Issue Date
March 18, 2010
Audit Report Number
2010 BO 0002
TO: William H. Eargle, Jr., Deputy Assistant Secretary for Operations, Office of
Community Planning and Development, DO
FROM: John A. Dvorak, Regional Inspector General for Audit, (Boston) Region 1,
1AGA
SUBJECT: HUD’s Office of Community Planning and Development Had Established and
Implemented an Appropriate Risk Assessment Process
HIGHLIGHTS
What We Audited and Why
We reviewed the U.S. Department of Housing and Urban Development’s (HUD)
Office of Community Planning and Development’s (CPD) risk assessment
process. We initiated the review as part of the activities in our fiscal year 2010
annual audit plan. Our objective was to determine whether CPD had established
and properly implemented a risk assessment process that used appropriate
measures to determine risk and identify grantees for monitoring.
What We Found
CPD had established and implemented a risk assessment process that used
relevant assessment factors to determine risk and identify grantees for monitoring.
We identified and reviewed risk assessment factors in existence, evaluated
1
whether they were adequate, and considered additional factors required under the
American Recovery and Reinvestment Act 0f 2009.
The risk assessment factors in place were adequate to identify grantees for
appropriate monitoring. Additionally, the risk analyses prepared annually were
used to select grantees for later monitoring.
What We Recommend
There are no recommendations made in this report since no reportable
deficiencies were identified.
Auditee’s Response
We provided our discussion draft audit report to the Deputy Assistant Secretary
for Operations, CPD, on March 2, 2010. An exit conference was held on March
16, 2010. This report did not require a response from the auditee and no formal
comments were received.
2
TABLE OF CONTENTS
Background and Objective 4
Results of Audit 5
Scope and Methodology 7
Internal Controls 8
3
BACKGROUND AND OBJECTIVE
The U.S. Department of Housing and Urban Development’s (HUD) Office of Community
Planning and Development (CPD) each year issues a notice providing a methodology for
conducting risk analyses for formula and competitive grantees and establishes monitoring
priorities within available resources. For fiscal years 2010 and 2011, CPD issued Notice 09-04
(Implementing Risk Analyses for Monitoring Community Planning and Development Grant
Programs in FY 2010 and 2011). This risk analysis process was incorporated into CPD’s Grants
Management Process system, a computer-based information system that is used to provide a
documented record of conclusions and results.
The notice is intended to augment the departmental policy contained in Handbook 1840.1, REV-
3, Departmental Management Control Program Handbook, which requires the development of
risk-based rating systems for all programs and is incorporated into Handbook 6509.2, REV-5,
Community Planning and Development Monitoring Handbook. The major steps for
implementing risk-based monitoring include
• Developing risk-based rating systems for program grantees,
• Rating and selecting grantees for monitoring,
• Identifying program risks and setting monitoring objectives, and
• Documenting the process and recording the rationale for choosing grantees.
Each CPD field office is responsible for conducting risk analyses and developing monitoring
strategies and an office work plan encompassing grantees and programs to be monitored during
the fiscal year. Headquarters establishes the completion dates for risk analyses and work plans
each fiscal year. The purpose of a monitoring strategy is to define the scope and focus the
monitoring efforts, including establishing a framework for determining the appropriate level of
monitoring for grantees consistent within available resources. The work plan documents the
field office decisions regarding where to apply staff and travel resources for monitoring, training,
and/or technical assistance.
Risk analysis preformed is intended to provide the information needed for CPD to target its
resources to grantees that pose the greatest risk to the integrity of its programs, including
identification of the grantees to be monitored on site and remotely, the program areas to be
covered, and the depth of the review. The selection process should result in identifying those
grantees and activities that represent the greatest vulnerability to fraud, waste, and
mismanagement. For monitoring the administration of CPD programs, HUD uses Handbook
6509.2, rev 5. To address the requirements of the American Recovery and Reinvestment Act of
2009 (ARRA) funded CPD programs, HUD has outlined its monitoring steps in its draft revision
6 to HUD Handbook 6509.2, chapter 8. This draft specifically addresses ARRA requirements
for all CPD programs funded under ARRA.
Our objective was to determine whether CPD had established and properly implemented a risk
assessment process that used appropriate measures to determine risk and identify grantees for
monitoring.
4
RESULTS OF AUDIT
CPD Had Established and Implemented an Appropriate Risk
Assessment Process To Determine Risk and Identify Grantees for
Monitoring
CPD had established and implemented a risk assessment process that used appropriate
assessment factors to determine risk and identify grantees for monitoring. The risk analyses
prepared were directly related to the grantees selected for later monitoring. Additionally, HUD’s
Office of Policy Development and Research (PD & R) recently reviewed the effectiveness of the
risk analysis process used by CPD and recommended adjustments to the process to save time and
maintain a standardized system for assessing risk. Although we were not involved in the work
performed by PD & R, we acknowledge the potential benefit that its assessment may have when
considered and implemented by CPD.
