
HUD's Philadelphia, PA, Homeownership Center Did Not Always Ensure That Required Background Investigations Were Completed for Its Contracted Employees

Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-02-26.


Issue Date: February 26, 2010
Audit Report Number: 2010-PH-0001




TO:        Vicki B. Bott, Deputy Assistant Secretary for Single Family Housing, HU
           //signed//
FROM:      John P. Buck, Regional Inspector General for Audit, Philadelphia Region,
             3AGA

SUBJECT:   HUD’s Philadelphia, PA, Homeownership Center Did Not Always Ensure
            That Required Background Investigations Were Completed for Its Contracted
            Employees



                                  HIGHLIGHTS

 What We Audited and Why

           In accordance with our annual audit plan and due to concerns regarding the U.S.
           Department of Housing and Urban Development’s (HUD) capacity to handle the
           increasing demand for loans insured by the Federal Housing Administration
           (FHA), we initiated an audit of HUD’s Philadelphia, PA, Homeownership Center
           (Center). This is the first of two audit reports that we plan to issue on the Center’s
           capacity to process current demand for FHA loans. The audit objective addressed
           in this report was to determine whether the Center processed FHA loan
           applications in accordance with applicable policies and procedures and ensured
           that required background investigations were completed for its contracted
           employees that performed functions associated with FHA loans.

 What We Found

           The Center generally processed FHA loans in accordance with applicable policies
           and procedures. However, it did not always ensure that required background
           investigations were completed for its contracted employees that were responsible
           for processing FHA loan applications and monitoring the quality of lenders’
           underwriting. The Center had 29 contracted employees that were responsible for
           performing functions associated with FHA loans. Of the 29 contracted
           employees, 16, or 55 percent, had not been through minimum background
           investigations required by contract clauses and HUD’s policies on personnel
           security/suitability. HUD spent more than $5.4 million on services from
           contracted employees that may not have been eligible to access its computer
           systems and other information sources containing sensitive personally identifiable
           information.

What We Recommend

           We recommend that the Deputy Assistant Secretary for Single Family Housing
           direct the Center to (1) initiate and follow up on the required minimum
           background investigations for its contracted employees that have not been
           investigated to justify more than $5.4 million spent on the related contracts and
           (2) develop and implement controls to ensure that its contracted employees
           comply with contract terms and applicable HUD security policies.

           For each recommendation without a management decision, please respond and
           provide status reports in accordance with HUD Handbook 2000.06, REV-3.
           Please furnish us copies of any correspondence or directives issued because of the
           audit.

Auditee’s Response

           We discussed the report with HUD during the audit and at an exit conference on
           February 2, 2010. HUD provided written comments to our draft report on
           February 23, 2010. HUD agreed with the finding and recommendations. The
           complete text of HUD’s response is in appendix B of this report.




                             TABLE OF CONTENTS

Background and Objective

Results of Audit
        Finding: HUD’s Philadelphia Homeownership Center Did Not Always Ensure
          That Required Background Investigations Were Completed for Its Contracted
          Employees

Scope and Methodology

Internal Controls

Appendixes
   A.   Schedule of Questioned Costs and Funds To Be Put to Better Use
   B.   Auditee Comments
   C.   Schedule of Contractors’ Training Status
   D.   Schedule of Contracts and Related Expenditures




                      BACKGROUND AND OBJECTIVE

The U.S. Department of Housing and Urban Development’s (HUD) strategic plan states that part
of its mission is to increase homeownership, support community development, and increase
access to affordable housing free from discrimination. HUD’s overall strategy to advance this
goal is to carefully apply public-sector dollars, whether through mortgage insurance, grants,
loans, or direct subsidies, to leverage the private market and make it easier for low- and
moderate-income Americans to buy and keep their own homes.

The National Housing Act, as amended, established the Federal Housing Administration (FHA),
an organizational unit within HUD. FHA provides insurance for lenders against loss on single-
family home mortgages. FHA insurance helps first-time home buyers and other families who
could have difficulties in obtaining a mortgage by reducing the risk to private lenders.

