtaining an understanding of the design of HUD’s internal controls,
determined whether these internal controls had been placed in operation, assessed control risk,
and performed tests of controls to determine our auditing procedures for the purpose of
expressing our opinion on the principal financial statements and not to provide assurance on the
internal control over financial reporting. Consequently, we do not provide an opinion on internal
controls. We also tested compliance with selected provisions of applicable laws and regulations
and government wide policies that may materially affect the consolidated principal financial
statements. Providing an opinion on compliance with selected provisions of laws and regulations
was not an objective and, accordingly, we do not express such an opinion.
We considered HUD’s internal control over Required Supplementary Stewardship Information
reported in HUD’s Fiscal Year 2008 Performance and Accountability Report by obtaining an
understanding of the design of HUD’s internal controls, determined whether these internal
controls had been placed in operation, assessed control risk, and performed limited testing
procedures as required by AU Section 558 , Required Supplementary Information. The tests
performed were not to provide assurance on these internal controls, and accordingly, we do not
provide assurance on such controls.
With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2008 Performance and
Accountability Report, we obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions as described in Section 230.5 of
OMB Circular A-11 Preparation, Submission and Execution of the budget. We performed
33
limited testing procedures as required by AU Section 558 Required Supplementary Information
and OMB Bulletin 07-04 Audit Requirements for Federal Financial Statements, as amended.
Our procedures were not designed to provide assurance on internal control over reported
performance measures and, accordingly, we do not provide an opinion on such controls.
To fulfill these responsibilities, we
* Examined, on a test basis, evidence supporting the amounts and disclosures in the
consolidated principal financial statements;
* Assessed the accounting principles used and the significant estimates made by
management;
* Evaluated the overall presentation of the consolidated principal financial statements;
* Obtained an understanding of internal controls over financial reporting, executing
transactions in accordance with budget authority, compliance with laws and regulations,
and safeguarding assets;
* Tested and evaluated the design and operating effectiveness of relevant internal controls
over significant cycles, classes of transactions, and account balances;
* Tested HUD’s compliance with certain provisions of laws and regulations, government-
wide policies, noncompliance with which could have a direct and material effect on the
determination of financial statement amounts and certain other laws and regulations
specified in OMB Bulletin 07-04 as amended, including the requirements referred to in
the Federal Managers’ Financial Integrity Act;
* Considered compliance with the process required by the Federal Managers’ Financial
Integrity Act for evaluating and reporting on internal control and accounting systems; and
* Performed other procedures we considered necessary in the circumstances.
We did not evaluate the internal controls relevant to operating objectives as broadly defined by
the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those
controls that are material in relation to HUD’s financial statements. Because of inherent
limitations in any internal control structure, misstatements may nevertheless occur and not be
detected. We also caution that projection of any evaluation of the structure to future periods is
subject to the risk that procedures may become inadequate because of changes in conditions or
that the effectiveness of the design and operation of policies and procedures may deteriorate.
Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the
American Institute of Certified Public Accountants, a significant deficiency is a deficiency in
internal control, or a combination of deficiencies, that adversely affects HUD’s ability to initiate,
authorize, record, process, or report financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood that a misstatement of the
entity’s financial statements that is more than inconsequential will not be prevented or detected.
A material weakness is a significant deficiency, or combination of significant deficiencies, that
result in a more than remote likelihood that a material misstatement of the financial statements
will not be prevented or detected.
34
Our work was performed in accordance with generally accepted Government Auditing Standards
and OMB Bulletin 07-04, as amended.
This report is intended solely for the use of HUD management, OMB and the Congress.
However, this report is a matter of public record and its distribution is not limited.
35
Appendix B
Recommendations
To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System, this appendix lists the newly developed recommendations resulting from our report on
HUD’S fiscal year 2008 financial statements. Also listed are recommendations from prior years’
reports that have not been fully implemented. This appendix does not include recommendations
pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial
statement audit reports of that entity.
Recommendations from the Current Report
With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing choice Voucher funds, we recommend that the Office of
Public and Indian Housing in coordination with the Office of General Counsel:
1.a. Seek legislative authority to implement $1.4 billion in offsets against PHA’s excess
unusable funding held in the Net Restricted Assets Account.
