
Additional Details to Supplement Our Report on HUD's Fiscal Years 2008 and 2007 Financial Statements

Published by the Department of Housing and Urban Development, Office of Inspector General on 2008-11-14.


Issue Date: November 14, 2008
Audit Case Number: 2009-FO-0003




TO:            John W. Cox, Chief Financial Officer, F


FROM:          Thomas R. McEnanly, Director, Financial Audits Division, GAF

SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2008 and
         2007 Financial Statements

                                            HIGHLIGHTS

 What We Audited and Why

                 We are required to annually audit the consolidated financial statements of the U.S.
                 Department of Housing and Urban Development (HUD) in accordance with the
                 Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal
                 years 2008 and 2007 financial statements is included in HUD’s Fiscal Year 2008
                 Performance and Accountability Report. This report supplements our report on
                 the results of our audit of HUD’s principal financial statements for the fiscal years
                 ending September 30, 2008, and September 30, 2007. Also provided are
                 assessments of HUD’s internal controls and our findings with respect to HUD’s
                 compliance with applicable laws, regulations, and government-wide policy
                 requirements, and provisions of contracts and grant agreements.1


    1
       Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included
in this report but are included in the accounting firm of Urbach Kahn and Werlin LLP’s audit of FHA’s financial
statements. That report has been published in our report, Audit of Federal Housing Administration Financial
Statements for Fiscal Years 2008 and 2007 (2009-FO-0002, dated November 07, 2008).

    Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD
component, are not included in this report but are included in the accounting firm of Carmichael, Brasher, Tuvell
Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of
Government National Mortgage Association Financial Statements for Fiscal Years 2008 and 2007 (2009-FO-0001,
dated November 07, 2008).
What We Found


                In our opinion, HUD’s fiscal years 2008 and 2007 financial statements
                were fairly presented. Our opinion on HUD’s fiscal years 2008 and 2007
                financial statements is reported in HUD’s Fiscal Year 2008 Performance
                and Accountability Report. The other auditors and our audit also
                disclosed the following significant deficiencies in internal controls related
                to the need to:

                - Continue improvements in the oversight and monitoring of subsidy
                  calculations and intermediaries’ program performance and promote full
                  utilization of Housing Choice Voucher funds;
                - Improve the processes for reviewing obligation balances;
                - Comply with federal financial management systems requirements;
                - Further strengthen controls over HUD’s computing environment;
                - Improve personnel security practices for access to the Department’s
                  critical financial systems;
                - Continue to enhance and modernize FHA’s financial information systems;
                  and
                - Strengthen Ginnie Mae’s monitoring and management controls in regard
                  to the mortgage-backed security program.

         Our findings include the following four instances of non-compliance with
         applicable laws and regulations:

                - HUD did not substantially comply with the Federal Financial Management
                  Improvement Act regarding system requirements.
                - HUD did not substantially comply with the Anti-deficiency Act.
                - FHA does not comply with the Credit Reform Act of 1990.
                - Ginnie Mae did not comply with the Federal Information Management
                  Security Act.

         The audit also identified $122.9 million in excess obligations recorded in HUD’s
         records. We also are recommending that HUD seek legislative authority to
         implement $1.4 billion in offsets against housing agencies’ excess unusable
         funding held in Net Restricted Assets Accounts at the housing agencies. These
         amounts represent funds that HUD could put to better use.




What We Recommend


          Most of the issues described in this report represent long-standing weaknesses.
          We understand that implementing sufficient change to mitigate these matters is a
          multiyear task due to the complexity of the issues, insufficient information
          technology (IT) systems funding, and other impediments to change. In this and in
          prior years’ audits of HUD’s financial statements, we have made
          recommendations to HUD’s management to address these issues. Our
          recommendations from the current audit, as well as those from prior years’ audits
          that remain open, are listed in Appendix B of this report.

          For each recommendation without a management decision, please respond and
          provide status reports in accordance with HUD Handbook 2000.06, REV-3.


HUD’s Response


          The complete text of the agency’s response can be found in Appendix E. This
          response, along with additional informal comments, was considered in preparing
          the final version of this report.




                             TABLE OF CONTENTS



Highlights

Internal Control

Compliance with Laws and Regulations

Appendixes
   A. Objectives, Scope, and Methodology
   B. Recommendations
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended Remedial Actions
   D. Schedule of Questioned Costs and Funds Put to Better Use
   E. Agency Comments
   F. OIG Evaluation of Agency Comments




                                   Internal Control

Significant Deficiency: HUD Management Must Continue to Improve
Oversight and Monitoring of Subsidy Calculations and Intermediaries’
Program Performance and Promote Full Utilization of Housing Choice
Voucher Funds
Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds
through various grant and subsidy programs to multifamily project owners (both nonprofit and
for profit) and housing agencies. These intermediaries, acting for HUD, provide housing
assistance to benefit primarily low-income families and individuals (households) that live in
public housing, Section 8 and Section 202/811 assisted housing, and Native American housing.
In fiscal year 2008, HUD spent about $28 billion to provide rent and operating subsidies that
benefited more than 4.8 million households.

Since 1996, we have reported on weaknesses with the monitoring of the housing assistance
program’s delivery and the verification of subsidy payments. We focused on the impact these
weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing
subsidies and (2) verify tenant income and billings for subsidies. During the past several years,
HUD has made progress in correcting this deficiency. In 2008, HUD continued utilizing the
comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts
to address public housing agencies’ (PHA) improper payments and other high-risk elements.
HUD’s continued commitment to the implementation of a comprehensive program to reduce
erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying
out their responsibility to administer assisted housing programs according to HUD requirements.

The Department has demonstrated improvements in its internal control structure to address the
significant risk that HUD’s intermediaries are not properly carrying out their responsibility to
administer assisted housing programs according to HUD requirements. HUD’s increased and
improved monitoring has resulted in a significant decline in improper payment estimates over the
last five years. However, HUD needs to continue to place emphasis on its on-site monitoring
and technical assistance to ensure that acceptable levels of performance and compliance are
achieved and periodically assess the accuracy of intermediaries’ rent determinations, tenant
income verifications, and billings.

Tenant income is the primary factor affecting eligibility for housing assistance, the amount of
assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy
payment makes up the difference between 30 percent of a household’s adjusted income and the
housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The
admission of a household to these rental assistance programs and the size of the subsidy the
household receives depend directly on the household’s self-reported income. However,
significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent
determinations and undetected, unreported, or underreported income. By overpaying rent
subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds
that could have been used to subsidize other eligible families in need of assistance.



HUD’s Estimate of Erroneous Payments Decreased in
Fiscal Year 2008


             The estimate of erroneous payments that HUD reports in its Performance and
             Accountability Report relates to HUD’s inability to ensure or verify the accuracy
             of subsidy payments being determined and paid to assisted households. This
             year’s contracted study of HUD’s three major assisted housing programs
             estimated that the rent determination errors made by the intermediaries resulted in
             substantial subsidy overpayments and underpayments. The study was based on
             analyses of a statistical sample of tenant files, tenant interviews, and income
             verification data for activity that occurred during fiscal year 2007. However, the
             amounts reported in the study have been adjusted due to recent program structure
             changes.

             The Public Housing programs switched to Asset Management and began
             calculating formula income for PHAs as noted in 24 CFR 990.195, Calculating
             Formula Income. This change eliminated the 3 types of improper payment errors
             for the Public Housing program. This new process was implemented in January
             2007. Therefore, for FY 2007, this process was in place for the last 3 quarters of
             the year, and HUD subsidy errors occurred only in the first quarter. Errors could
             still be made by PHAs in their calculation of the amount of tenant rent, or tenants
             could still be underreporting their income; however, beginning January 2007, this
             no longer affected HUD’s subsidy. The Quality Control (QC) study and Income
             Match Reporting study estimated these errors for the entire fiscal year because
             this information is useful to management of both PIH and the PHAs. However,
             based on the conversion to asset management and the change in calculating
             formula income becoming effective in January 2007, only 25 percent of the
             amount calculated for the Administrator, Income Reporting, and Billing errors
             should be reported for FY 2007. In addition, the establishment of a budget-based
             funding methodology was implemented for the Housing Choice Voucher Program
             to eliminate the opportunity for billing errors in that program. Budget-based
             means that each PHA will have a set annual budget for vouchers to serve their
             clients’ needs. The PHA will receive the annual budget in 12 equal monthly
             payments, thus eliminating the need to bill HUD and eliminating the Billing
             Error.

             Based on the previously mentioned program structure changes, HUD is reporting
             subsidy payment inconsistencies in which HUD incorrectly paid $671.5 million in
             annual housing subsidies. This is a 30 percent decrease in the gross erroneous
             payments in comparison to the prior year. The estimate of erroneous payments is
             reported in HUD’s Fiscal Year 2008 Performance and Accountability Report as
             Other Accompanying Information and will reflect the adjusted error estimates.

             The estimate of erroneous payments this year also includes overpaid subsidies
             from underreported and unreported income and intermediaries’ billings errors.
             HUD estimated that housing subsidy overpayments from tenants misreporting
             their income totaled an additional $249.8 million in overpayments during calendar
             year 2007.

      HUD did not conduct a billings study during fiscal year 2008. Therefore, the
      results of the prior year’s study will carry over for this year’s billings error estimate
      and have been adjusted according to the previously mentioned program structural
      changes. Based on the payment errors that were identified for the Office of
      Housing’s project-based Section 8 housing program, HUD reported an estimated
      $59 million in program billings errors for fiscal year 2006. In addition, PIH’s
      billings error estimate has been reduced to zero for the Housing Choice Voucher
      program.

      Additionally, an operating subsidy estimate of $12.3 million was included in the
      PIH billings estimate. Therefore, adding the Office of Housing’s estimate of $59
      million to the PIH estimate of $12.3 million for operating subsidy results in a
      $71.3 million estimate of erroneous payments for billings errors.

      In totality, HUD has reduced the combined gross improper rental housing
      assistance payment estimates to $993 million in Fiscal Year 2007. This is a total
      reduction of 35% in comparison to the prior year estimates.

      In addition to the Rental Housing Integrity Improvement Project (RHIIP)-related
      estimates, HUD performed a risk assessment update on one-third of all HUD
      programs exceeding $40 million in expenditures (except those associated with the
      RHIIP) to determine whether they are susceptible to significant erroneous or
      improper payments. The OCFO performed a risk assessment on nine of HUD’s
      funded activities (programs). The nine programs were updated and reevaluated
      for the current risk assessment. Although individual program risk ratings for the
      nine programs may have changed slightly, none of the programs evaluated were
      considered susceptible to significant improper payments for fiscal year 2007, as
      defined in OMB Circular A-123, Appendix C, Part 1.



HUD Needs to Continue Initiatives to
Detect Unreported Tenant Income


      The computer matching agreement between HUD’s Office of Housing and the
      Department of Health and Human Services (HHS) for use of the National
      Directory of New Hires in the Enterprise Income Verification system (EIV) was
      finalized in fiscal year 2008. HUD successfully expanded its computer matching
      program with the HHS data to all of its rental assistance programs (public
      housing, housing vouchers, and project-based housing) when HUD’s project-based
      program gained access to the HHS database on January 15, 2008. The
      other programs had gained access previously. HUD intends to issue a final rule
      mandating the use of this matching data by the end of this calendar year.


        EIV is a web-based system that compiles tenant income information and makes it
        available online to HUD business partners to assist in determining accurate tenant
        income as part of the process of setting rental subsidy. Currently, EIV matches
        tenant data against Social Security Administration information, including Social
        Security benefits and Supplemental Security Income, and with the HHS National
        Directory of New Hires (NDNH) database, which provides information such as
        wages, unemployment benefits, and W-4 (“new hires”) data, on behalf of PIH and
        Multifamily Housing programs. The EIV System is available to PHAs
        nationwide and to Owner Administered project-based assistance programs, and all
        are encouraged to use and implement the EIV System in their day-to-day
        operations.

        The Department is also in the process of implementing the
        Multifamily Housing Error Tracking Log (ETL) initiative. The ETL initiative
        will document whether and to what extent owners are accurately, thoroughly, and
        clearly determining family income and rents in the Office of Multifamily Housing
        Subsidy Programs, and will track the specific dollar impact of income and rent
        discrepancies and the corresponding resolution of such errors.