HUD’s Office of Single Family Housing handles the overall management, policy direction and
administration of all single family insurance programs. Policy development and oversight are
performed in three offices: Program Development, Asset Management, and Lender Activities
and Program Compliance, located in Washington, DC. Program policy is implemented by
HUD’s four Homeownership Centers in Philadelphia, PA; Santa Ana, CA; Atlanta, GA; and
Denver, CO. The Homeownership Centers insure single-family FHA mortgages and oversee the
selling of HUD homes. They implement underwriting and insuring standards; monitor loan
origination and servicing; administer nonprofit/housing counseling grant programs; and provide
training, guidance, and technical assistance to HUD staff and customers.

The Philadelphia Homeownership Center (Center) employs 218 staff members, 79 of whom are
located in its Processing and Underwriting Division. Part of the division’s responsibilities
includes overseeing contracted employees that perform data entry, endorsement, and post
endorsement technical review functions associated with FHA loans. The data entry function
primarily involves entries into HUD’s Computerized Homes Underwriting Management System
to reflect the receipt and assignment of loan case files submitted to HUD for insurance
endorsement. The endorsement process entails a review to determine whether loan files
submitted for insurance endorsement include all documents required by HUD. The post
endorsement technical review is performed to monitor the quality of lenders’ underwriting and to
identify the degree of risk associated with each loan insured.

HUD contracted with Horizon Consulting, Inc. (Horizon), headquartered in Lansdowne, VA, to
perform data entry, endorsements, and post endorsement technical reviews. The Horizon
employees process all of the Center’s data entry and endorsements and some of its post
endorsement technical reviews. The Center had two government technical representatives that
were responsible for the technical administration of the contracts.

Our audit objective was to determine whether the Center processed FHA loan applications in
accordance with applicable policies and procedures and ensured that required background
investigations were completed for its contracted employees that performed functions associated
with FHA loans.

                                        RESULTS OF AUDIT

Finding: HUD’s Philadelphia Homeownership Center Did Not Always
Ensure That Required Background Investigations Were Completed for
Its Contracted Employees
The Center did not ensure that background investigations were completed as required for more
than half its contracted employees that were responsible for processing FHA loan applications
and reviewing approved FHA loan files to monitor the quality of lenders’ underwriting. Also,
more than one-third of the contracted employees had not taken security awareness training
required by HUD’s information technology (IT) security policy. The deficiencies occurred
because the Center lacked controls to ensure that its contracted employees complied with HUD’s
security policies related to employee background investigations and IT security awareness. As a
result, HUD spent more than $5.4 million on services from contracted employees that may not
have been eligible to access its computer systems and other information sources containing
sensitive personally identifiable information.




    Minimum Background Investigations Were Not Always Completed


                  HUD entered into separate contracts with Horizon, headquartered in Lansdowne,
                  VA, to perform data entry, endorsement, and postendorsement technical review
                  functions associated with FHA loans. There were 29 Horizon employees that
                  performed these functions for the Center. The breakdown of the employees under
                  the contracts was as follows: 3 for data entry, 18 for endorsements, and 8 for
                  postendorsement technical reviews.

                  Our review of records on the 29 employees indicated that 16, or 55 percent, had
                  not been through the minimum background investigation required via clauses
                  incorporated into the contracts. These employees included all of the employees
                  that performed the data entry and postendorsement technical reviews and 5 of the
                  18 that performed the endorsements. The employees had access to HUD systems
                  and other sources of information with personally identifiable information [1] on
                  FHA loan applicants including names, addresses, Social Security numbers, dates
                  of birth, bank account numbers, credit reports, Internal Revenue Service W-2
                  statements, and tax returns. According to Office of Management and Budget
                  Memorandum M-07-16, safeguarding personally identifiable information in the
                  possession of the government and preventing its breach are essential to ensure that
                  the government retains the trust of the American public.

