Issue Date
February 26, 2010
Audit Report Number
2010-PH-0001
TO: Vicki B. Bott, Deputy Assistant Secretary for Single Family Housing, HU
//signed//
FROM: John P. Buck, Regional Inspector General for Audit, Philadelphia Region,
3AGA
SUBJECT: HUD’s Philadelphia, PA, Homeownership Center Did Not Always Ensure
That Required Background Investigations Were Completed for Its Contracted
Employees
HIGHLIGHTS
What We Audited and Why
In accordance with our annual audit plan and due to concerns regarding the U.S.
Department of Housing and Urban Development’s (HUD) capacity to handle the
increasing demand for loans insured by the Federal Housing Administration
(FHA), we initiated an audit of HUD’s Philadelphia, PA, Homeownership Center
(Center). This is the first of two audit reports that we plan to issue on the Center’s
capacity to process current demand for FHA loans. The audit objective addressed
in this report was to determine whether the Center processed FHA loan
applications in accordance with applicable policies and procedures and ensured
that required background investigations were completed for its contracted
employees that performed functions associated with FHA loans.
What We Found
The Center generally processed FHA loans in accordance with applicable policies
and procedures. However, it did not always ensure that required background
investigations were completed for its contracted employees that were responsible
for processing FHA loan applications and monitoring the quality of lenders’
underwriting. The Center had 29 contracted employees that were responsible for
performing functions associated with FHA loans. Of the 29 contracted
employees, 16, or 55 percent, had not been through minimum background
investigations required by contract clauses and HUD’s policies on personnel
security/suitability. HUD spent more than $5.4 million on services from
contracted employees that may not have been eligible to access its computer
systems and other information sources containing sensitive personally identifiable
information.
What We Recommend
We recommend that the Deputy Assistant Secretary for Single Family Housing
direct the Center to (1) initiate and follow up on the required minimum
background investigations for its contracted employees that have not been
investigated to justify more than $5.4 million spent on the related contracts and
(2) develop and implement controls to ensure that its contracted employees
comply with contract terms and applicable HUD security policies.
For each recommendation without a management decision, please respond and
provide status reports in accordance with HUD Handbook 2000.06, REV-3.
Please furnish us copies of any correspondence or directives issued because of the
audit.
Auditee’s Response
We discussed the report with HUD during the audit and at an exit conference on
February 2, 2010. HUD provided written comments to our draft report on
February 23, 2010. HUD agreed with the finding and recommendations. The
complete text of HUD’s response is in appendix B of this report.
2
TABLE OF CONTENTS
Background and Objective 4
Results of Audit
Finding: HUD’s Philadelphia Homeownership Center Did Not Always Ensure 5
That Required Background Investigations Were Completed for Its Contracted
Employees
Scope and Methodology 10
Internal Controls 11
Appendixes
A. Schedule of Questioned Costs and Funds To Be Put to Better Use 12
B. Auditee Comments 13
C. Schedule of Contractors’ Training Status
19
D. Schedule of Contracts and Related Expenditures
20
3
BACKGROUND AND OBJECTIVE
The U.S. Department of Housing and Urban Development’s (HUD) strategic plan states that part
of its mission is to increase homeownership, support community development, and increase
access to affordable housing free from discrimination. HUD’s overall strategy to advance this
goal is to carefully apply public-sector dollars, whether through mortgage insurance, grants,
loans, or direct subsidies, to leverage the private market and make it easier for low- and
moderate-income Americans to buy and keep their own homes.
The National Housing Act, as amended, established the Federal Housing Administration (FHA),
an organizational unit within HUD. FHA provides insurance for lenders against loss on single-
family home mortgages. FHA insurance helps first-time home buyers and other families who
could have difficulties in obtaining a mortgage by reducing the risk to private lenders.
HUD’s Office of Single Family Housing handles the overall management, policy direction and
administration of all single family insurance programs. Policy development and oversight are
performed in three offices: Program Development, Asset Management, and Lender Activities
and Program Compliance, located in Washington, DC. Program policy is implemented by
HUD’s four Homeownership Centers in Philadelphia, PA; Santa Ana, CA; Atlanta, GA; and
Denver, CO. The Homeownership Centers insure single-family FHA mortgages and oversee the
selling of HUD homes. They implement underwriting and insuring standards; monitor loan
origination and servicing; administer nonprofit/housing counseling grant programs; and provide
training, guidance, and technical assistance to HUD staff and customers.
