oversight

HUD's Office of Community Planning and Development Had Established and Implemented an Appropriate Risk Assessment Process

Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-03-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                 Issue Date
                                                                 March 18, 2010
                                                                 Audit Report Number
                                                                 2010 BO 0002




TO:        William H. Eargle, Jr., Deputy Assistant Secretary for Operations, Office of
             Community Planning and Development, DO


FROM:      John A. Dvorak, Regional Inspector General for Audit, (Boston) Region 1,
              1AGA


SUBJECT: HUD’s Office of Community Planning and Development Had Established and
           Implemented an Appropriate Risk Assessment Process


                                   HIGHLIGHTS

 What We Audited and Why

            We reviewed the U.S. Department of Housing and Urban Development’s (HUD)
            Office of Community Planning and Development’s (CPD) risk assessment
            process. We initiated the review as part of the activities in our fiscal year 2010
            annual audit plan. Our objective was to determine whether CPD had established
            and properly implemented a risk assessment process that used appropriate
            measures to determine risk and identify grantees for monitoring.



 What We Found


            CPD had established and implemented a risk assessment process that used
            relevant assessment factors to determine risk and identify grantees for monitoring.
            We identified and reviewed risk assessment factors in existence, evaluated



                                             1
           whether they were adequate, and considered additional factors required under the
           American Recovery and Reinvestment Act 0f 2009.

           The risk assessment factors in place were adequate to identify grantees for
           appropriate monitoring. Additionally, the risk analyses prepared annually were
           used to select grantees for later monitoring.


What We Recommend


           There are no recommendations made in this report since no reportable
           deficiencies were identified.



Auditee’s Response


           We provided our discussion draft audit report to the Deputy Assistant Secretary
           for Operations, CPD, on March 2, 2010. An exit conference was held on March
           16, 2010. This report did not require a response from the auditee and no formal
           comments were received.




                                           2
                        TABLE OF CONTENTS

Background and Objective                    4

Results of Audit                            5

Scope and Methodology                       7

Internal Controls                           8




                                3
                       BACKGROUND AND OBJECTIVE

The U.S. Department of Housing and Urban Development’s (HUD) Office of Community
Planning and Development (CPD) each year issues a notice providing a methodology for
conducting risk analyses for formula and competitive grantees and establishes monitoring
priorities within available resources. For fiscal years 2010 and 2011, CPD issued Notice 09-04
(Implementing Risk Analyses for Monitoring Community Planning and Development Grant
Programs in FY 2010 and 2011). This risk analysis process was incorporated into CPD’s Grants
Management Process system, a computer-based information system that is used to provide a
documented record of conclusions and results.

The notice is intended to augment the departmental policy contained in Handbook 1840.1, REV-
3, Departmental Management Control Program Handbook, which requires the development of
risk-based rating systems for all programs and is incorporated into Handbook 6509.2, REV-5,
Community Planning and Development Monitoring Handbook. The major steps for
implementing risk-based monitoring include

       •   Developing risk-based rating systems for program grantees,
       •   Rating and selecting grantees for monitoring,
       •   Identifying program risks and setting monitoring objectives, and
       •   Documenting the process and recording the rationale for choosing grantees.

Each CPD field office is responsible for conducting risk analyses and developing monitoring
strategies and an office work plan encompassing grantees and programs to be monitored during
the fiscal year. Headquarters establishes the completion dates for risk analyses and work plans
each fiscal year. The purpose of a monitoring strategy is to define the scope and focus the
monitoring efforts, including establishing a framework for determining the appropriate level of
monitoring for grantees consistent within available resources. The work plan documents the
field office decisions regarding where to apply staff and travel resources for monitoring, training,
and/or technical assistance.

Risk analysis preformed is intended to provide the information needed for CPD to target its
resources to grantees that pose the greatest risk to the integrity of its programs, including
identification of the grantees to be monitored on site and remotely, the program areas to be
covered, and the depth of the review. The selection process should result in identifying those
grantees and activities that represent the greatest vulnerability to fraud, waste, and
mismanagement. For monitoring the administration of CPD programs, HUD uses Handbook
6509.2, rev 5. To address the requirements of the American Recovery and Reinvestment Act of
2009 (ARRA) funded CPD programs, HUD has outlined its monitoring steps in its draft revision
6 to HUD Handbook 6509.2, chapter 8. This draft specifically addresses ARRA requirements
for all CPD programs funded under ARRA.

Our objective was to determine whether CPD had established and properly implemented a risk
assessment process that used appropriate measures to determine risk and identify grantees for
monitoring.


                                                 4
                                RESULTS OF AUDIT

CPD Had Established and Implemented an Appropriate Risk
Assessment Process To Determine Risk and Identify Grantees for
Monitoring
CPD had established and implemented a risk assessment process that used appropriate
assessment factors to determine risk and identify grantees for monitoring. The risk analyses
prepared were directly related to the grantees selected for later monitoring. Additionally, HUD’s
Office of Policy Development and Research (PD & R) recently reviewed the effectiveness of the
risk analysis process used by CPD and recommended adjustments to the process to save time and
maintain a standardized system for assessing risk. Although we were not involved in the work
performed by PD & R, we acknowledge the potential benefit that its assessment may have when
considered and implemented by CPD.