1.b. Seek legislative authority to eliminate or modify the leasing restrictions placed on the
Housing Choice Voucher program.
With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing choice Voucher funds, we recommend that the Office of
Public and Indian Housing:
1.c. Increase the monitoring efforts over the Net Restricted Asset Account held by PHAs.
1.d. Improve its efforts to increase the fund utilization rates for the Housing Choice Voucher
Program.
With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:
2.a. Deobligate $122.9 million of excess unexpended funds identified as a result of the fiscal
year 2008 financial statement audit.
2.b. Improve and document the quarterly contract reconciliation procedures to ensure that
Section 236 obligations reported are valid and can be accurately estimated and reported.
36
2.c. Implement regularly scheduled review and reconciliation procedures to ensure excess
undisbursed contract authority from Rental Assistance Payments and Rent Supplement
projects are timely recaptured.
With respect to HUD’s substantial noncompliance with the Federal Financial Management
Improvement Act, we recommend that the Chief Financial Officer:
3.a. Develop a plan to comply with OMB A-127 review requirements which results in the
evaluation of all HUD financial management systems within a 3 year cycle.
With respect to HUD’s substantial noncompliance with the Anti-deficiency Act, we recommend
that the Chief Financial Officer in coordination with the appropriate program offices:
4.a. Establish timeframes for the conduct and completion of investigations of potential Anti-
deficiency Act violations as required by the FY 2003 Appropriations Act to ensure
investigations are conducted, completed, reported, and closed in a timely manner.
4.b. Report the three known Anti-Deficiency Act violations immediately to the President,
Congress, and General Accountability Office (GAO), as required by the Anti-deficiency
Act.
Unimplemented Recommendations from Prior Years’ Reports
Not included in the recommendations listed above are recommendations from prior years’
reports on the Department’s financial statements that have not been fully implemented based on
the status reported in the Audit Resolution and Corrective Action Tracking System. The
Department should continue to track these under the prior years’ report numbers in accordance
with departmental procedures. Each of these open recommendations and its status is shown
below. Where appropriate, we have updated the prior recommendations to reflect changes in
emphasis resulting from recent work or management decisions.
OIG Report Number 2008-FO-0003 (Fiscal Year 2007 Financial Statements)
With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:
1.a. Deobligate $342.3 million of excess unexpended funds identified as a result of the
fiscal year 2007 financial statement audit. (Final Action Target Date is 10/31/08;
Reported in ARCATS as Recommendation 4A)
1.b. Improve the quarterly contract reconciliation procedure currently being
implemented by performing periodic reviews of subsidiary ledgers to ensure that
Section 236 obligations reported are valid and can be more accurately estimated
37
and reported. (Final Action Target Date is 10/31/08; Reported in ARCATS as
Recommendation 4B)
1.c. Implement a periodic review of terminated Rent Supplement and Rental
Assistance Payments projects to ensure changes in contract status are timely
identified and excess undisbursed contract authority is recaptured in a timely
manner. (Final Action Target Date is 10/15/08; Reported in ARCATS as
Recommendation 4C)
With respect to the significant deficiency that HUD needs to improve its budgeting and funds
control over section 8 project-based contracts, we recommend that the Assistant Secretary for
Housing in coordination with the Chief Financial Officer and the Chief Information Officer:
2.a Develop a long-term financial management system solution to streamline and
automate the overall Section 8 project-based budgeting, payment, and contract
management process. (Final Action Target Date is 12/31/08; Reported in
ARCATS as Recommendation 3A)
2.b Consider revising current Section 8 Project-base recapture methodology to
include recapturing funds from expired Section 8 contracts occurring in the
current fiscal year. We found that HUD could have recaptured up to $580 million
from these expired contracts, in lieu of recapturing funds from active long-term
contracts. (Final Action Target Date is 10/31/08; Reported in ARCATS as
Recommendation 3B)
38
Appendix C
Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions
This Appendix provides details required under Federal Financial Management Improvement Act
(FFMIA) reporting requirements. To meet those requirements, we performed tests of
compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial
Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially
comply with the foregoing requirements. The details for our basis of reporting substantial
noncompliance, responsible parties, primary causes and the Department’s intended remedial
actions are included in the following sections.
