Issue Date February 26, 2010 Audit Report Number 2010-PH-0001 TO: Vicki B. Bott, Deputy Assistant Secretary for Single Family Housing, HU //signed// FROM: John P. Buck, Regional Inspector General for Audit, Philadelphia Region, 3AGA SUBJECT: HUD’s Philadelphia, PA, Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees HIGHLIGHTS What We Audited and Why In accordance with our annual audit plan and due to concerns regarding the U.S. Department of Housing and Urban Development’s (HUD) capacity to handle the increasing demand for loans insured by the Federal Housing Administration (FHA), we initiated an audit of HUD’s Philadelphia, PA, Homeownership Center (Center). This is the first of two audit reports that we plan to issue on the Center’s capacity to process current demand for FHA loans. The audit objective addressed in this report was to determine whether the Center processed FHA loan applications in accordance with applicable policies and procedures and ensured that required background investigations were completed for its contracted employees that performed functions associated with FHA loans. What We Found The Center generally processed FHA loans in accordance with applicable policies and procedures. However, it did not always ensure that required background investigations were completed for its contracted employees that were responsible for processing FHA loan applications and monitoring the quality of lenders’ underwriting. The Center had 29 contracted employees that were responsible for performing functions associated with FHA loans. Of the 29 contracted employees, 16, or 55 percent, had not been through minimum background investigations required by contract clauses and HUD’s policies on personnel security/suitability. HUD spent more than $5.4 million on services from contracted employees that may not have been eligible to access its computer systems and other information sources containing sensitive personally identifiable information. What We Recommend We recommend that the Deputy Assistant Secretary for Single Family Housing direct the Center to (1) initiate and follow up on the required minimum background investigations for its contracted employees that have not been investigated to justify more than $5.4 million spent on the related contracts and (2) develop and implement controls to ensure that its contracted employees comply with contract terms and applicable HUD security policies. For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit. Auditee’s Response We discussed the report with HUD during the audit and at an exit conference on February 2, 2010. HUD provided written comments to our draft report on February 23, 2010. HUD agreed with the finding and recommendations. The complete text of HUD’s response is in appendix B of this report. 2 TABLE OF CONTENTS Background and Objective 4 Results of Audit Finding: HUD’s Philadelphia Homeownership Center Did Not Always Ensure 5 That Required Background Investigations Were Completed for Its Contracted Employees Scope and Methodology 10 Internal Controls 11 Appendixes A. Schedule of Questioned Costs and Funds To Be Put to Better Use 12 B. Auditee Comments 13 C. Schedule of Contractors’ Training Status 19 D. Schedule of Contracts and Related Expenditures 20 3 BACKGROUND AND OBJECTIVE The U.S. Department of Housing and Urban Development’s (HUD) strategic plan states that part of its mission is to increase homeownership, support community development, and increase access to affordable housing free from discrimination. HUD’s overall strategy to advance this goal is to carefully apply public-sector dollars, whether through mortgage insurance, grants, loans, or direct subsidies, to leverage the private market and make it easier for low- and moderate-income Americans to buy and keep their own homes. The National Housing Act, as amended, established the Federal Housing Administration (FHA), an organizational unit within HUD. FHA provides insurance for lenders against loss on single- family home mortgages. FHA insurance helps first-time home buyers and other families who could have difficulties in obtaining a mortgage by reducing the risk to private lenders. HUD’s Office of Single Family Housing handles the overall management, policy direction and administration of all single family insurance programs. Policy development and oversight are performed in three offices: Program Development, Asset Management, and Lender Activities and Program Compliance, located in Washington, DC. Program policy is implemented by HUD’s four Homeownership Centers in Philadelphia, PA; Santa Ana, CA; Atlanta, GA; and Denver, CO. The Homeownership Centers insure single-family FHA mortgages and oversee the selling of HUD homes. They implement underwriting and insuring standards; monitor loan origination and servicing; administer nonprofit/housing counseling grant programs; and provide training, guidance, and technical assistance to HUD staff and customers. The Philadelphia Homeownership Center (Center) employs 218 staff members, 79 of whom are located in its Processing and Underwriting Division. Part of the division’s responsibilities include overseeing contracted employees that perform data entry, endorsement, and post endorsement technical review functions associated with FHA loans. The data entry function primarily involves entries into HUD’s Computerized Homes Underwriting Management System to reflect the receipt and assignment loan case files submitted to HUD for insurance endorsement. The endorsement process entails a review to determine whether loan files submitted for insurance endorsement include all documents required by HUD. The post endorsement technical review is performed to monitor the quality of lenders’ underwriting and to identify the degree of risk associated with each loan insured. HUD contracted with Horizon Consulting, Inc. (Horizon), headquartered in Lansdowne, VA, to perform data entry, endorsements, and post endorsement technical reviews. The Horizon employees process all of the Center’s data entry and endorsements and some of its post endorsement technical reviews. The Center had two government technical representatives that were responsible for the technical administration of the contracts. Our audit objective was to determine whether the Center processed FHA loan applications in accordance with applicable policies and procedures and ensured that required background investigations were completed for its contracted employees that performed functions associated with FHA loans. 