
Additional Details to Supplement our Report on HUD's Fiscal Years 2009 and 2008 Financial Statements

Published by the Department of Housing and Urban Development, Office of Inspector General on 2009-11-16.


Issue Date: November 16, 2009

Audit Case Number: 2010-FO-0003




TO:             Anthony P. Scardino, Acting Deputy Chief Financial Officer, F




FROM:           Thomas R. McEnanly, Director, Financial Audits Division, GAF

SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2009 and
         2008 Financial Statements

                                           HIGHLIGHTS

 What We Audited and Why

                 We are required to annually audit the consolidated financial statements of the U.S.
                 Department of Housing and Urban Development (HUD) in accordance with the
                 Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal
                 years 2009 and 2008 financial statements is included in HUD’s Fiscal Year 2009
                 Performance and Accountability Report. This report supplements our report on
                 the results of our audit of HUD’s principal financial statements for the fiscal years
                 ending September 30, 2009, and September 30, 2008. Also provided are
                 assessments of HUD’s internal controls and our findings with respect to HUD’s
                 compliance with applicable laws, regulations, and government-wide policy
                 requirements and provisions of contracts and grant agreements.1 In addition, we
                 plan to issue a letter to management on or before January 16, 2010, describing
                 other issues of concern that came to our attention during the audit.

    1 Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included
in this report but are included in the accounting firm of Urbach Kahn and Werlin LLP’s audit of FHA’s financial
statements. That report has been published in our report, Audit of Federal Housing Administration Financial
Statements for Fiscal Years 2009 and 2008 (2010-FO-0002, dated November 13, 2009).

    Additional details relating to the Government National Mortgage Association (Ginnie Mae), another HUD
component, are not included in this report but are included in the accounting firm of Carmichael Brasher Tuvell and
Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of
Government National Mortgage Association Financial Statements for Fiscal Years 2009 and 2008 (2010-FO-0001,
dated November 06, 2009).


What We Found


                In our opinion, HUD’s fiscal years 2009 and 2008 financial statements
                were fairly presented. Our opinion on HUD’s fiscal years 2009 and 2008
                financial statements is reported in HUD’s Fiscal Year 2009 Performance
                and Accountability Report. The other auditors and our audit also
                disclosed the following 11 significant deficiencies in internal controls
                related to the need to:

             • Adequately monitor Office of Community Planning and Development
               (CPD) grantees’ compliance with program regulations;
             • Continue improvements in the oversight and monitoring of subsidy
               calculations, intermediaries’ program performance, and Housing Choice
               Voucher program funds;
             • Improve the processes for reviewing obligation balances;
             • Comply with Federal financial management systems requirements;
             • Further strengthen controls over HUD’s computing environment;
             • Improve personnel security practices for access to the Department’s
               critical financial systems;
             • Strengthen the Government National Mortgage Association’s (Ginnie
               Mae) monitoring and management controls in regard to the
               Mortgage-Backed Securities program;
             • Implement short-term capacity management plans for Federal Housing
               Administration (FHA) systems;
             • Effect FHA modernization to address system risks;
             • Address increased risk to management’s estimate of the Loan Guarantee
               Liability brought about by economic conditions and inherent model
               design risks; and
             • Enhance user access management processes for the FHA subsidiary
               ledger.

         Our findings include the following four instances of noncompliance with
         applicable laws and regulations:

             • HUD did not substantially comply with the Federal Financial Management
               Improvement Act regarding system requirements;
             • HUD did not substantially comply with the Antideficiency Act;
             • FHA’s Mutual Mortgage Insurance fund capitalization was not maintained
               at a minimum capital ratio of two percent, which is required under the
               Cranston-Gonzalez National Affordable Housing Act of 1990; and
             • Ginnie Mae did not comply with the Federal Information Management
               Security Act.


          The audit also identified $199.1 million in excess obligations recorded in HUD’s
          records. We also are recommending that HUD seek legislative authority to
          implement $317 million in offsets against public housing agencies’ (PHA) excess
          unusable funding held in Net Restricted Assets Accounts at the PHAs. These
          amounts represent funds that HUD could put to better use.

What We Recommend


          Most of the issues described in this report represent long-standing weaknesses.
          We understand that implementing sufficient change to mitigate these matters is a
          multiyear task due to the complexity of the issues, insufficient information,
          technology systems funding, and other impediments to change. In this and in
          prior years’ audits of HUD’s financial statements, we have made
          recommendations to HUD’s management to address these issues. Our
          recommendations from the current audit, as well as those from prior years’ audits
          that remain open, are listed in appendix B of this report.

          For each recommendation without a management decision, please respond and
          provide status reports in accordance with HUD Handbook 2000.06, REV-3.


HUD’s Response


          The complete text of the agency’s response can be found in appendix E. This
          response, along with additional informal comments, was considered in preparing
          the final version of this report.




                             TABLE OF CONTENTS



Highlights

Internal Control

Compliance With Laws and Regulations

Appendixes
   A. Objectives, Scope, and Methodology
   B. Recommendations
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended Remedial Actions
   D. Schedule of Questioned Costs and Funds To Be Put to Better Use
   E. Agency Comments
   F. OIG Evaluation of Agency Comments




                                   Internal Control

Significant Deficiency: Office of Community Planning and Development
(CPD) Needs to Adequately Monitor Grantees’ Compliance with Program
Requirements

CPD seeks to develop viable communities by promoting integrated approaches that provide
decent housing and a suitable living environment and expand economic opportunities for low-
and moderate-income persons. The primary means toward this end is the development of
partnerships among all levels of government and the private sector, including for-profit and
nonprofit organizations. To carry out its mission, CPD utilizes a mixture of competitive and
formula-based grants. Program offices have a responsibility to ensure that the funds provided
are adequately monitored to ensure that programs are meeting their goals and objectives in
accordance with program requirements.

Grantee oversight is an ongoing process that assesses the quality of a program participant’s
performance over a period of time. Monitoring provides information about program participants
that is critical for making informed judgments about program effectiveness and management
efficiency. Consistent monitoring efforts also help to identify instances of fraud, waste, and
abuse within HUD’s programs and facilitate the correction of control deficiencies before they
materially affect the achievement of the organization’s objectives.

Based upon our review of HUD’s HOME, Community Development Block Grant (CDBG), and
Homeless Assistance programs, we noted control deficiencies regarding monitoring of timely
obligation and expenditure of grant funds. The combination of the control deficiencies we
noted during our audit has adversely affected the organization’s ability to meet its internal
control objectives, which are to determine grantee compliance with applicable laws and
regulations, to timely identify deficiencies, and to design corrective actions to improve or
reinforce program participant performance.



 Compliance With Obligation Requirements by State
 CDBG Programs Not Consistently Monitored or Enforced



              CPD did not consistently monitor and ensure that CDBG non-entitlement funds
              were obligated and announced in accordance with the timeliness requirements in
              the Code of Federal Regulations (CFR). Part 570 of the CFR requires that States
              obligate and announce 100 percent of their annual grants (excluding State
              administration) to units of general local government within 15 months of the State
              signing its grant agreement with HUD.




          CPD completed its latest timeliness review of obligations for grant years 2000-
          2004 in 2006. It did not begin its review of the programs’ timeliness requirement
          for grant years 2005-2007 until September 2008, which is still ongoing. No
          review had been performed for States that signed grant agreements in 2008.

          The results of the review for grant years 2000-2004 were published in CPD
          Notice 06-12, dated November 2, 2006. CPD’s review revealed that for grant
          years 2000-2004, 25 of 50 States had not met the 100 percent standard for
          obligating and announcing their grants to the local governments within 15 months
          of HUD’s date of award for at least 1 of the years reviewed. We determined that
          over the course of these 5 years, about $53 million was not distributed in a timely
          manner. In our initial discussions, CPD was unsure of the follow-up and/or
          remedial actions taken by the field offices regarding States that were in
          noncompliance with the distribution requirements. Documentation was later
          provided by CPD for a sample of 6 of the 25 States, indicating that field offices
          did perform follow-up regarding their noncompliance.

          CPD’s policy is to review data from the Line of Credit Control System (LOCCS)
          and the Grants Management Process (GMP) System within 15 months after the
          beginning of each State’s program year and request field offices to verify that
          States have obligated and announced funds in compliance with the timely
          distribution requirement. We found that the data used by CPD to determine
          compliance with the timeliness requirements were sometimes incomplete or
          contained errors. CPD’s ability to monitor the obligation requirement appeared to
          have been hampered because the data used to measure compliance with this
          requirement were not maintained in one system. Officials added that the timely
          distribution requirement was only one element subject to monitoring review and
          may or may not have been included in any given monitoring review conducted by
          a field office.

          When States do not obligate and announce grant funds in a timely manner, units
          of local government cannot make the most effective and efficient use of their
          funding. In addition, noncompliance with the timely obligation requirement may
          indicate that there are other performance issues within the State. As a result, a
          State’s annual funding amount for the following grant year may need to be
          reduced or suspended.

          We recommend that CPD follow existing policies and regulations regarding
          annual review of the distribution requirements for the State program and follow up
          with remedial actions against States that are in noncompliance. In addition, we
          recommend that the office ensure that the most complete and accurate data are
          used to conduct the review and to consider modifying an existing system that
          would create an automated process to house all of the data needed for the review.



Subgrantees and Community Housing Development
Organizations for the HOME Program Do Not Always
Expend Grant Funds in a Timely Manner

The HOME Expiring Funds Report maintained by the Office of Affordable
Housing Programs, dated September 24, 2009, contained unexpended HOME
Investment Partnerships Program (HOME) funds on grants from 1992 through
2001 that totaled $24.7 million. We found that these funds had accumulated
mainly due to poorly performing community housing development organizations
(CHDO) and subgrantees that did not expend funds in a timely manner. We also
found that these funds had accumulated due to the programs’ cumulative
accounting requirements that allow one grantee’s poor performance within a
participating jurisdiction to be hidden or go undiscovered.

HOME program regulations state that funds that are not expended in a timely
manner can be reallocated in the next year’s formula allocation to further the
mission of the program. It is the field offices’ responsibility to ensure that funds
from fiscal years 2001 and earlier that were not spent in a timely manner are
recaptured and used in the next year’s formula allocation.

HOME program regulations do not penalize or highlight poorly performing
subgrantees or CHDOs for two reasons. First, the commitment, reservation, and
disbursement deadlines are determined on an aggregate/cumulative basis versus a
grant year basis. This process has created a situation in which older funds can
remain available for drawdown because compliance with the disbursement
deadline is determined cumulatively. Therefore, if a subgrantee or CHDO is not
performing as it should, or not spending funds to complete its projects, the
cumulative program requirements may allow one grantee’s poor performance to
be hidden or go undiscovered.

Second, the funds that are subgranted or reserved to a CHDO are held to the five
year disbursement deadline, but it is the participating jurisdiction that is ultimately
responsible for meeting the disbursement deadline. Only the participating
jurisdiction can draw funds, not the subgrantee or CHDO. In addition, it appears
that the large number of subgrantees and CHDOs per participating jurisdiction
within the HOME program makes it difficult for the field offices to sufficiently
monitor the status of subgranted funds.

Since $24.7 million in HOME grant funds for fiscal years 2001 and earlier has
been reserved or committed but not expended, these funds had not been used to
expand the supply of decent, safe, sanitary, and affordable housing for low- and
very low-income families.

We recommend that CPD ensure that field offices encourage participating
jurisdictions to review the Expiring Funds Report as well as the performance of
CHDOs and subgrantees to determine whether the $24.7 million should be
deobligated. We also recommend that CPD develop a policy that would track
expenditure deadlines for funds reserved and committed to CHDOs and
subgrantees separately.



Funds From Expired Contracts Not Always Recaptured
for Homeless Assistance Programs



            Reports from HUD’s Financial Data Mart show approximately $48 million in
            undisbursed obligations recorded for expired contracts that were funded with
            grants during 1997-2001 for homeless assistance programs. These contracts
            expired on or before September 30, 2009. Of the $48 million, approximately $6
            million relates to contracts that expired 90 days before the fiscal year-end. CPD’s
            Funds Control Plan allows a 90-day closeout period for expired contracts.

            According to the Appropriations Law, these funds are available until expended
            and do not return to the U.S. Treasury when the contracts expire. However, the
            field offices are responsible for reviewing the status of contracts and
            recommending that funds that have been obligated but not disbursed in the
            appropriate timeframes be deobligated and included in the next year’s Continuum
            of Care competition to be redistributed to eligible grantees. The competitive
            programs under homeless assistance include (1) Shelter Plus Care, (2) Supportive
            Housing, and (3) Section 8 Moderate Rehabilitation Single Room Occupancy.

            CPD officials stated that when a contract expires, the excess funding should be
            locked, and the grantees should have no access to the funds. CPD has instructed
            the field offices to review these contracts and recommend that the remaining
            funds be recaptured. Special emphasis has been placed on this review process
            before the annual funding competition. However, the field offices have been
            overwhelmed with American Recovery and Reinvestment Act of 2009 (Recovery
            Act) funding requirements and other requirements. As a result, many of these
            expired contract reviews have not been performed.

            In addition, it appears that it is difficult for CPD to consistently track contract
            expiration dates because there is no report that shows all of the necessary
            information. Project data from the Financial Data Mart must be merged with
            LOCCS data because LOCCS stores the contract expiration dates.

            The $42 million identified as excess funding on expired contracts can be included
            in the next year’s Continuum of Care competition as announced in the notice of
            funding availability and redistributed to eligible grantees. The excess funds
            should be recaptured and used to further accomplish the objectives of the
            program, which are to reduce the incidence of homelessness in Continuum of
            Care communities by assisting homeless individuals and families to move to self-
            sufficiency and permanent housing.

            We recommend that CPD develop a policy to ensure that an annual review of the
            status of each of its homeless assistance contracts is conducted, which may
            include recommending deobligation and recapture of excess funds when
            applicable. We recommend that CPD develop the management reports needed to effectively
            track its homeless assistance program expiration dates. We also recommend that
                field offices review the status of the identified contracts and recapture up to the
                $42 million identified in undisbursed obligations for expired contracts that were
                funded with grants during 1997-2001 for homeless assistance programs and
                consider such funds for inclusion in the fiscal year 2010 Continuum of Care
                competition.


    Completed Projects for the HOME
    Program Not Always Closed Out in IDIS
    in a Timely Manner


                The Open Activities Report is issued monthly and used by CPD field offices and
                participating jurisdictions within the HOME program to review open activities in
                the Integrated Disbursement and Information System (IDIS). Open activities are
                those that have not been closed in the system.

                A review of HUD’s Open Activities Report, dated August 31, 2009, showed
                5,972 of 29,216 open activities (20 percent), in which the participating
                jurisdiction had made its final draw but the activity was still listed on the Open
                Activities Report. Thus, these projects had not been closed in the system
                although all funds had been drawn. HOME program regulations require
                participating jurisdictions to enter project completion information into IDIS
                within 120 days of making a final draw for a project. A similar finding 2 was
                reported by the Office of Inspector General (OIG) concerning HUD’s need to
                improve efforts to require participating jurisdictions to cancel HOME fund
                balances for open activities.

                The Open Activities Report also allows participating jurisdictions to view
                activities that have been open for several years with little or no HOME funds
                drawn. Field offices can use this report as a desk-monitoring tool to view each
                participating jurisdiction’s open activities in need of completion or possibly
                cancellation in IDIS. If the report indicates that funds have not been drawn for an
                extended period, the field office can use the report to follow up with the
                participating jurisdiction to determine the reason for the slow progress on the
                project and whether it should be cancelled.

                However, it appeared that the field offices were not using the Open Activities
                Report to follow up with participating jurisdictions on slow-moving projects listed
                on the report. It also appeared that participating jurisdictions were not using the
                report as a reference to determine projects that should be cancelled or closed in
                IDIS. The report was created to alleviate the widespread problem of participating
                jurisdictions not entering project completion data into IDIS in a timely manner.

2 OIG audit report entitled “HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of
HOME Funds” (2009-AT-0001, dated September 28, 2009).


              Participating jurisdictions that do not enter completion data in a timely manner are
              in violation of the HOME regulations. Failure to enter project completion data in
              IDIS negatively affects a participating jurisdiction’s score on several HOME
              performance SNAPSHOTS indicators, understating actual accomplishments and
              reducing the participating jurisdiction’s statewide and national overall rankings.

              The widespread failure of participating jurisdictions to enter completion and
              beneficiary data in a timely manner results nationally in underreporting of actual
              HOME program accomplishments to Congress and the Office of Management and
              Budget (OMB) and may negatively impact future funding for the program.

              We recommend that CPD require field offices to monitor participating
              jurisdictions to ensure that project completion information and beneficiary data
              are complete, accurate, and entered into IDIS monthly and to follow up with
              participating jurisdictions on slow-moving projects to determine the reason for the
              delay. We also recommend that CPD require participating jurisdictions to have a
              quality control system in place to ensure that the required project completion
              information and beneficiary data are complete, accurate, and entered into IDIS
              monthly.




Significant Deficiency: HUD Management Must Continue To Improve
Oversight and Monitoring of Subsidy Calculations, Intermediaries’
Performance, and Utilization of Housing Choice Voucher Funds

Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds
through various grant and subsidy programs to multifamily project owners (both nonprofit and
for profit) and housing agencies. These intermediaries, acting for HUD, provide housing
assistance to benefit primarily low-income families and individuals (households) that live in
public housing, Section 8 and Section 202/811 assisted housing, and Native American housing.
In fiscal year 2009, HUD spent about $29 billion to provide rent and operating subsidies that
benefited more than 4.7 million households.

Since 1996, we have reported on weaknesses with the monitoring of the housing assistance
program’s delivery and the verification of subsidy payments. We focused on the impact these
weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing
subsidies and (2) verify tenant income and billings for subsidies. During the past several years,
HUD has made progress in correcting this deficiency. In 2009, HUD continued utilizing the
comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts
to address public housing agencies’ (PHA) improper payments and other high-risk elements.
HUD’s continued commitment to the implementation of a comprehensive program to reduce
erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying
out their responsibility to administer assisted housing programs according to HUD requirements.




The Department has demonstrated improvements in its internal control structure to address the
significant risk that HUD’s intermediaries are not properly carrying out their responsibility to
administer assisted housing programs according to HUD requirements. HUD’s increased and
improved monitoring has resulted in a significant decline in improper payment estimates over the
last several years. However, HUD needs to continue to place emphasis on its on-site monitoring
and technical assistance to ensure that acceptable levels of performance and compliance are
achieved and periodically assess the accuracy of intermediaries’ rent determinations, tenant
income verifications, and billings.

Tenant income is the primary factor affecting eligibility for housing assistance, the amount of
assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy
payment makes up the difference between 30 percent of a household’s adjusted income and the
housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The
admission of a household to these rental assistance programs and the size of the subsidy the
household receives depend directly on the household’s self-reported income. However,
significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent
determinations and undetected, unreported, or underreported income. By overpaying rent
subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds
that could have been used to subsidize other eligible families in need of assistance.



 HUD’s Gross Estimate of Erroneous Payments Increased
 in Fiscal Year 2009


              The estimate of erroneous payments that HUD reports in its Performance and
              Accountability Report relates to HUD’s inability to ensure or verify the accuracy
              of subsidy payments being determined and paid to assisted households. This
              year’s contracted study of HUD’s three major assisted housing programs
              estimated that the rent determination errors made by the intermediaries resulted in
              substantial subsidy overpayments and underpayments. The study was based on
              analyses of a statistical sample of tenant files, tenant interviews, and income
              verification data for activity that occurred during fiscal year 2008. However, the
              amounts reported in the study have been adjusted due to recent program structure
              changes.

              The Public Housing programs switched to Asset Management and began
              calculating formula income for PHAs as noted in 24 CFR 990.195 Calculating
              Formula Income. This change eliminated the 3 types of improper payment errors
              for the Public Housing program. This new process was implemented in January
              2007. Therefore, for FY 2007, this process was in place for the last 3 quarters of
              the year and HUD subsidy errors occurred only in the first quarter. Errors could
              still be made by PHAs in their calculation of the amount of tenant rent or tenants
              could still be underreporting their income; however, beginning January 2007, this
              no longer affected HUD’s subsidy. The Quality Control (QC) study and Income
              Match Reporting study estimated these errors for the entire fiscal year because
              this information is useful to management of both PIH and the PHAs. However,
              based on the conversion to asset management and the change in calculating
formula income becoming effective in January 2007, none of the amounts
calculated in the QC study for the Public Housing Administrator, Income
Reporting, and Billing errors will be reported for FY 2008 as this change was in
effect for all of FY 2008. In addition, the establishment of a budget based
funding methodology was implemented for the Housing Choice Voucher Program
to eliminate the opportunity for billing errors in that program. Budget based
means that each PHA will have a set annual budget for vouchers to serve their
clients’ needs. The PHA will receive the annual budget in 12 equal monthly
payments – thus eliminating the need to bill HUD and eliminating the Housing
Choice Voucher Program Billing Error.

The estimate of erroneous payments is reported in HUD’s Fiscal Year 2009
Performance and Accountability Report as Other Accompanying Information and
will reflect the adjusted error estimates. Based on the previously mentioned
program structure changes, HUD is reporting subsidy payment inconsistencies in
which HUD incorrectly paid $592 million in annual housing subsidies. This is a
12 percent decrease in the gross erroneous payments in comparison to the prior
year.

The estimate of erroneous payments this year also includes overpaid subsidies
from underreported and unreported income and intermediaries’ billings errors.
HUD estimated that housing subsidy overpayments from tenants misreporting
their income totaled an additional $364 million in overpayments during Fiscal
year 2008 before making adjustments for the program structure changes.
However, during our testing of the initial error estimate results, we found
additional cases resulting in valid errors. In addition, we also determined that the
contractor performing the review of the income match was not following the rules
properly for some of the cases. As a result, the contractor re-reviewed the cases
to apply the rules correctly and issued a revised income match report with a total
estimate of $416 million. Therefore, including the subsidy error associated with
the income from these cases and making adjustments for the program structural
changes, the revised estimate is $370.7 million.

HUD did not conduct a billings study during fiscal year 2009. Therefore, the
results of the prior year’s study will carry over for this year’s billings error estimate
and have been adjusted according to the previously mentioned program structural
changes. Based on the payment errors that were identified for the Office of
Housing’s project-based Section 8 housing program, HUD reported an estimated
$59 million in program billings errors for fiscal year 2006. In addition, PIH’s
billings error estimate has been reduced to zero for the Housing Choice Voucher
program. Additionally, the operating subsidy estimate was reduced to zero for the
PIH billings estimate based on the previously mentioned structural changes.
Therefore, only the Office of Housing’s estimate of $59 million will be included
in the estimate of erroneous payments for billings errors.

In totality, HUD has increased the combined gross improper rental housing
assistance payment estimates to $1.022 billion in Fiscal Year 2008. This is a total
increase of 3 percent in comparison to the prior year estimates of $993 million.




Need To Continue Initiatives To Detect
Unreported Tenant Income


           The computer matching agreement between HUD’s Office of Housing and the
           Department of Health and Human Services (HHS) for use of the National
           Directory of New Hires in the Enterprise Income Verification system (EIV) was
           finalized in fiscal year 2008. HUD successfully expanded its computer matching
           program with the HHS data to all of its rental assistance programs (public
           housing, housing vouchers, and project-based housing) when HUD's
           project-based program gained access to the HHS database on January 15, 2008. The
           other programs had gained access previously. HUD had intended to issue a final
           rule mandating the use of this matching data by the end of calendar year 2008.
           However, the final rule revising HUD's public and assisted housing program
           regulations to implement the up-front income verification process for program
           participants was published on January 27, 2009. Consequently, the final rule was
           scheduled to become effective on September 30, 2009, but it has now been
           postponed and will not become effective until January 31, 2010. This rule would
           require the use of HUD's EIV system by PHAs and owners and management
           agents.

           EIV is a web-based system that compiles tenant income information and makes it
           available online to HUD business partners to assist in determining accurate tenant
           income as part of the process of setting rental subsidy. Currently, EIV matches
           tenant data against Social Security Administration information, including Social
           Security benefits and Supplemental Security Income, and with the HHS National
           Directory of New Hires (NDNH) database, which provides information such as
           wages, unemployment benefits, and W-4 (“new hires”) data, on behalf of PIH and
           Multifamily Housing programs. The EIV System is available to PHAs
           nationwide and to Owner Administered project-based assistance programs and
           they are encouraged to use and implement the EIV System in their day-to-day
           operations.

           During our fiscal year 2008 audit, we noted that the Department was also in the
           process of implementing the Multifamily Housing Error Tracking Log (ETL)
           initiative. The ETL initiative was supposed to document whether and to what
           extent owners are accurately, thoroughly, and clearly determining family income
           and rents in the Office of Multifamily Housing Subsidy Programs, and was to
           track the specific dollar impact of income and rent discrepancies and the
           corresponding resolution of such errors. However, we determined during our
           fiscal year 2009 audit that ETL has not been implemented yet. In addition, it has
           been renamed ISERS (Integrated Subsidy Error Reduction System) and is
           currently going through the procurement process.




Need To Continue Progress on RHIIP Initiatives



           HUD initiated the RHIIP as part of an effort in fiscal year 2001 to develop tools
           and the capability to minimize erroneous payments. The type of erroneous
           payments targeted includes the excess rental subsidy caused by unreported and
           underreported tenant income. Since our last report, HUD has continued to make
           progress in addressing the problems surrounding housing authorities’ rental
           subsidy determinations, underreported income, and assistance billings. However,
           HUD still needs to ensure that it fully uses automated tools to detect rent subsidy
           processing deficiencies and identify and measure erroneous payments.


Monitoring of Intermediaries’ Performance


           During fiscal year 2006, HUD implemented a 5-year plan to perform consolidated
           reviews to reinforce PIH’s efforts in addressing PHAs’ improper payments and
           other high-risk elements. These reviews were also implemented to ensure the
           continuation of PIH’s comprehensive monitoring and oversight of PHAs. The 5-
           year plan required HUD to perform tier 1 comprehensive reviews on
           approximately 20 percent or 490 of the PHAs that manage 80 percent of HUD’s
           funds. According to the Fiscal Year 2009 Management Plan directive, PIH
           identified 100 PHAs that receive 80 percent of HUD’s funding for the priority tier
           1 comprehensive reviews. Tier 2 reviews, chosen by field offices based on
           availability of resources, are optional comprehensive reviews of the remaining
           PHAs. The comprehensive reviews included rental integrity monitoring (RIM),
           RIM follow-up on corrective action plans, EIV implementation and security,
           Section 8 Management Assessment Program (SEMAP) confirmatory reviews,
           SEMAP quality control reviews, exigent health and safety spot checks,
           Management Assessment Subsystem certifications, and civil rights limited front-
           end reviews.

           Documentation provided during our review showed that 105 Tier I reviews were
           performed during fiscal year 2009. Because of the deficiencies identified in the
           consolidated reviews, corrective action plans were implemented at 12 PHAs from
           Tier I reviews completed as of June 30, 2009. More corrective action plans may
           be implemented from reviews completed in the last quarter. At the end of our
           fieldwork, six PHAs had corrective action plans still open. Additionally, from
           prior Tier I reviews, we noted that corrective action plans for 5 PHAs were still
           open. HUD must continue to ensure that corrective action plans are implemented
           and closed out, thereby ensuring that the systemic errors identified during the
           reviews have been corrected.

           In prior years, we reported that information contained in the PIH Inventory
           Management System (PIC-IMS) was incomplete and/or inaccurate because
           housing authority reporting requirements were discretionary. As a result PHAs
          have been mandated to submit 100 percent of their family records to HUD. HUD
          annually evaluates those PHAs not meeting the 95 percent requirement. In fiscal
          year 2009, there were 190 PHAs of 3,121 that did not meet the minimum
          reporting rate. We performed spot checks at the Chicago, San Francisco, and
          Atlanta PIH field offices and found that for the most part, PHAs were meeting
          HUD’s reporting requirements. Since HUD uses the tenant data from its PIC-
          IMS for the income-matching program and program monitoring, it is essential that
          the database have complete and accurate tenant information. Therefore, until a
          more efficient and effective means of verifying the accuracy of the data is
          developed, HUD needs to continue to emphasize the importance of accurate
          reporting and proactively enforce sanctions against those PHAs that do not follow
          the requirement.

          HUD has made substantial progress in taking steps to reduce erroneous payments.
          However, it must continue its regular on-site and remote monitoring of the PHAs
          and use the results from the monitoring efforts to focus on corrective actions
          when needed. We are encouraged by the on-going actions to focus on improving
          controls regarding income verification, as well as HUD’s plans regarding
          corrective action plans, consolidated reviews, and the continual income and rent
          training for HUD staff, owners, management agents, and PHAs.


Monitoring Public Housing Agencies’
Utilization of Excess Funds


          Congress, in an attempt to limit the cost of the Housing Choice Voucher program
          and to provide flexibility to the PHAs in the administration of available program
          funding, enacted provisions in the fiscal year 2005 Appropriation Act (Public Law
          108-447) that significantly changed the way HUD provides and monitors the
          subsidies paid to PHAs. Starting January 1, 2005, Congress changed the basis of
          the program funding from a “unit-based” process to a “budget-based” process that
          limits the Federal funding to a fixed amount.

          Under the legislation, HUD distributes Federal funding using a formula based on
          the prior-year cost that is self-reported by housing agencies in the Voucher
          Management System (VMS). HUD records the funding allocated to the PHA as
          an expense and no longer records a receivable for any under-utilized funds
          because the PHAs retain and are expected to use the funds in their entirety for
          authorized program activities and expenses within the time allowed. Program
          guidance states that any budget authority provided to PHAs that exceeds actual
          program expenses for the same period must be maintained in a housing agency’s
          net restricted assets account (NRA). Although these funds are retained by the
          PHA and not HUD, HUD relies on the PHAs for maintaining the excess budget
          authority reserve available for program cost increases. If the excess budget
          authority accumulated in the PHAs’ NRA account is not needed to lease up to 100
          percent of the vouchers, then the excess funds are considered “unusable”
          according to program regulations. According to HUD’s records, as of June 30,
                    2009, the PHAs’ NRA account showed a total of $840 million in total excess
                    funding. Of the $840 million, $317 million has been categorized as unusable.

                    HUD has the responsibility to ensure that these funds are properly accounted for
                    and are used for authorized program activities. HUD is also responsible for
                    monitoring intermediaries’ performance. Consequently, the VMS cost data are
                    critical to (1) determining over- and underutilization of funds and excess budget
                    authority available for cost increases and budget offsets and (2) evaluating PHAs’
                    performance in ensuring that funds are used to serve the maximum number of
                    families.

                    In our fiscal year 2008 report,3 we recommended increased monitoring efforts
                    regarding the excess budget authority held by PHAs to include the $1.9 billion
                    NRA account balance as part of HUD’s on-site monitoring review of PHAs. In
                    addition, we recommended seeking legislative authority for offsetting $1.4 billion
                    in PHAs’ unusable excess budget authority. During April 2009, HUD completed
                    a $780 million offset from those PHAs having large NRA balances.

                    HUD’s monitoring of the PHAs’ expenditures and excess budget authority is a
                    critical internal control to ensure the accuracy of the estimated annual $15 billion
                    for the Housing Choice Voucher program and to ensure an adequate level of
                    reserves for PHAs’ operations. HUD’s Real Estate Assessment Center performs a
                    desk review of the PHAs’ financial statements but does not validate and ensure
                    the accuracy of the PHAs’ NRA excess funds.

                    In conjunction with our audit, we learned that more than 370 PHAs were
                    requesting additional funding in fiscal year 2009. The extra funding would be
                    needed to cover anticipated funding shortfalls, which placed many families at risk
                    of losing the subsidy. We performed reviews of the accounting records at 11
                    PHAs from the list of 370 PHAs. For the 11 PHAs, we tested whether HUD’s
                    calculated NRA balances as of December 2008 were in agreement with PHAs’
                    records and whether excess funds were available for program use. Our review
                    showed differences between PHAs’ actual NRA balances and HUD’s calculated
                    NRA balances for all 11 PHAs reviewed.

                    Our review of the DeKalb, GA, PHA showed that the PHA NRA balance was $5
                    million or $4 million less than HUD’s $9 million NRA calculated balance.
                    DeKalb officials explained that excess funding from the NRA was used to cover
                    administrative fee increases incurred for processing a higher than expected
                    number of portability and disaster vouchers. In addition, DeKalb indicated that
                    expenditures in VMS were understated by $2.5 million, causing a reduction of the
                    funding received for 2009.




3 Additional Details to Supplement Our Report on HUD’s Fiscal Year 2008 and 2007 Financial Statements, 2009-FO-0003, dated November 14, 2008



The San Francisco PHA showed an NRA balance of $17 million, or $2 million
higher than HUD’s $15 million calculated NRA. This difference was a result of
the PHA using $2 million less from its NRA to cover the 2008 budget offset.

For the nine other PHAs reviewed, we found that two PHAs showed $1 million
and $8 million more in their respective NRA accounts than HUD recorded. The
remaining seven PHAs showed less funding in their NRA accounts than HUD
estimates, ranging from $214,000 to $18 million.

We attribute the differences in the HUD-calculated NRAs to the following
factors:

      • VMS has no mechanism to (1) compare what the PHAs spend and receive
        in administrative fee expenses and (2) capture transfers between housing
        assistance and the funds for administrative fees,
      • PHAs lacked an understanding of how to report expenditures in VMS,
      • HUD failed to detect PHAs’ noncompliance with financial requirements
        due to its delays in implementing procedures for validating and
        reconciling the NRA, and
      • HUD did not include the NRA balances as part of its on-site monitoring
        review of PHAs. HUD’s Quality Assurance Division plans to include
        NRA validation procedures in fiscal year 2010.

Regarding the funding shortfalls at the 370 PHAs, the following factors
contributed to the shortfalls:

      • The current state of the economy with higher than expected
        unemployment rates has resulted in less income earned by families,
        thereby shifting a larger share of the rent to be paid by the PHAs and
        resulting in funds being consumed more rapidly than anticipated;
      • PHAs were not always aware of the cost-saving measures available to
        them. For example, decreasing rent payment standards, changing tenant
        income standards, lowering utility payments, and restructuring repayment
        agreements could result in cost savings to the PHAs;
      • PHAs lacked knowledge of or misunderstood program rules for allowing the
        use of administrative fee reserves for housing assistance in helping to
        alleviate their funding shortfalls;
      • There were inaccuracies between the PHAs’ actual NRA per book balance
        and the calculated NRA balance used by HUD to process the funding
        offsets; and
      • Some PHAs did not have the excess funding available for program use to
        supplement the funding offsets.

HUD responded to the reported shortfalls by providing PHAs with technical
assistance on cost-saving measures and a reconciling of PHAs’ accounting
records to HUD’s calculated NRA balance. After HUD’s review, a majority of
the PHA requests for additional funding were denied because HUD found that the
               PHAs were either over leasing vouchers or had sufficient funding. However,
               HUD did identify 104 PHAs that needed $42.4 million in additional funding.
               HUD plans to provide additional funding (1) using $11 million left over from the
               $100 million set aside in the 2009 Appropriation Act (PL 111-18), (2) by
               obtaining authorization from OMB to use part of the advance fiscal year 2010
               appropriation, and (3) shifting $30 million from the remaining administrative fee
               reserves in HUD’s books. HUD is continuing to evaluate the financial status of
               the PHAs and making adjustments as needed. In regard to the $317 million in
               excess funding categorized as unusable, we recommend that HUD seek legislative
               authority to perform additional offsets on PHAs having excess funding at year-
               end. In addition, as recommended in last year’s audit, (1) efforts to reconcile the
               NRA accounts should start earlier in the year to ensure that PHAs have funds
               available for program use, and (2) HUD needs to increase its on-site monitoring
               by including the validation of the NRA as part of the VMS reviews.




Significant Deficiency: HUD Needs To Improve Its Processes for Reviewing
Obligation Balances
HUD needs to improve controls over the monitoring of obligation balances to ensure that they
remain needed and legally valid as of the end of the fiscal year. HUD’s procedures for
identifying and deobligating funds that are no longer needed to meet its obligations were not
always effective. This has been a long-standing weakness.

Annually, HUD performs a review of unliquidated obligations to determine whether the
obligations should be continued, reduced, or canceled. We evaluated HUD’s internal controls
for monitoring obligated balances and found that HUD has made progress in implementing
improved procedures and information systems. However, additional improvement is needed.
Our review of the 2009 year-end obligation balances showed that timely reviews of unexpended
obligations for Section 8 project-based, Sections 202 and 811, rental assistance payment, rent
supplement, interest reduction payment program, and administrative and other program
obligations were not being performed. As a result, $132.4 million in excess funds had not been
recaptured.

In addition, we identified more than $1.7 billion in obligations tied to more than 3,500 capital
advances or contracts awarded under Section 8 project-based and Sections 202 and 811 programs
that were reported in the subsidiary ledgers with no contract expiration dates. As a result, there
was no assurance that these contracts, as recorded in the system of record, were all active and
that obligations associated with these contracts were all valid. We recommend that HUD design
and implement procedures to ensure that an expiration date is entered into the subsidiary ledger
and perform a detailed review of these contracts to determine whether they are active contracts.
Excess funds associated with contracts, later determined to be expired, should be recaptured.
Also, we recommend that HUD implement a long-term financial management strategy and
improvement plan to better manage and accurately report its obligation balances.



                                               18
Project-Based Section 8 Contracts



            HUD’s systems and controls for processing payments, monitoring, budgeting,
            accounting, and reporting for Section 8 project-based contracts need to be
            improved. HUD has been hampered in its ability to estimate funding
            requirements, process timely payments to project-based landlords, and recapture
            excess funds in a timely manner. This problem is evidenced in HUD’s long-term
            challenges in paying Section 8 project-based landlords on a timely basis; properly
            monitoring, budgeting, and accurately accounting for contract renewals; and
            reporting obligation balances.

            HUD administers 18,235 housing assistance payments contracts to provide about
            1.25 million low-income housing units. A total of 14,459 contracts, covering
            more than 1 million housing units, are currently subject to annual renewal. In
            fiscal year 2008, obligations incurred for the 14,459 renewed contracts totaled
            more than $6 billion. HUD’s estimated $9.6 billion in budget authority for
            Section 8 project-based contracts in fiscal year 2009 included $2.0 billion in
            supplemental Recovery Act funds and a $221 million carryover from prior years.

            Section 8 budget authority is generally available until expended. As a result,
            HUD should periodically assess budget needs and identify excess program
            reserves in the Section 8 programs as an offset to future budget requirements.
            Excess program reserves represent budget authority originally received, which
            will not be needed to fund the related contracts to their expiration. While HUD
            had taken actions to identify and recapture excess budget authority in the Section
            8 project-based program, weaknesses in the review process and inadequate
            financial systems continued to hamper HUD’s efforts. There was a lack of
            automated interfaces between the Office of Housing subsidiary records and
            HUD’s general ledger for the control of program funds. This condition
            necessitated that HUD and its contractors make extensive use of ad hoc analyses
            and special projects to review Section 8 contracts for excess funds, which has
            hampered HUD’s ability to identify excess funds remaining on Section 8
            contracts in a timely manner.

            We have been reporting weaknesses in HUD’s financial management systems
            areas for many years, including making a recommendation that HUD develop a
            long-term financial management system solution to automate and streamline its
            processes. This year, as part of HUD’s effort to improve the quality of services
            within the rental housing assistance business areas, HUD conducted a study of its
            performance gap and developed a long-term information technology (IT) strategy
            and improvement plan to address the performance gap. However, as of the end of the
            fiscal year, it had not been implemented. Meanwhile, the shortcomings in the
            financial management system continued to impair HUD’s abilities to properly
            monitor and accurately account for contract renewals and report obligation
            balances. This problem is evidenced by the deficiencies found during our current
            review.

            This fiscal year, the Office of Housing recaptured approximately $288.7 million
            in unliquidated obligation balances from 7,969 contracts in the Section 8 project-
            based program. Our review of the Section 8 project-based contracts showed an
            additional 692 contracts that had expired on or before January 1, 2009, or were
            inactive with available contract/budget authority. These 692 contracts had $75.3
            million in excess funds potentially available for recapture.

            In addition, our review results raised concerns about the reliability of Program
            Accounting System (PAS) data in providing accurate information with regard to
            Section 8 project-based obligations and recapture of expired obligations balances.
            Specifically, we noted that

               • Contracts with 562 funding lines/increments and obligation balances totaling
                 more than $130 million were reported in PAS with no contract expiration
                 dates. As a result, there is no assurance that these 562 contracts are active and
                 the remaining obligation balances associated with these contracts remain
                 legally valid. HUD needs to review these contracts and recapture any excess
                 funds on contracts determined to be expired. These funds, up to $130 million,
                 could be put to better use to fund projects that require funding.

               • Contracts with 325 funding lines/increments, expiration dates before January
                 1, 2009, and totaling more than $70 million were reported in PAS. Review of
                 these contracts by Office of Housing staff disclosed that the contracts were
                 “fully disbursed,” thus overstating the PAS obligation balance by the same
                 amount. Funds associated with these contracts should be reviewed and
                 adjusted in PAS accordingly. These funds, up to $70 million, could be put to
                 better use to fund other projects requiring funding.

Supportive Housing for the
Elderly and Disabled - Sections
202 and 811 Programs

            HUD is required by the Federal Managers’ Financial Integrity Act to establish
            internal controls to ensure that obligations are properly accounted for to permit
            the preparation of accounts and reliable financial and statistical reports and to
            maintain accountability over its obligations. Our review, however, showed that
            HUD’s subsidiary ledger supporting the obligation balances did not provide
            reliable or complete information with regard to capital advances and/or contracts
            awarded under the Sections 202 and 811 programs. As a result, there was no
            assurance provided by the information system of record that information on
            program obligations was accurately reported and legally valid.

            HUD’s Sections 202 and 811 programs provide affordable housing and supportive
            services for elderly families and families with disabilities. These programs
provide capital advances to private nonprofit organizations to finance the
construction of new facilities or acquisition or rehabilitation of existing facilities.
The capital advance is interest free and does not have to be repaid if the housing
remains available for very low-income elderly or disabled families for at least 40
years.

After the facility has been constructed and occupied, HUD provides additional
project rental assistance contract (PRAC) funds to owners to cover the difference
between the HUD-approved operating cost for the project and the tenants’
contribution toward rents.

Funds for the capital advance and PRAC are obligated when the Section 202 or
811 agreement letter is signed by the hub/program center director and the
sponsor(s). An authorized signature memorandum from the Assistant Secretary
for Housing/Federal Housing Commissioner or designee to the Fort Worth
Accounting Center completes the obligation. The Fort Worth Accounting Center
verifies that funds are in LOCCS and records the obligation in PAS. Generally,
funds appropriated for capital advance and PRAC are available for three years.
After three years, the funds expire and will not be available for obligation, thus
making it necessary to track funds obligated under the program.

At the beginning of fiscal year 2009, the Sections 202 and 811 programs had
unliquidated obligation balances of $3.7 billion and $1.0 billion, respectively. We
reviewed the PAS subsidiary ledger supporting the current Sections 202 and 811
program unliquidated obligation to determine whether unliquidated program
obligations reported were valid and whether invalid obligations had been
cancelled and recaptured in PAS. We found that HUD’s PAS subsidiary ledger
did not provide reliable information with regard to capital advances and/or
contracts awarded under the Sections 202 and 811 programs. Specifically, we
found that

   • Obligations data totaling $20.2 million associated with 1,232 contracts were
     reported in PAS as expired as of January 1, 2009. Funds associated with these
     expired contracts could be deobligated and put to better use to fund other
     projects that required funding.

   • Obligations data totaling more than $1.6 billion associated with 3,500
     contracts for capital advances and other grants were reported in PAS with no
     contract expiration dates. As a result, there was no assurance that obligations
     on these contracts were accurately reported and legally valid. Funds
     associated with expired contracts could potentially be deobligated and put to
     better use to fund other projects that required funding.

The deficiencies in the Sections 202 and 811 programs occurred because of
limited resources. In addition, expiration dates on capital advances and grants
were not entered into the subsidiary ledger because of a lack of understanding that
once funds are obligated for capital advances and grants, they remain available to
the project. HUD needs to allocate additional resources to Sections 202 and 811
          programs and develop and implement procedures to ensure that information on
          program obligations was accurately reported and legally valid.



Section 236 Interest Reduction Program



          The Section 236 Interest Reduction Program (IRP) was created in 1968; however,
          new program activity ceased in the mid-1970s. The multifamily activities carried
          out by this program include making interest reduction payments directly to
          mortgage companies on behalf of multifamily project owners. The contracts
          entered into were typically up to 40 years, and HUD was required to fund these
          contracts for their duration. At the time it entered into the contracts, HUD was to
          record obligations for the entire amount. The obligations were established based
          upon permanent indefinite appropriation authority. This budget authority is
          included in the statement of budgetary resources and other consolidated financial
          statements as “other programs.”

          Although the Section 236 IRP is not a major program, program deficiencies have
          been reported by OIG in prior reports on the financial statements. The Offices of
          Housing and the Chief Financial Officer have been hampered by historically poor
          record keeping in their attempt to accurately account for unexpended Section 236
          budget authority balances and estimated future payments. These estimated
          payments were the basis for HUD’s recorded obligation balances necessary to
          fully fund the contracts to their expiration. HUD adjusts the recorded obligations
          as it proceeds through the term of the contracts to reflect best estimates of the
          financial commitment. Factors that can change the budgetary requirements over
          time include contract terminations, refinancing, and restructuring of the contracts.

          In recent years, OIG noted that HUD had taken a series of corrective actions to
          address these deficiencies. However, improvement in the timing of its quarterly
          reconciliation is needed to ensure that Section 236 IRP obligations are valid and
          can be more accurately estimated and reported.

          In fiscal year 2009, we identified 37 inactive Section 236 IRP contracts with more
          than $49.6 million in excess contract and budget authority that could be
          deobligated. These 37 contracts had been prepaid and terminated from the
          program. HUD processed adjustments to deobligate more than $26.2 million for
          5 of the 37 terminated projects. HUD agreed and processed adjustments to
          deobligate an additional $23.4 million for the remaining 32 terminated projects in
          this fiscal year.

          HUD took corrective action to develop and implement revised quarterly
          reconciliation procedures in the third quarter of the current fiscal year.




Rent Supplement and Rental
Assistance Payments


           HUD was not recapturing excess undisbursed contract authority from the rent
           supplement and rental assistance payments programs in a timely manner.
           Although HUD continues to make progress in this area, improvement is still
           needed to ensure the timely recapture of excess funds.

           The rent supplement and rental assistance payments programs have been in
           existence since the mid-1960s and 1970s, respectively. The rent supplement
           and rental assistance payments programs operate much like the current
           project-based Section 8 rental assistance program. Rental assistance is paid
           directly to multifamily housing owners on behalf of eligible tenants.

           HUD’s subsidiary ledgers show, on a fiscal year basis, the amount authorized for
           disbursement and the amount that was disbursed under each project account.
           Funds remain in these accounts until they are paid out or deobligated by HUD. If
           the funds are not paid out or deobligated, the funds remain on the books,
           overstating the needed contract authority, the excess of which should be
           recaptured. Our prior audit reports showed that these funds were not being
           recaptured in a timely manner.

           In response to our concern, in fiscal year 2006, HUD developed and implemented
           procedures to review quarterly and annually the programs and associated contract
           authority requirements. Although progress has been made in this area,
           improvement in the timing of its recently revised quarterly reconciliation review
           is still needed to ensure the timely recapture of excess funds.

           We performed a review in fiscal year 2009 of unliquidated obligations for the
           multifamily projects’ accounts under the rent supplement and rental assistance
           programs. Our review found $11.2 million in undisbursed contract authority from
           prior fiscal years on 259 multifamily projects that should be recaptured. HUD
           later determined that more than $4.7 million of the $11.2 million could be
           recaptured this year.


Administrative/Other Program Obligations



           Annually, the Chief Financial Officer forwards requests for obligation reviews to
           various administrative and program offices. The focus of the review is on
           administrative and program obligations that exceed threshold amounts established
           by the Chief Financial Officer. In this year’s review, the focus is on
           administrative obligations that exceeded a balance of $17,000 and program
           obligations that exceeded $217,000. Excluding the Section 8 and Sections 235
              and 236 programs, which undergo separate review processes, HUD identified
              1,184 obligations with remaining balances totaling $22.1 million for deobligation.
              We tested the 1,184 obligations HUD identified to determine whether the
              associated $22.1 million had been deobligated in HUD’s Central Accounting
              System and PAS. We found that, as of September 30, 2009, a total of 820
              obligations with remaining balances totaling $8.8 million had not been
              deobligated. HUD has initiated the process of closing these contracts, and the
              associated funding should be recaptured in fiscal year 2009.

              With respect to project-based Section 8 contracts, we recommended in our audit
              of HUD’s fiscal year 1999 financial statements that systems be enhanced to
              facilitate timely closeout and recapture of funds. In addition, we recommended
              that the closeout and recapture process occur periodically during the fiscal year
              and not just at year-end. Implementation of the recommendations and the long-
              term financial management system improvement plan is critical so that excess
              budget authority can be recaptured in a timely manner and considered in
              formulating requests for new budget authority.

              With respect to Sections 202 and 811 programs, we recommend that HUD
              develop and implement procedures for entering contract expiration dates into the
              subsidiary ledger. The procedures should include entering contract expiration
              dates and performing a detailed review of more than 3,500 contracts identified in
              our review to determine whether more than $1.7 billion in obligations associated
              with these contracts are all active and valid. Excess funds associated with
              contracts later determined to be expired should be recaptured or deobligated.
              These funds could be put to better use to fund other projects that need funding.

              For HUD’s administrative and other program funds, HUD needs to promptly
              perform contract closeout reviews and recapture the associated excess contract
              authority and imputed budget authority. In addition, HUD needs to address data
              and system weaknesses to ensure that all contracts are considered in the
              recapture/shortfall budget process including Section 236 IRP, rent supplement,
              and rental assistance payment programs.




Significant Deficiency: HUD Financial Management Systems Need To
Comply With Federal Financial Management System Requirements

In fiscal year 2009, we determined that the formula grant process of HUD’s Office of Community
Planning and Development (CPD) specifically is not compliant with Federal financial management
requirements, in addition to our prior-year finding that HUD is not in full compliance with
Federal financial management requirements generally. The CPD formula grant management process
was found noncompliant because the HUD grants management system, as designed and implemented,
can shift the funding year source entered by the grantee to the oldest funds available in the system.
HUD is required by Federal financial management requirements to be able to reconcile the
performance data entered by the grantee in the grants management system to the accounting and
budget information in other financial management systems. However, according to CPD, the
funding year information entered by the grantee is not provided in the interface to the disbursing
financial management application or the core financial system. Also, HUD has not completed
development of an adequate integrated financial management system. HUD is required to
implement a unified set of financial systems. This requirement includes the financial portions of
mixed systems encompassing the software, hardware, personnel, processes (manual and
automated), procedures, controls, and data necessary to carry out financial management
functions, manage financial operations of the agency, and report on the agency’s financial status
to central agencies, Congress, and the public. As currently configured, HUD financial
management systems do not meet the test of being unified. The term “unified” is defined as
meaning that systems are planned for and managed together, operated in an integrated fashion,
and linked electronically to efficiently and effectively provide agency-wide financial system
support necessary to carry out the agency’s mission and support the agency’s financial
management needs.

HUD’s financial systems, many of which were developed and implemented before the issue date
of current standards, were not designed to perform or provide the range of financial and
performance data currently required. The result is that HUD, on a department-wide basis, does
not have unified and integrated financial management systems that are compliant with current
Federal requirements or provide HUD the information needed to effectively manage its
operations on a daily basis. This situation could negatively impact management’s ability to
perform required financial management functions; efficiently manage the financial operations of
the agency; and report, on a timely basis, the agency’s financial results, performance measures,
and cost information.


 CPD Formula Grants Reporting is
 not in Compliance with FFMIA



               HUD’s design and implementation of the integrated financial management system
               that supports the CPD formula grant programs is not in compliance with Federal
               financial management system requirements. The system does not provide the
               required information related to the source and use of formula grants funding at the
               transaction level. Federal financial management requirements expect that budget,
               performance, and financial information be drawn from the same source and apply
               consistent U.S. Standard General Ledger (USSGL) elements throughout the
               recording, performance measurement, and financial reporting cycles. Federal
               accounting standards require that cost information developed for different
               purposes be drawn from a common data source and that output reports be
               reconcilable to each other.

           HUD uses its Integrated Disbursement and Information System (IDIS Online) to
           support the financial management of CPD’s formula grant programs. Grantees use
           the system to track and draw down CPD funds, report program income, and record
           the results of CPD-funded activities. Annually, the grant recipient, based on a
           Consolidated Plan, records information on approved activities in IDIS Online.
           The fiscal year appropriation associated with a particular activity should be
           accounted for within the system. As the grantees provide services or accomplish
           activities, they report specific activity accomplishment information to the IDIS
           Online system and create requests for reimbursement. While a grantee’s program
           year may not line up with a Federal fiscal year because of when agreements are
           signed, the achievements and the project and activity costs recorded in IDIS
           Online must be reconcilable with the appropriation year in which the funding
           was approved.

           When processing a payment request for a given activity, IDIS Online selects the
           oldest available funding source for the fund type associated with that activity.
           CPD refers to this accounting practice as FIFO (first in, first out). This method of
           disbursement is used for all CPD formula grants. IDIS Online then interfaces with
           the Line of Credit Controls System (LOCCS), which is one of HUD’s core financial
           systems, to disburse the funds. LOCCS then passes the disbursement information
           to the Program Accounting System (PAS), which is the accounting system used to
           generate the financial statements.

           Because disbursements for activity performance and accomplishments reported in
           IDIS are not reconcilable to appropriation-specific accounting information in
           LOCCS or PAS, the system is not in compliance with FFMIA. The Chief
           Financial Officers Act of 1990 requires the agency to develop and maintain an
           integrated agency accounting and financial management system, including
           financial reporting and internal controls to incorporate integration of accounting
           and budgetary information. In addition, OMB A-127 requires that financial
           events be recorded by agencies throughout the financial management system
           applying the requirements of the USSGL at the transaction level. It further states
           that to be compliant with this requirement, the financial management systems
           must have transaction detail supporting USSGL accounts available in the financial
           management systems and directly traceable to specific USSGL account codes.
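
The following example is added here to illustrate the finding above; it is not code from IDIS Online, LOCCS, or PAS. It models an oldest-funds-first drawdown and shows why per-year totals stop reconciling once the grantee-entered funding year is dropped at the interface. All fund types, amounts, activity ids, and field names are constructed assumptions.

```python
"""Oldest-funds-first (FIFO) drawdown and the reconciliation gap it creates.

Amounts, activity ids and field names are constructed for illustration;
this is not IDIS Online, LOCCS or PAS code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Grant:
    fund_type: str
    appropriation_year: int
    available: int  # whole dollars still undisbursed


@dataclass(frozen=True)
class Drawdown:
    activity_id: str
    fund_type: str
    grantee_year: int  # funding year the grantee entered for the activity
    amount: int


@dataclass(frozen=True)
class Disbursement:
    activity_id: str
    charged_year: int  # appropriation year actually charged
    amount: int
    grantee_year: Optional[int]  # None models an interface that drops the field


def fifo_disburse(grants, req, carry_grantee_year):
    """Charge a drawdown to the oldest grants of its fund type that still hold funds."""
    if req.amount <= 0:
        raise ValueError("drawdown amount must be positive")
    pool = sorted((g for g in grants
                   if g.fund_type == req.fund_type and g.available > 0),
                  key=lambda g: g.appropriation_year)
    if sum(g.available for g in pool) < req.amount:
        raise ValueError(f"insufficient {req.fund_type} funds for {req.activity_id}")
    remaining, records = req.amount, []
    for g in pool:
        take = min(g.available, remaining)
        g.available -= take
        remaining -= take
        records.append(Disbursement(req.activity_id, g.appropriation_year, take,
                                    req.grantee_year if carry_grantee_year else None))
        if remaining == 0:
            break
    return records


def reconcile_by_year(requests, disbursements):
    """Return {year: (grantee_reported, charged)} for every year whose totals differ."""
    reported, charged = defaultdict(int), defaultdict(int)
    for r in requests:
        reported[r.grantee_year] += r.amount
    for d in disbursements:
        charged[d.charged_year] += d.amount
    years = sorted(set(reported) | set(charged))
    return {y: (reported[y], charged[y]) for y in years if reported[y] != charged[y]}


def funding_year_shifts(disbursements):
    """List disbursements charged to a year other than the one the grantee entered."""
    if any(d.grantee_year is None for d in disbursements):
        raise ValueError("interface records carry no grantee funding year; "
                         "transaction-level tracing is not possible")
    return [d for d in disbursements if d.charged_year != d.grantee_year]


def sample_grants():
    # Constructed balances for one hypothetical fund type.
    return [Grant("FT-A", 2007, 100_000),
            Grant("FT-A", 2008, 250_000),
            Grant("FT-A", 2009, 300_000)]


# Constructed drawdown requests; grantee_year is what the grantee recorded.
SAMPLE_REQUESTS = [
    Drawdown("A-101", "FT-A", 2009, 80_000),
    Drawdown("A-102", "FT-A", 2008, 60_000),
    Drawdown("A-103", "FT-A", 2009, 50_000),
]


def process(requests, carry_grantee_year):
    """Run all requests against a fresh copy of the sample grants."""
    grants = sample_grants()
    records = []
    for req in requests:
        records.extend(fifo_disburse(grants, req, carry_grantee_year))
    return records


if __name__ == "__main__":
    dropped = process(SAMPLE_REQUESTS, carry_grantee_year=False)
    print("per-year mismatches:", reconcile_by_year(SAMPLE_REQUESTS, dropped))
    carried = process(SAMPLE_REQUESTS, carry_grantee_year=True)
    for d in funding_year_shifts(carried):
        print(f"{d.activity_id}: entered {d.grantee_year}, charged {d.charged_year}, ${d.amount:,}")
```

Grand totals still agree in both runs, which is why the gap only shows up when the comparison is made per appropriation year or per transaction.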



HUD Required To Implement a
Compliant Financial Management
System


           The Federal Financial Management Improvement Act of 1996 (FFMIA) requires,
           among other things, that HUD implement and maintain financial management
           systems that substantially comply with Federal financial management system
           requirements. The financial management system requirements also include
           implementing information system security controls. These requirements are
           detailed in the Federal Financial Management System Requirements series issued
           by the Joint Financial Management Improvement Program/Financial System
           Integration Office (JFMIP/FISO). The requirements are also included in OMB
           Circular A-127, “Financial Management Systems.” Circular A-127 defines a
           single integrated financial management system as a unified set of financial
           systems and the financial portions of mixed systems (e.g., acquisition)
           encompassing the software, hardware, personnel, processes (manual and
           automated), procedures, controls, and data necessary to carry out financial
           management functions, manage the financial operations of the agency, and report
           on the agency’s financial status.

           As in previous audits of HUD’s financial statements, in fiscal year 2009, there
           continued to be instances of noncompliance with Federal financial management
           system requirements. These instances of noncompliance have given rise to
           significant management challenges that have (1) impaired management’s ability
           to prepare financial statements and other financial information without extensive
           compensating procedures, (2) resulted in the lack of reliable, comprehensive
           managerial cost information on its activities and outputs, and (3) limited the
           availability of information to assist management in effectively managing
           operations on an ongoing basis.


HUD’s Financial Systems Not
Adequate


           As reported in prior years, HUD does not have financial management systems that
           enable it to generate and report the information needed to both prepare financial
           statements and manage operations on an ongoing basis accurately and in a timely
           manner. To prepare consolidated department-wide financial statements, HUD
           required the Federal Housing Administration (FHA) and the Government
           National Mortgage Association (Ginnie Mae) to submit financial statement
           information on spreadsheet templates, which were loaded into a software
           application. In addition, all consolidating notes and supporting schedules had to
           be manually posted, verified, reconciled, and traced. To overcome these systemic
           deficiencies with respect to preparation of its annual financial statements, HUD
           was compelled to rely on extensive compensating procedures that were costly,
           labor intensive, and not always efficient.

           Due to a lengthy HUD Integrated Financial Management Improvement Project
           (HIFMIP) procurement process and lack of funding for other financial application
           initiatives, there were no significant changes made in fiscal year 2009 to HUD’s
           financial management processes. As a result, the underlying system limitations
           identified in past years remained. Because of their functional limitations, the
           three applications (HUD’s Central Accounting and Program System (HUDCAPS),
           LOCCS, and PAS) performing the core financial system function for HUD are
           dependent on its data mart and reporting tool to complete the accumulation and
           summarization of data needed for U.S. Department of the Treasury and OMB
           reporting.




HUD’s Financial Systems
Lacking Managerial Cost Data



          In fiscal year 2006, the Government Accountability Office (GAO) reported in
          GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial
          systems did not have the functionality to provide managerial cost accounting
          across its programs and activities. This lack of functionality has resulted in the
          lack of reliable and comprehensive managerial cost information on its activities
          and outputs. HUD lacks an effective cost accounting system that is capable of
          tracking and reporting costs of HUD’s programs in a timely manner to assist in
          managing its daily operations. This condition renders HUD unable to produce
          reliable cost-based performance information.

          HUD officials have indicated that various cost allocation studies and resource
          management analyses are required to determine the cost of various activities
          needed for mandatory financial reporting. However, this information is widely
          distributed among a variety of information systems, which are not linked and,
          therefore, cannot share data. This situation makes the accumulation of cost
          information time consuming, labor intensive, and untimely and ultimately makes
          that cost information not readily available. Budget, cost management, and
          performance measurement data are not integrated because HUD

            • Did not interface its budget formulation system with its core financial system;

            • Lacks the data and system feeds to automate a process to accumulate, allocate,
              and report costs of activities on a regular basis for financial reporting needs, as
              well as internal use in managing programs and activities;

            • Does not have the capability to derive current full cost for use in the daily
              management of HUD operations; and

            • Requires an ongoing extensive quality initiative to ensure the accuracy of the
              cost aspects of its performance measures as they are derived from sources
              outside the core financial system.

          While HUD has modified its resource management application to enhance its cost
          and performance reporting for program offices and activities, the application does
          not use core financial system processed data as a source. Instead, HUD uses a
          variety of applications, studies, and models to estimate the cost of its program
          management activities. One of these applications, Total Estimation and
          Allocation Mechanism/Resource Estimation and Allocation Process
          (TEAM/REAP), was designed for use in budget formulation and execution,
          strategic planning, organizational and management analyses, and ongoing
          management of staff resources. It was enhanced to include an allocation module
          that added the capability to tie staff distribution to strategic objectives, the
          President’s Management Agenda, and HUD program offices’ management plans.


            Additionally, HUD has developed time codes and an associated activity for nearly
            all HUD program offices to allow automated cost allocation to the program office
            activity level. HUD has indicated that the labor costs that will be allocated to
            these activities will be obtained from the HUD payroll service provider.
            However, because the cost information does not pass through the general ledger,
            current Federal financial management requirements are not met.



Financial Systems Not Providing for
Effective and Efficient Financial
Management


            During fiscal year 2009, HUD’s financial information systems did not allow it to
            achieve its financial management goals in an effective and efficient manner in
            accordance with current Federal requirements. To perform core financial system
            functions, HUD depends on three major applications, in addition to a data
            warehouse and a report-writing tool. Two of the three applications that perform
            core financial system functions require significant management oversight and
            manual reconciliations to ensure accurate and complete information. HUD’s use
            of multiple applications to perform core financial system functions further
            complicates financial management and increases the cost and time expended.
            Extensive effort is required to manage and coordinate the processing of
            transactions to ensure the completeness and reliability of information.

            Additionally, the interface between the core financial system and HUD’s
            procurement system does not provide the required financial information. The
            procurement system interface with HUDCAPS does not contain data elements to
            support the payment and closeout processes. Also, the procurement system does
            not interface with LOCCS and PAS. Therefore, the processes of fund
            certification, obligation, deobligation, payment, and closeout of transactions that
            are paid out of the LOCCS system are all completed separately, within either PAS
            or LOCCS. This lack of compliance with Federal requirements impairs HUD’s
            ability to effectively monitor and manage its procurement actions.



HUD Planning To Implement a
Department-wide Core Financial System


            HUD plans to implement a commercial Federal certified core financial system
            and integrate the current core financial system into one department-wide core
            financial system. HUD is initiating business process reengineering work to
            ensure a smooth transition to a single integrated core financial system. FHA and
            Ginnie Mae have already implemented a compatible and compliant system to
               support the transition to the enterprise core financial system. HUD plans to select
               a qualified shared service provider to host the enterprise system and integrate the
               three financial systems (HUD, FHA, and Ginnie Mae) into a single system by
               fiscal year 2015. Achieving integrated financial management for HUD will result
               in a reduction in the total number of systems maintained, provide online, real-time
               information for management decision making, enable HUD to participate in E-
               Government initiatives, and align with HUD’s IT modernization goals.

               However, HIFMIP, launched in fiscal year 2003, has been plagued by delays, and
               implementation of the core financial system has not yet begun. HIFMIP was
               intended to modernize HUD’s financial management systems in accordance with
               a vision consistent with administration priorities, legislation, OMB directives,
               modern business practices, customer service, and technology. HIFMIP will
               encompass all of HUD’s financial systems, including those supporting FHA and
               Ginnie Mae. HUD had intended to begin the implementation in fiscal year 2006.
               Due to delays with the procurement process, however, HUD anticipates that it
               will not be able to begin the implementation of its core financial system until
               fiscal year 2010. Until its core financial system is implemented, we believe that
               the following weaknesses with HUD’s financial management systems will
               continue:

                 • HUD’s preparation of financial statements and other financial information
                   requires extensive compensating procedures.

                 • HUD has limited availability of information to assist management in
                   effectively managing operations on an ongoing basis.




Significant Deficiency: Controls Over HUD’s Computing Environment Can
Be Further Strengthened

HUD’s computing environment, data centers, networks, and servers provide critical support to
all facets of its programs, mortgage insurance, financial management, and administrative
operations. In prior years, we reported on various weaknesses with general system controls and
controls over certain applications, as well as weak security management. These deficiencies
increase risks associated with safeguarding funds, property, and assets from waste, loss,
unauthorized use, or misappropriation.

We evaluated selected information systems general controls of HUD’s computer systems on
which HUD’s financial systems reside. Our review found information systems control
weaknesses that could negatively affect HUD’s ability to accomplish its assigned mission,
protect its data and IT assets, fulfill its legal responsibilities, and maintain its day-to-day
functions. Presented below is a summary of the control weaknesses found during the review.




                                      Security Management Program

HUD has made significant progress with implementing security management as it relates to the
Federal Information Security Management Act of 2002 (FISMA). For instance, HUD developed
guidance for its Blackberry users, conducted regular meetings with information systems security
officers to discuss current issues and trends, and improved its process for monitoring and
correcting information security weaknesses by more effectively using the plans of action and
milestones. However, additional progress is needed. Specifically, in fiscal year 2009, we found
that

       • HUD did not properly categorize those systems containing personally identifiable
         information (PII). HUD’s inventory of automated systems was not current and did not
         contain all systems with PII.

       • HUD did not properly report 5 of 34 category I⁴ security incidents to the proper
         authorities within the mandated timeframes.


                           Security Controls Over HUD’s Web Applications

We audited security controls over HUD’s Web applications⁵ and identified weaknesses in the
areas of security configurations and technical controls. For instance, HUD did not ensure that
access controls followed the principle of least privilege for Web application configurations.
Weak Web application security configurations can disclose potentially sensitive or confidential
information, as well as other useful information, that may enable a malicious user to devise
effective and efficient exploits of the application and the resources it accesses.

HUD did not adequately implement controls to ensure confidentiality and privacy for Web
applications. These weaknesses were not exploitable vulnerabilities, but they were a violation of
security policy because the configurations potentially allowed access to data that are required to
be confidential by law. When weak privacy controls exist, they breach confidentiality
requirements to protect sensitive information. An attacker can take advantage of these
vulnerabilities to discover and access sensitive and confidential data. Further, HUD did not
adequately review Web applications for vulnerabilities and patch them. Exploiting
vulnerabilities can breach confidentiality requirements to reveal sensitive information.




⁴ In this category, an individual gains logical or physical access without permission to a Federal agency network,
system, application, data, or other resource.
⁵ Audit Report No. 2009-DP-0006, Review of HUD's Web Application Systems, issued September 29, 2009.


                               Disaster Recovery Grant Reporting System

We audited selected controls within the Disaster Recovery Grant Reporting System (DRGR)⁶
related to Neighborhood Stabilization Program (NSP) funding. We found that (1) access control
policies and procedures for DRGR violate HUD policy, (2) the system authorization to operate is
outdated and based upon inaccurate and untested documentation, (3) CPD did not adequately
separate the DRGR system and security administration functions, and (4) CPD has not
sufficiently tested interface transactions between DRGR and LOCCS. As a result, CPD cannot
ensure that only authorized users have access to the application, user access is limited to only the
data that are necessary for them to complete their jobs, and users who no longer require access to
the data in the system have had their access removed. Further, the failure to sufficiently test
interface transactions between DRGR and LOCCS leaves HUD with limited assurance that the
$5.9 billion in NSP funding was accurately processed.


                         Recovery Act Management and Reporting System

Our review of HUD’s management procedures, practices, and controls related to the Recovery
Act Management and Reporting System (RAMPS)7 found that while HUD has taken actions to
comply with the reporting requirements under the Recovery Act, it did not fully comply with the
reporting requirements to ensure that the recipients’ use of all recovery funds is transparent to the
public and that the public benefits of these funds are reported clearly, accurately, and in a timely
manner.

We reviewed the April 30 and July 15, 2009, National Environmental Policy Act (NEPA) reports
and found that HUD program offices did not have existing systems to collect the NEPA data,
were not able to use the newly developed RAMPS system, or were not provided training on how
to use the system. As a result, HUD was not able to provide the NEPA status to the public in an
accurate and timely manner for more than $2.9 billion in obligated funds. Additionally, HUD
did not complete required security and privacy documents before or during the early phase of
system development. HUD did not follow Federal and HUD security policies for implementing
these security requirements for RAMPS. As a result, HUD officials could not ensure that all
security controls were in place, implemented correctly, and operating as intended.


                              Security Controls Over HUD’s Databases

During fiscal year 2008, we evaluated security controls over HUD’s databases.8 We identified
security configuration and technical control deficiencies within HUD’s database security controls
in the areas of (1) passwords, (2) system patches, and (3) system configuration. We followed up
on the status of these weaknesses during fiscal year 2009 and determined that technical control
deficiencies relating to database passwords and database patches have been reviewed and
corrected as the Office of the Chief Information Officer (OCIO) deemed appropriate. OCIO has
not yet implemented secure configuration baselines for databases and the reviews for monitoring
those configurations. This corrective action is not scheduled to be completed until December 31,
2010.

6 Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting
System, issued September 30, 2009.
7 Audit Report No. 2009-DP-0008, Audit Report on the Review of Recovery Act Management and Reporting
System (RAMPS), issued September 30, 2009
8 Audit Report No. 2008-DP-0007, Evaluation of HUD’s Security Controls over Databases, issued September 11,
2008


                                       HUD’s Procurement System

We audited HUD’s procurement systems in fiscal year 2006.9 Through actions taken during
fiscal years 2007, 2008, and 2009, the Office of the Chief Procurement Officer (OCPO) has
made progress toward resolving the issues identified during the audit. However, two significant
recommendations made in the audit report remain open, and the procurement systems continue to
be noncompliant with Federal financial management requirements. OCPO has yet to complete
the corrective actions for the known open information security vulnerabilities. In addition,
OCPO has not yet implemented functionality to ensure that there is sufficient information within
HUD’s current procurement systems to support the primary acquisition functions of fund
certification, obligation, deobligation, payment, and closeout. OCPO plans to replace the current
acquisition systems and during fiscal year 2009, obtained $3.7 million in funding to purchase a
commercial off-the-shelf application. The acquisition of the new application is anticipated to be
complete by June 30, 2010. However, full funding to complete the project has not been
obtained; therefore, it is unclear when the new application will be fully implemented.


                                         HUD’s Financial Systems

As part of our review of HUD’s information systems controls, we evaluated information security
controls over the Nortridge Loan System (NLS), HUDCAPS, and Hyperion. We identified
control weaknesses that could negatively affect the integrity, confidentiality, and availability of
computerized financial data within two of HUD’s financial systems—NLS and HUDCAPS. We
also followed up on previously identified control weaknesses within LOCCS.


                            Loan Accounting System/Nortridge Loan System

HUD’s Loan Accounting System utilizes an off-the-shelf program entitled the Nortridge Loan
System (NLS). HUD utilizes this application to maintain loan portfolio information for the
Section 202 Housing for the Elderly and Handicapped Loan Program and the Flexible Subsidy
Program. During fiscal year 2009, we reviewed access controls for this application and found
that controls needed to be strengthened. We determined that controls over the NLS user
recertification process were not effective to ensure that all users with access to the production
data were properly recertified. In addition, HUD did not appropriately separate the functions of
system administration and system security within NLS. By not ensuring that the access levels of
all NLS users were reviewed, HUD was unable to ensure that users only had access to the data
that were necessary for them to complete their jobs, that only authorized users had access to the
system, and that users who no longer required access to the data in the system had their access
removed. Inadequately segregated duties increase the risk that erroneous or fraudulent
transactions could be processed, that improper program changes could be implemented, and that
computer resources could be damaged or destroyed. OCFO provided documentation to support
completion of planned corrective actions. We are reviewing this documentation.

9 Audit Report No. 2007-DP-0003, Review of HUD’s Procurement Systems, issued January 25, 2007


                                            HUDCAPS

HUDCAPS is part of HUD’s core financial system. It captures, reports, controls, and
summarizes the results of the accounting processes including budget execution and funds
control, accounts receivable and collections, accounts payable, and general ledger. In our fiscal
year 2007 audit, we found that OCFO granted two contracted developers above-read access to
the HUDCAPS production data stored within the mainframe environment without documenting
either their acceptance of the risks associated with or the justification for this access level. The
documentation to support this access was not maintained by the system owner, and acceptance of
the risks associated with this access level was not documented in the system security plan.
Additionally, neither of the two developers received the required level of background
investigation. One developer received only a minimum background investigation. The other
developer was not investigated at all. OCFO has completed actions to address these issues.

During audit work completed in fiscal year 2009, however, we found that HUD did not take
steps to ensure that IT contractors were properly rescreened to ensure their continued eligibility
to access sensitive systems and application data in accordance with HUD guidelines.
Specifically, HUD did not initiate updated background investigations for contractor personnel
with access to HUDCAPS every five years as required by HUD policy. As of December 2008,
OCFO had not initiated updated background investigations for 10 of the 20 contractors with
above-read access to the HUDCAPS application. The background of one contractor employee
had not been reassessed since 1975. Background investigations ensure, to the extent possible,
that employees are suitable to perform their duties. By not performing required background
screenings, HUD increased its risk that unsuitable individuals would have access to sensitive
systems and data.


                                             LOCCS

During our fiscal year 2007 audit, we found that the controls over the LOCCS user recertification
process were not effective to verify the access of all users. Systemic deficiencies led to the
omission of more than 10,000 users from the LOCCS recertification process. An additional 199
users had last recertification dates within the application before March 31, 2006, indicating that
they also were not included in the fiscal year 2007 recertification process. During fiscal year
2008, OCFO made improvements to this process by generating a report from the system that
allowed it to identify users that only had approving authority within the application for the user
recertification process. During fiscal year 2009, OCFO made additional adjustments to the
report it created. Our review of the data from both 2008 and 2009 again identified LOCCS users
that were not recertified by the system. As a result, we concluded that further improvements are
necessary to ensure that all users of LOCCS are recertified in accordance with HUD policy and
that the corrective action taken in response to our 2007 finding did not fully address the problem.




                              IBM Mainframe z/OS Operating System

In fiscal year 2008, we found that HUD had not ensured that (1) the account and sensitive access
privileges of a departed user were removed from the IBM mainframe and (2) libraries and data
files within the IBM mainframe environment were adequately secured. These weaknesses could
lead to unauthorized individuals using system software to circumvent security controls to read,
modify, or delete critical or sensitive information and programs.

During our fiscal year 2009 review, we determined that HUD had removed the account and
sensitive access privileges of a departed user from the IBM mainframe. However, HUD had not
completed the task of securing libraries and data files within the IBM mainframe environment.

                                Software Configuration Management

We previously reported that the configuration management10 plan for Institution Master File
(IMF) contained outdated information. We also reported that HUD did not ensure that its IT
support contractor provided the proper version of a configuration management tool used by five
of its applications. Without updated configuration management documentation, HUD risks that
outdated policies and plans may not address current risk and, therefore, be ineffective.

HUD has not yet fully resolved the issue of the outdated version of the configuration
management tool. HUD has made progress in updating the configuration management plan for
IMF. However, configuration management plans for several FHA applications identified in our
fiscal year 2007 review still have not been updated to include reported issues such as incomplete
or outdated information.

As part of our fiscal year 2009 audit, we reviewed the configuration management plan for the
Integrated Disbursement and Information System OnLine (IDIS OnLine). This configuration
management plan also lacked information and contained outdated information. Details of this
finding will be included in our report for our fiscal year 2009 review of information systems
controls in support of the financial statements audit to be issued during 2010.


                                          Contingency Planning

Since 2006, we have reported that HUD’s disaster recovery plan contained outdated information.
We recommended that HUD regularly review its disaster recovery plan to ensure that the
document reflects current conditions. HUD explained that a contract modification was required
to update the listing of critical applications and planned to accomplish this modification by
December 31, 2007. During our fiscal year 2009 review, we found that HUD had updated
listings for the recovery team and critical applications. However, the disaster recovery plan still
contained conflicting information. Additionally, we found that disaster recovery exercises did
not fully test system functionality because critical applications were not verified through
transaction and batch processing and the exercises did not include recovery of all applications
that interface with the critical systems. By not having current information in the disaster
recovery plan and fully testing system functionality during disaster recovery exercises, HUD
cannot ensure that its systems and applications will function as intended in an actual emergency.

10 Configuration management is the control and documentation of changes made to a system’s hardware, software,
and documentation throughout the development and operational life of the system.

In 2008, we reported that contingency planning at third-party business sites was inadequate.
Staffs were unfamiliar with or had limited knowledge of contingency planning requirements, and
documentation was not readily available for use in case of emergency. We determined that HUD
had not specified contingency planning, continuity of operations, or disaster recovery
requirements in its agreements with third-party business partners. Such information is usually
included in the terms and conditions of a contract or service-level agreement with the external
business partner. Consequently, third-party business partners developed limited contingency
planning policies that did not meet HUD or National Institute of Standards and Technology
(NIST) requirements. Management generally agreed that corrective action was needed, but had
not yet taken action on any of OIG’s recommendations.

                                             Physical Security

This year, we performed on-site reviews of physical security controls in place at the network
operations center and the data center, both maintained by HUD’s two IT infrastructure
contractors. We concluded that physical security and environment controls at these facilities
were generally in place. We did not identify any significant control weaknesses.

During fiscal year 2008, we evaluated how HUD’s third-party business partners11 compensate
for the lack of physical security controls when information is removed from, maintained, or
accessed from outside the agency location. We reported that physical security at the third-party
business sites we visited was inadequate and weaknesses existed at those sites. We found
instances in which servers were located in common areas (i.e., lunch rooms, halls), case binders
with PII were left unattended, no guard or receptionist was at the entrance, access doors were
unlocked, and encryption of data residing on laptops or portable devices was not a requirement.
HUD had not specified the level of security controls and included it in the terms and conditions
of the contract or service-level agreement with the external business partner. As a result, third-
party business partners have developed various IT security controls and policies that do not meet
HUD or Federal requirements and, therefore, cannot be relied upon to provide adequate
protection of HUD’s sensitive data. Management generally agreed that corrective action was
needed but had not taken action on any of OIG’s recommendations.




11 Third-party business partners are external business partners who contract to do business with HUD such as
housing authorities and mortgage lenders who use the PIH Inventory Management System (PIH-IMS), Tenant
Rental Assistance Certification System (TRACS), and Computerized Homes Underwriting Management System
(CHUMS).



Significant Deficiency: Weak Personnel Security Practices Continue To Pose
Risks of Unauthorized Access to HUD’s Critical Financial Systems
For several years, we have reported that HUD’s personnel security practices regarding access to
its systems and applications were inadequate. Deficiencies in HUD’s IT personnel security
program were found, and recommendations were made to correct the problems. However, the
risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up
on previously reported IT personnel security weaknesses and deficiencies and found that
deficiencies still existed. Specifically,

*      Since 2004, we have reported that HUD did not have a complete list of all users with
       above-read access at the application level. Those users with above-read access to
       sensitive application systems are required to have a background investigation. Our
       review this year found that HUD still did not have a central repository that lists all users
       with access to HUD’s general support and application systems. Consequently, in fiscal
       year 2009, HUD still had no central listing for reconciling that all users who have access
       to HUD’s critical and sensitive systems have had the appropriate background
       investigation.

       While HUD’s implementation in 2007 of the Centralized HUD Account Management
       Process (CHAMP) was a step toward improving its user account management practices,
       CHAMP remains incomplete and does not fully address OIG’s concerns. Specifically,
       we noted that

           o CHAMP does not contain complete and accurate data. OCIO did not
             electronically migrate data from the HUD Online User Registration System
             (HOURS) into CHAMP. Instead, it chose to enter the legacy data manually.
             However, this process had not been completed. In a July 2008 audit report, we
             recommended that all offices within HUD provide the historical information
             necessary to populate CHAMP. OCIO agreed with our recommendation, and
             corrective action is scheduled for completion in December 2009.

           o CHAMP does not contain a mechanism to escalate or reassign tasks that have not
             been completed within a specified timeframe. In a July 2008 audit report, we
             recommended that OCIO develop and implement such a mechanism. OCIO
             agreed with the recommendation, and corrective action is scheduled for
             completion in December 2009.

           o HUD did not conduct a security categorization and a risk assessment for CHAMP
             as required by Federal Information Processing Standards (FIPS) Publications
             (PUB) 199 and 200. HUD’s OCIO chose not to conduct a security categorization
             and risk assessment for CHAMP because it believed that these items were not
             required for CHAMP, which is listed as a process rather than a system. HUD also
             believed that since CHAMP was exclusively owned by its IT contractor, it was
             not subject to the requirements of a security categorization and a risk assessment.
             Without a security categorization and risk assessment of CHAMP, HUD cannot
             know the full extent of risks that the CHAMP process is vulnerable to or whether
             adequate levels of security controls have been put into place to protect data and
             applications impacted by CHAMP. OIG recommended that OCIO conduct a
             security categorization and a risk assessment for CHAMP. OCIO agreed with this
             recommendation; however, corrective action had not been taken.

*   Reconciliations to identify users with above-read (query) access to HUD mission-critical
    (sensitive) applications but without appropriate background checks were not routinely
    conducted. Officials from the Office of Security and Emergency Planning (OSEP) and
    OCIO asserted that with the implementation of CHAMP and the new security manager
    computer system, it would be impossible for an employee or contractor to obtain access
    to any of HUD’s systems without the appropriate background investigation. Thus, the
    reconciliation was no longer needed.

    Contrary to OSEP and OCIO’s assertions, a reconciliation performed by OSEP for
    second quarter 2009 identified 27 persons with the incorrect level of background
    investigation, including three persons with no record of a background investigation
    having been performed. In addition, although the HUD Personnel Security/Suitability
    Handbook contains policies to suspend, deny, and terminate access of users who do not
    meet its standards, we found no evidence that HUD OCIO had taken actions regarding
    users without appropriate background investigations having access to HUD’s sensitive
    systems. As a result, HUD cannot ensure that its critical and sensitive information can be
    protected from unauthorized access, loss, misuse, modification, or improper disclosure.

    We remain concerned because the reconciliation included users of only one of HUD’s
    mission-critical systems. We previously reported that users of HUD’s general support
    systems on which these mission-critical applications reside were not included in the
    reconciliations because they were not classified as mission critical. Having access to
    general support systems typically includes access to system tools, which provide the
    means to modify data and network configurations. We identified IT personnel, such as
    database administrators and network engineers, who had access to these types of system
    tools but did not have appropriate background checks. These persons were not identified
    as part of the CHAMP reconciliation process.




                Compliance With Laws and Regulations

HUD Did Not Substantially Comply With the Federal Financial Management
Improvement Act
FFMIA requires auditors to report whether the agency’s financial management systems
substantially comply with the Federal financial management systems requirements and
applicable accounting standards and support the U.S. Standard General Ledger (SGL) at the
transaction level. We found that HUD was not in substantial compliance with FFMIA because
HUD’s financial management system did not substantially comply with Federal financial
management system requirements.

During fiscal year 2009, HUD made limited progress as it attempted to address its financial
management deficiencies to bring the agency’s financial management systems into compliance
with FFMIA. Deficiencies remained as HUD’s financial management systems continued to not
meet current requirements and were not operated in an integrated fashion and linked
electronically to efficiently and effectively provide agency-wide financial system support
necessary to carry out the agency’s mission and support the agency’s financial management
needs.

HUD is required by OMB Circular A-127 to perform reviews of all HUD financial management
systems within a three year cycle. For the current three fiscal year cycle, fiscal year 2007 to
2009, HUD only completed 7 of 40 required financial management system reviews.

 Federal Financial Management System
 Requirements

              In its Fiscal Year 2009 Performance and Accountability Report, HUD reported
              that 2 of its 40 financial management systems did not comply with the
              requirements of FFMIA and OMB Circular A-127, Financial Management
              Systems. Although 38 individual systems had been certified as compliant with
              Federal financial management systems requirements, HUD had not adequately
              performed independent reviews of these systems as required by OMB Circular A-
              127. Collectively and in the aggregate, deficiencies continued to exist.

              We continue to report as a significant deficiency that HUD financial management
              systems need to comply with Federal financial management systems requirements.
              The significant deficiency addresses how HUD’s financial management systems
              remain substantially noncompliant with Federal financial management
              requirements.

              FHA’s auditor reports as significant deficiencies that (1) financial system capacity
              limitations could impact business processing, (2) effective FHA modernization is
              necessary to address systems risks, and (3) FHA should enhance the general
               ledger system user access management processes. These significant deficiencies
               address the challenges in FHA’s capacity to simultaneously address various
               system modernization initiatives and control deficiencies affecting the reliability
               and completeness of FHA’s financial information.

               We also continue to report as significant deficiencies that (1) controls over
               HUD’s computing environment can be further strengthened and (2) weak
               personnel security practices continue to pose risks of unauthorized access to the
               Department’s critical financial systems. These significant deficiencies discuss
               how weaknesses with general controls and certain application controls and weak
               security management increase risks associated with safeguarding funds, property,
               and assets from waste, loss, unauthorized use, or misappropriation.

               In addition, OIG audit reports have disclosed that security of financial information
               was not provided in accordance with OMB Circular A-130, Management of
               Federal Information Resources, appendix III, and FISMA.

We have included the specific nature of noncompliance issues, responsible program offices, and
recommended remedial actions in appendix C of this report.




HUD Did Not Substantially Comply With the Antideficiency Act

Although HUD’s OCFO has improved its process for conducting, completing, reporting, and
closing the investigation of potential Antideficiency Act (ADA) violations in a timely manner,
continued improvement is still needed. Our review determined that there were six ADA
violations that had not been reported immediately to the President through OMB, Congress, or
GAO, as required by 31 U.S.C. (United States Code) 1351.1517(b) (Antideficiency Act). In
addition, one potential ADA violation has been under review for two years without a final
determination as to whether or not a violation had occurred.

OCFO is responsible for investigating and reporting on violations of the ADA. Last year’s audit
concluded that OCFO was not conducting, completing, reporting, and closing the investigation
of potential ADA violations in a timely manner. As of the end of the fiscal year 2008 audit, six
cases were determined by OCFO investigators to be ADA violations that warranted reporting,
but the six violations had not been reported as required. Follow-up on these six cases during our
current audit showed that four of the six ADA violations were reported to the President,
Congress, and GAO on December 31, 2008. The remaining two ADA violations remained
unreported. These two cases had been under investigation for four years and in report stage for
one year. There are an additional four cases, which were determined by OCFO investigators to
be ADA violations in 2009, which had not been reported as of the end of the 2009 audit. Three
of these cases have been under investigation since 2006 and one since 2008.

OCFO has made progress in closing out its case backlog. As of the end of fiscal year 2009,
OCFO had closed 13 cases determined not to be ADA violations. However, our 2009 audit
found that one investigation had not been conducted or closed in a timely manner. This case has
been under investigation since 2007 as OCFO continues to collect additional financial data for
review and analysis. To date, the investigator has not made a final determination as to whether
or not it is an ADA violation. In addition, there have been three new ADA cases, which opened
in January and June 2009, that were still in the preliminary data collection stage of the
investigation, as of September 30, 2009.




Appendix A
                       Objectives, Scope, and Methodology

Management is responsible for

*      Preparing the principal financial statements in conformity with generally accepted
       accounting principles;
*      Establishing, maintaining, and evaluating internal controls and systems to provide
       reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity
       Act are met; and
*      Complying with applicable laws and regulations.

In auditing HUD’s principal financial statements, we were required by Government Auditing
Standards to obtain reasonable assurance about whether HUD’s principal financial statements are
free of material misstatements and presented fairly in accordance with generally accepted
accounting principles. We believe that our audit provides a reasonable basis for our opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls
over financial reporting by obtaining an understanding of the design of HUD’s internal controls,
determined whether these internal controls had been placed into operation, assessed control risk,
and performed tests of controls to determine our auditing procedures for the purpose of
expressing our opinion on the principal financial statements. We are not providing assurance on
the internal control over financial reporting. Consequently, we do not provide an opinion on
internal controls. We also tested compliance with selected provisions of applicable laws,
regulations, and government policies that may materially affect the consolidated principal
financial statements. Providing an opinion on compliance with selected provisions of laws,
regulations, and government policies was not an objective, and, accordingly, we do not express
such an opinion.

We considered HUD’s internal control over required supplementary stewardship information
reported in HUD’s Fiscal Year 2009 Performance and Accountability Report by obtaining an
understanding of the design of HUD’s internal controls, determined whether these internal
controls had been placed into operation, assessed control risk, and performed limited testing
procedures as required by AU Section 558, Required Supplementary Information. The tests
performed were not to provide assurance on these internal controls, and, accordingly, we do not
provide assurance on such controls.

With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2009 Performance and
Accountability Report, we obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions as described in Section 230.5 of
OMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed
limited testing procedures as required by AU Section 558, Required Supplementary Information,
and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended.
Our procedures were not designed to provide assurance on internal control over reported
performance measures, and, accordingly, we do not provide an opinion on such controls.


To fulfill these responsibilities, we

*      Examined, on a test basis, evidence supporting the amounts and disclosures in the
       consolidated principal financial statements;
*      Assessed the accounting principles used and the significant estimates made by
       management;
*      Evaluated the overall presentation of the consolidated principal financial statements;
*      Obtained an understanding of internal controls over financial reporting, executing
       transactions in accordance with budget authority, compliance with laws and regulations,
       and safeguarding assets;
*      Tested and evaluated the design and operating effectiveness of relevant internal controls
       over significant cycles, classes of transactions, and account balances;
*      Tested HUD’s compliance with certain provisions of laws and regulations; government-
       wide policies, noncompliance with which could have a direct and material effect on the
       determination of financial statement amounts; and certain other laws and regulations
       specified in OMB Bulletin 07-04, as amended, including the requirements referred to in
       the Federal Managers’ Financial Integrity Act;
*      Considered compliance with the process required by the Federal Managers’ Financial
       Integrity Act for evaluating and reporting on internal control and accounting systems; and
*      Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by
the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those
controls that are material in relation to HUD’s financial statements. Because of inherent
limitations in any internal control structure, misstatements may nevertheless occur and not be
detected. We also caution that projection of any evaluation of the structure to future periods is
subject to the risk that procedures may become inadequate because of changes in conditions or
that the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the
American Institute of Certified Public Accountants, a significant deficiency is a deficiency, or a
combination of deficiencies, in internal control such that there is more than a reasonable
possibility that a misstatement of the entity’s financial statements will not be prevented or
detected. It is less severe than a material weakness, yet important enough to merit attention by
those charged with governance.

A material weakness is a significant deficiency, or combination of significant deficiencies, that
results in a reasonable possibility that a material misstatement of the financial statements will not
be prevented, or detected and corrected on a timely basis.

Our work was performed in accordance with generally accepted government auditing standards
and OMB Bulletin 07-04, as amended.




This report is intended solely for the use of HUD management, OMB, and the Congress.
However, this report is a matter of public record, and its distribution is not limited.




Appendix B
                                    Recommendations


To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System (ARCATS), this appendix lists the newly developed recommendations resulting from our
report on HUD’s fiscal year 2009 financial statements. Also listed are recommendations from
prior years’ reports that have not been fully implemented. This appendix does not include
recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under
separate financial statement audit reports of those entities.


                 Recommendations From the Current Report
With respect to the significant deficiency that the Office of Community Planning and
Development (CPD) needs to improve its oversight of grantees, we recommend that CPD

       1.a.   Follow existing policies and regulations to conduct an annual review of whether the
              States obligated and announced 100 percent of their grant award within 15 months
              of signing the grant agreement with HUD.

       1.b.   Follow existing policies and regulations that require follow-up and remedial action
              against States that are in noncompliance.

       1.c.   Ensure that the most complete and accurate data is used to conduct the review of
              the timeliness requirement for the State Community Development Block Grant
              (CDBG) program.

       1.d.   Consider modifying an existing system to create an automated process that will
              house all of the data needed to review the timeliness requirement for the State
              CDBG program to create a more effective and efficient process.

       1.e.   Determine whether the $24.7 million in unexpended funds for the HOME program
              from fiscal years 2001 and earlier that are not spent in a timely manner should be
              recaptured and reallocated in next year’s formula allocation.

       1.f.    Develop a policy for the HOME program that would track expenditure deadlines
              for funds reserved and committed to community housing development
              organizations and subgrantees separately.

       1.g.   Ensure that its field offices review the status of the identified contracts and
              recapture up to the $42 million identified in undisbursed obligations for expired
              contracts that were funded with grants during 1997-2001 for homeless assistance
              programs and consider the funds for inclusion in the fiscal year 2010 Continuum of
              Care competition.




       1.h.   Develop policy and procedures that ensure an annual review of the status of each of
              its homeless assistance contracts and recommend deobligations and recapture of
              excess funds when applicable.

       1.i.   Develop the management reports needed to effectively track its homeless
              assistance program contract expiration dates.

       1.j.   Require field offices to monitor participating jurisdictions to ensure that project
              completion information and beneficiary data are complete, accurate, and entered
              into HUD’s Integrated Disbursement and Information System (IDIS) monthly for
              the HOME program.

       1.k. Require participating jurisdictions for the HOME program to have quality control
            systems in place to ensure that the required project completion information and
            beneficiary data are complete, accurate, and entered into IDIS monthly.

       1.l.   Require field offices to follow up with participating jurisdictions on slow-moving
              projects to determine the reason for the delays in the HOME program.

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations, intermediaries’ performance, and Housing
Choice Voucher funds, we recommend that the Office of Public and Indian Housing, in
coordination with the Office of General Counsel,

       2.a.   Seek legislative authority to implement $317 million or the balance categorized as
              unusable as of December 2010 in offsets against public housing agencies’ (PHA)
              excess unusable funding held in the net restricted assets account.

       2.b. Seek legislative authority to retain such funding offsets as a resource to create
            reserves that will enable HUD to quickly reallocate resources where needed to
            supplement any future deficiencies and/or to provide funding required due to a late
            enactment of appropriation.

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations, intermediaries’ performance, and Housing
Choice Voucher funds, we recommend that the Office of Public and Indian Housing

       2.c. Develop a mechanism in the Voucher Management System that enables HUD to (1)
            track and compare what the PHAs spend and receive in administrative fee expenses
            and (2) capture transfers between housing assistance and the funds for
            administrative fees, resulting in better estimates of net restricted assets account
            calculated balances.

       2.d. Develop procedures to validate the net restricted assets account balances as part of
            its on-site monitoring review of PHAs and initiate reviews earlier in the year to
            ensure that excess funding in PHAs’ net restricted assets account is accurate before
            funding decisions are made.



With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer, in coordination with the
appropriate program offices,

       3.a. Deobligate the $8.8 million in administrative and program unliquidated obligations
            that were marked for deobligation.

       3.b. Promptly perform contract closeout reviews and recapture of invalid obligations.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer, in coordination with the
Office of Housing,

       3.c.   Deobligate $4.7 million in excess unexpended rental assistance and rent
              supplement funds identified by HUD’s fiscal year 2009 financial statement audit.

       3.d.   Fully implement quarterly scheduled recapture review and reconciliation
              procedures to ensure that excess undisbursed contract authority from rental
              assistance payments and rent supplement projects is recaptured in a timely manner.

       3.e.   Deobligate $23.4 million in excess unexpended Section 236 funds identified by
              HUD’s fiscal year 2009 financial statement audit.

       3.f.   Fully implement the revised quarterly contract reconciliation procedure to ensure
              that Section 236 obligations reported are valid and can be more accurately
              estimated and reported.

       3.g.   Review supporting contracts to support $75.3 million in undisbursed Section 8
              project-based contract/budget authority associated with 692 expired or inactive
              contracts that we identified during our review or recapture funds if they cannot be
              supported.

        3.h. Enter expiration dates and perform a detailed review of 562 Section 8 project-based
             contracts with no expiration dates reported in the Program Accounting System
             (PAS) to determine whether they are active contracts. Excess funds associated with
             contracts later determined to be expired should be recaptured. These funds could
             be put to better use to fund other projects that need funding.

       3.i.   Section 8 project-based contracts with 325 funding lines/increments, expiration
              dates before January 1, 2009, and totaling more than $70 million reported in PAS
              should be reviewed and adjusted accordingly in PAS. These funds, up to $70
              million, could be put to better use to fund other projects requiring funding.

       3.j.   Implement a long-term financial management strategy and improvement plan and
              address data and systems weaknesses to ensure that all Section 8 project-based
              contracts are considered in the recapture/shortfall budget process.




       3.k.   Research the expired Sections 202 and 811 contracts identified in our audit to
              determine whether these are active contracts and/or recapture up to $20.2 million
              associated with these expired contracts if they cannot be supported.

       3.l.   Allocate additional resources to Sections 202 and 811 programs and design and
              implement procedures to ensure that expiration dates are entered into the PAS
              subsidiary ledger.

       3.m. Enter expiration dates and perform a detailed review of approximately 3,500
            Sections 202 and 811 contracts with no expiration dates reported in PAS to
            determine whether they are active. Excess funds, associated with contracts
            reported in PAS with no expiration dates that are later determined to be expired,
            should be recaptured. These funds could be put to better use to fund other projects
            that needed funding.

With respect to the significant deficiency that HUD's Financial Management Systems Need to
Comply with Federal Financial Management System Requirements, we recommend that the
Office of Community Planning and Development:

       4.a.   Ensure that its programs are accounting for and reporting their financial and
              performance information in accordance with federal financial management system
              requirements.

With respect to HUD’s substantial noncompliance with the Antideficiency Act (ADA), we
recommend that the Chief Financial Officer, in coordination with the appropriate program
offices,

       5.a.   Complete the investigations and determine whether or not ADA violations have
              occurred, and if an ADA violation has occurred, immediately report to the
              President, Congress, and GAO.

       5.b.   Report the six ADA violations immediately to the President, Congress, and GAO,
              as required by 31 U.S.C and OMB Circular A-11, upon receiving OCFO legal staff
              concurrence with the investigation results.

       5.c.   Develop and establish timeframes for reporting ADA violations once it is
              determined a violation exists.




         Unimplemented Recommendations From Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’
reports on HUD’s financial statements that have not been fully implemented based on the status
reported in ARCATS. HUD should continue to track these under the prior years’ report numbers
in accordance with departmental procedures. Each of these open recommendations and its status
is shown below. Where appropriate, we have updated the prior recommendations to reflect
changes in emphasis resulting from recent work or management decisions.


OIG Report Number 2009-FO-0003 (Fiscal Year 2008 Financial Statements)

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that the Office of
Public and Indian Housing, in coordination with the Office of General Counsel,

       1.a. Seek legislative authority to eliminate or modify the leasing restrictions placed on
            the Housing Choice Voucher program (Final Action Target Date is December 31,
            2011; reported in ARCATS as recommendation 1B).

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that the Office of
Public and Indian Housing,

       1.b. Increase the monitoring efforts over the Net Restricted Asset Account held by
            PHAs (Final Action Target Date is December 31, 2011; reported in ARCATS as
            recommendation 1C).

With respect to HUD’s substantial noncompliance with the Federal Financial Management
Improvement Act, we recommend that the Chief Financial Officer,

       2.a. Develop a plan to comply with OMB A-127 review requirements, which results in
            the evaluation of all HUD financial management systems within a 3-year cycle
            (Final Action Target Date is November 30, 2009; reported in ARCATS as
            recommendation 3A).




Appendix C

Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions

This appendix provides details required under Federal Financial Management Improvement Act
(FFMIA) reporting requirements. To meet those requirements, we performed tests of
compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial
Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially
comply with the foregoing requirements. The details for our basis of reporting substantial
noncompliance, responsible parties, primary causes, and HUD’s intended remedial actions are
included in the following sections.

Federal Financial Management Systems Requirements
1. HUD’s annual assurance statement, issued pursuant to Section 4 of the Financial Manager’s
Integrity Act, will report two nonconforming systems.12

          The organizations responsible for systems that were found not to comply with the
          requirements of OMB Circular A-127 based on HUD’s assessments are as follows:


      Responsible office                               Number of systems     Nonconforming systems
      Office of Housing                                       18                        0
      Office of the Chief Financial Officer                   12                        0
      Office of Administration                                 2                        0
      Office of the Chief Procurement Officer                  2                        2
      Office of Community Planning and Development             3                        0
      Office of Public and Indian Housing                      2                        0
      Government National Mortgage Association                 1                        0
      Totals                                                  40                        2




The following section outlines HUD’s plan to correct noncompliance with OMB Circular A-127
as submitted to us as of September 30, 2009, and unedited by us.




12   The two nonconforming systems are A35-HUD Procurement System and P035-Small Purchase System.


2. Our audit disclosed significant deficiencies regarding the security over financial
information. Similar conditions have also been noted in other OIG audit reports. We are
including security issues as a basis for noncompliance with FFMIA because of the
collective effect of the issue and noncompliance with Circular A-130, appendix 3, and the
Federal Information Security Management Act (FISMA). The responsible office, nature of
the problem, and primary causes are summarized below:

Responsible office       Nature of the problem

Office of Housing and    Financial system capacity limitations could impact business processing.
OCIO
                         To address the degradation on processing performance and high workload
                         on business-critical housing systems, HUD increased capacity on the
                         Unisys host platform. In addition, HUD upgraded network circuits and
                         expanded Internet capacity critical to supporting FHA business activities.

                         HUD also planned to migrate several large applications from the Unisys
                         mainframe platform to an “open systems” platform in 2009; however, the
                         implementation did not occur as scheduled. Additional application and
                         processing changes (e.g., improved batch process scheduling and search
                         databases) were also implemented to optimize the use of the processing
                         resources.

                         Throughout 2009, FHA and HUD closely monitored system use levels and
                         increased data/processing capacity. HUD also recently contracted for the
                         delivery of a new, larger mainframe (scheduled for full implementation
                         November 30, 2009) to replace the existing IBM mainframe. FHA
                         believes system use is now within acceptable levels, and management
                         projects gradual declines in business volume for the next few years.

                         The Office of the Chief Information Officer (OCIO) developed an informal
                         written short-term capacity management plan at the end of fiscal year 2009
                         that identifies the actions that have been taken and future activities required.
                         However, because this growth in volume developed so quickly, the plan does
                         not document (1) use benchmarks and required responses and (2) clear
                         organizational and staff roles and responsibilities. Without a formalized plan,
                         FHA and OCIO may not be able to sufficiently address further capacity
                         issues effectively or in a timely manner, which may impact FHA’s ability to
                         process and record financial transactions reliably and in a timely manner.

These conditions occurred because of the increase in loan application and endorsement volume, and
the Unisys mainframe began to approach its operating capacity in the fall of 2008.

Office of Housing and Effective FHA modernization is necessary to address systems risks.
OCIO
                      In 2009, HUD commissioned a study to develop an IT strategy and
                      improvement plan, which would identify strategic IT solutions to meet the
                      agency’s long-term programmatic objectives. This study served as a
                      comprehensive IT systems risk assessment for FHA and thoroughly
                      illustrates the many inefficiencies and limitations of the current system
                      architecture. It examined operations at other Federal agencies and several
                      mortgage, banking, and mortgage insurance operations. The study
                          recommended 33 technology and architecture approaches and 25 specific
                          initiatives, including replacement of several of FHA’s largest and most
                          critical business systems. Critical objectives of the initiatives were to
                          *      Improve fraud detection
                          *      Improve risk management and loss mitigation
                          *      Improve program operations
                          *      Limit mission constraints related to dated technology

                          Each initiative was reviewed, evaluated, and prioritized based on
                          established risk criteria. The efforts to address these system
                          recommendations are expected to take several years and cost hundreds of
                          millions of dollars. FHA has taken a first step by appointing a full-time
                          project management officer. In fiscal year 2010, FHA plans to perform a
                          comprehensive risk assessment to ensure that this plan is consistent with
                          the current OCIO strategic plan. Given their current state, FHA’s financial
                          systems will continue to require expensive maintenance and monitoring
                          and are likely to pose increasing risks to the reliability of FHA’s financial
                          reporting and business operations until the modernization efforts are
                          completed. The proposed plan should include an effective implementation
                          plan and leadership team to ensure that the current systems are replaced
                          within a timeframe that does not put FHA’s financial operations at further
                          risk.

These conditions occurred because FHA did not conduct a risk assessment of the various system
initiatives and required corrective actions in connection with the OCIO strategic plan and the IT
strategy and improvement plan.

Office of Housing         FHA should enhance the general ledger system user access management
and OCIO                  processes.

                          As indicated in the FHA Office of Housing IT strategy and improvement
                          plan, “FHA IT systems are a significant constraint on FHA’s ability to
                          rapidly and effectively adjust to this new environment. Over the last
                          decade, little investment has been made in modernizing FHA’s
                          technology.” An initial step of system modernization was implemented in
                          fiscal year 2009, with the integration of the Multifamily
                          Endorsement/Premium and Claims processes into FHASL. During this
                          implementation, additional developers and end-users were provided access
                          to FHASL environments to perform various development activities,
                          testing, and training functions. We noted that developers had access to the
                          production environment in a greater than read-only capacity and end-users
                          had access to the development environment. Additionally, we noted that
                          four employees had excessive rights within the Multifamily Premiums
                          module of FHASL (i.e., endorsement entry, premium reviewer,
                          termination clerk, and mortgage servicer role) and compensating controls
                          preventing the same user from performing incompatible functions on the
                          same transaction were not effective. While granting these access levels
                          may appear to improve the efficiency of system implementation, it
                          increases the risk of transactions being inappropriately authorized and
                          processed.





                          The monitoring of user business process functions within an application
                          (audit logging) is essential in ensuring that only personnel with proper
                          access rights are performing job functions. During fiscal year 2009, we
                          noted that limited audit logging is performed over business functions, and
                          the data elements that are being logged do not appear to be consequential
                          to the process. Additionally, the audit logs produced are not reviewed to
                          ensure that appropriate actions have been taken as required by HUD
                          policy. A plan has been developed by the system owner that incorporates
                          identifying the data elements to be audited, selecting the capture
                          mechanism, defining reports and filters, and establishing the review
                          process; however, this plan has not been implemented completely. The
                          recording of auditable events and the periodic review of audit logs is
                          essential to mitigate the risk of unauthorized access attempts or
                          inappropriate personnel actions.

                          A final component of user access management is the process of removing
                          access no longer required by users. One method for completing this
                          process is the disabling or removal of accounts after a specified period of
                          inactivity. HUD policy mandates that inactive users be deleted after 90
                          days of inactivity. We noted that approximately 30 user accounts with
                          active access to FHASL had not logged into the application in more than
                          90 days. FHASL is configured to have passwords automatically expire
                          after 90 days of inactivity; however, these accounts are not permanently
                          locked and can be reset by the user contacting the Help Desk. Accounts
                          are manually deleted if they have been inactive for more than twelve
                          months since the beginning of the previous year. In this situation, users do
                          not have the ability to contact the Help Desk to reactivate their accounts.
                          We noted that this process is manual because FHASL does not have an
                          automated mechanism for disabling or removing accounts. When unused
                          accounts are not disabled in a timely manner, there is an increased risk
                          that accounts may be used to gain unauthorized access to FHASL.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.
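
The access conditions described in the row above (accounts idle for more than 90 days, developers with more than read-only access to production, end users in the development environment, and one user holding incompatible Multifamily Premiums roles on the same transaction) lend themselves to a periodic automated review. The following is an added example, not part of the OIG report or of any HUD system; the record layout, role identifiers, sample data, and the rule that any two of the four named roles conflict are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy value stated in the report: inactive users are removed after 90 days.
INACTIVITY_LIMIT = timedelta(days=90)

# Assumption: the four Multifamily Premiums roles named in the report are
# treated as mutually incompatible. A real matrix comes from the system owner.
INCOMPATIBLE_ROLES = frozenset({
    "endorsement_entry", "premium_reviewer",
    "termination_clerk", "mortgage_servicer",
})


@dataclass(frozen=True)
class Account:
    user_id: str
    job_function: str            # "developer" or "end_user" (assumed labels)
    environment: str             # "production" or "development"
    access_level: str            # "read_only" or "read_write"
    roles: frozenset
    created: date
    last_login: Optional[date] = None   # None means the user never logged in
    disabled: bool = False


def review_accounts(accounts, as_of):
    """Return sorted (user_id, finding) pairs for accounts that are still enabled."""
    findings = set()
    for a in accounts:
        if a.disabled:
            continue  # already removed from service, nothing to flag
        # A never-used account is measured from its creation date.
        idle = as_of - (a.last_login or a.created)
        if idle > INACTIVITY_LIMIT:
            findings.add((a.user_id, "INACTIVE_OVER_90_DAYS"))
        if (a.job_function == "developer" and a.environment == "production"
                and a.access_level != "read_only"):
            findings.add((a.user_id, "DEVELOPER_WRITE_IN_PRODUCTION"))
        if a.job_function == "end_user" and a.environment == "development":
            findings.add((a.user_id, "END_USER_IN_DEVELOPMENT"))
        if len(a.roles & INCOMPATIBLE_ROLES) > 1:
            findings.add((a.user_id, "INCOMPATIBLE_ROLES"))
    return sorted(findings)


def same_user_conflicts(audit_log):
    """Return transaction ids on which one user acted in two incompatible roles.

    audit_log is an iterable of (transaction_id, user_id, role) tuples.
    """
    roles_used = {}
    for txn, user, role in audit_log:
        if role in INCOMPATIBLE_ROLES:
            roles_used.setdefault((txn, user), set()).add(role)
    return sorted({txn for (txn, _), roles in roles_used.items() if len(roles) > 1})


# Constructed sample data (not taken from the report).
AS_OF = date(2009, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("u001", "end_user", "production", "read_write",
            frozenset({"endorsement_entry"}), date(2008, 1, 15), date(2009, 9, 1)),
    Account("u002", "end_user", "production", "read_write",
            frozenset({"premium_reviewer"}), date(2008, 3, 1), date(2009, 5, 20)),
    Account("u003", "developer", "production", "read_write",
            frozenset(), date(2009, 2, 1), date(2009, 9, 25)),
    Account("u004", "end_user", "development", "read_write",
            frozenset(), date(2009, 4, 1), date(2009, 9, 10)),
    Account("u005", "end_user", "production", "read_write",
            frozenset({"endorsement_entry", "premium_reviewer"}),
            date(2008, 6, 1), date(2009, 9, 28)),
    Account("u006", "end_user", "production", "read_only",
            frozenset(), date(2009, 1, 5)),                      # never logged in
    Account("u007", "end_user", "production", "read_write",
            frozenset({"mortgage_servicer"}), date(2007, 1, 1),
            date(2008, 12, 1), disabled=True),                   # already disabled
    Account("u008", "developer", "production", "read_only",
            frozenset(), date(2009, 1, 1), date(2009, 7, 2)),    # exactly 90 days idle
]
SAMPLE_AUDIT_LOG = [
    ("T-1001", "u001", "endorsement_entry"),
    ("T-1001", "u002", "premium_reviewer"),
    ("T-1002", "u005", "endorsement_entry"),
    ("T-1002", "u005", "premium_reviewer"),   # same user entered and reviewed
    ("T-1003", "u005", "endorsement_entry"),
    ("T-1003", "u001", "premium_reviewer"),
]

if __name__ == "__main__":
    for user_id, finding in review_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user_id}: {finding}")
    print("Same-user conflicts:", same_user_conflicts(SAMPLE_AUDIT_LOG))
```

The second function depends on the business-function audit logging that the report says was only partly in place: without a logged user and role per transaction, the same-user check has nothing to run against.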

OCIO                      Weaknesses existed in HUD’s security management program. Specifically,

                          *      HUD did not properly categorize those systems containing
                                 personally identifiable information (PII). HUD’s inventory of
                                 automated systems was not current and did not contain all systems
                                 with PII.

                          *      HUD did not properly report 5 of 34 category I security incidents
                                 to the proper authorities within the mandated timeframes.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCIO                      Weaknesses existed in security controls over HUD’s Web applications and
                          identified weaknesses in the areas of security configurations and technical
                          controls.

                          For instance, HUD did not ensure that access controls followed the
                          principle of least privilege for Web application configurations. Weak Web
                          application security configurations disclose potentially sensitive
                          information that may enable a malicious user to devise exploits of the
                          application and the resources it accesses. This weakness could also
                          potentially expose sensitive or confidential information as well as useful
                          information that may enable a malicious user to devise effective and
                          efficient exploits of the application and the resources it accesses.

                          HUD did not adequately implement controls to ensure confidentiality and
                          privacy for Web applications. These weaknesses were not exploitable
                          vulnerabilities, but they were a violation of security policy because the
                          configurations potentially allowed access to data that are required to be
                          confidential by law. When weak privacy controls exist, they breach
                          confidentiality requirements to protect sensitive information. An attacker
                          can take advantage of these vulnerabilities to discover and access sensitive
                          and confidential data. Further, HUD did not adequately review Web
                          applications for vulnerabilities and patch them. Exploiting vulnerabilities
                          can breach confidentiality requirements to reveal sensitive information.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCIO                      Weaknesses existed in controls over HUD’s Disaster Recovery Grant
                          Reporting System (DRGR) related to the Neighborhood Stabilization
                          Program (NSP) funding.

                          We found that (1) access control policies and procedures for DRGR violated
                          HUD policy, (2) the system authorization to operate is outdated and based
                          upon inaccurate and untested documentation, (3) CPD did not adequately
                          separate the DRGR system and security administration functions, and (4)
                          CPD had not sufficiently tested interface transactions between DRGR and the
                          Line of Credit Control System (LOCCS). As a result, CPD cannot ensure
                          that only authorized users have access to the application, user access is
                          limited to only the data that are necessary for them to complete their jobs, and
                          users who no longer require access to the data in the system have had their
                          access removed. Further, the failure to sufficiently test interface transactions
                          between DRGR and LOCCS leaves HUD with limited assurance that the
                          $5.9 billion in NSP funding was accurately processed.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCIO                      Weaknesses existed in HUD’s management procedures, practices, and
                          controls related to the Recovery Act Management and Reporting System
                          (RAMPS).

                          We found that while HUD has taken actions to comply with the reporting
                          requirements under the Recovery Act, it did not fully comply with the
                          reporting requirements to ensure that the recipients’ use of all recovery
                          funds is transparent to the public and that the public benefits of these
                          funds are reported clearly, accurately, and in a timely manner.

                          We reviewed the April 30 and July 15, 2009, National Environmental Policy
                          Act (NEPA) reports and found that HUD program offices did not have
                          existing systems to collect the NEPA data, were not able to use the newly
                          developed RAMPS system, or were not provided training on how to use the
                          system. As a result, HUD was not able to provide the NEPA status to the
                          public in an accurate and timely manner for more than $2.9 billion in
                          obligated funds. Additionally, HUD did not complete required security and
                          privacy documents before or during the early phase of system development.
                          HUD did not follow Federal and HUD security policies for implementing
                          these security requirements for RAMPS. As a result, HUD officials could
                          not ensure that all security controls were in place, implemented correctly,
                          and operating as intended.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCIO                      Weaknesses still existed in security controls over HUD’s databases.

                          During fiscal year 2008, we evaluated security controls over HUD’s
                          databases. We identified security configuration and technical control
                          deficiencies within HUD’s database security controls in the areas of (1)
                          passwords, (2) system patches, and (3) system configuration. We followed
                          up on the status of these weaknesses during fiscal year 2009 and determined
                          that technical control deficiencies relating to database passwords and
                          database patches had been reviewed and corrected as the Office of the Chief
                          Information Officer (OCIO) deemed appropriate. OCIO has not yet
                          implemented secure configuration baselines for databases and the reviews for
                          monitoring those configurations. This corrective action is not scheduled to
                          be completed until December 31, 2010.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCPO                      Control weaknesses still existed for HUD Procurement System (HPS) and
                          HUD Small Purchase System (SPS). Specifically,

                          Two significant recommendations made in the audit report remained open,
                          and the procurement systems continued to be noncompliant with Federal
                          financial management requirements. The Office of the Chief Procurement
                          Officer (OCPO) has yet to complete the corrective actions for the known
                          open information security vulnerabilities. In addition, OCPO had not
                          implemented functionality to ensure that there is sufficient information within
                          HUD’s current procurement systems to support the primary acquisition
                          functions of fund certification, obligation, deobligation, payment, and
                          closeout. OCPO plans to replace the current acquisition systems and, during
                          fiscal year 2009, obtained $3.7 million in funding to purchase a commercial
                          off-the-shelf application. The acquisition of the new application is
                          anticipated to be complete by June 30, 2010. However, full funding to
                          complete the project had not been obtained; therefore, it is unclear when the
                          new application will be fully implemented.

These conditions occurred because OCPO had not been able to secure funding to complete the planned
corrective action.

OCIO and OCFO             Control weaknesses that could negatively affect the integrity,
                          confidentiality, and availability of computerized financial data within three
                          of HUD’s financial systems – Nortridge Loan System (NLS), HUD’s
                          Central Accounting and Program System (HUDCAPS), and Line of
                          Credit Control System (LOCCS) – still existed. Specifically,

                          Access controls over HUD’s NLS needed to be strengthened. We
                          determined that controls over the NLS user recertification process were not
                          effective to ensure that all users with access to the production data were
                          properly recertified. In addition, HUD did not appropriately separate the
                          functions of system administration and system security within NLS. By
                          not ensuring that the access levels of all NLS users were reviewed, HUD
                          was unable to ensure that users only had access to the data that were
                          necessary for them to complete their jobs, that only authorized users had
                          access to the system, and that users who no longer required access to the
                          data in the system had their access removed. Inadequately segregated
                          duties increase the risk that erroneous or fraudulent transactions could be
                          processed, that improper program changes could be implemented, and that
                          computer resources could be damaged or destroyed. OCFO provided
                          documentation to support completion of planned corrective actions.

                          In fiscal year 2009, we found that HUD did not take steps to ensure that IT
                          contractors were properly rescreened to ensure their continued eligibility
                          to access sensitive systems and application data in accordance with HUD
                          guidelines. Specifically, HUD did not initiate updated background
                          investigations for contractor personnel with access to HUDCAPS every 5
                          years as required by HUD policy. As of December 2008, OCFO had not
                          initiated updated background investigations for 10 of the 20 contractors
                          with above-read access to the HUDCAPS application. The background of
                          one contractor employee had not been reassessed since 1975. Background
                          investigations ensure, to the extent possible, that employees are suitable to
                          perform their duties. By not performing required background screenings,
                          HUD increased its risk that unsuitable individuals would have access to
                          sensitive systems and data.

                          Again in fiscal year 2009, we were able to identify LOCCS users that
                          were not recertified by the system. As a result, we concluded that further
                          improvements are necessary to ensure that all users of LOCCS are
                          recertified in accordance with HUD policy and that the corrective action
                          taken in response to our 2007 finding did not fully address the problem.


These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCIO                      Weaknesses still existed in security controls over HUD’s IBM mainframe.

                          In fiscal year 2009, we determined that HUD had not completed the task
                          of securing libraries and data files within the IBM mainframe
                          environment.

These conditions occurred because HUD’s management did not consistently enforce policies and
procedures.

OCIO                      Weaknesses still existed in security controls over HUD’s software
                          configuration management.

                          We previously reported that the configuration management plan for
                          Institution Master File (IMF) contained outdated information. We also
                          reported that HUD did not ensure that its IT support contractor provided
                          the proper version of a configuration management tool used by five of its
                          applications. Without updated configuration management documentation,
                          HUD risks that outdated policies and plans may not address current risk
                          and, therefore, be ineffective.

                          HUD had not yet fully resolved the issue of the outdated version of the
                          configuration management tool. HUD had made progress in updating the
                          configuration management plan for IMF. However, configuration
                          management plans for several FHA applications identified in our fiscal
                          year 2007 review still have not been updated to include reported issues
                          such as incomplete or outdated information.

                          In fiscal year 2009, we found that the configuration management plan for
                          the Integrated Disbursement and Information System OnLine (IDIS
                          OnLine) also lacked information and contained outdated information.

These conditions occurred because management did not consistently enforce policies and procedures.





OCIO                        Weaknesses still existed in controls over HUD’s contingency planning.

                            In fiscal year 2009, we found that HUD had updated listings for the
                            recovery team and critical applications. However, the disaster recovery
                            plan still contained conflicting information. Additionally, we found that
                            disaster recovery exercises did not fully test system functionality because
                            the critical applications were not verified through transaction and batch
                            processing and the exercises did not include recovery of all applications
                            that interface with the critical systems. By not having current information
                            in the disaster recovery plan and fully testing system functionality during
                            disaster recovery exercises, HUD cannot ensure that its systems and
                            applications will function as intended in an actual emergency.

                            In 2008, we reported that contingency planning at third-party business sites
                            was inadequate. Staffs were unfamiliar with or had limited knowledge of
                            contingency planning requirements, and documentation was not readily
                            available for use in case of emergency. We determined that HUD had not
                            specified contingency planning, continuity of operations, or disaster recovery
                            requirements in its agreements with third-party business partners. Such
                            information is usually included in the terms and conditions of a contract or
                            service-level agreement with the external business partner. Consequently,
                            third-party business partners developed limited contingency planning policies
                            that did not meet HUD or National Institute of Standards and Technology
                            (NIST) requirements. Management generally agreed that corrective action
                            was needed, but had not taken action on any of OIG’s recommendations.

These conditions occurred because management did not consistently enforce policies and procedures and
HUD had not specified contingency planning, continuity of operations, or disaster recovery requirements
in its agreements with third-party business partners. Consequently, third-party business partners had
developed limited contingency planning policies that did not meet HUD or NIST requirements.

OCIO                        Weaknesses still existed in controls over HUD’s physical security.

                            In fiscal year 2008, we reported that physical security at the third-party
                            business sites we visited was inadequate and weaknesses existed at those
                            sites. We found instances in which servers were located in common areas
                            (i.e., lunch rooms, halls), case binders with PII were left unattended, no guard
                            or receptionist was at the entrance, access doors were unlocked, and
                            encryption of data residing on laptops or portable devices was not a
                            requirement.

                            In fiscal year 2009, management generally agreed that corrective action was
                            needed but had not taken action on any of OIG’s recommendations.

This condition occurred because HUD had not specified the level of security controls and included it in
the terms and conditions of the contract or service-level agreement with the external business partner.
As a result, third-party business partners have developed various IT security controls and policies that do
not meet HUD or Federal requirements and, therefore, cannot be relied upon to provide adequate
protection of HUD’s sensitive data.





OCIO                 Personnel security weaknesses still existed. Specifically,

                     Since 2004, we have reported that HUD did not have a complete list of all
                     users with above-read access at the application level. Those users with
                     above-read access to sensitive application systems are required to have a
                     background investigation. Our review this year found that HUD still did
                     not have a central repository that lists all users with access to HUD’s
                     general support and application systems. Consequently, in fiscal year
                     2009, HUD still had no central listing for reconciling that all users who
                     have access to HUD’s critical and sensitive systems have had the
                     appropriate background investigation.

                     While HUD’s implementation, in 2007, of the Centralized HUD Account
                     Management Process (CHAMP) was a step toward improving its user
                     account management practices, CHAMP remained incomplete and does
                     not fully address OIG’s concerns. Specifically, we noted that

                            • CHAMP does not contain complete and accurate data. OCIO did
                             not electronically migrate data from the HUD Online User
                             Registration System (HOURS) into CHAMP. Instead, it chose to
                             enter the legacy data manually. However, this process had not
                             been completed. In a July 2008 audit report, we recommended
                             that all offices within HUD provide the historical information
                             necessary to populate CHAMP. OCIO agreed with our
                             recommendation, and corrective action is scheduled for
                             completion in December 2009.

                            • CHAMP does not contain a mechanism to escalate or reassign
                             tasks that have not been completed within a specified timeframe.
                             In a July 2008 audit report, we recommended that OCIO develop
                             and implement such a mechanism. OCIO agreed with the
                             recommendation, and corrective action is scheduled for
                             completion in December 2009.





                            • HUD did not conduct a security categorization and a risk
                             assessment for CHAMP as required by Federal Information
                             Processing Standards (FIPS) Publications (PUB) 199 and 200.
                             HUD’s OCIO chose not to conduct a security categorization and
                             risk assessment for CHAMP because it believed that these items
                             were not required for CHAMP, which is listed as a process rather
                             than a system. HUD also believed that since CHAMP was
                             exclusively owned by its IT contractor, it was not subject to the
                             requirements of a security categorization and a risk assessment.
                             Without a security categorization and risk assessment of CHAMP,
                             HUD cannot know the full extent of risks that the CHAMP
                             process is vulnerable to or whether adequate levels of security
                             controls have been put into place to protect data and applications
                             impacted by CHAMP. OIG recommended that OCIO conduct a
                             security categorization and a risk assessment for CHAMP. OCIO
                             agreed with this recommendation; however, corrective action had
                             not been taken.

                            • Reconciliations to identify users with above-read (query) access to
                             HUD mission-critical (sensitive) applications but without
                             appropriate background checks were not routinely conducted.
                             Officials from the Office of Security and Emergency Planning
                             (OSEP) and OCIO asserted that with the implementation of
                             CHAMP and the new security manager computer system, it would
                             be impossible for an employee or contractor to obtain access to
                             any of HUD’s systems without the appropriate background
                             investigation. Thus, the reconciliation was no longer needed.

                     Contrary to OSEP and OCIO’s assertions, a reconciliation performed by
                     OSEP for second quarter 2009 identified 27 persons with the incorrect
                     level of background investigation, including three persons with no record
                     of a background investigation having been performed. In addition,
                     although the HUD Personnel Security/Suitability Handbook contains
                     policies to suspend, deny, and terminate access of users who do not meet
                     its standards, we found no evidence that HUD OCIO had taken actions
                     regarding users without appropriate background investigations having
                     access to HUD sensitive systems. As a result, HUD could not ensure that
                     its critical and sensitive information could be protected from unauthorized
                     access, loss, misuse, modification, or improper disclosure.





                          We remain concerned because the reconciliation included users of only
                          one of HUD’s mission-critical systems. We previously reported that users
                          of HUD’s general support systems on which these mission-critical
                          applications reside were not included in the reconciliations because they
                          were not classified as mission critical. Having access to general support
                          systems typically includes access to system tools, which provide the means
                          to modify data and network configurations. We identified IT personnel,
                          such as database administrators and network engineers, who have access to
                          these types of system tools but do not have appropriate background
                          checks. These persons were not identified as part of the CHAMP
                          reconciliation process.

These conditions occurred because management did not consistently enforce policies and procedures.




Appendix D

              SCHEDULE OF QUESTIONED COSTS
             AND FUNDS TO BE PUT TO BETTER USE

 Recommendation       Ineligible 1/      Unsupported 2/   Unreasonable or     Funds to be put
     number                                               unnecessary 3/      to better use 4/
      1.e                                                                         $24.7 M
      1.g                                                                            $42 M
      2.a                                                                          $317 M
      3.a                                                                           $8.8 M
      3.c                                                                           $4.7 M
      3.e                                                                         $23.4 M
      3.g                                                                         $75.3 M
      3.k                                                                         $20.2 M


1/   Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity
     that the auditor believes are not allowable by law; contract; or Federal, State, or local
     policies or regulations.

2/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
     or activity when we cannot determine eligibility at the time of the audit. Unsupported
     costs require a decision by HUD program officials. This decision, in addition to
     obtaining supporting documentation, might involve a legal interpretation or clarification
     of departmental policies and procedures.

3/   Unnecessary/unreasonable costs are those costs not generally recognized as ordinary,
     prudent, relevant, and/or necessary within established practices. Unreasonable costs
     exceed the costs that would be incurred by a prudent person in conducting a competitive
     business.

4/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an OIG recommendation is implemented. These amounts include
     reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by
     implementing recommended improvements, avoidance of unnecessary expenditures
     noted in preaward reviews, and any other savings that are specifically identified.




Appendix E
             Agency Comments




Appendix F

            OIG EVALUATION OF AGENCY COMMENTS

With the exception of the report’s conclusions related to Federal Financial Management
Improvement Act (FFMIA) compliance, HUD management generally agrees with our
presentation of findings and recommendations subject to detailed comments.

The disagreements with our FFMIA compliance conclusions related to formula grant reporting and
HUD’s integrated financial management system. HUD’s Office of Community Planning and
Development disagrees that its formula grant reporting is not in compliance with FFMIA.
Regarding overall financial management system compliance with FFMIA, HUD agrees that its
systems processes can be more efficiently integrated to eliminate the need for existing
compensating controls but feels the existing environment is substantially compliant and not
representative of a material risk of misreporting.

We disagree with HUD’s conclusions regarding FFMIA compliance. With regard to the CPD
formula grants reporting, while FFMIA requires that budget, performance, and financial
information should be reconcilable to the grant year funds were approved, our reviews indicated
that CPD did not record information in a way that allowed such reconciliations. FFMIA
emphasizes the need for agencies to have systems that are able to generate reliable, useful, and
timely information for decision-making purposes and to ensure accountability on an ongoing
basis. The deficiencies noted in HUD’s financial management systems are due to the current
financial system being developed prior to the issuance of current requirements. It is also
technically obsolete, has inefficient multiple batch processes, and requires labor-intensive
manual reconciliations. Because of these inefficiencies, HUD’s management systems are unable
to routinely produce reliable, useful, and timely financial information. This weakness manifests
itself by limiting HUD’s capacity to manage with timely and objective data, and thereby hampers
its ability to effectively manage and oversee its major programs.

In addition, HUD is not fully compliant with one of the three indicators of compliance with
Federal financial management requirements. HUD has significant deficiencies related to security
over financial management information systems in accordance with FISMA and OMB Circular
A-130 Appendix III. The Department has not met the minimum set of automated information
resource controls relating to Entity-wide Security Program Planning and Management.

With regard to Antideficiency Act Reporting and Erroneous Payments, we reviewed the
Department’s comments and made clarifying changes to the report.