Federal Financial Management Systems Requirements
1. HUD’s annual assurance statement issued pursuant to Section 4 of the Financial Manager’s
Integrity Act, will report two non-conforming systems9.
The organizations responsible for systems that were found not to comply with the
requirements of OMB Circular A-127 based on the Department’s assessments are as
follows:
Responsible Office Number of Systems Non-conforming Systems
Office of Housing 19 0
Office of Chief Financial Officer 14 0
Office of Administration 2 0
Office of Chief Procurement Officer 2 2
Office of Community Planning and Development 2 0
Office of Public and Indian Housing 2 0
Government National Mortgage Association 1 0
Totals 42 2
9
The two-nonconforming systems are: A35-HUD Procurement System and P035-Small Purchase System.
39
The following section outlines the Department’s plan to correct noncompliance with OMB
Circular A-127 as submitted to us as of September 30, 2008 and unedited by us.
Office of the Chief Procurement Officer
A35 HUD Procurement Systems (HPS)
P035 Small Purchase System (SPS)
Noncompliance Issue(s) Tasks/Steps Target Dates Completion
(including Milestones) Dates
INTERNAL CONTROLS
INTERMEDIATE RESOLUTION PLAN
1A Review transactions of the four contracting officers
1. HUD’s Procurement who input records in excess of their contract authority
COMPLETED COMPLETED
Systems Do Not Have and take actions as appropriate.
Adequate Controls for OCPO researched the transactions in question to
Monitoring the determine if the obligations were appropriate or 12/23/2006 12/14/2006
Procurement Process not.
OCPO determined that the transactions were
properly executed by contracting officers acting 3/31/2007 12/14/2006
within their authority. No further action is
necessary.
1B Implement system controls to ensure that contracting
officers are not able to exceed their procurement
authority. COMPLETED COMPLETED
The OCPO will implement procurement authority
control procedures.
The OCPO will include validation of contracting 3/31/2007 4/25/07
officer authority as part of each Procurement
Management Review.
Commencing 1/08/2007
1C Implement controls to ensure that contracting officers 1/8/2007 On-Going
are required to either input or approve all transactions
that record funds through the HUDCAPS interfaces.
The OCPO will implement procedural controls to COMPLETED COMPLETED
require contracting officers to validate
transactions in HPS.
1D Modify the systems to make the contracting officer field 4/30/2007 4/25/2007
mandatory.
The OPOC will implement procedures for
electronic records, which are recorded in HPS, are
COMPLETED COMPLETED
reviewed to ensure that a Contracting Officer is
identified for each record.
The OCPO will implement validation of the Revised to 6/20/2008
contracting officer identification as part of each 11/30/2008
Procurement Management Review. – See 1B Commencing
bullet 2 above. Validation of contracting 1/8/2007 1/08/2007
authority is the same as implementation of task. On-Going
NOTE: OCPO is in the process of conducting a cost
benefit analysis, whose outcome will determine the best
40
Noncompliance Issue(s) Tasks/Steps Target Dates Completion
(including Milestones) Dates
course of action in implementing system changes or
replacing systems.
2. HUD Procurement 2A Ensure that system administration and security COMPLETED COMPLETED
Systems’ Separation of administration functions are separate.
Duties Controls Were The OPCO will formally appoint separate
Bypassed individuals to act as security administrator and 4/16/2007 05/01/2007
system administrator for each OCPO system and
that the individuals will not be performing
conflicting duties.
2B Ensure that staff is not assigned conflicting duties,
COMPLETED COMPLETED
that separate functions are performed by separate
individuals, and that the concept of least privilege is
applied.
OCPO will determine if multiple system profiles
are actually a valid requirement on an individual
basis in HPS. The goal is to eliminate
unnecessary and redundant profiles in HPS and
that the individuals will not be performing
conflicting duties.
o The OCPO will identify users with
2/15/2007 12/21/2006
multiple HPS profiles
o The OCPO will deactivate
07/31/2007 07/19/2007
unnecessary/redundant profiles
NOTE: While we can separate the duties procedurally, the
separation cannot be enforced in HPS or SPS without
reprogramming.