HUD Needs to Continue Progress on RHIIP
Initiatives to Monitor Program Administrators


        HUD initiated the Rental Housing Integrity Improvement Project (RHIIP) as part
        of an effort in fiscal year 2001 to develop tools and the capability to minimize
        erroneous payments. The type of erroneous payment targeted includes the
        excess rental subsidy caused by unreported and underreported tenant income.
        Since our last report, HUD has continued to make progress addressing the
        problems surrounding housing authorities’ rental subsidy determinations,
        underreported income, and assistance billings. However, HUD still needs to
        ensure that it fully utilizes automated tools to detect rent subsidy processing
        deficiencies and identify and measure erroneous payments.

        During fiscal year 2006, HUD implemented a five-year plan initiative to perform
        consolidated reviews in order to reinforce the Office of Public and Indian
        Housing’s (PIH) effort in addressing public housing agencies’ (PHA) improper
        payments and other high-risk elements. These reviews were also implemented to
        ensure the continuation of PIH’s comprehensive monitoring and oversight of
        PHAs. The five-year plan required Tier 1 comprehensive reviews to be performed on
        approximately 20 percent or 490 of the PHAs that manage 80 percent of HUD’s
        funds. According to the Fiscal Year 2008 Management Plan directive, PIH
        identified 100 PHAs that receive 80 percent of HUD’s funding for the priority
        Tier 1 comprehensive reviews. Tier 2 comprehensive reviews of the remaining
        PHAs were optional, depending upon each field office’s resources. Tier 1
        comprehensive reviews included rental integrity monitoring (RIM), RIM follow-up
        on Corrective Action Plans (CAPs), EIV implementation and security, Section
        8 Management Assessment Program (SEMAP) confirmatory reviews, SEMAP
        quality control reviews, Exigent Health & Safety (EH&S) spot-checks,
        Management Assessment Subsystem (MASS) certifications, and civil rights
        limited front-end reviews.

Documentation provided during our review showed that 101 Tier 1 reviews and 17
Tier 2 reviews were performed during fiscal year 2008. Because of the
deficiencies identified in the consolidated reviews, CAPs were implemented at 46
PHAs from the Tier 1 reviews and at 17 PHAs from the Tier 2 reviews. At the end of
our fieldwork, none of the CAPs from these reviews had been closed out.
Additionally, at the end of our fiscal year 2008 fieldwork we noted that 6 CAPs
were still open from the 2003-2004 RIM follow-up reviews. During our fiscal
year 2007 review, we determined that 6 of these CAPs were still open because the
respective PHA was either in receivership or in troubled status. HUD must
continue to assure that CAPs are implemented and closed out, thereby assuring
that the systemic errors identified during the reviews were corrected.

In prior years, we reported that the Public Housing Information Center system
(now known as the PIH Inventory Management System, or PIC-IMS)
information was incomplete and/or inaccurate because housing authority reporting
requirements were discretionary. As a result, PHAs have been mandated to
submit 100 percent of their family records to HUD’s Public Housing Information
Center system (Inventory Management System) Form 50058 Module. If PHAs do
not meet the minimum reporting rate of 95 percent at the time of their annual
Form HUD 50058 reporting rate assessment, they are subject to sanctions. During
our field review at four field offices, we noted 41 PHAs that were not meeting the
minimum 95 percent reporting rate. None of these PHAs were sanctioned during
2008. HUD annually evaluates those PHAs not meeting the 95 percent requirement;
this evaluation was postponed until April 2009, after the new PIC-IMS software is
deployed. Since HUD uses the tenant data from its Public Housing Information
Center system (Inventory Management System) for the income-matching program
and program monitoring, it is essential that the database have complete and
accurate tenant information. Therefore, until a more efficient and effective means
of verifying the accuracy of the data is developed, HUD needs to continue to
emphasize the importance of accurate reporting and proactively enforce sanctions
against those PHAs that do not follow the requirement.

HUD has made substantial progress in taking steps to reduce erroneous payments.
However, HUD must continue its regular on-site and remote monitoring of the
PHAs and use the results from the monitoring efforts to focus on corrective
actions when needed. We are encouraged by the on-going actions to focus on
improving controls regarding income verification, as well as HUD’s plans
regarding CAPs, consolidated reviews, and the continual income and rent training
for HUD staff, owners, management agents, and PHAs.




Public Housing Agencies’ Accumulation of Funds in the
Net Restricted Asset Account


          Congress, in an attempt to limit the cost of the Housing Choice Voucher Program
          and to provide flexibility to the Public Housing Agencies (PHAs) in the
          administration of available program funding, enacted provisions in the fiscal year
          2005 Appropriation Act (Public Law 108-447), that significantly changed the way
          HUD provides and monitors the subsidy paid to housing agencies. Starting
          January 1, 2005, Congress changed the basis of the program funding from a “unit-
          based” process to a “budget-based” process that limits the Federal funding to a
          fixed amount. Under the legislation, HUD records the funding allocated to the
          PHA as an expense and no longer records a receivable for any under-utilized
          funds because the public housing authorities retain and are expected to use the
          funds in their entirety for authorized program activities and expenses within the
          time allowed. Program guidance states that any budget authority provided to
          PHAs that exceeds actual program expenses for the same period must be
          maintained in a housing agency’s net restricted assets account. Although these
          funds are retained by the PHA and not the Department, the Department has a
          responsibility to ensure that these funds are properly accounted for and are used
          for authorized program activities. HUD is also responsible for monitoring both
          overutilization and underutilization of funds and for ensuring that appropriated
          funds are being used to serve the maximum number of families. According to
          HUD’s records, as of June 30, 2008, the net restricted assets account has
          increased to a balance of approximately $1.9 billion for 2,307 PHAs. Further, this
          $1.9 billion in unused funding is the balance remaining after an offset of $723
          million required by the Fiscal Year 2008 Appropriations Law. Of the $1.9 billion,
          $1.4 billion has been categorized as unusable by the PHAs. The unusable portion
          of the net restricted assets account balance represents the excess of the amount
          that would be required to achieve 100 percent utilization of the vouchers awarded
          to the PHAs for the calendar year.

          The balance in this account has increased to this level because housing agencies
          are not fully utilizing the housing choice voucher funds allocated. Due to
          uncertainty over each year’s funding allocation, PHAs have reduced their
          spending in anticipation of the need to cover future costs from current resources.
          Late enactment of appropriations has required PHAs to begin each year without
          knowing their allocations. Also, the utilization of voucher funds is further
          limited because program regulations prohibit a PHA from leasing more units than
          those approved in its contract, even when there is a need and the resources are
          available to increase the number of families being served. The lifting of these
          leasing restrictions requires legislative action by Congress. HUD has proposed
          such legislative change, but it has not been enacted.




Below Target Utilization Rates



           We reviewed HUD’s Section 8 Management Assessment Program (SEMAP)
           Utilization Summary Report as of September 17, 2008. This report showed that
           55 percent of the PHAs have utilization rates of less than 95 percent, which is
           below the fiscal year 2004 rate of 98.5 percent achieved using the previous
           funding mechanism and the Department’s FY 2011 target utilization rate of 97
           percent. We reviewed the dollar amount utilization rate from the Net Restricted
           Assets Monitoring report. Our analysis of the report indicated that PHA
           performance for FYs 2005 through 2007 resulted in calculated utilization rates
           of 96.0, 90.4, and 93.8 percent, respectively. HUD has acknowledged that
           continued improvements in utilization are needed, and plans to continue to link
           future administrative fee payments to PHA leasing levels.

           In addition, five recent OIG audits 2 have indicated that the accumulation of the
           net restricted assets has increased the risk of fraud, waste, and abuse of voucher
           program funds. The audits performed by our field offices at four PHAs revealed
           irregularities including the misuse of program funds, deficient accounting records
           and lack of control to ensure adequate utilization. Specifically, the audits
           indicated that housing choice voucher program funds were being used by PHAs to
           cover operating costs of other programs and that the funds were being spent on
           ineligible activities. The audits also found that a PHA did not properly update its
           financial systems for housing assistance and administrative fee payments made
           for the voucher program. In addition, we found that its accounting records did not
           support the balance of the net restricted assets. These issues combined with a lack
           of adequate funding utilization have resulted in a rapid accumulation of unused
           funds.

           The issues noted in these audits occurred in part because the Department does not
           include the net restricted assets account balance as part of its on-site monitoring
           review of PHAs. The Real Estate Assessment Center (REAC) performs a desk
           review of the Financial Accounting Sub-System (FASS) submissions from the
           PHAs. The submissions include two memo accounts regarding the net restricted
           assets balances (Net Cumulative Administrative Fees Equity and Net Cumulative
           Administrative Fees Equity). Although REAC reviews the submissions and
           informs the Financial Management Center and Field Offices of any irregularities,
           their review is primarily limited to the financial statements, data schedules that
           support the financial statements, and other data reported by the housing agencies
           that have been entered into the Department’s systems. REAC relies on the work
           of the Independent Auditors for review of the PHAs’ financial records that support
           the FASS submissions. In addition, the Quality Assurance Division (QAD)
           conducts on-site reviews of selected PHAs to validate the leasing and cost data
           reported by the agencies in the Voucher Management System (VMS), but does
           not review data to support net restricted assets account balances.

            2
                Dallas Housing Authority Audit Report #2008-FW-1006, City of Los Angeles Housing Authority
                Audit Report #2008-LA-1015, Housing Authority of the County of San Mateo, Belmont, CA Audit
                Report #2007-LA-1014, Dallas Housing Authority Audit Report #2008-FW-1011, and Richard Housing
                Authority, Richard, WA Audit Report #2008-SE-1006.

              The leasing restrictions imposed by Congress do not allow the program to operate
              at its fullest potential and the $723 million offset was not sufficient to recapture
              the excess funding held by the PHAs. We recommend that HUD significantly
              reduce the net restricted assets balance by seeking the legislative authority to
              implement additional offsets of the $1.4 billion of the unusable funding
              accumulated and to again request that the programs’ leasing restrictions be
              eliminated or modified in order for more families to receive assistance. We also
              recommend the Department increase both its on-site monitoring efforts of this
              account balance, as well as continue to improve its efforts to increase fund
              utilization by linking administrative fee payments to PHA leasing levels.


Significant Deficiency: HUD Needs to Improve Processes for Reviewing
Obligation Balances
HUD needs to improve controls over the monitoring of obligation balances to ensure they remain
needed and legally valid as of the end of the fiscal year. HUD’s procedures for identifying and
deobligating funds that are no longer needed to meet its obligations were not always effective.
This has been a long-standing weakness. Our review of the 2008 year-end obligation balances
showed $122.9 million in excess funds that could be recaptured. We have been reporting
deficiencies in this area for several years and while HUD has been working to implement
improved procedures and information systems, progress has been slow. Major deficiencies
include the lack of timely reviews of unexpended obligations for Administrative, Program Rental
Assistance Payment, Rent Supplement, and Interest Reduction Program.

Annually, HUD performs a review of unliquidated obligations to determine whether the
obligations should be continued, reduced, or canceled. We evaluated HUD’s internal controls
for monitoring obligated balances.


  Project-based Section 8
  Contracts


       HUD’s systems and controls for accounting, processing payments, monitoring, and
       budgeting for Section 8 project-based contracts need to be improved. HUD has been
       hampered in its ability to estimate funding requirements, process timely payments to
       project-based landlords, and to recapture excess funds in a timely manner. This is
       evidenced in HUD’s long-term challenges in paying Section 8 project-based landlords on
       a timely basis and properly monitoring and accurately accounting and budgeting for
       contract renewals.




   HUD currently administers 17,986 housing assistance payment (HAP) contracts to
   provide about 1.25 million low-income housing units. A total of 13,605 contracts,
   covering 966,020 housing units, are subject to annual renewals.

   Section 8 budget authority is generally available until expended. As a result, HUD
   should periodically assess budget needs and identify excess program reserves in the
   Section 8 programs as an offset to future budget requirements. Excess program reserves
   represent budget authority originally received, which will not be needed to fund the
   related contracts to their expiration. While HUD had taken actions to identify and
   recapture excess budget authority in the Section 8 project-based program, weaknesses in
   the review process and inadequate financial systems continue to hamper HUD’s efforts.
   There is a lack of automated interfaces between the Office of Housing subsidiary records
   and the Department’s general ledger for the control of program funds. This necessitates
   that HUD and its contractors make extensive use of ad hoc analyses and special projects
   to review Section 8 contracts for excess funds, which has hampered HUD’s ability to
   identify excess funds remaining on Section 8 contracts in a timely manner.