The Philadelphia Homeownership Center (Center) employs 218 staff members, 79 of whom are
located in its Processing and Underwriting Division. Part of the division’s responsibilities
include overseeing contracted employees that perform data entry, endorsement, and post
endorsement technical review functions associated with FHA loans. The data entry function
primarily involves entries into HUD’s Computerized Homes Underwriting Management System
to reflect the receipt and assignment loan case files submitted to HUD for insurance
endorsement. The endorsement process entails a review to determine whether loan files
submitted for insurance endorsement include all documents required by HUD. The post
endorsement technical review is performed to monitor the quality of lenders’ underwriting and to
identify the degree of risk associated with each loan insured.
HUD contracted with Horizon Consulting, Inc. (Horizon), headquartered in Lansdowne, VA, to
perform data entry, endorsements, and post endorsement technical reviews. The Horizon
employees process all of the Center’s data entry and endorsements and some of its post
endorsement technical reviews. The Center had two government technical representatives that
were responsible for the technical administration of the contracts.
Our audit objective was to determine whether the Center processed FHA loan applications in
accordance with applicable policies and procedures and ensured that required background
investigations were completed for its contracted employees that performed functions associated
with FHA loans.
4
RESULTS OF AUDIT
Finding: HUD’s Philadelphia Homeownership Center Did Not Always
Ensure That Required Background Investigations Were Completed for
Its Contracted Employees
The Center did not ensure that background investigations were completed as required for more
than half its contracted employees that were responsible for processing FHA loan applications
and reviewing approved FHA loan files to monitor the quality of lenders’ underwriting. Also,
more than one-third of the contracted employees had not taken security awareness training
required by HUD’s information technology (IT) security policy. The deficiencies occurred
because the Center lacked controls to ensure that its contracted employees complied with HUD’s
security policies related to employee background investigations and IT security awareness. As a
result, HUD spent more than $5.4 million on services from contracted employees that may not
have been eligible to access its computer systems and other information sources containing
sensitive personally identifiable information.
Minimum Background
Investigations Were Not Always
Completed
HUD entered into separate contracts with Horizon, headquartered in Lansdowne,
VA, to perform data entry, endorsement, and postendorsement technical review
functions associated with FHA loans. There were 29 Horizon employees that
performed these functions for the Center. The breakdown of the employees under
the contracts was as follows: 3 for data entry, 18 for endorsements, and 8 for
postendorsement technical reviews.
Our review of records on the 29 employees indicated that 16, or 55 percent, had
not been through the minimum background investigation required via clauses
incorporated into the contracts. These employees included all of the employees
that performed the data entry and postendorsement technical reviews and 5 of the
18 that performed the endorsements. The employees had access to HUD systems
and other sources of information with personally identifiable information1 on
FHA loan applicants including names, addresses, Social Security numbers, dates
of birth, bank account numbers, credit reports, Internal Revenue Service W-2
1
The term “personally identifiable information” refers to information which can be used to distinguish or trace an
individual’s identity, such as name, Social Security number, biometric records, etc., alone, or when combined with
other personal or identifying information which is linked or linkable to a specific individual, such as date and place
of birth, mother’s maiden name, etc. (Office of Management and Budget Memorandum M-07-16)
5
statements, and tax returns. According to Office of Management and Budget
Memorandum M-07-16, safeguarding personally identifiable information in the
possession of the government and preventing its breach are essential to ensure that
the government retains the trust of the American public.
All three contracts with Horizon contained a clause stating that contracted
employees would be required to have access to HUD systems and that they would
be required to provide personal information and undergo background
investigations before being permitted access to HUD systems in performance of
the contracts. The clause stated that more extensive background investigations
would be required for contracted employees requiring access to mission-critical2
systems or sensitive information contained within HUD systems or applications.
Also, according to HUD’s handbook on personnel security/suitability,3 a
minimum background investigation is required for all contractors working on
behalf of HUD. The minimum investigation includes searches of the Office of
Personnel Management’s Security/Suitability Investigations Index, the Federal
Bureau of Investigation’s arrest and investigation records, and written inquiries
covering specific areas of a person’s background during the most recent 5 years.
As stated above, the contracted employees had access to sensitive personally
identifiable information. The Center’s failure to ensure the suitability of the
employees to access such information could lead to potential abuses of HUD
computer systems and access to sensitive information, which could seriously
compromise data.
Contracted Employees Did Not
Complete Required IT Security
Awareness Training
Based on the requirements of the Federal Information Systems Management Act
(FISMA) as incorporated into HUD’s IT security policy, the Center’s contracted
employees should have taken IT security awareness training annually. FISMA
requires each Federal agency to develop, document, and implement an agency-
wide program to provide information security for the information and information
systems that support the operations and assets of the agency, including those
provided or managed by another agency, contractor, or other source. HUD’s IT
security policy states that basic security awareness training is required at
orientation and annually by the determined date established by the Office of
Management and Budget to meet the FISMA legislation requirement. We
2
HUD defines mission critical systems or functions as “those functions that enable Federal Executive Branch
agencies to provide vital services, exercise civil authority, maintain the safety and well-being of the general public,
and sustain the industrial/economic base during an emergency.”