2C Implement formal policies and procedures to COMPLETED COMPLETED
recertify the access granted to users at least an [sic]
annually.
The OCPO will develop and implement formal
procedures for granting access by using the
concept of least privilege to OCPO systems, as
well as annual user access reviews by:
o Revise system access request forms 1/31/2007 12/31/2006
o Revise process in which user requests 2/28/2007 1/31/2007
system access
o Revise procedure in which system 3/31/2007 1/31/2007
access is granted
o Develop formal procedure to enforce 06/30/2007 07/18/2007
annual user access review
2D Create and implement routing functionality within COMPLETED COMPLETED
the Small Purchase System to allow users to be 8/27/2008
granted access to more than one office or region.
OCPO recommends implementing the
following tasks to alleviate the routing issue.
OCPO will determine if multiple SPS system
profiles are actually a valid requirement on
an individual basis. The goal is to eliminate
all unnecessary and redundant profiles in
SPS.
41
Noncompliance Issue(s) Tasks/Steps Target Dates Completion
(including Milestones) Dates
o The OCPO will identify users with
multiple SPS profiles 2/15/2007 12/21/2006
o The OCPO will restructure the issuing
office hierarchy to alleviate the necessity 11/30/2007 12/14/2007
of multiple profiles for a given user.
NOTE: OCPO is in the process of conducting a cost
benefit analysis, whose outcome will determine the best
course of action in implementing system changes or
replacing systems.
3. HUD’s Procurement 3A Perform a cost benefit analysis to determine whether it COMPLETED COMPLETED
Systems Do Not Contain is more advantageous to modify or replace the
Sufficient Financial Data to procurement systems to ensure compliance with Joint
Allow It to Effectively Federal Management Improvement Program
Manage and Monitor Requirements.
Procurement Transactions The OCPO will perform a cost benefit analysis to
replace the OCPO systems. 05/31/2008 2/12/2008
3B Implement functionality to ensure that there is
sufficient information within HUD’s procurement
systems to support the primary acquisition functions of
fund certification, obligation, deobligation, payment,
and closeout.
Based on the availability of funds, OCPO will
replace its systems with COTS software to
ensure found issues with internal and security
controls are addressed.
MILESTONES – NOT LATER THAN
Develop Independent Government
Estimate
5/4/2007 05/03/2007
Conduct Market Research
Source Selection 04/6/2007 04/06/2007
Roll-out pilot of production system TBD No funding
TBD – provided for
NOTE: OCPO is in the process of conducting a cost Waiting for FY2008,
benefit analysis, whose outcome will determine the best funding to FY2009 &
course of action in implementing system changes or become FY2010
replacing systems. available funding are
also at risk.
SECURITY CONTROLS
4. The Office of the Chief 4A Obtain the training and/or resources necessary to
Procurement Officer Did develop or perform compliant (1) information system
Not Design or Implement categorization analyses; (2) risk assessments; (3)
Required Information security plans; (4) contingency plans and tests; (5)
Security Controls monitoring processes, which include applicable Federal
Information Processing Standards Publication 200
managerial, operational, and technical information
security controls; and (6) evaluations of the managerial,
operational, and technical security controls.
OCPO will ensure that training or other resources
are obtained to develop or perform required
managerial, operational, and technical security
controls.
42
Noncompliance Issue(s) Tasks/Steps Target Dates Completion
(including Milestones) Dates
Update Risk Assessments
Update Security Plans
12/31/2008 08/31/2007
Update Contingency Plans and tests;
12/31/2008 08/31/2007
12/31/2008 Test Performed
Monitoring processes, which include 12/13/2007
applicable Federal Information Processing Last C&A
Standards (FIPS) Publication 200 conducted FY2008
managerial, operational, and technical 06/30/2005. C&A was
information security controls; and Next C&A completed
scheduled for on
4th Qrt 2008 8/29/2008.
Evaluations of the managerial, operational, and Awaiting
technical security controls. Last C&A signed copy
conducted from OCIO
06/30/2005. for our
Next C&A records.
scheduled for
4th Qrt 2008
4B Complete the corrective actions for the known open
information security vulnerabilities or develop
mitigation strategies if new system development is
underway.
