oversight

Financial management systems compliance with OMB Circular A-127

Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-12-03.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                Issue Date
                                                                     December 3, 2010
                                                                Audit Report Number
                                                                     2011-DP-0003




TO:        Douglas A. Criscitello, Chief Financial Officer, F

             //s//
FROM:      Hanh Do, Director, Information Systems Audits Division, GAA

SUBJECT: HUD Did Not Fully Comply With the Requirements of OMB Circular A-127


                                   HIGHLIGHTS

 What We Audited and Why

            We audited the U.S. Department of Housing and Urban Development’s (HUD)
            ability to comply with the requirements of Office of Management and Budget
            (OMB) Circular A-127, which was revised in January 2009 and became effective
            on October 1, 2009. We conducted the audit as a component of the audit of
            HUD’s consolidated financial statements for fiscal year 2010 under the Chief
            Financial Officer’s Act of 1990.


 What We Found


            HUD did not fully comply with the requirements of OMB Circular A-127.
            Specifically, HUD had not (1) initiated plans to review financial management
            systems for compliance with computer security and internal control guidelines;
            and (2) accurately identified HUD’s financial management systems within its
            financial system inventory listing. Additionally, although progress has been
            made, we continue to have concerns regarding HUD’s integrated core financial
            system.
What We Recommend


           We recommend that the Office of the Chief Financial Officer take appropriate
           steps to move into compliance with the requirements of OMB Circular A-127.

           For each recommendation without a management decision, please respond and
           provide status reports in accordance with HUD Handbook 2000.06, REV-3.
           Please furnish us copies of any correspondence or directives issued because of the
           audit.


Auditee’s Response


           The draft audit report was issued on October 19, 2010, and written comments
           were requested by October 26, 2010. We received written comments dated
           October 28, 2010. The addressee generally agreed with the recommendations in
           our report.

           The complete text of the auditee’s response, along with our evaluation of that
           response, can be found in appendix A of this report.




                                            2
                        TABLE OF CONTENTS

Background and Objective                                            4

Results of Audit

      Finding 1: HUD Did Not Fully Comply With OMB Circular A-127   6
      Requirements

      Finding 2: Concerns Remain Regarding HUD’s Integrated Core    11
      Financial System

Scope and Methodology                                               17

Internal Controls                                                   18

Follow-up on Prior Audits                                           19

Appendixes

      A. Auditee Comments and OIG’s Evaluation                      20




                                     3
                           BACKGROUND AND OBJECTIVE

Office of Management and Budget (OMB) Circular A-127 prescribes policies and standards for
executive departments and agencies to follow concerning their financial management systems.
Circular A-127 was issued in 1984 and revised periodically to update policies and procedures,
remove outdated information, and provide clarification as needed. The most recent revision to
Circular A-127 was issued in January 2009 and became effective October 1, 2009. The revisions
were intended to provide greater consistency in determining Federal Financial Management
Improvement Act of 1996 (FFMIA) compliance and further strengthen financial management.
OMB pointed out that the revised circular should be used for financial reports and audits for
fiscal year 2010 and thereafter. Early implementation was encouraged.

The January 2009 revision of Circular A-127 incorporated new requirements for agencies to use
financial management shared service providers to implement and maintain their core financial
systems. Additionally, agencies were required to use certified configurations for their core
financial systems and adopt standard government business processes established by the Financial
Systems Integration Office 1 (FSIO). Further, pursuant to FFMIA, 2 the circular now includes and
clarifies the guidance for reporting substantial compliance with FFMIA. While the revised
circular introduced these new requirements, it did not eliminate requirements pertaining to
computer security, 3 internal controls, 4 and maintaining financial management system plans and
an agency wide inventory of financial management systems. Within HUD, the Office of the
Chief Financial Officer (OCFO) is responsible for ensuring compliance with OMB Circular A-
127.

HUD has three separate program areas with financial information that must be consolidated to
produce financial statements that reflect its financial condition. These three areas, (1) the
Federal Housing Administration (FHA), (2) the Government National Mortgage Association
(Ginnie Mae), and (3) the remaining HUD program areas summarized by the OCFO (i.e., Public
and Indian Housing (PIH) and Community Planning and Development (CPD)), each use separate
financial applications to accomplish the required financial functions.