   This fiscal year, the Office of Housing recaptured approximately $428.3 million in
   unliquidated obligation balances from 9,207 contracts in the Section 8 project-based
   program. Our review of the Section 8 project-based contracts showed an additional $44.8
   million of available contract/budget authority on 102 contracts that had expiration dates
   prior to January 1, 2008. Funds associated with these contracts should be recaptured.

   During our review, we also found 32 contracts listed in the PAS that were not included in
   REMS data provided to us by Multifamily Housing. REMS is the official source of data
   on Multifamily Housing’s portfolio of insured and assisted properties. Upon further
   analysis of the 32 contracts, we determined that the funds available on 28 of the contracts
   had been recaptured during fiscal year 2008. We verified the status of the remaining four
   contracts with the Accounting Center in Fort Worth, TX. We found that no records
   existed for one contract, two contracts had been paid off, and one was expired. The
   available balance remaining on the four contracts, which totals approximately $29.6
   million, should be recaptured.



A Long-term Financial Management
System Solution is Needed


   While our review indicated improvements in PAS data quality, HUD still needs to
   develop a long-term financial management system solution to streamline and automate
   the overall Section 8 project-based budgeting, payment, and contract management
   process. HUD’s process for renewing subsidy contracts is largely an ad hoc process.
   HUD lacks the internal processes to timely estimate the contract funding level on an
   ongoing basis. There is a lack of automated interfaces between the Office of Housing
   subsidiary records and the Department’s general ledger for the control of program funds.
   This necessitates that HUD and its contractors make extensive use of ad hoc analyses and
   special projects to review Section 8 contracts. Our review of the Section 8 project-based


 account balances showed deficiencies that raised concerns about use of PAS data for
 computing funding requirements for Section 8 project-based assistance contracts.
 Specifically, we noted that:

        Funds totaling $1.1 million were recaptured from 32 projects that were reported in
        PAS as having no available balance.

        PAS data contained 24 funding lines with contract expiration dates prior to 1974,
        which is the year that Congress authorized the Section 8 program. Of the 24, 12
        funding lines were reported in PAS as having $10.4 million funds available.



Administrative/Other Program
Obligations


        Requests for obligation reviews were forwarded by the Chief Financial Officer to
        the administrative and program offices. The focus of the review was on
        administrative obligations that exceeded a balance of $17,000 and program
        obligations that exceeded $217,000. Excluding the Section 8 and Section 235/236
        programs, which undergo separate review processes, HUD identified 1,923
        obligations with remaining balances totaling $21.5 million for deobligation. We
        tested the 1,923 obligations the Department identified to determine whether the
        associated $21.5 million had in fact been deobligated in HUD’s Central
        Accounting and Program Accounting Systems. We found that, as of September
        30, 2008, a total of 427 obligations with remaining balances totaling $4.2 million
        had not been deobligated. The Department has initiated the process of closing
        these contracts and the associated funding should be recaptured in fiscal year
        2009. We noted during fiscal year 2008, the Department continued its efforts to
        improve the timing and monitoring of its deobligation process.



   Rent Supplement and Rental
   Assistance Payments


        HUD is not recapturing excess undisbursed contract authority from the Rent
        Supplement and Rental Assistance Payments programs in a timely manner.
        Although HUD continues to make progress in this area, improvement is still
        needed to ensure the timely recapture of excess funds.

        The Rent Supplement and Rental Assistance Payments programs have been in
        existence since the mid-1960s and 1970s, respectively. The Rent Supplement
        program and Rental Assistance Payments operate much like the current project-
        based Section 8 rental assistance program. Rental assistance is paid directly to
        multi-family housing owners on behalf of eligible tenants.


         HUD’s subsidiary ledgers show, on a fiscal year basis, the amount authorized for
         disbursement and the amount that was disbursed under each project account.
         Funds remain in these accounts until they are paid out or deobligated by HUD. If
         the funds are not paid out or deobligated, the funds remain on the books,
         overstating the needed contract authority, the excess of which should be
         recaptured. Our prior audit reports showed these funds were not being recaptured
         timely.

         We have been reporting deficiencies in this area for several years. In response to
         our concern, in fiscal year 2006, HUD developed and implemented procedures to
         review quarterly and annually the programs and associated contract authority
         requirements. Although progress has been made in this area, improvement is still
         needed to ensure the timely recapture of excess funds.

         We performed a review in fiscal year 2008 of unliquidated obligations for the
         multifamily projects accounts under the Rent Supplement and Rental Assistance
         programs. Our review found $20.7 million in undisbursed contract authority from
         prior fiscal years on 372 multifamily projects that should be recaptured. HUD
         agreed and processed adjustments to deobligate the $20.7 million of excess
         undisbursed obligations.

Section 236 Interest Reduction Program



         The Section 236 Interest Reduction Program was created in 1968; however, new
         program activity ceased in the mid-1970s. The multi-family activities carried out
         by this program include making interest reduction payments directly to mortgage
         companies on behalf of multi-family project owners. The contracts entered into
         were typically up to 40 years and HUD was required to fund these contracts for
         their duration. At the time it entered into the contracts, HUD was to record
         obligations for the entire amount. The obligations were established based upon
         permanent indefinite appropriation authority. This budget authority is included in
         the Statement of Budgetary Resources and other consolidated financial statements
         as “Other programs”.

         Although not a major program, deficiencies in the Section 236 Interest Reduction
         Program have been reported by OIG in prior reports on the financial statements.
         The Offices of Housing and the Chief Financial Officer have been hampered by
         historically poor record keeping in their attempt to accurately account for
         unexpended Section 236 budget authority balances and estimated future
         payments. These estimated payments are the basis for HUD’s current recorded
         obligation balances necessary to fully fund the contracts to their expiration. HUD
         adjusts the recorded obligations as it proceeds through the term of the contracts in
         order to reflect best estimates of the financial commitment. Factors that can
         change the budgetary requirements over time include contract terminations,
         refinancing, and restructuring of the contracts.


       In recent years, OIG noted that HUD made a series of corrective actions to
       address these deficiencies. In response to fiscal year 2004’s OIG report and
       OMB concerns, the Department initiated a contract-by-contract review in August
       2005 to identify underreported, as well as over reported balances, and support the
       Section 236 contract and budget authority. In 2006, HUD developed and
       implemented procedures for the quarterly reconciling of its obligation accounts.
       In FY 2007, HUD completed a reconciliation review with service. However, this
       year’s review disclosed that further improvements in HUD’s processes are needed
       to ensure Section 236 IRP obligations are valid and can be more accurately
       estimated and reported.

       In fiscal year 2008, we identified 60 inactive Section 236 Interest Reduction
       Program contracts with over $13.9 million in excess contract and budget authority
       that could be deobligated. These 60 contracts had been prepaid and terminated
       from the program. HUD agreed and processed adjustments to deobligate $13.9
       million. In addition, we identified 9 contracts with inaccurate payment schedules
       and overestimated funding requirements of over $9.7 million. HUD agreed and
       processed adjustments to deobligate the $9.7 million.

       The deficiencies in the Section 236 program occurred because the quarterly
       review procedures currently implemented were insufficient in providing updates
       on the project status in a timely manner. HUD needs to improve its quarterly
       contract reconciliation procedures to ensure that contract and budget authority for
       the Section 236 Interest Reduction Program are valid and estimates are accurately
       and timely reported.

For the Department’s administrative and other program funds, HUD needs to promptly
perform contract closeout reviews and recapture the associated excess contract authority
and imputed budget authority. In addition, HUD needs to address data and systems
weaknesses to ensure that all contracts are considered in the recapture/shortfall budget
process including Rent Supplement and Rental Assistance Programs.

With respect to project-based Section 8 contracts, we recommended in our audit of the
Department’s fiscal year 1999 financial statements that systems be enhanced to facilitate
timely closeout and recapture of funds. In addition, we recommended that the closeout
and recapture process occur periodically during the fiscal year, and not just at year-end.
Implementation of the recommendations is critical so that excess budget authority can be
recaptured in a timely manner and considered in formulating requests for new budget
authority.




Significant Deficiency: HUD Financial Management Systems Need to Comply
with Federal Financial Management System Requirements

As reported in prior years, HUD is not in full compliance with federal financial management
requirements. Specifically, it has not completed development of an adequate integrated financial
management system. HUD is required to implement a unified set of financial systems. This
includes the financial portions of mixed systems encompassing the software, hardware,
personnel, processes (manual and automated), procedures, controls, and data necessary to carry
out financial management functions, manage financial operations of the agency, and report on
the agency’s financial status to central agencies, Congress, and the public. As currently
configured, HUD financial management systems do not meet the test of being unified. The term
“unified” is defined as meaning that systems are planned for and managed together, operated in
an integrated fashion, and linked electronically to efficiently and effectively provide agency wide
financial system support necessary to carry out the agency’s mission and support the agency’s
financial management needs.

HUD’s financial systems, many of which were developed and implemented before the issue date
of current standards, were not designed to perform or provide the range of financial and
performance data currently required. The result is that HUD, on a department wide basis, does
not have unified and integrated financial management systems that are compliant with current
federal requirements or provide HUD the information needed to effectively manage its
operations on a daily basis. This could negatively impact management’s ability to perform
required financial management functions; efficiently manage the financial operations of the
agency; and report, on a timely basis, the agency’s financial results, performance measures, and
cost information.

 FFMIA Requires HUD to
 Implement a Compliant Financial
 Management System


               The Federal Financial Management Improvement Act of 1996 (FFMIA) requires,
               among other things, that HUD implement and maintain financial management
               systems that substantially comply with federal financial management system
               requirements. The financial management system requirements also include
               implementing information system security controls. These requirements are
               detailed in the Federal Financial Management System Requirements series issued
               by the Joint Financial Management Improvement Program/Financial System
               Integration Office (JFMIP/FISO). The requirements are also included in Office of
               Management and Budget (OMB) Circular A-127, “Financial Management
               Systems.” Circular A-127 defines a single integrated financial management
               system as a unified set of financial systems and the financial portions of mixed


           systems (e.g., acquisition) encompassing the software, hardware, personnel,
           processes (manual and automated), procedures, controls, and data necessary to
           carry out financial management functions, manage the financial operations of the
           agency, and report on the agency’s financial status.

           As in previous audits of HUD’s financial statements, in fiscal year 2008 there
           continued to be instances of noncompliance with federal financial management
           system requirements. These instances of noncompliance have given rise to
           significant management challenges that have: (1) impaired management’s ability
           to prepare financial statements and other financial information without extensive
           compensating procedures, (2) resulted in the lack of reliable, comprehensive
           managerial cost information on its activities and outputs, and (3) limited the
           availability of information to assist management in effectively managing
           operations on an ongoing basis.


HUD’s Financial Systems Are
Not Adequate


           As reported in prior years, HUD does not have financial management systems that
           enable it to generate and report the information needed to both prepare financial
           statements and manage operations on an ongoing basis accurately and timely. To
           prepare consolidated department wide financial statements, HUD required Federal
           Housing Administration (FHA), the Government National Mortgage Association
           (Ginnie Mae), and the Office of Federal Housing Enterprise Oversight (OFHEO)
           to submit financial statement information on spreadsheet templates, which were
           loaded into a software application. In addition, all consolidating notes and
           supporting schedules had to be manually posted, verified, reconciled, and traced.
           To overcome these systemic deficiencies with respect to preparation of its annual
           financial statements, HUD was compelled to rely on extensive compensating
           procedures that were costly, labor intensive, and not always efficient.

           Due to a lengthy HUD Integrated Financial Management Improvement Project
           (HIFMIP) procurement process and lack of funding for other financial application
           initiatives, there were no significant changes made in fiscal year 2008 to HUD’s
           financial management processes. As a result, the underlying system limitations
           identified in past years remain. Because of their functional limitations, the three
           applications (HUDCAPS, LOCCS, and PAS) that perform the core financial system
           function for HUD depend on its data mart and reporting tool to complete
           the accumulation and summarization of data needed for U.S. Department of the
           Treasury and OMB reporting.




HUD’s Financial Systems do not
Provide Managerial Cost Data


         In fiscal year 2006 the Government Accountability Office (GAO) reported in
         GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial
         systems do not have the functionality to provide managerial cost accounting
         across its programs and activities. This lack of functionality has resulted in the
         lack of reliable and comprehensive managerial cost information on its activities
         and outputs. HUD lacks an effective cost accounting system that is capable of
         tracking and reporting costs of HUD’s programs in a timely manner to assist in
         managing its daily operations. This condition renders HUD unable to produce
         reliable cost-based performance information.