OCPO will ensure it develops mitigation
strategies for the known open information
security vulnerabilities.
Review vulnerabilities
Develop mitigation strategy
11/30/2008
4C Designate a manager to assume responsibility for 11/30/2008
ensuring the Office of the Chief Procurement Officer’s
compliance with federal certification and accreditation COMPLETED
COMPLETED
process requirements and to provide “continuous
monitoring” of the office’s information systems
security.
OCPO will designate a manager responsible for
ensuring compliance with information systems
security and federal certification and
accreditation process. 1/15/2007 03/13/2007
OCPO will work with OCIO to define roles and
responsibilities and to ensure that appropriate
resources are provided to perform required 2/1/2007
2/1/2007
monitoring and certification and accreditation.
43
Noncompliance Issue(s) Tasks/Steps Target Dates Completion
(including Milestones) Dates
4D Reevaluate the HUD Procurement System and Small COMPLETED COMPLETED
Purchase System application systems’ security
categorization in light of OMB guidance on personally
identifiable information.
OCPO will reevaluate the HUD Procurement
System and Small Purchase System application 8/31/2007 8/31/2007
systems’ security categorization in light of OMB
guidance on personal identifiable information.
4E Perform a Business Impact Analysis (BCA for the
procurement systems. Based on the results of the
COMPLETED
impact analysis, determine what actions HUD can take
9/25/2008
to limit the amount of time needed to recover from the
various levels of contingencies that can occur and
include the determined actions in the contingency plans
for the systems.
OCPO will develop a business impact analysis
for the procurement systems and revise the
contingency plan based on the BIA.
Develop business impact analyses
Incorporate BIA into contingency plans
4/30/2007
9/30/2007
Note: OCPO is in process of conduction a cost benefit
analysis, whose outcome will determine the best course of
action in implementing system changes or replacing the
systems.
44
2. Our audit disclosed significant deficiencies regarding the security over financial
information. Similar conditions have also been noted in other OIG audit reports. We are
including security issues as a basis for noncompliance with FFMIA because of the
collective effect of the issue and noncompliance with Circular A-130, Appendix 3 and the
Federal Information Security Management Act (FISMA). The responsible office, nature of
the problem, and primary causes are summarized below:
Responsible Office Nature of the Problem
Office of Housing and Reduction in FHA’s capacity to simultaneously address various system
CIO modernization initiatives and control deficiencies affected the reliability and
completeness of FHA’s financial information.
FHA currently maintains four Multifamily and 11 Single Family systems that
are administered separately from the core financial management system
(FHA Subsidiary Ledger or FHASL).
FHA’s two primary Multifamily insurance systems were scheduled to be
operational on October 1, 2008, but they were still going through user
acceptance testing. The implementation date was revised to November 11,
2008.
The general control weaknesses were noted in certain FHA’s Single
Family systems as follows:
Only 3 of 24 HUD employees or contractors with access to the
Single Family Claims system had complete and proper
background investigations.
Two users of the Single Family Claims system had unauthorized
access rights to read, write, and update records.
Five contract developers had update access to Single Family
Claims production data files.
FHA neither had adequate controls over, nor reviews of, audit logs
for the Single Family Claims system.
FHA did not develop or implement adequate security controls over
information transmitted between FHA and its numerous lenders
and other business partners.
FHA failed to adequately assess its compliance with mandatory
system security controls.
FHA did not properly ensure annual security reviews were
completed by HUD employees.
FHA has conducted an accounting risk assessment to identify short and
long term deficiencies in a manual business process for handling
applications for claim benefits for FHA’s Home Equity Conversion
Mortgage (HECM) program, but will continue to rely on significant
review and reconciliation procedures as compensating controls until a
replacement system solution can be procured and implemented. An
independent examination, conducted in accordance with AICPA Statement
on Auditing Standards (SAS) No. 70, Audits of Service Organizations,
45
Responsible Office Nature of the Problem
Type I, Control Design, of the HECM notes servicing system identified
over thirty specific system control deficiencies, including:
Lack of formal approval for critical system security documents
Weaknesses with system access policies and physical access
control monitoring
Inadequate system baseline documentation
Lack of formal authorization procedures for system software
changes
Segregation of duties weaknesses
Deficiencies in the Continuity of Operations Plan
Due to deficiencies in the Generic Debt subsystem interface, FHA is unable
to maintain reliable cohort level data for the financing accounts within its
(FHASL) general ledger system as required by the Credit Reform Act of
1990.