3
HUD Handbook 732.3, REV-1, paragraphs 3-1B and 4-5B
6
requested training certificates for the 29 Horizon employees to test the Center’s
compliance with the requirement.
Of the 18 Horizon employees performing the endorsements, only one had taken
the required training before our request for the training certificates. Sixteen of the
endorsement employees and all three of the data entry employees took the training
after we requested the training certificates. The employees took the training
between October 9 and October 14, 2009. The remaining endorsement employee
had not taken the training as of the completion of our fieldwork. Also, none of
the eight contracted employees working on the postendorsement technical reviews
was up to date on the training requirement. One employee last took the training
in June 2006, and three employees last took the training in August 2007. For the
remaining four employees, there was no documentation to indicate that they had
ever taken the training. As of the completion of our fieldwork, nine, or one-third,
of the contracted employees had not completed the required annual security
awareness training (see appendix C).
A key objective of an effective IT security program is to ensure that all employees
and contractors understand their roles and responsibilities and are adequately
trained to perform them. HUD cannot protect the confidentiality, integrity, and
availability of its information systems and the information they contain without
the knowledge and active participation of its employees and contractors in the
implementation of sound security principles. To ensure that its contracted
employees understand their roles and responsibilities in protecting IT and related
data, the Center must ensure that its contracted employees take the required
annual security awareness training in accordance with HUD’s IT security policy.
The Center Lacked Controls To
Ensure That It Complied With
Security Policies
The Center lacked controls to ensure that its contracted personnel complied with
HUD’s security policies related to background investigations and IT security
awareness. Although the contracts with Horizon included clauses that indicated
background investigations were required, government technical representatives
(representatives) responsible for administering the contracts were not aware of
contract requirements pertaining to background investigations or that all contracted
employees had not been through the required investigations. The representatives’
duties included ensuring that the contractor established and complied with HUD’s
personnel security requirements. In certain cases, background investigations had
been initiated; however, the initial background information forms submitted were
returned to the employees because they were incomplete. The employees did not
resubmit the forms, and the representatives did not follow up and take action to
ensure that the investigations were completed. They also did not ensure that the
7
contracted employees had completed annual security awareness training as
required.
As stated above, the representatives were responsible for ensuring the contractor’s
compliance with HUD’s personnel security requirements and should have ensured
that the contracted employees had been through the necessary background
investigations and completed the required security awareness training. The Center
needs to develop and implement controls to ensure that the representatives
responsible for administering the contracts are aware of all contract terms and
requirements and ensure that the requirements are enforced.
Conclusion
The Center did not ensure that required background investigations were
completed for all of its contracted employees that were responsible for processing
FHA loan applications and monitoring the quality of lenders’ underwriting. It
also did not ensure that all of the employees had taken IT security awareness
training in accordance with HUD’s IT security policy. These deficiencies
occurred because the Center lacked controls to ensure that its contracted
employees complied with HUD’s security policies related to employee
background investigations and IT security awareness. Horizon breached its
contract with HUD when it did not ensure that all its employees complied with
HUD’s personnel security requirements. Therefore HUD needs to justify more
than $5.4 million (see appendix D) in funds already spent on the related contracts
by providing documentation to show that it has performed the required
background investigations to determine the suitability of the contracted
employees for their duties and responsibilities. HUD also needs to ensure that the
Center implements sufficient controls to prevent approximately $2.2 million from
being spent annually on contracted employees that may not be eligible to access
its computer systems and other information sources containing sensitive
personally identifiable information.
Recommendations
We recommend that the Deputy Assistant Secretary for Single Family Housing
direct the Philadelphia Homeownership Center to
1A. Initiate the minimum required background investigations for its contracted
employees and conduct monthly follow-ups to monitor the status of the
investigations to ensure that HUD security requirements are met and to
justify $5,438,372 awarded for the related contracts. In cases where the
contractor(s) fail to submit the necessary required paperwork, terminate all
8
HUD systems access for the employees within 30 days of the request for
the paperwork.
1B. Develop and implement procedures for tracking the status of background
investigations for its contracted employees and ensure that they are
completed to prevent $2,175,348 from being spent annually on employees
that may not be suitable for their duties.
1C. Ensure that all contracted employees in the Center annually take
mandatory IT security awareness training as described in HUD’s IT
security policy.
1D. Emphasize HUD’s security policies to the Center’s government technical
representatives to ensure that they are aware of their responsibility to
ensure that contracted employees undergo background investigations and
complete IT security awareness training as required.