         HUD officials have indicated that various cost allocation studies and resource
         management analyses are required to determine the cost of various activities
         needed for mandatory financial reporting. However, this information is widely
         distributed among a variety of information systems, which are not linked and
         therefore cannot share data. This makes the accumulation of cost information
         time consuming, labor intensive, untimely, and ultimately makes that cost
         information not readily available. Budget, cost management, and performance
         measurement data are not integrated because HUD:

             Did not interface its budget formulation system with its core financial system;

             Lacks the data and system feeds to automate a process to accumulate, allocate,
             and report costs of activities on a regular basis for financial reporting needs, as
             well as internal use in managing programs and activities;

             Does not have the capability to derive current full cost for use in the daily
             management of Department operations; and

             Requires an ongoing extensive quality initiative to ensure the accuracy of the
             cost aspects of its performance measures as they are derived from sources
             outside the core financial system.

         While HUD has modified its resource management application to enhance its cost
         and performance reporting for program offices and activities, the application does
         not use core financial system processed data as a source. Instead, HUD uses a
         variety of applications, studies, and models to estimate the cost of its program
         management activities. One of these applications, TEAM/REAP, was designed
         for use in budget formulation and execution, strategic planning, organizational
         and management analyses, and ongoing management of staff resources. It was
         enhanced to include an allocation module that added the capability to tie staff



              distribution to strategic objectives, the President’s Management Agenda, and
              HUD program offices’ management plans. HUD also concluded a pilot program
              of this functionality in fiscal year 2007.

              Additionally, HUD has developed time codes and an associated activity for nearly
              all HUD program offices to allow automated cost allocation to the program office
              activity level. HUD has indicated that the labor costs that will be allocated to
              these activities will be obtained from the HUD payroll service provider.
              However, because the cost information does not pass through the general ledger,
              current federal financial management requirements are not met.


Financial Systems do not Provide for
Effective and Efficient Financial
Management


              During fiscal year 2008, HUD’s financial information systems did not allow it to
              achieve its financial management goals in an effective and efficient manner in
              accordance with current federal requirements. To perform core financial system
              functions, HUD depends on three major applications, in addition to a data
              warehouse and a report-writing tool. Two of the three applications that perform
              core financial system functions require significant management oversight and
              manual reconciliations to ensure accurate and complete information. HUD’s use
              of multiple applications to perform core financial system functions further
              complicates financial management and increases the cost and time expended.
              Extensive effort is required to manage and coordinate the processing of
              transactions to ensure the completeness and reliability of information.


              Additionally, the interface between the core financial system and HUD’s
              procurement system does not provide the required financial information. The
              procurement system interface with HUDCAPS does not contain data elements to
              support the payment and closeout processes. Also, the procurement system does
              not interface with LOCCS and PAS. Therefore, the processes of fund
              certification, obligation, de-obligation, payment, and close out of transactions that
              are paid out of the LOCCS system are all completed separately, within either PAS
              or LOCCS. This lack of compliance with federal requirements impairs HUD’s
              ability to effectively monitor and manage its procurement actions.


     HUD Plans to implement a
     Department Wide Core Financial
     System


              HUD plans to implement a commercial federal certified core financial system and
              integrate the current core financial system into one Department-wide core


               financial system. HUD is initiating business process reengineering work to
               ensure a smooth transition to a single integrated core financial system. FHA and
               Ginnie Mae have already implemented a compatible and compliant system to
               support the transition to the enterprise core financial system. HUD plans to select
               a qualified shared service provider to host the enterprise system and integrate the
               three financial systems (HUD, FHA, and Ginnie Mae) into a single system by
               fiscal year 2013. Achieving integrated financial management for HUD will result
               in a reduction in the total number of systems maintained, provide online, real-time
               information for management decision-making, enable HUD to participate in E-
               government initiatives, and align with HUD's information technology
               modernization goals.

               However, HUD’s Integrated Financial Management Improvement Project
               (HIFMIP), launched in fiscal year 2003, has been plagued by delays, and
               implementation of the core financial system has not yet begun. Additionally, the
               previous HIFMIP project manager vacated the position in February 2008, and a
               permanent replacement has not yet been named. HIFMIP was intended to
               modernize HUD’s financial management systems in accordance with a vision
               consistent with administration priorities, legislation, Office of Management and
               Budget directives, modern business practices, customer service, and technology.
               HIFMIP will encompass all of HUD’s financial systems, including those
               supporting FHA and Ginnie Mae. HUD had intended to begin the
               implementation in fiscal year 2006. Due to delays with the procurement process,
               however, HUD anticipates that it will not be able to begin the implementation of
               its core financial system until fiscal year 2009. The success of the HIFMIP
               project continues to be at risk due to dated requirement documents, as well as the
               lack of a permanent, full-time project manager. We continue to note the
               following weaknesses with HUD’s financial management systems:

                  HUD’s ability to prepare financial statements and other financial information
                  requires extensive compensating procedures.

                  HUD has limited availability of information to assist management in
                  effectively managing operations on an ongoing basis.




Significant Deficiency: Controls over HUD’s Computing Environment Can Be
Further Strengthened
HUD’s computing environment, data centers, networks, and servers provide critical support to
all facets of the Department’s programs, mortgage insurance, financial management, and
administrative operations. In prior years, we reported on various weaknesses with general
system controls and controls over certain applications, as well as weak security management.
These deficiencies increase risks associated with safeguarding funds, property, and assets from
waste, loss, unauthorized use, or misappropriation.



We evaluated selected information systems general controls of the Department’s computer
systems on which HUD’s financial systems reside. Our review found information systems
control weaknesses that could negatively affect HUD’s ability to accomplish its assigned
mission, protect its data and information technology assets, fulfill its legal responsibilities and
maintain its day-to-day functions. Presented below is a summary of the control weaknesses
found during the review.


                                        Entity-wide Security Program

         HUD has made strides toward implementing a compliant entity wide security program as
         required by the Federal Information Security Management Act of 2002 (FISMA). HUD
         developed guidance, conducted meetings, and provided training to program officials to
         ensure security policies are properly implemented at the program and system level.
         However, additional progress is needed. Specifically, in fiscal year 2008 we found that:

             HUD’s program offices and system owners did not always ensure that HUD’s
             inventory of automated systems was up-to-date and systems were properly
             categorized as required by OMB.

             System owners did not ensure that all non-major applications that are hosted outside
             of HUD’s infrastructure were secure.

             HUD did not fully comply with OMB’s privacy requirements, including the
             completion of privacy survey reports and privacy impact assessments for all new
             systems that contain personally identifiable information[3] before placing them into
             development or production.

             HUD did not fully implement all technical controls specified by OMB memorandum
             M-06-16,[4] which addresses information that is removed from or accessed from
             outside the agency.




[3] The term Personally Identifiable Information means any information about an individual maintained by an agency,
including, but not limited to, education, financial transactions, medical history, and criminal or employment history
and information which can be used to distinguish or trace an individual's identity, such as their name, social security
number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal
information which is linked or linkable to an individual. Source: OMB Memorandum M-06-19, “Reporting
Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency
Information Technology Investments,” dated July 12, 2006.
[4] “Protection of Sensitive Agency Information” issued June 23, 2006.


                                Security Controls Over HUD’s Databases

           A number of weaknesses were identified by the OIG during a review of security controls
           over HUD’s databases. We identified security configuration and technical control
           deficiencies within HUD’s database security controls in the areas of (1) passwords, (2)
           system patches, and (3) system configuration.

           If proper access controls are not in place, there is no assurance that the data residing on
           HUD financial and financial management systems are adequately protected against
           unauthorized disclosure, modification, or destruction. Allowing conditions that
           undermine the integrity of security contributes to inefficient security operations and
           administration or may lead to interruption of production operations. Additionally,
           improper configurations do not allow the Office of the Chief Information Officer (OCIO)
           and program offices to ensure that the database environment is managed in a way that is
           secure, efficient, and effective.



                                         HUD Procurement System

           We audited HUD's Procurement systems in fiscal year 2006⁵. Through actions taken
           during fiscal years 2007 and 2008, the Office of the Chief Procurement Officer has made
           progress toward resolving the issues identified during the audit. However, two
           significant recommendations made in the report remain open and the procurement
           systems continue to be in noncompliance with Federal financial management
           requirements. The Office of the Chief Procurement Officer (OCPO) has yet to complete
           the corrective actions for the known open information security vulnerabilities or to
           develop mitigation strategies if new system development is underway. The OCPO plans
           to replace the current acquisition systems, but it has not yet been able to secure funding to
           complete the planned corrective action. Consequently, OCPO has not yet implemented
           functionality to ensure that there is sufficient information within HUD’s procurement
           systems to support the primary acquisition functions of fund certification, obligation, de-
           obligation, payment, and closeout.




                        Controls Over FHA Information Technology Resources

           On October 31, 2007, we issued an audit report on our assessment of FHA’s management of
           its information technology resources⁶. Some recommendations addressed to the OCIO
           remain open and are expected to be implemented and closed by December 2008 as follows:
           (1) provide additional guidance and training to application system owners regarding
           completion of their application’s business impact analysis; (2) complete the design and
           implementation of an information security program to include descriptions of system
           owner roles and responsibilities, information on the security controls with FHA for each
           general support system on which its applications reside, and information on the use of the
           Information System Security Forum as a user representative forum for each general
           support system; and (3) develop and provide role-based training to FHA staff with
           information security roles and responsibilities.

5
    Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems issued January 25, 2007
6
    Audit Report No. 2008-DP-0002: Review of FHA Controls Over Its Information Technology Resources



                          HUD’s Financial Systems

As part of our review of HUD's information systems controls, we evaluated information
security controls over the Northridge Loan System (NLS), Departmental Accounts
Receivable Tracking/Collection System (DARTS), HUDCAPS, LOCCS and the
Financial Data Mart. We identified control weaknesses that could negatively affect the
integrity, confidentiality, and availability of computerized financial data within three of
HUD’s financial systems--HUDCAPS, LOCCS, and the Financial Data Mart.




                                         HUDCAPS

In our fiscal year 2007 audit, we found that the Office of the Chief Financial Officer
(OCFO) granted two contracted developers above read access to the HUDCAPS
production data stored within the mainframe environment without documenting either
their acceptance of the risks associated with or the justification for this access level. The
documentation to support this access was not maintained by the system owner, and
acceptance of the risks associated with this access level was not documented in the
system security plan. Additionally, neither of the two developers received the required
level of background investigation. One developer received only a minimum background
investigation. The other developer was not investigated at all.

During fiscal year 2008, the OCFO, in coordination with the OCIO, has made progress in
addressing this issue. The OCFO has improved their documentation and maintenance of
files containing authorizations and justifications for contracted system developers to have
read or above-read access to production data. They have assessed the risk of providing
above read and read only access to contractors and have specifically acknowledged and
accepted that risk within their system security documentation. However, although the
OCFO has obtained a listing of all users with access to the HUDCAPS production
environment, they have not yet completed an assessment to determine specifically what
HUDCAPS access is granted to each contractor, or prepared a listing of all users with
above read access to application data. They also have yet to initiate a request with the
Office of Security and Emergency Planning staff to determine whether the contractor
employees have had the appropriate background investigations or to follow up with
Office of Security and Emergency Planning staff to ensure background investigations are
initiated for contractor staff if required. In addition, they still need to complete actions to
remove above read access privileges for all contracted system developers with
unnecessary access within production databases for HUDCAPS and any other OCFO
systems.

                                         LOCCS

During our fiscal year 2007 audit, we found that the controls over the LOCCS user
recertification process were not effective to verify the access of all users. Systemic
deficiencies led to the omission of more than 10,000 users from the LOCCS
recertification process. An additional 199 users had last recertification dates within the
application prior to March 31, 2006, indicating that they also were not included in the
fiscal year 2007 recertification process. During fiscal year 2008, the OCFO made
improvements to this process by generating a report from the system that allows them to
identify users that only have approving authority within the application for the user
recertification process. However, further improvements are necessary to ensure that all
users of LOCCS are recertified in accordance with HUD policy. Our review of the 2008
data again identified LOCCS users that were not recertified by the system. This shows
that the corrective action taken in response to our 2007 finding did not fully address the
problem.