For several years, we have reported a significant deficiency in the consolidated financial
statement audit report regarding HUD’s lack of full compliance with Federal financial
management system requirements. To address this deficiency, HUD initiated the HUD

1
  The Financial Systems Integration Office (FSIO), within the General Services Administration, was formerly
known as the Joint Financial Management Improvement Program (JFMIP) staff office. FSIO’s major areas of
responsibility included requirements development, testing and product certification for core financial systems.
2
 FFMIA is intended to advance Federal financial management by ensuring that Federal financial management
systems can routinely provide reliable financial information uniformly across the Federal Government following
professionally accepted accounting.
3
 Security controls requirements are defined by the Federal Information Security Management Act and Circular A-
130 and/or successor documents.
4
  Internal controls requirements are the internal control objectives of Circular A-123, which ensure that resource use
is consistent with laws, regulations, and policies; resources are safeguarded against waste, loss, and misuse; and
reliable data are obtained, maintained, and disclosed in reports.


                                                          4
Integrated Financial Management Improvement Project (HIFMIP) to move to an integrated core
financial system (ICFS). HIFMIP was initially intended to replace the five financial applications
that currently perform the core financial functions (collecting, processing, maintaining,
transmitting, and reporting data regarding financial events) with one integrated financial system
solution. HUD expected that HIFMIP would:

    •   Provide direct access to standardized, accurate, timely information;
    •   Reduce the number of systems;
    •   Provide efficient reporting and fiscal year end closings; and
    •   Provide efficient programmatic data for budget formulation.

The base period of performance for the HIFMIP contract was planned to last 18 months. Plans
also called for eight 12- month options and one six month option. However, due to multiple
protests and changes in requirements by OMB, a contract for HIFMIP was not awarded until
September 2010.

This audit was performed as a component of our annual consolidated financial statements audit
for fiscal year 2010 under the Chief Financial Officer’s Act of 1990 5. Our overall objective was
to evaluate HUD’s compliance with the requirements of OMB Circular A-127, which was
revised in January 2009 and became effective October 1, 2009.




5
  The CFO Act requires that annual financial statements be prepared and audited for each CFO Act agency covering
all accounts and associated activities of each office, bureau, and activity of the agency. The CFO Act also requires
that the financial statements prepared pursuant to the act be audited in accordance with applicable generally
accepted government auditing standards.


                                                         5
                                      RESULTS OF AUDIT

Finding 1: HUD Did Not Fully Comply With OMB Circular A-127
Requirements
HUD did not fully comply with all requirements specified in OMB Circular A-127. Specifically,
HUD had not (1) initiated plans to review financial management systems for compliance with
computer security and internal control guidelines; and (2) accurately identified HUD’s financial
management systems within its financial system inventory listing. Changes in requirements by
OMB led HUD to change its position regarding its financial management systems. By not
meeting the financial system requirements of OMB Circular A-127, HUD could not be assured
that its financial management systems were reasonably secured and met Federal internal control
requirements. This increases the risk that the annual financial statements would not be
effectively and reliably produced.



    HUD Did Not Perform
    Required Reviews of Its
    Financial Management Systems



                 Both the older and revised versions of OMB Circular A-127 require that financial
                 management systems 6 be reviewed for compliance with Federal computer
                 security and internal control requirements. Before FY 2005, HUD used
                 contractors to perform the Circular A-127 reviews of its financial management
                 systems. During FY 2005, HUD conducted an A-76 streamlined competition 7 to
                 determine whether it was more cost efficient to perform A-127 compliance
                 reviews with government staff resources. In 2006, HUD won the right to perform
                 the A-127 compliance reviews. Since then, however, HUD had not performed the
                 required number of A-127 compliance reviews. The HUD Office of Inspector
                 General (OIG) reported this condition in its FY 2008 financial statement audit
                 report. 8 HUD had not taken corrective action to address this weakness and ensure
6
 A financial management system includes the core financial systems and the financial portions of mixed systems
necessary to support financial management, including automated and manual processes, procedures, and controls,
data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions.
Examples of financial management systems include: core financial systems, procurement systems, loan systems,
grants systems, payroll systems, budget formulation systems, billing systems, and travel systems.
7
 The A-76 streamlined competition allows an agency to perform a cost-based public vs. private competition to
determine whether a commercial activity should be performed by government personnel when the number of
personnel required to complete the task is fewer than 65. The purpose of the competition is to ensure that the
American people receive maximum value for their tax dollars.
8
 OIG Audit Report number 2009-FO-0003, “Additional Details to Supplement Our Report on HUD’s Fiscal Years
2008 and 2007 Financial Statements,” issued November 14, 2008.