[1] The term “personally identifiable information” refers to information which can be used to distinguish or trace an
individual’s identity, such as name, Social Security number, biometric records, etc., alone, or when combined with
other personal or identifying information which is linked or linkable to a specific individual, such as date and place
of birth, mother’s maiden name, etc. (Office of Management and Budget Memorandum M-07-16)

                  All three contracts with Horizon contained a clause stating that contracted
                  employees would be required to have access to HUD systems and that they would
                  be required to provide personal information and undergo background
                  investigations before being permitted access to HUD systems in performance of
                  the contracts. The clause stated that more extensive background investigations
                  would be required for contracted employees requiring access to mission-critical [2]
                  systems or sensitive information contained within HUD systems or applications.
                  Also, according to HUD’s handbook on personnel security/suitability, [3] a
                  minimum background investigation is required for all contractors working on
                  behalf of HUD. The minimum investigation includes searches of the Office of
                  Personnel Management’s Security/Suitability Investigations Index, the Federal
                  Bureau of Investigation’s arrest and investigation records, and written inquiries
                  covering specific areas of a person’s background during the most recent 5 years.

                  As stated above, the contracted employees had access to sensitive personally
                  identifiable information. The Center’s failure to ensure the suitability of the
                  employees to access such information could lead to potential abuses of HUD
                  computer systems and access to sensitive information, which could seriously
                  compromise data.

    Contracted Employees Did Not Complete Required IT Security Awareness Training


                  Based on the requirements of the Federal Information Systems Management Act
                  (FISMA) as incorporated into HUD’s IT security policy, the Center’s contracted
                  employees should have taken IT security awareness training annually. FISMA
                  requires each Federal agency to develop, document, and implement an agency-
                  wide program to provide information security for the information and information
                  systems that support the operations and assets of the agency, including those
                  provided or managed by another agency, contractor, or other source. HUD’s IT
                  security policy states that basic security awareness training is required at
                  orientation and annually by the determined date established by the Office of
                  Management and Budget to meet the FISMA legislation requirement. We
                  requested training certificates for the 29 Horizon employees to test the Center’s
                  compliance with the requirement.

[2] HUD defines mission critical systems or functions as “those functions that enable Federal Executive Branch
agencies to provide vital services, exercise civil authority, maintain the safety and well-being of the general public,
and sustain the industrial/economic base during an emergency.”
[3] HUD Handbook 732.3, REV-1, paragraphs 3-1B and 4-5B

           Of the 18 Horizon employees performing the endorsements, only one had taken
           the required training before our request for the training certificates. Sixteen of the
           endorsement employees and all three of the data entry employees took the training
           after we requested the training certificates. The employees took the training
           between October 9 and October 14, 2009. The remaining endorsement employee
           had not taken the training as of the completion of our fieldwork. Also, none of
           the eight contracted employees working on the postendorsement technical reviews
           was up to date on the training requirement. One employee last took the training
           in June 2006, and three employees last took the training in August 2007. For the
           remaining four employees, there was no documentation to indicate that they had
           ever taken the training. As of the completion of our fieldwork, nine, or one-third,
           of the contracted employees had not completed the required annual security
           awareness training (see appendix C).

           A key objective of an effective IT security program is to ensure that all employees
           and contractors understand their roles and responsibilities and are adequately
           trained to perform them. HUD cannot protect the confidentiality, integrity, and
           availability of its information systems and the information they contain without
           the knowledge and active participation of its employees and contractors in the
           implementation of sound security principles. To ensure that its contracted
           employees understand their roles and responsibilities in protecting IT and related
           data, the Center must ensure that its contracted employees take the required
           annual security awareness training in accordance with HUD’s IT security policy.