4 RESULTS OF AUDIT Finding: HUD’s Philadelphia Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees The Center did not ensure that background investigations were completed as required for more than half its contracted employees that were responsible for processing FHA loan applications and reviewing approved FHA loan files to monitor the quality of lenders’ underwriting. Also, more than one-third of the contracted employees had not taken security awareness training required by HUD’s information technology (IT) security policy. The deficiencies occurred because the Center lacked controls to ensure that its contracted employees complied with HUD’s security policies related to employee background investigations and IT security awareness. As a result, HUD spent more than $5.4 million on services from contracted employees that may not have been eligible to access its computer systems and other information sources containing sensitive personally identifiable information. Minimum Background Investigations Were Not Always Completed HUD entered into separate contracts with Horizon, headquartered in Lansdowne, VA, to perform data entry, endorsement, and postendorsement technical review functions associated with FHA loans. There were 29 Horizon employees that performed these functions for the Center. The breakdown of the employees under the contracts was as follows: 3 for data entry, 18 for endorsements, and 8 for postendorsement technical reviews. Our review of records on the 29 employees indicated that 16, or 55 percent, had not been through the minimum background investigation required via clauses incorporated into the contracts. These employees included all of the employees that performed the data entry and postendorsement technical reviews and 5 of the 18 that performed the endorsements. The employees had access to HUD systems and other sources of information with personally identifiable information1 on FHA loan applicants including names, addresses, Social Security numbers, dates of birth, bank account numbers, credit reports, Internal Revenue Service W-2 1 The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual’s identity, such as name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (Office of Management and Budget Memorandum M-07-16) 5 statements, and tax returns. According to Office of Management and Budget Memorandum M-07-16, safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure that the government retains the trust of the American public. All three contracts with Horizon contained a clause stating that contracted employees would be required to have access to HUD systems and that they would be required to provide personal information and undergo background investigations before being permitted access to HUD systems in performance of the contracts. The clause stated that more extensive background investigations would be required for contracted employees requiring access to mission-critical2 systems or sensitive information contained within HUD systems or applications. Also, according to HUD’s handbook on personnel security/suitability,3 a minimum background investigation is required for all contractors working on behalf of HUD. The minimum investigation includes searches of the Office of Personnel Management’s Security/Suitability Investigations Index, the Federal Bureau of Investigation’s arrest and investigation records, and written inquiries covering specific areas of a person’s background during the most recent 5 years. As stated above, the contracted employees had access to sensitive personally identifiable information. The Center’s failure to ensure the suitability of the employees to access such information could lead to potential abuses of HUD computer systems and access to sensitive information, which could seriously compromise data. Contracted Employees Did Not Complete Required IT Security Awareness Training Based on the requirements of the Federal Information Systems Management Act (FISMA) as incorporated into HUD’s IT security policy, the Center’s contracted employees should have taken IT security awareness training annually. FISMA requires each Federal agency to develop, document, and implement an agency- wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. HUD’s IT security policy states that basic security awareness training is required at orientation and annually by the determined date established by the Office of Management and Budget to meet the FISMA legislation requirement. We 2 HUD defines mission critical systems or functions as “those functions that enable Federal Executive Branch agencies to provide vital services, exercise civil authority, maintain the safety and well-being of the general public, and sustain the industrial/economic base during an emergency.” 