                                                         6
             that A-127 compliance reviews were conducted. HUD’s policy was to complete
             Circular A-127 compliance reviews of all of its financial systems within a 3-year
             cycle. The tables below identify the number of Circular A-127 compliance
             reviews required and completed since FY 2007 and when HUD’s core financial
             systems were last reviewed.


                                                              Total Number of Number of A-127
                               Number of A-127                   Financial    Reviews Required
                             Reviews Completed by              Management      to Meet 3 year
     Fiscal Year
                                the OCFO Risk                Systems in HUD’s  Requirement to
                             Management Division             Financial System    Review all
                                                                 Inventory        Systems *
2007                                      2                          42              14
2008                                      2                          42              14
2009                                      3                          40              13
2010 (through March
                                          1                            40                       13
2010)
Totals                                    8                                                     54
               Table 1 - Number of Circular A-127 compliance reviews completed/required
                * Calculated as one-third of the financial management systems inventory



          Core Financial Application                     Date of Last OMB Circular A-127 Review
HUD’s Centralized Accounting and Program
                                                                         October 2003
System (HUDCAPS)
Line of Credit Control System (LOCCS)                                     July 2005
Program Accounting System (PAS)                                           July 2005
Hyperion                                                                 October 2003
Financial Data Mart                                                      Not reviewed
         Table 2 – Date of last Circular A-127 compliance review for HUD’s core financial systems



             As shown in Table 1, only eight A-127 reviews were completed since 2007.
             Table 2 points out that of the financial applications performing HUD’s core
             financial functions, two have not been reviewed for compliance with computer
             security and internal controls within the last seven years, two have not been
             reviewed within the last five years, and one application was never assessed.
              OCFO no longer intends to assess all of HUD’s financial management systems
             for compliance with computer security and internal control requirements as stated
             in OMB Circular A-127. Instead, OCFO plans to perform a self-assessment on
             the HUDCAPS application and rely on the results of the OMB Circular A-123




                                                    7
                  compliance reviews 9 and the annual Federal Information Security Management
                  Act (FISMA) review. Circular A-127 points out that agencies can leverage the
                  results of the A-123 and FISMA reviews. However, the circular does not indicate
                  that those reviews alone are sufficient to meet the A-127 review requirement.
                  Neither the annual FISMA review nor the A-123 reviews adequately verify
                  compliance with computer security and internal controls for all of HUD’s
                  financial management applications.

                  OCFO officials stated that the evaluation of internal controls is not just an
                  evaluation through one review; it is based on a series of ongoing actions, activities
                  and events that occur throughout HUD’s operations. The OIG agrees with this
                  assessment and believes that this should include HUDCAPS as well as other
                  financial management systems. OIG has reported for the last several years a
                  significant deficiency on HUD’s computing environment. OIG consistently
                  identifies weaknesses in computer security controls over HUD’s systems, and
                  these weaknesses are typically not identified during A-123 and FISMA reviews.

                  OMB Circular A-127, section 8, part E, states that agencies should perform an
                  annual review of their financial management systems to verify compliance with
                  computer security and internal controls. The circular suggests that agencies
                  leverage the results of related reviews such as those required by FISMA and
                  Circular A-123. Additionally, the circular states that agencies not using the latest
                  version of a FSIO-certified system 10 may be required to perform self-assessments
                  of their core financial system.