 CPD Had Established an
 Appropriate Risk Assessment
 Process


              CPD had established and implemented a risk assessment process that used
              appropriate assessment factors to determine risk and identify grantees for
              monitoring. We identified and reviewed risk assessment factors in existence,
              evaluated whether they were adequate, and considered additional factors required
              under the American Recovery and Reinvestment Act of 2009 (ARRA). The risk
              assessment factors in place were adequate to identify grantees for appropriate
              monitoring. Additionally, the risk analyses prepared annually were used by the
              field office to identify and select the grantees for later monitoring. However,
              considering the number of subfactors needing assessment for each program and
              grantee, the time required to complete each risk analysis could be considerable.



 PD & R Reviewed CPD’s Risk
 Assessment Process




              CPD reviews the risk assessment process before issuing its notice to the field each
              year. However, this past year, PD & R was asked to review the risk-based
              monitoring of CPD’s formula grants. A December 2009 PD & R report for this
              review stated that the risk analysis process was successful and was identifying


                                               5
             programs that were more likely to have findings, but it noted some concerns and
             made recommendations.

             The report recommended some adjustments to the risk analysis process that could
             save time and maintain a standardized system for assessing risk including:

                •   Use fewer subfactors, which simply and directly estimate staff capacity,
                    program complexity, and past performance.
                •   Develop a subfactor to explicitly incorporate the judgment of the evaluator
                    and/or CPD management representative.
                •   Ensure strict adherence to limited exception criteria.
                •   Randomly sample low- and medium-risk grantees for monitoring.
                •   Increase reliance on remote monitoring for low- and medium-risk
                    grantees.

             The report stated that the greatest benefit of these changes would be a reduction in
             the time and resources required for risk analysis and monitoring. Although we
             did not independently assess the potential improvements put forth by PD & R, we
             believe that HUD is taking an active approach in continually seeking to improve
             the risk analysis process for identifying high-risk grantees for monitoring. We
             further recognize the potential benefit that PD & R’s assessment may have when
             considered by CPD.


Conclusion



             CPD had established and implemented a risk assessment process that used
             appropriate assessment factors to determine risk and identify grantees for
             monitoring. HUD also evaluates the process periodically to determine whether
             improvements or changes are needed.


Recommendations



             Our audit did not identify any reportable deficiencies, and therefore, there are no
             recommendations.




                                               6
              SCOPE AND METHODOLOGY

Our survey generally covered the period July 1 through December 31, 2009. To accomplish the
survey objectives, we

   •   Obtained an understanding of the controls related to the audit objective and the controls
       significant to the audit objective.
   •   Reviewed applicable criteria: the Housing and Economic Recovery Act of 2008
       (HERA), ARRA, Office of Management and Budget guidance, headquarters CPD
       guidance regarding risk assessments/monitoring, and local CPD guidance regarding risk
       assessments/monitoring.
   •   Contacted CPD office staff and discussed and documented the risk assessment process
       for programs and grantees. We also discussed with the Hartford, CT, and Boston, MA,
       CPD staff members their opinions on the risk assessment process.
   •   Discussed and documented additional steps in the risk assessment process with respect to
       funding received from the two stimulus funding packages (i.e., HERA and ARRA).
   •   Obtained and documented the risk analyses prepared by program/grantee for the
       Hartford, CT, CPD field office.
   •   Identified and reviewed risk assessment factors in existence, evaluated whether they were
       adequate, and considered additional factors required under ARRA.
   •   Determined the relationship between the risk assessments and grantees selected for later
       monitoring.
   •   Obtained and reviewed the report prepared by PD&R regarding the effectiveness of the
       risk analysis process used by CPD.


We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.




                                                7
                              INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following controls are achieved:

   •   Program operations,
   •   Relevance and reliability of information,
   •   Compliance with applicable laws and regulations, and
   •   Safeguarding of assets and resources.

Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. They include the processes and procedures for planning,
organizing, directing, and controlling program operations as well as the systems for measuring,
reporting, and monitoring program performance.



 Relevant Internal Controls
              We determined that the following internal controls were relevant to our audit
              objectives:

              •       Policies and procedures that management has implemented to ensure that
                      CPD staff members are made aware of and trained/supervised regarding
                      any changes to existing programs, the addition of new programs, and any
                      revisions to existing worksheets/factors or new worksheets/factors, as they
                      relate to the risk assessment evaluation, to ensure compliance with HUD
                      requirements.

              •       Policies and procedures that management has implemented to ensure that
                      risk assessments are reviewed for accuracy and completeness to minimize
                      errors and omissions that may result in an inaccurate risk assessment.

              We assessed the relevant controls identified above.

              A significant weakness exists if management controls do not provide reasonable
              assurance that the process for planning, organizing, directing, and controlling
              program operations will meet the organization’s objectives.


 Significant Weaknesses


              Based on our review, no significant weakness was noted.



                                                8