CPD Had Established an
Appropriate Risk Assessment
Process
CPD had established and implemented a risk assessment process that used
appropriate assessment factors to determine risk and identify grantees for
monitoring. We identified and reviewed risk assessment factors in existence,
evaluated whether they were adequate, and considered additional factors required
under the American Recovery and Reinvestment Act of 2009 (ARRA). The risk
assessment factors in place were adequate to identify grantees for appropriate
monitoring. Additionally, the risk analyses prepared annually were used by the
field office to identify and select the grantees for later monitoring. However,
considering the number of subfactors needing assessment for each program and
grantee, the time required to complete each risk analysis could be considerable.
PD & R Reviewed CPD’s Risk
Assessment Process
CPD reviews the risk assessment process before issuing its notice to the field each
year. However, this past year, PD & R was asked to review the risk-based
monitoring of CPD’s formula grants. A December 2009 PD & R report for this
review stated that the risk analysis process was successful and was identifying
5
programs that were more likely to have findings, but it noted some concerns and
made recommendations.
The report recommended some adjustments to the risk analysis process that could
save time and maintain a standardized system for assessing risk including:
• Use fewer subfactors, which simply and directly estimate staff capacity,
program complexity, and past performance.
• Develop a subfactor to explicitly incorporate the judgment of the evaluator
and/or CPD management representative.
• Ensure strict adherence to limited exception criteria.
• Randomly sample low- and medium-risk grantees for monitoring.
• Increase reliance on remote monitoring for low- and medium-risk
grantees.
The report stated that the greatest benefit of these changes would be a reduction in
the time and resources required for risk analysis and monitoring. Although we
did not independently assess the potential improvements put forth by PD & R, we
believe that HUD is taking an active approach in continually seeking to improve
the risk analysis process for identifying high-risk grantees for monitoring. We
further recognize the potential benefit that PD & R’s assessment may have when
considered by CPD.
Conclusion
CPD had established and implemented a risk assessment process that used
appropriate assessment factors to determine risk and identify grantees for
monitoring. HUD also evaluates the process periodically to determine whether
improvements or changes are needed.
Recommendations
Our audit did not identify any reportable deficiencies, and therefore, there are no
recommendations.
6
SCOPE AND METHODOLOGY
Our survey generally covered the period July 1 through December 31, 2009. To accomplish the
survey objectives, we
• Obtained an understanding of the controls related to the audit objective and the controls
significant to the audit objective.
• Reviewed applicable criteria: the Housing and Economic Recovery Act of 2008
(HERA), ARRA, Office of Management and Budget guidance, headquarters CPD
guidance regarding risk assessments/monitoring, and local CPD guidance regarding risk
assessments/monitoring.
• Contacted CPD office staff and discussed and documented the risk assessment process
for programs and grantees. We also discussed with the Hartford, CT, and Boston, MA,
CPD staff members their opinions on the risk assessment process.
• Discussed and documented additional steps in the risk assessment process with respect to
funding received from the two stimulus funding packages (i.e., HERA and ARRA).
• Obtained and documented the risk analyses prepared by program/grantee for the
Hartford, CT, CPD field office.
• Identified and reviewed risk assessment factors in existence, evaluated whether they were
adequate, and considered additional factors required under ARRA.
• Determined the relationship between the risk assessments and grantees selected for later
monitoring.
• Obtained and reviewed the report prepared by PD&R regarding the effectiveness of the
risk analysis process used by CPD.
We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.
7
INTERNAL CONTROLS
Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following controls are achieved:
• Program operations,
• Relevance and reliability of information,
• Compliance with applicable laws and regulations, and
• Safeguarding of assets and resources.
Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. They include the processes and procedures for planning,
organizing, directing, and controlling program operations as well as the systems for measuring,
reporting, and monitoring program performance.
Relevant Internal Controls
We determined that the following internal controls were relevant to our audit
objectives:
• Policies and procedures that management has implemented to ensure that
CPD staff members are made aware of and trained/supervised regarding
any changes to existing programs, the addition of new programs, and any
revisions to existing worksheets/factors or new worksheets/factors, as they
relate to the risk assessment evaluation, to ensure compliance with HUD
requirements.
• Policies and procedures that management has implemented to ensure that
risk assessments are reviewed for accuracy and completeness to minimize
errors and omissions that may result in an inaccurate risk assessment.
We assessed the relevant controls identified above.
A significant weakness exists if management controls do not provide reasonable
assurance that the process for planning, organizing, directing, and controlling
program operations will meet the organization’s objectives.
Significant Weaknesses
Based on our review, no significant weakness was noted.
8
HUD's Office of Community Planning and Development Had Established and Implemented an Appropriate Risk Assessment Process
Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-03-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)