                  OCFO officials stated that they were unable to find individuals with the necessary
                  knowledge, skills, and abilities to perform the A-127 reviews. However, a
                  contractor was not hired to perform the required reviews. Further, OCFO officials
                  interpreted the term “leverage” in the revised Circular A-127 criteria as
                  permission to rely on the FISMA and Circular A-123 reviews. OMB Circular A-
                  123 reviews do not cover all the financial management systems. The OMB
                  Circular A-127 statement, “Agencies that do not use the latest version of the FSIO
                  certified system may be required to perform self assessments of their core
                  financial system,” was interpreted to mean that only the core financial system
                  needed to be reviewed. OCFO referred to HUDCAPS as its core financial
                  system, and stated that it planned to perform a self assessment this system.
                  However, there are five financial management systems (HUDCAPS, LOCCS,
                  PAS, Hyperion, and the Financial Data Mart) that perform the key functions of a
                  core financial management system. Because OCFO did not consider LOCCS,
                  PAS, Hyperion and the Financial Data Mart to be core financial systems, it did
                  not plan to perform self assessments for these systems.

9
  Circular A-123 compliance reviews ensure that resource use is consistent with laws, regulations, and policies;
resources are safeguarded against waste, loss, and misuse; and reliable data are obtained, maintained, and disclosed
in reports.
10
  A FSIO-certified system refers to the OMB Circular A-127 requirement that agencies use a core financial system
that is a COTS system that has been certified by FSIO as meeting the core financial system requirements.


                                                          8
           HUD’s financial management systems process billions of dollars in housing
           transactions. By not performing annual reviews of its financial management
           systems to verify compliance with computer security and internal controls, HUD
           increased its risk that monetary resources, such as payments and collections,
           could be lost or stolen. Since at least 2007, OCFO has not completed a full cycle
           of A-127 reviews, so the true security and internal control status of HUD’s
           financial systems is not known. As previously mentioned, HUD OIG reported
           this issue in its FY 2008 financial statement audit report, but corrective action had
           not been taken. Consequently, we are not including a new recommendation in
           this report for this ongoing issue.


Financial Data Mart Was Not
Classified as a Financial
Management System


           OCFO did not include the Financial Data Mart in its inventory of financial
           management systems and did not classify it as a financial management system
           although it meets OMB Circular A-127’s definition of a financial system. The
           Financial Data Mart is a database application used by HUD for financial reporting
           and to transfer data between HUDCAPS and Hyperion to produce HUD’s
           consolidated financial statements. Based upon the current data transfer process,
           HUD’s consolidated financial statements cannot be produced without the
           Financial Data Mart.

           OMB Circular A-127, section 9, part a, item 3, requires agencies to develop and
           maintain an agency wide inventory of their existing and proposed financial
           management systems and to provide FSIO with an annual inventory of their
           financial management systems.

           Section 5 of the circular defines a financial system as an information system that
           may perform all of the financial functions, including general ledger management,
           funds management, payment management, receivable management, and cost
           management. It is also known as the system of record that maintains all
           transactions resulting from financial events. It may be integrated through a
           common database or interfaced electronically to meet defined data and processing
           requirements. The core financial system is specifically used for collecting,
           processing, maintaining, transmitting, and reporting data regarding financial
           events. Other uses include supporting financial planning, budgeting activities,
           and preparing financial statements. Any data transfers to the core financial
           system must be traceable to the transaction source, posted to the core financial
           system in accordance with applicable guidance from the Federal Accounting




                                             9
                  Standards Advisory Board 11 (FASAB), and configured in the data format of the
                  core financial system.

                  OCFO did not consider the Financial Data Mart to be a financial management
                  system. After our specific inquiries regarding the rationale for this decision,
                  OCFO reversed its longstanding position and decided that the Financial Data Mart
                  was a financial management system.

                  Because the Financial Data Mart was not included in HUD’s inventory of
                  financial management systems or classified as a financial management system, it
                  was not assessed for compliance with computer security and internal controls as
                  required by OMB Circular A-127, and inaccurate information regarding HUD’s
                  financial systems was provided to the Government Accountability Office (GAO),
                  OMB, and FSIO. Further, financial management system inventory listings
                  developed and maintained by OCFO were inaccurate.


     Conclusion


                  HUD did not fully comply with the requirements of OMB Circular A-127. HUD
                  had not conducted all required reviews of its financial management systems, and
                  accurately identified all of its financial management systems. These weaknesses
                  occurred because of changes in requirements by OMB and misinterpretation of
                  those requirements. By not meeting the financial system requirements of OMB
                  Circular A-127, HUD could not be assured that its financial management systems
                  were reasonably secured, met Federal internal control requirements, and
                  effectively and reliably produced its annual financial statements.