The Center Lacked Controls To Ensure That It Complied With Security Policies


          The Center lacked controls to ensure that its contracted personnel complied with
          HUD’s security policies related to background investigations and IT security
          awareness. Although the contracts with Horizon included clauses that indicated
          background investigations were required, government technical representatives
          (representatives) responsible for administering the contracts were not aware of
          contract requirements pertaining to background investigations or that all contracted
          employees had not been through the required investigations. The representatives’
          duties included ensuring that the contractor established and complied with HUD’s
          personnel security requirements. In certain cases, background investigations had
          been initiated; however, the initial background information forms submitted were
          returned to the employees because they were incomplete. The employees did not
          resubmit the forms, and the representatives did not follow up and take action to
          ensure that the investigations were completed. They also did not ensure that the
          contracted employees had completed annual security awareness training as
          required.

             As stated above, the representatives were responsible for ensuring the contractor’s
             compliance with HUD’s personnel security requirements and should have ensured
             that the contracted employees had been through the necessary background
             investigations and completed the required security awareness training. The Center
             needs to develop and implement controls to ensure that the representatives
             responsible for administering the contracts are aware of all contract terms and
             requirements and ensure that the requirements are enforced.

Conclusion


             The Center did not ensure that required background investigations were
             completed for all of its contracted employees that were responsible for processing
             FHA loan applications and monitoring the quality of lenders’ underwriting. It
             also did not ensure that all of the employees had taken IT security awareness
             training in accordance with HUD’s IT security policy. These deficiencies
             occurred because the Center lacked controls to ensure that its contracted
             employees complied with HUD’s security policies related to employee
             background investigations and IT security awareness. Horizon breached its
             contract with HUD when it did not ensure that all its employees complied with
             HUD’s personnel security requirements. Therefore HUD needs to justify more
             than $5.4 million (see appendix D) in funds already spent on the related contracts
             by providing documentation to show that it has performed the required
             background investigations to determine the suitability of the contracted
             employees for their duties and responsibilities. HUD also needs to ensure that the
             Center implements sufficient controls to prevent approximately $2.2 million from
             being spent annually on contracted employees that may not be eligible to access
             its computer systems and other information sources containing sensitive
             personally identifiable information.

Recommendations



             We recommend that the Deputy Assistant Secretary for Single Family Housing
             direct the Philadelphia Homeownership Center to

             1A.     Initiate the minimum required background investigations for its contracted
                     employees and conduct monthly follow-ups to monitor the status of the
                     investigations to ensure that HUD security requirements are met and to
                     justify $5,438,372 awarded for the related contracts. In cases where the
                     contractor(s) fail to submit the necessary required paperwork, terminate all
                     HUD systems access for the employees within 30 days of the request for
                     the paperwork.

             1B.     Develop and implement procedures for tracking the status of background
                     investigations for its contracted employees and ensure that they are
                     completed to prevent $2,175,348 from being spent annually on employees
                     that may not be suitable for their duties.

             1C.     Ensure that all contracted employees in the Center annually take
                     mandatory IT security awareness training as described in HUD’s IT
                     security policy.

             1D.     Emphasize HUD’s security policies to the Center’s government technical
                     representatives to ensure that they are aware of their responsibility to
                     ensure that contracted employees undergo background investigations and
                     complete IT security awareness training as required.




                         SCOPE AND METHODOLOGY

We performed our audit at HUD’s Philadelphia, PA, Center offices from April through
November 2009. The audit covered the period October 2006 through March 2009; however, we
expanded the scope when necessary to include other periods.

We used computer-processed data only in conjunction with other supporting documents and
information to reach our conclusions and determined that the data were sufficiently reliable for
our purposes.

To accomplish our objective to determine whether the Center processed FHA loan applications
in accordance with applicable policies and procedures and ensured that required background
investigations were completed for its contracted employees that performed functions associated
with FHA loans, we

       Analyzed a random sample of five loan case files to determine whether the Center
       performed endorsements in accordance with HUD policies and procedures.

       Analyzed a random sample of five loan files to determine whether the Center performed
       postendorsement technical reviews in accordance with HUD policies and procedures.

       Conducted interviews with various division directors and staff in the Center, as well as
       contracted employees.