3 HUD Handbook 732.3, REV-1, paragraphs 3-1B and 4-5B 6 requested training certificates for the 29 Horizon employees to test the Center’s compliance with the requirement. Of the 18 Horizon employees performing the endorsements, only one had taken the required training before our request for the training certificates. Sixteen of the endorsement employees and all three of the data entry employees took the training after we requested the training certificates. The employees took the training between October 9 and October 14, 2009. The remaining endorsement employee had not taken the training as of the completion of our fieldwork. Also, none of the eight contracted employees working on the postendorsement technical reviews was up to date on the training requirement. One employee last took the training in June 2006, and three employees last took the training in August 2007. For the remaining four employees, there was no documentation to indicate that they had ever taken the training. As of the completion of our fieldwork, nine, or one-third, of the contracted employees had not completed the required annual security awareness training (see appendix C). A key objective of an effective IT security program is to ensure that all employees and contractors understand their roles and responsibilities and are adequately trained to perform them. HUD cannot protect the confidentiality, integrity, and availability of its information systems and the information they contain without the knowledge and active participation of its employees and contractors in the implementation of sound security principles. To ensure that its contracted employees understand their roles and responsibilities in protecting IT and related data, the Center must ensure that its contracted employees take the required annual security awareness training in accordance with HUD’s IT security policy. The Center Lacked Controls To Ensure That It Complied With Security Policies The Center lacked controls to ensure that its contracted personnel complied with HUD’s security policies related to background investigations and IT security awareness. Although the contracts with Horizon included clauses that indicated background investigations were required, government technical representatives (representatives) responsible for administering the contracts were not aware of contract requirements pertaining to background investigations or that all contracted employees had not been through the required investigations. The representatives’ duties included ensuring that the contractor established and complied with HUD’s personnel security requirements. In certain cases, background investigations had been initiated; however, the initial background information forms submitted were returned to the employees because they were incomplete. The employees did not resubmit the forms, and the representatives did not follow up and take action to ensure that the investigations were completed. They also did not ensure that the 7 contracted employees had completed annual security awareness training as required. As stated above, the representatives were responsible for ensuring the contractor’s compliance with HUD’s personnel security requirements and should have ensured that the contracted employees had been through the necessary background investigations and completed the required security awareness training. The Center needs to develop and implement controls to ensure that the representatives responsible for administering the contracts are aware of all contract terms and requirements and ensure that the requirements are enforced. Conclusion The Center did not ensure that required background investigations were completed for all of its contracted employees that were responsible for processing FHA loan applications and monitoring the quality of lenders’ underwriting. It also did not ensure that all of the employees had taken IT security awareness training in accordance with HUD’s IT security policy. These deficiencies occurred because the Center lacked controls to ensure that its contracted employees complied with HUD’s security policies related to employee background investigations and IT security awareness. Horizon breached its contract with HUD when it did not ensure that all its employees complied with HUD’s personnel security requirements. Therefore HUD needs to justify more than $5.4 million (see appendix D) in funds already spent on the related contracts by providing documentation to show that it has performed the required background investigations to determine the suitability of the contracted employees for their duties and responsibilities. HUD also needs to ensure that the Center implements sufficient controls to prevent approximately $2.2 million from being spent annually on contracted employees that may not be eligible to access its computer systems and other information sources containing sensitive personally identifiable information. Recommendations We recommend that the Deputy Assistant Secretary for Single Family Housing direct the Philadelphia Homeownership Center to 1A. Initiate the minimum required background investigations for its contracted employees and conduct monthly follow-ups to monitor the status of the investigations to ensure that HUD security requirements are met and to justify $5,438,372 awarded for the related contracts. In cases where the contractor(s) fail to submit the necessary required paperwork, terminate all 8 HUD systems access for the employees within 30 days of the request for the paperwork. 1B. Develop and implement procedures for tracking the status of background investigations for its contracted employees and ensure that they are completed to prevent $2,175,348 from being spent annually on employees that may not be suitable for their duties. 1C. Ensure that all contracted employees in the Center annually take mandatory IT security awareness training as described in HUD’s IT security policy. 1D. Emphasize HUD’s security policies to the Center’s government technical representatives to ensure that they are aware of their responsibility to ensure that contracted employees undergo background investigations and complete IT security awareness training as required. 