These conditions occurred because in addition to the efforts to address system deficiencies, the
FHA’s Systems Division is currently responsible for a number of other major IT related projects,
including:
Implementing systems to handle the newly legislated Hope for Homeowners program for
risk-sharing of single family loans insured that became effective October 1, 2008.
Procurement and implementation of a new integrated insured reverse mortgage loan and
notes servicing system.
Implementing the new Real Estate Owned property management system at the various Single
Family Marketing and Management (M&M) contractor sites. This system will be interfaced
with the SAMS legacy application system.
Managing such critical system initiatives simultaneously and without additional funding or staff
resources may increase the risk of system or processing errors in the agency’s financial data, or
increase the risk of unauthorized access into critical or sensitive agency systems. Such errors or
unauthorized access could lead to misstatements in financial reporting or misappropriation of FHA
assets.
46
Responsible Office Nature of the Problem
Office of Chief Weaknesses exist in HUD’s entity-wide security program. Specifically:
Information Officer
In fiscal year 2008, HUD’s program offices and system owners did not
always ensure that HUD’s inventory of automated systems was up-to-date
and systems were properly categorized as required by OMB.
System owners did not ensure that all non-major applications that are
hosted outside of HUD’s infrastructure were secure.
HUD did not fully comply with OMB’s privacy requirements, including
the completion of privacy survey reports and privacy impact assessments
for all new systems that contain personally identifiable information before
placing them into development or production.
HUD did not fully implement all technical controls specified by OMB
memorandum M-06-16, which addresses information that is removed from
or accessed from outside the agency.
These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.
Office of Chief The security configuration and technical control deficiencies within HUD’s
Information Officer database security controls were found in the areas of (1) passwords, (2)
system patches, and (3) system configuration.
These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.
Office of Chief Control weaknesses still exist for HUD Procurement System (HPS) and
Procurement Officer HUD Small Purchase System (SPS), specifically:
Both procurement systems continue to be in noncompliance with Federal
financial management requirements. The Office of the Chief Procurement
Officer (OCPO) has yet to complete the corrective actions for the known
open information security vulnerabilities or to develop mitigation strategies if
new system development is underway. The OCPO plans to replace the
current acquisition systems, but it has not yet been able to secure funding to
complete the planned corrective action. Consequently, OCPO has not yet
implemented functionality to ensure that there is sufficient information
within HUD’s procurement systems to support the primary acquisition
functions of fund certification, obligation, de-obligation, payment, and
closeout.
These conditions occurred because the OCPO has not yet been able to secure funding to complete the
planned corrective action.
Office of Chief Control weaknesses that could negatively affect the integrity,
Information Officer confidentiality, and availability of computerized financial data still exist,
and Office of the specifically:
Chief Financial Although the OCFO has obtained a listing of all users with access to
47
Responsible Office Nature of the Problem
Officer the HUDCAPS production environment, they have not yet
completed an assessment to determine specifically what HUDCAPS
access is granted to each contractor, or prepared a listing of all users
with above read access to application data. They also have yet to
initiate a request with the Office of Security and Emergency
Planning staff to determine whether the contractor employees have
had the appropriate background investigations or to follow up with
Office of Security and Emergency Planning staff to ensure
background investigations are initiated for contractor staff if
required. In addition, they still need to complete actions to remove
above read access privileges for all contracted system developers
with unnecessary access within production databases for HUDCAPS
and any other OCFO systems.
The corrective action taken to ensure that all users of LOCCS were
recertified in accordance with HUD policy was not effective since
we again were able to identified LOCCS users that were not
recertified by the system during fiscal year 2008.