                              Financial Data Mart

In fiscal year 2007, the OCFO identified and reported that an unauthorized individual had
access to sensitive data within the Financial Data Mart that was not needed to perform
assigned duties. In June 2007, we determined that an unauthorized individual was
accessing production data from the Financial Data Mart using an application’s login ID
and password. In addition, the password assigned to the application login ID did not
conform to HUD’s password policy. Further, we determined that all users with access to
the HUD Web can access and generate reports containing proprietary financial data
maintained within the Financial Data Mart.

During fiscal year 2008, the OCFO assessed and accepted the risk associated with
providing web users access to some of the data within the Financial Data Mart. In
addition, the OCFO, in coordination with the OCIO, initiated plans to obtain and review
access logs to the Financial Data Mart server, and to modify application passwords to be
in compliance with HUD's password policy. The corrective actions are expected to be
completed during fiscal year 2009.



                       IBM Mainframe z/OS Operating System

In fiscal year 2007, we followed up on previously reported weaknesses related to the
IBM mainframe z/OS operating system. For instance, we found that HUD had not: (1)
removed the unused data files in the IBM mainframe environment in a timely manner;
and (2) removed the references to a retired application. We also reported that more work
was needed to ensure that the most powerful administrative authority is restricted to only
those persons who require it to perform their duties, and that the administrator account is
properly managed.

        During our fiscal year 2008 review, we determined that HUD has taken steps to ensure
        that the super-user authority is properly restricted, and the administrator account is
        properly managed. HUD also removed unused data files from the IBM environment, as
        well as references to a retired application. Additionally, HUD has established a standard
        procedure to monitor and oversee the removal of personal data files belonging to users
        who have left the Department.



                                Software Configuration Management

        We previously reported that weaknesses remain in the areas of support for the
        Department-wide configuration management⁷ function and the HUD Procurement
        System configuration management plan. We also reported that configuration
        management plans for several FHA applications lacked information or contained
        outdated information. There were also weaknesses specific to each configuration
        management plan we reviewed.

        HUD has made progress in implementing controls to resolve the reported weaknesses.
        However, HUD has not yet fully resolved the issue of obsolete and incomplete
        information in the configuration management plans for the HUD Procurement System
        and selected FHA applications.

        For fiscal year 2008, we reviewed the configuration management plan for the Institution
        Master File (IMF) and found that this plan also lacked information or contained outdated
        information. Details of this finding will be included in our report for our fiscal year 2008
        review of information systems controls in support of the financial statements audit to be
        issued during 2009.



                              Contingency Planning and Preparedness

        Although HUD continues to make progress in the implementation of controls for
        contingency planning and preparedness, improvement is still needed. In fiscal year 2007,
        our review of the disaster recovery plan for the contractor-operated data center facility
        indicated that the listing of mission critical applications had not yet been updated. We
        were advised that a contract modification was required to update the listing, and HUD
        planned to accomplish this by December 31, 2007. During our fiscal year 2008 audit, we
        determined that the listing of mission critical applications still has not been updated. We
        also found that the appendix containing information on the disaster recovery team
        personnel was not current.

7
 Configuration management is the control and documentation of changes made to a system’s hardware, software
and documentation throughout the development and operational life of the system.


        In addition, we determined that contingency planning at third party business sites is
        inadequate. We surveyed 29 third party business partners to determine if they had
        business continuity plans, continuity of operations plans or disaster recovery plans in
        place that would provide the means to continue business, relocate to alternative work
        areas and access HUD systems. We found that sixty-nine percent did not have any type
        of contingency, continuity or disaster recovery plan. While thirty-one percent of the third
        party business partners did have some type of plan, those plans contained only limited
        provisions on backup of critical information and alternative work areas. Staff were
        unfamiliar with or had limited knowledge of contingency planning requirements, and
        documentation was not readily available for use in case of emergency.

        HUD had not specified contingency planning, continuity of operations or disaster
        recovery requirements in its agreements with third party business partners. Such
        information is usually included in the terms and conditions of a contract or service-level
        agreement with the external business partner. Consequently, third party business partners
        have developed limited contingency planning policies that do not meet HUD or National
        Institute of Standards and Technology (NIST) requirements.




                                               Physical Security

        Our on-site reviews during fiscal years 2006 and 2007 found that physical security
        controls for HUD facilities were generally in place at the network operations center and
        the data center, both maintained by HUD’s two information technology infrastructure
        contractors.

        This year, we evaluated how HUD’s third party business partners⁸ compensate for the
        lack of physical security controls when information is removed from, maintained or
        accessed from outside the agency location. We also determined what security guidance is
        provided by HUD. We found that physical security at the third party business sites we
        visited is inadequate and weaknesses exist at those sites. We found instances where
        servers were located in common areas (i.e. lunch rooms, halls), case binders with
        personally identifiable information were left unattended, no guard or receptionist was at
        the entrance, access doors were unlocked, and encryption of data residing on laptops or
        portable devices was not a requirement.

        We determined that HUD had not specified the level of security controls and included it
        in the terms and conditions of the contract or service-level agreement with the external
        business partner. As a result, third party business partners have developed various
        information technology security controls and policies that do not meet HUD or federal
        requirements, and therefore cannot be relied upon to provide adequate protection over
        HUD’s sensitive data.

8
 Third party business partners are external business partners who contract to do business with HUD such as
Housing Authorities and mortgage lenders who use PIH Inventory Management System (PIH-IMS), Tenant Rental
Assistance Certification System (TRACS) and Computerized Homes Underwriting Management System (CHUMS).




Significant Deficiency: Weak Personnel Security Practices Continue to Pose
Risks of Unauthorized Access to the Department’s Critical Financial Systems
For several years, we have reported that HUD’s personnel security practices over access to its
systems and applications were inadequate. Deficiencies in HUD’s information technology
personnel security program were found and recommendations were made to correct the
problems. However, the risk of unauthorized access to HUD’s financial systems remains a
critical issue. We followed up on previously reported information technology personnel security
weaknesses and deficiencies and found that deficiencies still exist. Specifically:

              Since 2004, we have reported that HUD does not have a complete list of all users
              with above-read access at the application level. Those users with above read
              access to sensitive application systems are required to have a background
              investigation. Our review this year found that HUD still does not have a central
              repository that lists all users with access to HUD’s general support and
              application systems. Consequently, HUD has no central listing for reconciling
              that all users who have access to HUD critical and sensitive systems have had the
              appropriate background investigation.

              While HUD’s implementation in 2007 of the Centralized HUD Account
              Management Process (CHAMP) was a step towards improving its user account
              management practices, CHAMP remains incomplete and does not fully address
              OIG’s concerns. Specifically, we found:

              a. CHAMP does not contain complete and accurate data. The OCIO did not
                 electronically migrate data from the HUD Online User Registration System
                 (HOURS) into CHAMP. Instead, they chose to enter the legacy data
                 manually. However, this process has not yet been completed. As of April
                 22, 2008, OCIO has entered user data for 37 out of 248 applications (15%)
                 into CHAMP.

              b. HUD can neither compile a complete listing of all authorized users and their
                 access privileges nor identify all the applications to which users have access
                 because CHAMP does not have reporting capabilities.

              c. CHAMP does not contain a mechanism to escalate or reassign tasks that have
                 not been completed within a specified timeframe.

              d. CHAMP can only handle access requests for internal users such as HUD
                 employees and contractors, but not for external users such as Housing
                 Authorities and trusted business partners.

During our fiscal year 2007 audit, we reported that contractors were
inappropriately granted access to sensitive systems. Consequently, we
recommended that the OCIO remove greater-than-read access to sensitive systems
for users who have not submitted appropriate background investigation
documents or who are no longer authorized to access information resources.
Corrective action to resolve this weakness has not yet been completed.

We previously identified a retired HUD employee whose user ID remained active
on HUD systems for 13 months following her retirement. In addition, there was
evidence to suggest that the network password assigned to that user had been
modified approximately six weeks after the employee’s retirement. We found
that although HUD had processes and procedures for removing the computer
system access of retiring employees, Human Resources, program area
applications owners, the Office of Security and Emergency Planning, and the
Office of the Chief Information Officer need to coordinate to improve these
processes.

HUD did not conduct a security categorization and a risk assessment for CHAMP
as required by Federal Information Processing Standards (FIPS) Publications
(PUB) 199 and 200. HUD’s OCIO incorrectly chose not to conduct a security
categorization and risk assessment for CHAMP because they believed that these
items are not required for CHAMP, which is listed as a process rather than a
system. HUD also believes that since CHAMP is exclusively owned by its
information technology contractor, it is not subject to the requirements of a
security categorization and a risk assessment. Without a security categorization
and risk assessment on CHAMP, HUD cannot know the full extent of risks that
the CHAMP process is vulnerable to or whether adequate levels of security
controls have been put in place to protect data and applications impacted by
CHAMP.




                 Compliance with Laws and Regulations

HUD Did Not Substantially Comply with the Federal Financial Management
Improvement Act
FFMIA requires auditors to report whether the agency’s financial management systems
substantially comply with the Federal financial management systems requirements, applicable
accounting standards, and support the U.S. Standard General Ledger (SGL) at the transaction
level. We found that HUD was not in substantial compliance with FFMIA because HUD’s
financial management system did not substantially comply with Federal Financial Management
System Requirements.

During fiscal year 2008, the Department made limited progress as it attempted to address its
financial management deficiencies to bring the agency’s financial management systems into
compliance with the Federal Financial Management Improvement Act (FFMIA). However, the
deficiencies remain: the Department’s financial management systems continue not to meet
current requirements and are not operated in an integrated fashion and linked electronically to
efficiently and effectively provide the agency-wide financial system support necessary to carry
out the agency’s mission and support the agency’s financial management needs.

HUD's policy is to complete OMB A-127 reviews of all HUD financial systems within a three
year cycle. HUD did not complete any of the planned 2007 and 2008 independent reviews of its
current financial management systems to verify compliance with financial system requirements,
identify system and procedural weaknesses, and develop the corrective actions to address
identified weaknesses. Additionally, HUD only completed four independent reviews that were
planned in 2006.


     Federal Financial Management System
     Requirements

               In its Fiscal Year 2008 Performance and Accountability Report, HUD reports that
               2 of its 42 financial management systems do not comply with the requirements of
               the FFMIA and OMB Circular A-127, Financial Management Systems. Even
               though 40 individual systems have been certified as compliant with federal
               financial management systems requirements, HUD has not adequately performed
               independent reviews of these systems as required by OMB Circular A-127.
               Collectively and in the aggregate, deficiencies still exist.

               We continue to report as a significant deficiency that HUD Financial
               Management Systems Need to Comply with Federal Financial Management
               Systems Requirements. The significant deficiency addresses how HUD’s
               financial management systems remain substantially noncompliant with federal
               financial management requirements.



              FHA’s auditor reports as a significant deficiency that FHA needs to continue to
              enhance and modernize its financial information systems. The significant
              deficiency addresses the challenges in FHA’s capacity to simultaneously address
              various system modernization initiatives and control deficiencies affecting the
              reliability and completeness of FHA’s financial information.

              Ginnie Mae’s auditor reports noncompliance with the Federal Information Security
              Management Act (FISMA). The Act requires Ginnie Mae to implement an
              agency-wide information security program to provide information security for the
              information systems that support the operations and assets of the agency including
              those provided or managed by a contractor. The auditor’s review found Ginnie
              Mae lacks assurance that critical information technology general control elements
              for the Integrated Portfolio Management System (IPMS), which is managed and
              controlled by a Ginnie Mae contractor, are working effectively to reduce agency
              information system risks.

              We also continue to report as significant deficiencies that (1) Controls over
              HUD’s Computing Environment Can Be Further Strengthened and (2) Weak
              Personnel Security Practices Continue to Pose Risks of Unauthorized Access to
              the Department’s Critical Financial Systems. These significant deficiencies
              discuss how weaknesses with general controls and certain application controls,
              and weak security management increase risks associated with safeguarding funds,
              property, and assets from waste, loss, unauthorized use or misappropriation.

              In addition, OIG audit reports have disclosed that security over financial
              information was not provided in accordance with OMB Circular A-130,
              Management of Federal Information Resources, Appendix III, and FISMA.

We have included the specific nature of noncompliance issues, responsible program offices and
recommended remedial actions in Appendix C of this report.