9 SCOPE AND METHODOLOGY We performed our audit at HUD’s Philadelphia, PA, Center offices from April through November 2009. The audit covered the period October 2006 through March 2009; however, we expanded the scope when necessary to include other periods. We used computer-processed data only in conjunction with other supporting documents and information to reach our conclusions and determined that the data were sufficiently reliable for our purposes. To accomplish our objective to determine whether the Center processed FHA loan applications in accordance with applicable policies and procedures and ensured that required background investigations were completed for its contracted employees that performed functions associated with FHA loans, we Analyzed a random sample of five loan case files to determine whether the Center performed endorsements in accordance with HUD policies and procedures. Analyzed a random sample of five loan files to determine whether the Center performed postendorsement technical reviews in accordance with HUD policies and procedures. Conducted interviews with various division directors and staff in the Center, as well as contracted employees. Interviewed key functional managers and/or staff of the Office of Single Family Housing and the Office of Security and Emergency Planning at HUD headquarters. Reviewed and analyzed the background check summaries for the Horizon contract employees that performed data entry, endorsements, and postendorsement technical reviews for the Center. Reviewed HUD policies on personnel suitability and IT security; mortgagee letters; and other applicable HUD policies, procedures, and regulations. We calculated the funds to be put to better use by dividing the total unsupported costs ($5,438,372) by the number of months (30) in our review period and multiplying the result (181,279) by 12 months to obtain the potential annual savings ($2,175,348). We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 10 INTERNAL CONTROLS Internal control is an integral component of an organization’s management that provides reasonable assurance that the following controls are achieved: Program operations, Relevance and reliability of information, Compliance with applicable laws and regulations, and Safeguarding of assets and resources. Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives. They include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined that the following internal controls were relevant to our audit objective: Program operations – Policies and procedures that management has implemented to reasonably ensure that a program meets its objectives. Compliance with laws and regulations – Policies and procedures that management has implemented to reasonably ensure that resource use is consistent with laws and regulations. We assessed the relevant controls identified above. A significant weakness exists if management controls do not provide reasonable assurance that the process for planning, organizing, directing, and controlling program operations will meet the organization’s objectives. Significant Weaknesses Based on our review, we believe that the following item is a significant weakness: The Center lacked controls to ensure that its contracted personnel complied with HUD’s security policies related to employee background investigations and IT security awareness. 11 APPENDIXES Appendix A SCHEDULE OF QUESTIONED COSTS AND FUNDS TO BE PUT TO BETTER USE Recommendation Unsupported 1/ Funds to be put number to better use 2/ 1A $5,438,372 1B $2,175,348 1/ Unsupported costs are those costs charged to a HUD-financed or HUD-insured program or activity when we cannot determine eligibility at the time of the audit. Unsupported costs require a decision by HUD program officials. This decision, in addition to obtaining supporting documentation, might involve a legal interpretation or clarification of departmental policies and procedures. 2/ Recommendations that funds be put to better use are estimates of amounts that could be used more efficiently if an Office of Inspector General (OIG) recommendation is implemented. These amounts include reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in preaward reviews, and any other savings that are specifically identified. In this instance, if HUD implements our recommendation, it will cease to incur contract costs for contractors that have not been determined to be suitable for their duties and, instead, will expend those funds for contracts that meet HUD’s standards, thereby putting approximately $2.2 million in funds to better use. Once HUD successfully implements our recommendation, this will be a recurring benefit. Our estimate reflects only the initial year of this benefit. 12 Appendix B AUDITEE COMMENTS 13 14 15 16 17 18 Appendix C SCHEDULE OF CONTRACTORS’ TRAINING STATUS Completed IT Completed IT Remaining Number of training before training after OIG employees Contract employees OIG request for request for lacking certificates certificates training Data entry 3 0 3 0 Endorsements 18 1 16 1 Postendorsement technical reviews 8 0 0 8 Summary 29 1 19 9 19 Appendix D SCHEDULE OF CONTRACTS AND RELATED EXPENDITURES Contract number Contract description Amount expended* C-PHI-00974 Data entry $ 480,698 C-PHI-00943 C-CHI-00949 Endorsements 3,736,848 C-PHI-00973 C-CHI-01018 Postendorsement technical reviews 1,220,826 $5,438,372 * These amounts include the base contracts and related modifications with terms ranging between September 2006 and September 2009. 20
HUD's Philadelphia, PA, Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees
Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-02-26.
Below is a raw (and likely hideous) rendition of the original report. (PDF)