     Recommendations


                  We recommend that the Office of the Chief Financial Officer
                  1A.     Revise the financial management system inventory listing to include the
                          Financial Data Mart as a financial management system.
                  1B.     Review the Financial Data Mart for compliance with computer security
                          and internal controls as required by OMB Circular A-127.




11
  The mission of the FASAB is to promulgate federal accounting standards after considering the financial and
budgetary information needs of citizens, congressional oversight groups, executive agencies, and the needs of other
users of federal financial information.


                                                        10
Finding 2: Concerns Remain Regarding HUD’s Integrated Core
Financial System
Although progress has been made, concerns remain regarding HUD’s integrated core financial
system. The contract for HIFMIP was awarded on September 23, 2010. However, lack of
updated planning documents could impact the18-month timeframe for completing the initial
implementation. Additionally, HUD’s interpretation of its core financial system could impact
future option periods for the HIFMIP contract. OCFO officials did not see a need to update the
HIFMIP planning documents, and changes in OMB definitions led HUD to conclude that only
HUDCAPS should be listed as its core financial system. This interpretation could prevent HUD
from achieving its overall vision of completing a fully integrated core financial system.



     HIFMIP Planning Documents
     Were Not Updated to Reflect
     Current Conditions


                  In 2003, HUD initiated the HUD Integrated Financial Management Improvement
                  Project (HIFMIP) to move to an integrated core financial system (ICFS) using
                  PeopleSoft. 12 The original scope of the HIFMIP project was identified as a multi-
                  year project to replace HUD’s core financial system with a solution that integrated
                  financial information HUD-wide. The plans affected 34 separate applications
                  within the agency and 73 existing interfaces between computer systems, not
                  including the interfaces that would need to be built for FHA and Ginnie Mae.

                  The recommendations that resulted from the initial phase of the project were
                  summarized within the document “HUD’s Financial Management Vision,” which
                  was issued in July 2005. The original project vision called for the replacement of
                  HUD’s Centralized Accounting and Program System (HUDCAPS) 13, Program
                  Accounting System (PAS) 14, Hyperion 15, the Financial Data Mart 16 and the

12
  PeopleSoft is an integrated software package that provides a wide variety of business applications to assist in the
day-to-day execution and operation of business processes. Each individual application, such as Financials,
Customer Relationship Management, and Human Resources, interacts with others to offer an effective and efficient
means of working and reporting in an integrated fashion across the enterprise.
13
  HUDCAPS captures, reports, controls, and summarizes the results of the accounting processes, including budget
execution and funds control, accounts receivable and collections, accounts payable and general ledger.
14
  PAS is an integrated subsidiary ledger for HUD’s grant, subsidy, and loan programs. PAS maintains accounting
records based on receipt of funding authorizations from HUDCAPS, which generates transaction activity at different
levels.
15
   Hyperion is HUD’s consolidated financial statement system. It captures, records, and summarizes HUD’s
financial results of operations across all business areas in accordance with the requirements defined by OMB, GAO,
Treasury, Congress, and HUD program offices to fulfill HUD’s quarterly and annual Treasury reporting
requirements.



                                                         11
                 portions of the Line of Credit Control System (LOCCS) 17 that related to core
                 financial functions. The document included specific information regarding the
                 justification for each application. It concluded that HUDCAPS, PAS, and
                 LOCCS were not Office of Federal Financial Management 18 (OFFM) compliant
                 applications and that they ran on outdated technology that was costly to maintain.
                 It also included information regarding the fact that the reconciliation of
                 HUDCAPS requires an “extraordinary effort” from HUD staff to accomplish
                 monthly and at year end, and that the batch processing of financial transactions
                 between PAS and HUDCAPS results in untimely financial information. In
                 addition, the results of HUD’s analysis concluded that the functionality provided
                 by both Hyperion and the Financial Data Mart would be accomplished in a more
                 efficient and integrated manner through replacement. The HIFMIP Vision
                 document defined an integrated financial system for HUD as one that “should
                 ensure accountability and control of resources and produce accurate, consistent,
                 timely and useful financial information while linking to program information.” It
                 also stated that the system “should also be able to measure performance and
                 support informed decision making at all levels.”