HUD Did Not Substantially Comply with the Anti-Deficiency Act
       HUD’s Office of the Chief Financial Officer (OCFO) is not conducting, completing,
       reporting and closing the investigation of potential Anti-Deficiency Act violations in a
       timely manner and has not created timeframes for the conduct and completion of the
       investigations of potential Anti-Deficiency Act violations, as required by the FY 2003
       Appropriation Act, Public Law 108-7, Title II – Department of Housing and Urban
       Development. Additionally, the OCFO has not reported known violations immediately to
       the President through OMB, Congress, or GAO, as required by the Anti-Deficiency Act.

       The OCFO is responsible for investigating and reporting on violations of the Anti-
       Deficiency Act. As of the conclusion of this audit, the OCFO had investigated a total of
       26 potential Anti-Deficiency Act violations. The Chief Financial Officer (CFO) made
       determinations that three cases that occurred in 2003 are Anti-Deficiency Act violations
that warrant reporting to the President, Congress, and GAO. With regard to determinations
for the remaining cases, another three were considered to be Anti-Deficiency Act
violations but were still under review by the OCFO, 15 were determined not to be a
violation, and five cases were under preliminary review.

Our review determined that although it has been five years since discovery of some of the
Anti-Deficiency Act violations, the OCFO has not issued a report on any of the three
cases determined to be reportable Anti-Deficiency Act violations. We reviewed the three
case files and found that the OCFO completed draft transmittal letters and reports in
2004, but the letters and reports were not issued. The CFO is not in compliance with OMB
A-11 Section 435 and 31 U.S.C. 1351 and 1517(b). Specifically, the United States Code
states that once it is determined that there has been a violation, it shall be reported
immediately to the President, Congress, and GAO. The OCFO stated that the reports
have not been submitted to the appropriate parties because OMB and HUD cannot agree
on whether or not names should be included in the reports. We feel these reports should
not be held up for that reason, since OMB A-11 Section 145 specifically states that the
letter will set forth the name and position of the officer(s) or employee(s) responsible for
the violation.

Additionally, there are another three investigations that have been determined to be Anti-
Deficiency Act violations. The draft reports have been prepared and are under review by
the OCFO. Two of these three Anti-Deficiency Act violation cases have been under
investigation for four years and the other one has been under investigation for a year.

In our fiscal year 2008 review, we noted that HUD management did complete its review
of all outstanding cases. However, HUD management has indicated that they took
corrective actions to address any necessary immediate funding actions, and to correct
funds control deficiencies and unacceptable long-standing past practices to minimize the
risk of future violations. Additionally, HUD management plans to establish and finalize
timeframes in an internal OCFO policy memorandum for the conduct and completion of
investigations of potential ADA violations during the first quarter of FY 2009 to ensure
investigations are conducted, completed, reported, and closed in a timely manner.




                                      APPENDIXES


Appendix A
                       Objectives, Scope, and Methodology

Management is responsible for

*      Preparing the principal financial statements in conformity with generally accepted
       accounting principles;
*      Establishing, maintaining and evaluating internal controls and systems to provide
       reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity
       Act are met; and
*      Complying with applicable laws and regulations and government wide policies.

In auditing HUD’s principal financial statements, we were required by Government Auditing
Standards to obtain reasonable assurance about whether HUD’s principal financial statements
are free of material misstatements and presented fairly in accordance with generally accepted
federal accounting principles. We believe that our audit provides a reasonable basis for our
opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls
over financial reporting by obtaining an understanding of the design of HUD’s internal controls,
determined whether these internal controls had been placed in operation, assessed control risk,
and performed tests of controls to determine our auditing procedures for the purpose of
expressing our opinion on the principal financial statements and not to provide assurance on the
internal control over financial reporting. Consequently, we do not provide an opinion on internal
controls. We also tested compliance with selected provisions of applicable laws and regulations
and government wide policies that may materially affect the consolidated principal financial
statements. Providing an opinion on compliance with selected provisions of laws and regulations
was not an objective and, accordingly, we do not express such an opinion.

We considered HUD’s internal control over Required Supplementary Stewardship Information
reported in HUD’s Fiscal Year 2008 Performance and Accountability Report by obtaining an
understanding of the design of HUD’s internal controls, determined whether these internal
controls had been placed in operation, assessed control risk, and performed limited testing
procedures as required by AU Section 558, Required Supplementary Information. The tests
performed were not to provide assurance on these internal controls, and accordingly, we do not
provide assurance on such controls.

With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2008 Performance and
Accountability Report, we obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions as described in Section 230.5 of
OMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed
limited testing procedures as required by AU Section 558 Required Supplementary Information
and OMB Bulletin 07-04 Audit Requirements for Federal Financial Statements, as amended.
Our procedures were not designed to provide assurance on internal control over reported
performance measures and, accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we

*      Examined, on a test basis, evidence supporting the amounts and disclosures in the
       consolidated principal financial statements;
*      Assessed the accounting principles used and the significant estimates made by
       management;
*      Evaluated the overall presentation of the consolidated principal financial statements;
*      Obtained an understanding of internal controls over financial reporting, executing
       transactions in accordance with budget authority, compliance with laws and regulations,
       and safeguarding assets;
*      Tested and evaluated the design and operating effectiveness of relevant internal controls
       over significant cycles, classes of transactions, and account balances;
*      Tested HUD’s compliance with certain provisions of laws and regulations, government-
       wide policies, noncompliance with which could have a direct and material effect on the
       determination of financial statement amounts and certain other laws and regulations
       specified in OMB Bulletin 07-04 as amended, including the requirements referred to in
       the Federal Managers’ Financial Integrity Act;
*      Considered compliance with the process required by the Federal Managers’ Financial
       Integrity Act for evaluating and reporting on internal control and accounting systems; and
*      Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by
the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those
controls that are material in relation to HUD’s financial statements. Because of inherent
limitations in any internal control structure, misstatements may nevertheless occur and not be
detected. We also caution that projection of any evaluation of the structure to future periods is
subject to the risk that procedures may become inadequate because of changes in conditions or
that the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the
American Institute of Certified Public Accountants, a significant deficiency is a deficiency in
internal control, or a combination of deficiencies, that adversely affects HUD’s ability to initiate,
authorize, record, process, or report financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood that a misstatement of the
entity’s financial statements that is more than inconsequential will not be prevented or detected.

A material weakness is a significant deficiency, or combination of significant deficiencies, that
results in a more than remote likelihood that a material misstatement of the financial statements
will not be prevented or detected.



Our work was performed in accordance with generally accepted Government Auditing Standards
and OMB Bulletin 07-04, as amended.

This report is intended solely for the use of HUD management, OMB and the Congress.
However, this report is a matter of public record and its distribution is not limited.




Appendix B
                                   Recommendations


To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System, this appendix lists the newly developed recommendations resulting from our report on
HUD’s fiscal year 2008 financial statements. Also listed are recommendations from prior years’
reports that have not been fully implemented. This appendix does not include recommendations
pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial
statement audit reports of those entities.


                 Recommendations from the Current Report
With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that the Office of
Public and Indian Housing in coordination with the Office of General Counsel:

1.a.    Seek legislative authority to implement $1.4 billion in offsets against PHAs’ excess
        unusable funding held in the Net Restricted Assets Account.

1.b.   Seek legislative authority to eliminate or modify the leasing restrictions placed on the
       Housing Choice Voucher program.

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that the Office of
Public and Indian Housing:

1.c.   Increase the monitoring efforts over the Net Restricted Asset Account held by PHAs.

1.d.   Improve its efforts to increase the fund utilization rates for the Housing Choice Voucher
       Program.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:

2.a.   Deobligate $122.9 million of excess unexpended funds identified as a result of the fiscal
       year 2008 financial statement audit.

2.b.   Improve and document the quarterly contract reconciliation procedures to ensure that
       Section 236 obligations reported are valid and can be accurately estimated and reported.




2.c.   Implement regularly scheduled review and reconciliation procedures to ensure excess
       undisbursed contract authority from Rental Assistance Payments and Rent Supplement
       projects are timely recaptured.

With respect to HUD’s substantial noncompliance with the Federal Financial Management
Improvement Act, we recommend that the Chief Financial Officer:

3.a.   Develop a plan to comply with OMB A-127 review requirements that results in the
       evaluation of all HUD financial management systems within a 3-year cycle.

With respect to HUD’s substantial noncompliance with the Anti-deficiency Act, we recommend
that the Chief Financial Officer in coordination with the appropriate program offices:

4.a.   Establish timeframes for the conduct and completion of investigations of potential Anti-
       deficiency Act violations as required by the FY 2003 Appropriations Act to ensure
       investigations are conducted, completed, reported, and closed in a timely manner.

4.b.   Report the three known Anti-Deficiency Act violations immediately to the President,
       Congress, and General Accountability Office (GAO), as required by the Anti-deficiency
       Act.



         Unimplemented Recommendations from Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’
reports on the Department’s financial statements that have not been fully implemented based on
the status reported in the Audit Resolution and Corrective Action Tracking System. The
Department should continue to track these under the prior years’ report numbers in accordance
with departmental procedures. Each of these open recommendations and its status is shown
below. Where appropriate, we have updated the prior recommendations to reflect changes in
emphasis resulting from recent work or management decisions.


OIG Report Number 2008-FO-0003 (Fiscal Year 2007 Financial Statements)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:

       1.a.   Deobligate $342.3 million of excess unexpended funds identified as a result of the
              fiscal year 2007 financial statement audit. (Final Action Target Date is 10/31/08;
              Reported in ARCATS as Recommendation 4A)

       1.b.   Improve the quarterly contract reconciliation procedure currently being
              implemented by performing periodic reviews of subsidiary ledgers to ensure that
              Section 236 obligations reported are valid and can be more accurately estimated
              and reported. (Final Action Target Date is 10/31/08; Reported in ARCATS as
              Recommendation 4B)

        1.c.   Implement a periodic review of terminated Rent Supplement and Rental
               Assistance Payments projects to ensure changes in contract status are timely
               identified and excess undisbursed contract authority is recaptured in a timely
               manner. (Final Action Target Date is 10/15/08; Reported in ARCATS as
               Recommendation 4C)


With respect to the significant deficiency that HUD needs to improve its budgeting and funds
control over Section 8 project-based contracts, we recommend that the Assistant Secretary for
Housing in coordination with the Chief Financial Officer and the Chief Information Officer:

       2.a.    Develop a long-term financial management system solution to streamline and
               automate the overall Section 8 project-based budgeting, payment, and contract
               management process. (Final Action Target Date is 12/31/08; Reported in
               ARCATS as Recommendation 3A)

       2.b.    Consider revising current Section 8 project-based recapture methodology to
               include recapturing funds from expired Section 8 contracts occurring in the
               current fiscal year. We found that HUD could have recaptured up to $580 million
               from these expired contracts, in lieu of recapturing funds from active long-term
               contracts. (Final Action Target Date is 10/31/08; Reported in ARCATS as
               Recommendation 3B)




Appendix C

Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions

This Appendix provides details required under Federal Financial Management Improvement Act
(FFMIA) reporting requirements. To meet those requirements, we performed tests of
compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial
Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially
comply with the foregoing requirements. The details for our basis of reporting substantial
noncompliance, responsible parties, primary causes and the Department’s intended remedial
actions are included in the following sections.

Federal Financial Management Systems Requirements
1. HUD’s annual assurance statement issued pursuant to Section 4 of the Financial Manager’s
Integrity Act will report two non-conforming systems.9

          The organizations responsible for systems that were found not to comply with the
          requirements of OMB Circular A-127 based on the Department’s assessments are as
          follows:

     Responsible Office                                Number of Systems     Non-conforming Systems
     Office of Housing                                        19                        0
     Office of Chief Financial Officer                        14                        0
     Office of Administration                                  2                        0
     Office of Chief Procurement Officer                       2                        2
     Office of Community Planning and Development              2                        0
     Office of Public and Indian Housing                       2                        0
     Government National Mortgage Association                  1                        0
     Totals                                                   42                        2




9
    The two non-conforming systems are: A35-HUD Procurement System and P035-Small Purchase System.


     The following section outlines the Department’s plan to correct noncompliance with OMB
     Circular A-127 as submitted to us as of September 30, 2008 and unedited by us.