       Interviewed key functional managers and/or staff of the Office of Single Family Housing
       and the Office of Security and Emergency Planning at HUD headquarters.

       Reviewed and analyzed the background check summaries for the Horizon contract
       employees that performed data entry, endorsements, and postendorsement technical
       reviews for the Center.

       Reviewed HUD policies on personnel suitability and IT security; mortgagee letters; and
       other applicable HUD policies, procedures, and regulations.

We calculated the funds to be put to better use by dividing the total unsupported costs
($5,438,372) by the number of months (30) in our review period and multiplying the result
(181,279) by 12 months to obtain the potential annual savings ($2,175,348).

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.



                              INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following controls are achieved:

       Program operations,
       Relevance and reliability of information,
       Compliance with applicable laws and regulations, and
       Safeguarding of assets and resources.

Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. They include the processes and procedures for planning,
organizing, directing, and controlling program operations as well as the systems for measuring,
reporting, and monitoring program performance.



 Relevant Internal Controls


              We determined that the following internal controls were relevant to our audit
              objective:

                      Program operations – Policies and procedures that management has
                      implemented to reasonably ensure that a program meets its objectives.

                      Compliance with laws and regulations – Policies and procedures that
                      management has implemented to reasonably ensure that resource use is
                      consistent with laws and regulations.

              We assessed the relevant controls identified above.

              A significant weakness exists if management controls do not provide reasonable
              assurance that the process for planning, organizing, directing, and controlling
              program operations will meet the organization’s objectives.


 Significant Weaknesses


              Based on our review, we believe that the following item is a significant weakness:

                      The Center lacked controls to ensure that its contracted personnel
                      complied with HUD’s security policies related to employee background
                      investigations and IT security awareness.

                                   APPENDIXES

Appendix A
              SCHEDULE OF QUESTIONED COSTS
             AND FUNDS TO BE PUT TO BETTER USE


Recommendation number      Unsupported 1/      Funds to be put to better use 2/
1A                         $5,438,372
1B                                             $2,175,348

1/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
     or activity when we cannot determine eligibility at the time of the audit. Unsupported
     costs require a decision by HUD program officials. This decision, in addition to
     obtaining supporting documentation, might involve a legal interpretation or clarification
     of departmental policies and procedures.

2/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an Office of Inspector General (OIG) recommendation is
     implemented. These amounts include reductions in outlays, deobligation of funds,
     withdrawal of interest, costs not incurred by implementing recommended improvements,
     avoidance of unnecessary expenditures noted in preaward reviews, and any other savings
     that are specifically identified. In this instance, if HUD implements our recommendation,
     it will cease to incur contract costs for contractors that have not been determined to be
     suitable for their duties and, instead, will expend those funds for contracts that meet
     HUD’s standards, thereby putting approximately $2.2 million in funds to better use.
     Once HUD successfully implements our recommendation, this will be a recurring benefit.
     Our estimate reflects only the initial year of this benefit.




Appendix B

             AUDITEE COMMENTS




Appendix C

     SCHEDULE OF CONTRACTORS’ TRAINING STATUS


Contract                            Number of   Completed IT training    Completed IT training   Remaining employees
                                    employees   before OIG request for   after OIG request for   lacking training
                                                certificates             certificates
Data entry                              3                 0                        3                      0
Endorsements                           18                 1                       16                      1
Postendorsement technical reviews       8                 0                        0                      8

Summary                                29                 1                       19                      9




Appendix D

             SCHEDULE OF CONTRACTS AND RELATED
                       EXPENDITURES


Contract number              Contract description             Amount expended*

C-PHI-00974           Data entry                                $     480,698
C-PHI-00943
C-CHI-00949           Endorsements                                   3,736,848
C-PHI-00973
C-CHI-01018           Postendorsement technical reviews              1,220,826
                                                                    $5,438,372

* These amounts include the base contracts and related modifications with terms ranging
between September 2006 and September 2009.