9
SCOPE AND METHODOLOGY
We performed our audit at HUD’s Philadelphia, PA, Center offices from April through
November 2009. The audit covered the period October 2006 through March 2009; however, we
expanded the scope when necessary to include other periods.
We used computer-processed data only in conjunction with other supporting documents and
information to reach our conclusions and determined that the data were sufficiently reliable for
our purposes.
To accomplish our objective to determine whether the Center processed FHA loan applications
in accordance with applicable policies and procedures and ensured that required background
investigations were completed for its contracted employees that performed functions associated
with FHA loans, we
Analyzed a random sample of five loan case files to determine whether the Center
performed endorsements in accordance with HUD policies and procedures.
Analyzed a random sample of five loan files to determine whether the Center performed
postendorsement technical reviews in accordance with HUD policies and procedures.
Conducted interviews with various division directors and staff in the Center, as well as
contracted employees.
Interviewed key functional managers and/or staff of the Office of Single Family Housing
and the Office of Security and Emergency Planning at HUD headquarters.
Reviewed and analyzed the background check summaries for the Horizon contract
employees that performed data entry, endorsements, and postendorsement technical
reviews for the Center.
Reviewed HUD policies on personnel suitability and IT security; mortgagee letters; and
other applicable HUD policies, procedures, and regulations.
We calculated the funds to be put to better use by dividing the total unsupported costs
($5,438,372) by the number of months (30) in our review period and multiplying the result
(181,279) by 12 months to obtain the potential annual savings ($2,175,348).
We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.
10
INTERNAL CONTROLS
Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following controls are achieved:
Program operations,
Relevance and reliability of information,
Compliance with applicable laws and regulations, and
Safeguarding of assets and resources.
Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. They include the processes and procedures for planning,
organizing, directing, and controlling program operations as well as the systems for measuring,
reporting, and monitoring program performance.
Relevant Internal Controls
We determined that the following internal controls were relevant to our audit
objective:
Program operations – Policies and procedures that management has
implemented to reasonably ensure that a program meets its objectives.
Compliance with laws and regulations – Policies and procedures that
management has implemented to reasonably ensure that resource use is
consistent with laws and regulations.
We assessed the relevant controls identified above.
A significant weakness exists if management controls do not provide reasonable
assurance that the process for planning, organizing, directing, and controlling
program operations will meet the organization’s objectives.
Significant Weaknesses
Based on our review, we believe that the following item is a significant weakness:
The Center lacked controls to ensure that its contracted personnel
complied with HUD’s security policies related to employee background
investigations and IT security awareness.
11
APPENDIXES
Appendix A
SCHEDULE OF QUESTIONED COSTS
AND FUNDS TO BE PUT TO BETTER USE
Recommendation Unsupported 1/ Funds to be put
number to better use 2/
1A $5,438,372
1B $2,175,348
1/ Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
or activity when we cannot determine eligibility at the time of the audit. Unsupported
costs require a decision by HUD program officials. This decision, in addition to
obtaining supporting documentation, might involve a legal interpretation or clarification
of departmental policies and procedures.
2/ Recommendations that funds be put to better use are estimates of amounts that could be
used more efficiently if an Office of Inspector General (OIG) recommendation is
implemented. These amounts include reductions in outlays, deobligation of funds,
withdrawal of interest, costs not incurred by implementing recommended improvements,
avoidance of unnecessary expenditures noted in preaward reviews, and any other savings
that are specifically identified. In this instance, if HUD implements our recommendation,
it will cease to incur contract costs for contractors that have not been determined to be
suitable for their duties and, instead, will expend those funds for contracts that meet
HUD’s standards, thereby putting approximately $2.2 million in funds to better use.
Once HUD successfully implements our recommendation, this will be a recurring benefit.
Our estimate reflects only the initial year of this benefit.
12
Appendix B
AUDITEE COMMENTS
13
14
15
16
17
18
Appendix C
SCHEDULE OF CONTRACTORS’ TRAINING STATUS
Completed IT Completed IT Remaining
Number of training before training after OIG employees
Contract
employees OIG request for request for lacking
certificates certificates training
Data entry 3 0 3 0
Endorsements 18 1 16 1
Postendorsement
technical reviews 8 0 0 8
Summary 29 1 19 9
19
Appendix D
SCHEDULE OF CONTRACTS AND RELATED
EXPENDITURES
Contract number Contract description Amount expended*
C-PHI-00974 Data entry $ 480,698
C-PHI-00943
C-CHI-00949 Endorsements 3,736,848
C-PHI-00973
C-CHI-01018 Postendorsement technical reviews 1,220,826
$5,438,372
* These amounts include the base contracts and related modifications with terms ranging
between September 2006 and September 2009.
20
HUD's Philadelphia, PA, Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees
Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-02-26.
Below is a raw (and likely hideous) rendition of the original report. (PDF)