Issue Date March 18, 2010 Audit Report Number 2010 BO 0002 TO: William H. Eargle, Jr., Deputy Assistant Secretary for Operations, Office of Community Planning and Development, DO FROM: John A. Dvorak, Regional Inspector General for Audit, (Boston) Region 1, 1AGA SUBJECT: HUD’s Office of Community Planning and Development Had Established and Implemented an Appropriate Risk Assessment Process HIGHLIGHTS What We Audited and Why We reviewed the U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development’s (CPD) risk assessment process. We initiated the review as part of the activities in our fiscal year 2010 annual audit plan. Our objective was to determine whether CPD had established and properly implemented a risk assessment process that used appropriate measures to determine risk and identify grantees for monitoring. What We Found CPD had established and implemented a risk assessment process that used relevant assessment factors to determine risk and identify grantees for monitoring. We identified and reviewed risk assessment factors in existence, evaluated 1 whether they were adequate, and considered additional factors required under the American Recovery and Reinvestment Act 0f 2009. The risk assessment factors in place were adequate to identify grantees for appropriate monitoring. Additionally, the risk analyses prepared annually were used to select grantees for later monitoring. What We Recommend There are no recommendations made in this report since no reportable deficiencies were identified. Auditee’s Response We provided our discussion draft audit report to the Deputy Assistant Secretary for Operations, CPD, on March 2, 2010. An exit conference was held on March 16, 2010. This report did not require a response from the auditee and no formal comments were received. 2 TABLE OF CONTENTS Background and Objective 4 Results of Audit 5 Scope and Methodology 7 Internal Controls 8 3 BACKGROUND AND OBJECTIVE The U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development (CPD) each year issues a notice providing a methodology for conducting risk analyses for formula and competitive grantees and establishes monitoring priorities within available resources. For fiscal years 2010 and 2011, CPD issued Notice 09-04 (Implementing Risk Analyses for Monitoring Community Planning and Development Grant Programs in FY 2010 and 2011). This risk analysis process was incorporated into CPD’s Grants Management Process system, a computer-based information system that is used to provide a documented record of conclusions and results. The notice is intended to augment the departmental policy contained in Handbook 1840.1, REV- 3, Departmental Management Control Program Handbook, which requires the development of risk-based rating systems for all programs and is incorporated into Handbook 6509.2, REV-5, Community Planning and Development Monitoring Handbook. The major steps for implementing risk-based monitoring include • Developing risk-based rating systems for program grantees, • Rating and selecting grantees for monitoring, • Identifying program risks and setting monitoring objectives, and • Documenting the process and recording the rationale for choosing grantees. Each CPD field office is responsible for conducting risk analyses and developing monitoring strategies and an office work plan encompassing grantees and programs to be monitored during the fiscal year. Headquarters establishes the completion dates for risk analyses and work plans each fiscal year. The purpose of a monitoring strategy is to define the scope and focus the monitoring efforts, including establishing a framework for determining the appropriate level of monitoring for grantees consistent within available resources. The work plan documents the field office decisions regarding where to apply staff and travel resources for monitoring, training, and/or technical assistance. Risk analysis preformed is intended to provide the information needed for CPD to target its resources to grantees that pose the greatest risk to the integrity of its programs, including identification of the grantees to be monitored on site and remotely, the program areas to be covered, and the depth of the review. The selection process should result in identifying those grantees and activities that represent the greatest vulnerability to fraud, waste, and mismanagement. For monitoring the administration of CPD programs, HUD uses Handbook 6509.2, rev 5. To address the requirements of the American Recovery and Reinvestment Act of 2009 (ARRA) funded CPD programs, HUD has outlined its monitoring steps in its draft revision 6 to HUD Handbook 6509.2, chapter 8. This draft specifically addresses ARRA requirements for all CPD programs funded under ARRA. Our objective was to determine whether CPD had established and properly implemented a risk assessment process that used appropriate measures to determine risk and identify grantees for monitoring. 4 RESULTS OF AUDIT CPD Had Established and Implemented an Appropriate Risk Assessment Process To Determine Risk and Identify Grantees for Monitoring CPD had established and implemented a risk assessment process that used appropriate assessment factors to determine risk and identify grantees for monitoring. The risk analyses prepared were directly related to the grantees selected for later monitoring. Additionally, HUD’s Office of Policy Development and Research (PD & R) recently reviewed the effectiveness of the risk analysis process used by CPD and recommended adjustments to the process to save time and maintain a standardized system for assessing risk. Although we were not involved in the work performed by PD & R, we acknowledge the potential benefit that its assessment may have when considered and implemented by CPD. CPD Had Established an Appropriate Risk Assessment Process CPD had established and