                           Office of the Chief Procurement Officer

                           A35 HUD Procurement Systems (HPS)
                            P035 Small Purchase System (SPS)

  Noncompliance Issue(s)                           Tasks/Steps                              Target Dates   Completion
                                             (including Milestones)                                          Dates
INTERNAL CONTROLS
                            INTERMEDIATE RESOLUTION PLAN

                            1A Review transactions of the four contracting officers
1. HUD’s Procurement           who input records in excess of their contract authority
                                                                                            COMPLETED      COMPLETED
   Systems Do Not Have         and take actions as appropriate.
   Adequate Controls for          OCPO researched the transactions in question to
   Monitoring the                 determine if the obligations were appropriate or          12/23/2006     12/14/2006
   Procurement Process            not.
                                  OCPO determined that the transactions were
                                  properly executed by contracting officers acting          3/31/2007      12/14/2006
                                  within their authority. No further action is
                                  necessary.

                            1B   Implement system controls to ensure that contracting
                                 officers are not able to exceed their procurement
                                 authority.                                                 COMPLETED      COMPLETED
                                     The OCPO will implement procurement authority
                                     control procedures.

                                    The OCPO will include validation of contracting         3/31/2007      4/25/07
                                    officer authority as part of each Procurement
                                    Management Review.
                                                                                            Commencing     1/08/2007
                            1C   Implement controls to ensure that contracting officers     1/8/2007       On-Going
                                 are required to either input or approve all transactions
                                 that record funds through the HUDCAPS interfaces.
                                     The OCPO will implement procedural controls to         COMPLETED      COMPLETED
                                     require contracting officers to validate
                                     transactions in HPS.

                            1D Modify the systems to make the contracting officer field     4/30/2007      4/25/2007
                               mandatory.
                                 The OPOC will implement procedures for
                                 electronic records, which are recorded in HPS, are
                                                                                            COMPLETED      COMPLETED
                                 reviewed to ensure that a Contracting Officer is
                                 identified for each record.
                                 The OCPO will implement validation of the                  Revised to     6/20/2008
                                 contracting officer identification as part of each         11/30/2008
                                 Procurement Management Review. – See 1B                    Commencing
                                 bullet 2 above. Validation of contracting                  1/8/2007       1/08/2007
                                 authority is the same as implementation of task.                          On-Going
                            NOTE: OCPO is in the process of conducting a cost
                            benefit analysis, whose outcome will determine the best
                            course of action in implementing system changes or
                            replacing systems.

2. HUD Procurement          2A Ensure that system administration and security            COMPLETED      COMPLETED
   Systems’ Separation of      administration functions are separate.
   Duties Controls Were             The OPCO will formally appoint separate
   Bypassed                        individuals to act as security administrator and      4/16/2007      05/01/2007
                                   system administrator for each OCPO system and
                                   that the individuals will not be performing
                                   conflicting duties.

                            2B Ensure that staff is not assigned conflicting duties,
                                                                                         COMPLETED      COMPLETED
                               that separate functions are performed by separate
                               individuals, and that the concept of least privilege is
                               applied.
                                    OCPO will determine if multiple system profiles
                                    are actually a valid requirement on an individual
                                    basis in HPS. The goal is to eliminate
                                    unnecessary and redundant profiles in HPS and
                                    that the individuals will not be performing
                                    conflicting duties.
                                        o The OCPO will identify users with
                                                                                         2/15/2007      12/21/2006
                                             multiple HPS profiles
                                        o The OCPO will deactivate
                                                                                         07/31/2007     07/19/2007
                                             unnecessary/redundant profiles

                            NOTE: While we can separate the duties procedurally, the
                            separation cannot be enforced in HPS or SPS without
                            reprogramming.

                            2C Implement formal policies and procedures to               COMPLETED      COMPLETED
                               recertify the access granted to users at least an [sic]
                               annually.
                                    The OCPO will develop and implement formal
                                   procedures for granting access by using the
                                   concept of least privilege to OCPO systems, as
                                   well as annual user access reviews by:
                                        o Revise system access request forms             1/31/2007      12/31/2006
                                        o Revise process in which user requests          2/28/2007      1/31/2007
                                            system access
                                        o Revise procedure in which system               3/31/2007      1/31/2007
                                            access is granted
                                        o Develop formal procedure to enforce            06/30/2007     07/18/2007
                                            annual user access review

                            2D Create and implement routing functionality within         COMPLETED      COMPLETED
                               the Small Purchase System to allow users to be                           8/27/2008
                               granted access to more than one office or region.
                                      OCPO recommends implementing the
                                       following tasks to alleviate the routing issue.
                                       OCPO will determine if multiple SPS system
                                       profiles are actually a valid requirement on
                                       an individual basis. The goal is to eliminate
                                       all unnecessary and redundant profiles in
                                       SPS.


                                               o   The OCPO will identify users with
                                                   multiple SPS profiles                         2/15/2007      12/21/2006
                                               o   The OCPO will restructure the issuing
                                                   office hierarchy to alleviate the necessity   11/30/2007     12/14/2007
                                                   of multiple profiles for a given user.

                                  NOTE: OCPO is in the process of conducting a cost
                                  benefit analysis, whose outcome will determine the best
                                  course of action in implementing system changes or
                                  replacing systems.

3. HUD’s Procurement              3A Perform a cost benefit analysis to determine whether it     COMPLETED      COMPLETED
   Systems Do Not Contain            is more advantageous to modify or replace the
   Sufficient Financial Data to      procurement systems to ensure compliance with Joint
   Allow It to Effectively           Federal    Management        Improvement      Program
   Manage and Monitor                Requirements.
   Procurement Transactions             The OCPO will perform a cost benefit analysis to
                                        replace the OCPO systems.                                05/31/2008     2/12/2008

                                  3B   Implement functionality to ensure that there is
                                       sufficient information within HUD’s procurement
                                       systems to support the primary acquisition functions of
                                       fund certification, obligation, deobligation, payment,
                                       and closeout.
                                                Based on the availability of funds, OCPO will
                                                replace its systems with COTS software to
                                                ensure found issues with internal and security
                                                controls are addressed.
                                                MILESTONES – NOT LATER THAN
                                                     Develop Independent Government
                                                     Estimate
                                                                                                 5/4/2007       05/03/2007
                                                     Conduct Market Research
                                                     Source Selection                            04/6/2007      04/06/2007
                                                     Roll-out pilot of production system         TBD            No funding
                                                                                                 TBD –          provided for
                                  NOTE: OCPO is in the process of conducting a cost              Waiting for    FY2008,
                                  benefit analysis, whose outcome will determine the best        funding to     FY2009 &
                                  course of action in implementing system changes or             become         FY2010
                                  replacing systems.                                             available      funding are
                                                                                                                also at risk.
SECURITY CONTROLS
4. The Office of the Chief        4A Obtain the training and/or resources necessary to
   Procurement Officer Did           develop or perform compliant (1) information system
   Not Design or Implement           categorization analyses; (2) risk assessments; (3)
   Required Information              security plans; (4) contingency plans and tests; (5)
   Security Controls                 monitoring processes, which include applicable Federal
                                     Information Processing Standards Publication 200
                                     managerial, operational, and technical information
                                     security controls; and (6) evaluations of the managerial,
                                     operational, and technical security controls.
                                           OCPO will ensure that training or other resources
                                           are obtained to develop or perform required
                                           managerial, operational, and technical security
                                           controls.


                                      Update Risk Assessments
                                      Update Security Plans
                                                                                        12/31/2008      08/31/2007
                                      Update Contingency Plans and tests;
                                                                                        12/31/2008      08/31/2007
                                                                                        12/31/2008      Test Performed
                                      Monitoring processes, which include                               12/13/2007
                                       applicable Federal Information Processing        Last C&A
                                       Standards (FIPS) Publication 200                 conducted       FY2008
                                       managerial, operational, and technical           06/30/2005.     C&A was
                                       information security controls; and               Next C&A        completed
                                                                                        scheduled for   on
                                                                                        4th Qrt 2008    8/29/2008.
                                      Evaluations of the managerial, operational, and                   Awaiting
                                       technical security controls.                     Last C&A        signed copy
                                                                                        conducted       from OCIO
                                                                                        06/30/2005.     for our
                                                                                        Next C&A        records.
                                                                                        scheduled for
                                                                                        4th Qrt 2008
                         4B   Complete the corrective actions for the known open
                              information security vulnerabilities or develop
                              mitigation strategies if new system development is
                              underway.
                                    OCPO will ensure it develops mitigation
                                    strategies for the known open information
                                    security vulnerabilities.
                                       Review vulnerabilities
                                       Develop mitigation strategy
                                                                                        11/30/2008
                         4C   Designate a manager to assume responsibility for          11/30/2008
                              ensuring the Office of the Chief Procurement Officer’s
                              compliance with federal certification and accreditation   COMPLETED
                                                                                                        COMPLETED
                              process requirements and to provide “continuous
                              monitoring” of the office’s information systems
                              security.
                                    OCPO will designate a manager responsible for
                                    ensuring compliance with information systems
                                    security and federal certification and
                                    accreditation process.                              1/15/2007       03/13/2007
                                    OCPO will work with OCIO to define roles and
                                    responsibilities and to ensure that appropriate
                                    resources are provided to perform required                          2/1/2007
                                                                                        2/1/2007
                                    monitoring and certification and accreditation.




                         4D Reevaluate the HUD Procurement System and Small             COMPLETED      COMPLETED
                            Purchase System application systems’ security
                            categorization in light of OMB guidance on personally
                            identifiable information.
                                  OCPO will reevaluate the HUD Procurement
                                  System and Small Purchase System application          8/31/2007      8/31/2007
                                  systems’ security categorization in light of OMB
                                  guidance on personally identifiable information.

                         4E   Perform a Business Impact Analysis (BIA) for the
                              procurement systems. Based on the results of the
                              impact analysis, determine what actions HUD can take                     COMPLETED
                              to limit the amount of time needed to recover from the                   9/25/2008
                              various levels of contingencies that can occur and
                              include the determined actions in the contingency plans
                              for the systems.
                                    OCPO will develop a business impact analysis
                                    for the procurement systems and revise the
                                    contingency plan based on the BIA.
                                       Develop business impact analyses                 4/30/2007
                                       Incorporate BIA into contingency plans           9/30/2007
                         Note: OCPO is in the process of conducting a cost benefit
                         analysis, whose outcome will determine the best course of
                         action in implementing system changes or replacing the
                         systems.

2. Our audit disclosed significant deficiencies regarding the security over financial
information. Similar conditions have also been noted in other OIG audit reports. We are
including security issues as a basis for noncompliance with FFMIA because of the
collective effect of the issue and noncompliance with Circular A-130, Appendix 3 and the
Federal Information Security Management Act (FISMA). The responsible office, nature of
the problem, and primary causes are summarized below:

Responsible Office      Nature of the Problem

Office of Housing and   Reduction in FHA’s capacity to simultaneously address various system
CIO                     modernization initiatives and control deficiencies affected the reliability and
                        completeness of FHA’s financial information.

                        FHA currently maintains four Multifamily and 11 Single Family systems that
                        are administered separately from the core financial management system
                        (FHA Subsidiary Ledger or FHASL).

                        FHA’s two primary Multifamily insurance systems were scheduled to be
                        operational on October 1, 2008, but they were still going through user
                        acceptance testing. The implementation date was revised to November 11,
                        2008.

                        General control weaknesses were noted in certain of FHA’s Single
                        Family systems, as follows:
                              - Only 3 of 24 HUD employees or contractors with access to the
                                Single Family Claims system had complete and proper
                                background investigations.
                              - Two users of the Single Family Claims system had unauthorized
                                access rights to read, write, and update records.
                              - Five contract developers had update access to Single Family
                                Claims production data files.
                              - FHA neither had adequate controls over, nor reviews of, audit logs
                                for the Single Family Claims system.
                              - FHA did not develop or implement adequate security controls over
                                information transmitted between FHA and its numerous lenders
                                and other business partners.
                              - FHA failed to adequately assess its compliance with mandatory
                                system security controls.
                              - FHA did not properly ensure annual security reviews were
                                completed by HUD employees.