The OCFO assessed and accepted the risk associated with providing web
users access to some of the data within the Financial Data Mart. In addition,
the OCFO, in coordination with the OCIO, initiated plans to obtain and
review access logs to the Financial Data Mart server, and to modify
application passwords to be in compliance with HUD's password policy. The
corrective actions are expected to be completed during fiscal year 2009.
These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.
Office of Chief Our review of software configuration management indicated that HUD has
Information Officer not yet fully resolved the issue of obsolete and incomplete information in
the configuration management plans for the HUD Procurement System
and selected FHA applications.
For fiscal year 2008, the configuration management plan for the Institution
Master File (IMF) lacked information or contained outdated information.
These conditions occurred because management does not consistently enforce policies and procedures.
48
Responsible Office Nature of the Problem
Office of Chief Our review of the disaster recovery plan for the contractor-operated data
Information Officer center facility indicates that the listing of mission critical applications still has
not yet been updated, and the appendix containing information on the disaster
recovery team personnel was not current.
In addition, the contingency planning at third party business sites is
inadequate. Sixty-nine percent of 29 third party business partners surveyed,
did not have any type of contingency, continuity or disaster recovery plan.
While thirty-one percent of the third party business partners did have some
type of plan, those plans contained only limited provisions on backup of
critical information and alternative work areas. Staffs were unfamiliar or had
limited knowledge of contingency planning requirements and documentation
was not readily available for use in case of emergency.
These conditions occurred because management does not consistently enforce policies and procedures
and HUD had not specified contingency planning, continuity of operations or disaster recovery
requirements in its agreements with third party business partners. Consequently, third party business
partners have developed limited contingency planning policies that do not meet HUD or National
Institute of Standards and Technology (NIST) requirements.
Office of Chief The physical security at the third party business sites is inadequate and
Information Officer weaknesses exist at those sites. The servers at those sites were located in
common areas (i.e. lunch rooms, halls), case binders with personally
identifiable information were left unattended, no guard or receptionist was at
the entrance, access doors were unlocked, and encryption of data residing on
laptops or portable devices was not a requirement.
This condition occurred because HUD had not specified the level of security controls and included it in
the terms and conditions of the contract or service-level agreement with the external business partner.
As a result, third party business partners have developed various information technology security
controls and policies that do not meet HUD or federal requirements, and therefore cannot be relied upon
to provide adequate protection over HUD’s sensitive data.
49
Responsible Office Nature of the Problem
Office of Chief Personnel security weaknesses still exist, specifically:
Information Officer
HUD still does not have a central repository that lists all users with access
to HUD’s general support and application systems. Consequently, HUD
has no assurance that all users who have access to HUD critical and
sensitive systems have had the appropriate background investigation.
The Centralized HUD Account Management Process (CHAMP) remains
incomplete and does not fully address OIG’s concerns. Specially, we
found:
a. CHAMP does not contain complete and accurate data. The OCIO did
not electronically migrate data from the HUD Online User
Registration System (HOURS) into CHAMP. Instead, they chose to
enter the legacy data manually. However, this process has not yet
been completed. As of April 22, 2008, OCIO has entered user data
for 37 out of 248 applications (15%) into CHAMP.
b. HUD can neither compile a complete listing of all authorized users
and their access privileges nor identify all the applications to which
users have access because CHAMP does not have reporting
capabilities.
c. CHAMP does not contain a mechanism to escalate or reassign tasks
that have not been completed within a specified timeframe.
d. CHAMP can only handle access requests for internal users such as
HUD employees and contractors, but not for external users such as
Housing Authorities and trusted business partners.
HUD has not yet completely removed greater-than-read access to sensitive
systems for users who have not submitted appropriate background
investigation documents or who are no longer authorized to access
information resources.
HUD had processes and procedures for removing the computer system
access of retiring employees however controls over these processes needed
improvement.
HUD did not conduct a security categorization and a risk assessment for
CHAMP as required by Federal Information Processing Standards (FIPS)
Publications (PUB) 199 and 200. Without a security categorization and
risk assessment on CHAMP, HUD cannot know the full extent of risks that
the CHAMP process is vulnerable to or whether adequate levels of
security controls have been put in place to protect data and applications
impacted by CHAMP.