implemented a risk assessment process that used appropriate assessment factors to determine risk and identify grantees for monitoring. We identified and reviewed risk assessment factors in existence, evaluated whether they were adequate, and considered additional factors required under the American Recovery and Reinvestment Act of 2009 (ARRA). The risk assessment factors in place were adequate to identify grantees for appropriate monitoring. Additionally, the risk analyses prepared annually were used by the field office to identify and select the grantees for later monitoring. However, considering the number of subfactors needing assessment for each program and grantee, the time required to complete each risk analysis could be considerable. PD & R Reviewed CPD’s Risk Assessment Process CPD reviews the risk assessment process before issuing its notice to the field each year. However, this past year, PD & R was asked to review the risk-based monitoring of CPD’s formula grants. A December 2009 PD & R report for this review stated that the risk analysis process was successful and was identifying 5 programs that were more likely to have findings, but it noted some concerns and made recommendations. The report recommended some adjustments to the risk analysis process that could save time and maintain a standardized system for assessing risk including: • Use fewer subfactors, which simply and directly estimate staff capacity, program complexity, and past performance. • Develop a subfactor to explicitly incorporate the judgment of the evaluator and/or CPD management representative. • Ensure strict adherence to limited exception criteria. • Randomly sample low- and medium-risk grantees for monitoring. • Increase reliance on remote monitoring for low- and medium-risk grantees. The report stated that the greatest benefit of these changes would be a reduction in the time and resources required for risk analysis and monitoring. Although we did not independently assess the potential improvements put forth by PD & R, we believe that HUD is taking an active approach in continually seeking to improve the risk analysis process for identifying high-risk grantees for monitoring. We further recognize the potential benefit that PD & R’s assessment may have when considered by CPD. Conclusion CPD had established and implemented a risk assessment process that used appropriate assessment factors to determine risk and identify grantees for monitoring. HUD also evaluates the process periodically to determine whether improvements or changes are needed. Recommendations Our audit did not identify any reportable deficiencies, and therefore, there are no recommendations. 6 SCOPE AND METHODOLOGY Our survey generally covered the period July 1 through December 31, 2009. To accomplish the survey objectives, we • Obtained an understanding of the controls related to the audit objective and the controls significant to the audit objective. • Reviewed applicable criteria: the Housing and Economic Recovery Act of 2008 (HERA), ARRA, Office of Management and Budget guidance, headquarters CPD guidance regarding risk assessments/monitoring, and local CPD guidance regarding risk assessments/monitoring. • Contacted CPD office staff and discussed and documented the risk assessment process for programs and grantees. We also discussed with the Hartford, CT, and Boston, MA, CPD staff members their opinions on the risk assessment process. • Discussed and documented additional steps in the risk assessment process with respect to funding received from the two stimulus funding packages (i.e., HERA and ARRA). • Obtained and documented the risk analyses prepared by program/grantee for the Hartford, CT, CPD field office. • Identified and reviewed risk assessment factors in existence, evaluated whether they were adequate, and considered additional factors required under ARRA. • Determined the relationship between the risk assessments and grantees selected for later monitoring. • Obtained and reviewed the report prepared by PD&R regarding the effectiveness of the risk analysis process used by CPD. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 7 INTERNAL CONTROLS Internal control is an integral component of an organization’s management that provides reasonable assurance that the following controls are achieved: • Program operations, • Relevance and reliability of information, • Compliance with applicable laws and regulations, and • Safeguarding of assets and resources. Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives. They include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined that the following internal controls were relevant to our audit objectives: • Policies and procedures that management has implemented to ensure that CPD staff members are made aware of and trained/supervised regarding any changes to existing programs, the addition of new programs, and any revisions to existing worksheets/factors or new worksheets/factors, as they relate to the risk assessment evaluation, to ensure compliance with HUD requirements. • Policies and procedures that management has implemented to ensure that risk assessments are reviewed for accuracy and completeness to minimize errors and omissions that may result in an inaccurate risk assessment. We assessed the relevant controls identified above. A significant weakness exists if management controls do not provide reasonable assurance that the process for planning, organizing, directing, and controlling program operations will meet the organization’s objectives. Significant Weaknesses Based on our review, no significant weakness was noted. 8
HUD's Office of Community Planning and Development Had Established and Implemented an Appropriate Risk Assessment Process
Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-03-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)