                        FHA has conducted an accounting risk assessment to identify short and
                        long term deficiencies in a manual business process for handling
                        applications for claim benefits for FHA’s Home Equity Conversion
                        Mortgage (HECM) program, but will continue to rely on significant
                        review and reconciliation procedures as compensating controls until a
                        replacement system solution can be procured and implemented. An
                        independent examination, conducted in accordance with AICPA Statement
                        on Auditing Standards (SAS) No. 70, Audits of Service Organizations,
                        Type I, Control Design, of the HECM notes servicing system identified
                        over thirty specific system control deficiencies, including:
                              - Lack of formal approval for critical system security documents
                              - Weaknesses with system access policies and physical access
                                control monitoring
                              - Inadequate system baseline documentation
                              - Lack of formal authorization procedures for system software
                                changes
                              - Segregation of duties weaknesses
                              - Deficiencies in the Continuity of Operations Plan

                         Due to deficiencies in the Generic Debt subsystem interface, FHA is unable
                         to maintain reliable cohort level data for the financing accounts within its
                         (FHASL) general ledger system as required by the Credit Reform Act of
                         1990.

These conditions occurred because in addition to the efforts to address system deficiencies, the
FHA’s Systems Division is currently responsible for a number of other major IT related projects,
including:
      - Implementing systems to handle the newly legislated Hope for Homeowners program for
        risk-sharing of single family loans insured that became effective October 1, 2008.
      - Procurement and implementation of a new integrated insured reverse mortgage loan and
        notes servicing system.
      - Implementing the new Real Estate Owned property management system at the various Single
        Family Marketing and Management (M&M) contractor sites. This system will be interfaced
        with the SAMS legacy application system.

Managing such critical system initiatives simultaneously and without additional funding or staff
resources may increase the risk of system or processing errors in the agency’s financial data, or
increase the risk of unauthorized access into critical or sensitive agency systems. Such errors or
unauthorized access could lead to misstatements in financial reporting or misappropriation of FHA
assets.




Office of Chief          Weaknesses exist in HUD’s entity-wide security program. Specifically:
Information Officer
                         In fiscal year 2008, HUD’s program offices and system owners did not
                         always ensure that HUD’s inventory of automated systems was up-to-date
                         and systems were properly categorized as required by OMB.

                         System owners did not ensure that all non-major applications that are
                         hosted outside of HUD’s infrastructure were secure.

                         HUD did not fully comply with OMB’s privacy requirements, including
                         the completion of privacy survey reports and privacy impact assessments
                         for all new systems that contain personally identifiable information before
                         placing them into development or production.

                         HUD did not fully implement all technical controls specified by OMB
                         memorandum M-06-16, which addresses information that is removed from
                         or accessed from outside the agency.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief          Security configuration and technical control deficiencies within HUD’s
Information Officer      database security controls were found in the areas of (1) passwords, (2)
                         system patches, and (3) system configuration.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief          Control weaknesses still exist for HUD Procurement System (HPS) and
Procurement Officer      HUD Small Purchase System (SPS), specifically:

                         Both procurement systems continue to be in noncompliance with Federal
                         financial management requirements. The Office of the Chief Procurement
                         Officer (OCPO) has yet to complete the corrective actions for the known
                         open information security vulnerabilities or to develop mitigation strategies if
                         new system development is underway. The OCPO plans to replace the
                         current acquisition systems, but it has not yet been able to secure funding to
                         complete the planned corrective action. Consequently, OCPO has not yet
                         implemented functionality to ensure that there is sufficient information
                         within HUD’s procurement systems to support the primary acquisition
                         functions of fund certification, obligation, de-obligation, payment, and
                         closeout.

These conditions occurred because the OCPO has not yet been able to secure funding to complete the
planned corrective action.

Office of Chief          Control weaknesses that could negatively affect the integrity,
Information Officer      confidentiality, and availability of computerized financial data still exist,
and Office of the        specifically:
Chief Financial          Although the OCFO has obtained a listing of all users with access to
Officer                  the HUDCAPS production environment, they have not yet
                          completed an assessment to determine specifically what HUDCAPS
                          access is granted to each contractor, or prepared a listing of all users
                          with above read access to application data. They also have yet to
                          initiate a request with the Office of Security and Emergency
                          Planning staff to determine whether the contractor employees have
                          had the appropriate background investigations or to follow up with
                          Office of Security and Emergency Planning staff to ensure
                          background investigations are initiated for contractor staff if
                          required. In addition, they still need to complete actions to remove
                          above read access privileges for all contracted system developers
                          with unnecessary access within production databases for HUDCAPS
                          and any other OCFO systems.

                          The corrective action taken to ensure that all users of LOCCS were
                          recertified in accordance with HUD policy was not effective, since
                          we were again able to identify LOCCS users that were not
                          recertified by the system during fiscal year 2008.

                          The OCFO assessed and accepted the risk associated with providing web
                          users access to some of the data within the Financial Data Mart. In addition,
                          the OCFO, in coordination with the OCIO, initiated plans to obtain and
                          review access logs to the Financial Data Mart server, and to modify
                          application passwords to be in compliance with HUD's password policy. The
                          corrective actions are expected to be completed during fiscal year 2009.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief           Our review of software configuration management indicated that HUD has
Information Officer       not yet fully resolved the issue of obsolete and incomplete information in
                          the configuration management plans for the HUD Procurement System
                          and selected FHA applications.

                          For fiscal year 2008, the configuration management plan for the Institution
                          Master File (IMF) lacked information or contained outdated information.

These conditions occurred because management does not consistently enforce policies and procedures.




Office of Chief           Our review of the disaster recovery plan for the contractor-operated data
Information Officer       center facility indicates that the listing of mission critical applications has
                          still not been updated, and the appendix containing information on the disaster
                          recovery team personnel was not current.

                          In addition, the contingency planning at third party business sites is
                          inadequate. Sixty-nine percent of 29 third party business partners surveyed
                          did not have any type of contingency, continuity or disaster recovery plan.
                          While thirty-one percent of the third party business partners did have some
                          type of plan, those plans contained only limited provisions on backup of
                          critical information and alternative work areas. Staff were unfamiliar with, or had
                          limited knowledge of, contingency planning requirements, and documentation
                          was not readily available for use in case of emergency.

These conditions occurred because management does not consistently enforce policies and procedures
and HUD had not specified contingency planning, continuity of operations or disaster recovery
requirements in its agreements with third party business partners. Consequently, third party business
partners have developed limited contingency planning policies that do not meet HUD or National
Institute of Standards and Technology (NIST) requirements.

Office of Chief           The physical security at the third party business sites is inadequate and
Information Officer       weaknesses exist at those sites. The servers at those sites were located in
                          common areas (i.e. lunch rooms, halls), case binders with personally
                          identifiable information were left unattended, no guard or receptionist was at
                          the entrance, access doors were unlocked, and encryption of data residing on
                          laptops or portable devices was not a requirement.

This condition occurred because HUD had not specified the level of security controls and included it in
the terms and conditions of the contract or service-level agreement with the external business partner.
As a result, third party business partners have developed various information technology security
controls and policies that do not meet HUD or federal requirements, and therefore cannot be relied upon
to provide adequate protection over HUD’s sensitive data.




Office of Chief           Personnel security weaknesses still exist, specifically:
Information Officer
                          HUD still does not have a central repository that lists all users with access
                          to HUD’s general support and application systems. Consequently, HUD
                          has no assurance that all users who have access to HUD critical and
                          sensitive systems have had the appropriate background investigation.

                          The Centralized HUD Account Management Process (CHAMP) remains
                          incomplete and does not fully address OIG’s concerns. Specifically, we
                          found:
                           a. CHAMP does not contain complete and accurate data. The OCIO did
                              not electronically migrate data from the HUD Online User
                              Registration System (HOURS) into CHAMP. Instead, they chose to
                              enter the legacy data manually. However, this process has not yet
                              been completed. As of April 22, 2008, OCIO has entered user data
                              for 37 out of 248 applications (15%) into CHAMP.
                           b. HUD can neither compile a complete listing of all authorized users
                              and their access privileges nor identify all the applications to which
                              users have access because CHAMP does not have reporting
                              capabilities.
                           c. CHAMP does not contain a mechanism to escalate or reassign tasks
                              that have not been completed within a specified timeframe.
                           d. CHAMP can only handle access requests for internal users such as
                              HUD employees and contractors, but not for external users such as
                              Housing Authorities and trusted business partners.

                          HUD has not yet completely removed greater-than-read access to sensitive
                          systems for users who have not submitted appropriate background
                          investigation documents or who are no longer authorized to access
                          information resources.

                          HUD had processes and procedures for removing the computer system
                          access of retiring employees; however, controls over these processes needed
                          improvement.

                          HUD did not conduct a security categorization and a risk assessment for
                          CHAMP as required by Federal Information Processing Standards (FIPS)
                          Publications (PUB) 199 and 200. Without a security categorization and
                          risk assessment on CHAMP, HUD cannot know the full extent of risks that
                          the CHAMP process is vulnerable to or whether adequate levels of
                          security controls have been put in place to protect data and applications
                          impacted by CHAMP.

These conditions occurred because management does not consistently enforce policies and procedures.




Appendix D

                SCHEDULE OF QUESTIONED COSTS
                 AND FUNDS PUT TO BETTER USE

 Recommendation    Ineligible 1/    Unsupported 2/    Unreasonable or      Funds Put to
     Number                                            Unnecessary 3/      Better Use 4/
      1.a.                                                                     $1.4B
      2.a.                                                                     $122.9 M



1/   Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity
     that the auditor believes are not allowable by law, contract or federal, state or local
     policies or regulations.

2/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
     or activity where we cannot determine eligibility at the time of audit. Unsupported costs
     require a future decision by HUD program officials. This decision, in addition to
     obtaining supporting documentation, might involve a legal interpretation or clarification
     of departmental policies and procedures.

3/   Unnecessary/Unreasonable costs are those costs not generally recognized as ordinary,
     prudent, relevant, and/or necessary within established practices. Unreasonable costs
     exceed the costs that would be incurred by a prudent person in conducting a competitive
     business.

4/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an Office of Inspector General (OIG) recommendation is
     implemented. This includes reductions in outlays, deobligation of funds, withdrawal of
     interest subsidy costs not incurred by implementing recommended improvements,
     avoidance of unnecessary expenditures noted in pre-award reviews, and any other savings
     which are specifically identified.




Appendix E
             Agency Comments




Appendix F

             OIG EVALUATION OF AGENCY COMMENTS


With the exception of the report’s conclusions on HUD’s substantial noncompliance with the
Federal Financial Management Improvement Act of 1996 (FFMIA) and FHA’s auditor’s
conclusion that FHA did not comply with the Credit Reform Act, HUD management generally
agreed with our presentation of findings and recommendations subject to detail comments.

HUD’s management disagrees with the conclusion that HUD is still not substantially compliant
with FFMIA. HUD agrees that its systems processes can be more efficiently integrated to
eliminate the need for existing compensating controls, but feels the existing environment is
substantially compliant and not representative of a material risk of misreporting.

We disagree with HUD’s conclusions. FFMIA emphasizes the need for agencies to have systems
that are able to generate reliable, useful, and timely information for decision-making purposes
and to ensure accountability on an ongoing basis. The deficiencies noted in HUD’s financial
management systems are due to the current financial system being developed prior to the
issuance of current requirements. It is also technically obsolete, has inefficient multiple batch
processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies,
HUD’s management systems are unable to routinely produce reliable, useful, and timely
financial information. This weakness manifests itself by limiting HUD’s capacity to manage with
timely and objective data, and thereby hampers its ability to effectively manage and oversee its
major programs.

In addition, HUD is not fully compliant with one of the three indicators of compliance with
Federal financial management requirements. HUD has significant deficiencies related to security
over financial management information systems in accordance with FISMA and OMB Circular
A-130 Appendix III. The Department has not met the minimum set of automated information
resource controls relating to Entity-wide Security Program Planning and Management.

HUD disagreed with the FHA auditor’s conclusion that FHA did not comply with the Credit
Reform Act of 1990 due to FHA’s inability to maintain accurate trial balances at the cohort level
for financing accounts. FHA’s auditor reported that:

               “Due to deficiencies in the interface with the Generic Debt subsystem, the FHA’s
               core financial management system does not maintain accurate trial balance
               account information at the cohort level for the financing accounts. Accordingly,
               FHA may not be able to accurately calculate the re-estimated cost “for a group of
               direct loans or loan guarantees for a given credit program made in a fiscal year” in
               accordance with the requirements of Statement of Federal Financial Accounting
               Standard No 2, Accounting for Direct Loans and Loan Guarantees and the
               Federal Credit Reform Act of 1990. These balances are adjusted manually at the
               end of the year.”



FHA’s auditor reviewed and considered HUD’s and FHA’s comments and disagreed with HUD
and FHA concerning FHA’s noncompliance with the Credit Reform Act.