These conditions occurred because management does not consistently enforce policies and procedures.
50
Appendix D
SCHEDULE OF QUESTIONED COSTS
AND FUNDS PUT TO BETTER USE
Recommendation Ineligible 1/ Unsupported Unreasonable or Funds Put to
Number 2/ Unnecessary 3/ Better Use 4/
1.a. $1.4B
2.a. $122.9 M
1/ Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity
that the auditor believes are not allowable by law, contract or federal, state or local
polices or regulations.
2/ Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
or activity where we cannot determine eligibility at the time of audit. Unsupported costs
require a future decision by HUD program officials. This decision, in addition to
obtaining supporting documentation, might involve a legal interpretation or clarification
of departmental policies and procedures.
3/ Unnecessary/Unreasonable costs are those costs not generally recognized as ordinary,
prudent, relevant, and or necessary within established practices. Unreasonable costs
exceed the costs that would be incurred by a prudent person in conducting a competitive
business.
4/ Recommendations that funds be put to better use are estimates of amounts that could be
used more efficiently if an Office of Inspector General (OIG) recommendation is
implemented. This includes reductions in outlays, deobligation of funds, withdrawal of
interest subsidy costs not incurred by implementing recommended improvements,
avoidance of unnecessary expenditures noted in pre-award reviews, and any other savings
which are specifically identified.
51
Appendix E
Agency Comments
52
53
Appendix F
OIG EVALUATION OF AGENCY COMMENTS
With the exception of the report’s conclusions on HUD’s substantial noncompliance with the
Federal Financial Management Improvement Act of 1996 (FFMIA) and FHA’s auditor’s
conclusion that FHA did not comply with the Credit Reform Act, HUD management generally
agreed with our presentation of findings and recommendations subject to detail comments.
HUD’s management disagrees with the conclusion that HUD is still not substantially compliant
with FFMIA. HUD agrees that their systems processes can be more efficiently integrated to
eliminate the need for existing compensating controls, but feel the existing environment is
substantially compliant and not representative of a material risk of misreporting.
We disagree with HUD’s conclusions. FFMIA emphasizes the need for agencies to have systems
that are able to generate reliable, useful, and timely information for decision-making purposes
and to ensure accountability on an ongoing basis. The deficiencies noted in HUD’s financial
management systems are due to the current financial system being developed prior to the
issuance of current requirements. It is also technically obsolete, has inefficient multiple batch
processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies,
HUD’s management systems are unable to routinely produce reliable, useful, and timely
financial information. This weakness manifests itself by limiting HUD’s capacity to manage with
timely and objective data, and thereby hampers its ability to effectively manage and oversee its
major programs.
In addition, HUD is not fully compliant with one of the three indicators of compliance with
Federal financial management requirements. HUD has significant deficiencies related to security
over financial management information systems in accordance with FISMA and OMB Circular
A-130 Appendix III. The Department has not met the minimum set of automated information
resource controls relating to Entity-wide Security Program Planning and Management.
HUD disagreed with the FHA auditor’s conclusion that FHA did not comply with the Credit
Reform Act of 1990 due to FHA’s inability to maintain accurate trial balances at the cohort level
for financing accounts. FHA auditor reported that:
“Due to deficiencies in the interface with the Generic Debt subsystem, the FHA’s
core financial management system does not maintain accurate trial balance
account information at the cohort level for the financing accounts. Accordingly,
FHA may not be able to accurately calculate the re-estimated cost “for a group of
direct loans or loan guarantees for a given credit program made in a fiscal year” in
accordance with the requirements of Statement of Federal Financial Accounting
Standard No 2, Accounting for Direct Loans and Loan Guarantees and the
Federal Credit Reform Act of 1990. These balances are adjusted manually at the
end of the year.”
54
FHA’s auditor reviewed and considered HUD’s and FHA’s comments and disagreed with HUD
and FHA concerning FHA’s noncompliance with the Credit Reform Act.
55
Additional Details to Supplement Our Report on HUD's Fiscal Years 2008 and 2007 Financial Statements
Published by the Department of Housing and Urban Development, Office of Inspector General on 2008-11-14.
Below is a raw (and likely hideous) rendition of the original report. (PDF)