                 In addition, vision and requirements documents developed through FY 2005 had
                 not been updated. Since then, a number of significant changes had been made
                 within the HUD financial system environment. The table below provides
                 examples of changes to HUD’s financial system environment:


System/Office             Acronym                             Description                          Type of Change
Name                                                                                               Made
Disaster Recovery and     DRGR            HUD receives funds from Congress to assist               Added to the HUD
Grants System                             communities and States in recovering from housing        financial system
                                          and community problems due to Presidentially             environment
                                          declared disasters. The DRGR system is used for
                                          monitoring and tracking performance under the
                                          Disaster Recovery Program.
Subsidy and Grants        SAGIS           SAGIS automates the competitive and formula-based        Added to the HUD
Information System                        processes for allocating Public and Indian Housing       financial system
                                          Office (PIH) program funds.                              environment




16
   The Financial Data Mart was created to provide a consolidated reporting environment of HUD’s financial data to
users to create ad hoc queries and reports for analysis and execute canned financial reports.
17
  LOCCS supports OCFO and all HUD program offices in coordinating and controlling grant, loan, and subsidy
disbursements. The system is the CFO’s primary vehicle for cash management while monitoring disbursements
according to the individual control requirements used by HUD program offices to ensure program compliance.
LOCCS is both a payment control tool and a HUD post-award financial grants management system. LOCCS is also
the link that connects HUD’s program management information systems to its program accounting data.
18
  The Office of Federal Financial Management (OFFM) within OMB is responsible for the financial management
policy of the Federal Government. OFFM responsibilities include implementing the financial management
improvement priorities of the President, establishing government-wide financial management policies of executive
agencies, and carrying out the financial management functions of the CFO Act.


                                                       12
System/Office          Acronym                            Description                             Type of Change
Name                                                                                              Made
Hyperion               Hyperion       Hyperion is HUD’s consolidated financial statement          Application was upgraded
                                      system. It captures, records, and summarizes HUD’s
                                      financial results of operations across all business areas
                                      in accordance with the requirements defined by OMB,
                                      the Government Accountability Office, the U.S.
                                      Department of the Treasury (Treasury), Congress, and
                                      HUD program offices to fulfill HUD’s quarterly and
                                      annual Treasury reporting requirements.
Loan Accounting        LAS/NLS        LAS/NLS performs the direct loan servicing activities       LAS/NLS replaced the
System/ Northridge                    required to support HUD’s Section 202 Housing for           Loan Accounting System
Loan System                           the Elderly and Handicapped Loan Program and the            (LAS)
                                      Section 201 Flexible Subsidy Programs.
Fed Traveler           Fed Traveler   FED Traveler is the travel system for government            Fed Traveler replaced the
                                      travelers.                                                  HUD Travel Management
                                                                                                  System (HTMS)
Departmental           DARTS          DARTS establishes, tracks, and collects account             DARTS was retired, and
Accounts Receivable                   receivables for residual receipts, excess financing, and    its functionality was
Tracking/Collection                   miscellaneous payments for the Public Housing               integrated into LAS/NLS
System                                Agencies/Indian Housing Authorities and Section 236
                                      program receivables for Multifamily Excess Rental
                                      Income.
Office of Federal      OFHEO          OFHEO required a separate interface with the                OFHEO was abolished in
Housing Enterprise                    Financial Information and Management System                 2008.
Oversight                             (FIMS) for reporting.



                OCFO officials did not see a need to update the vision and requirements
                documents developed through FY 2005 because they believed that neither the
                amount of time elapsed nor detail changes would alter the objectives that the
                contractor would agree to perform for a fixed price. Further, OCFO officials
                stated that the contract would include objectives to verify that HUD was current
                with Federal requirements and to maintain that currency throughout the life of the
                contract.

                The vendor who won the HIFMIP contract will have to redefine the project plan
                to detail how it will comply with current laws and regulations and establish the
                corresponding implementation schedule. We are concerned however, that
                timelines will slip and contract modifications will be requested since the contract
                has only an 18-month window for accomplishing the initial implementation.
                Within the 18-month window for accomplishing the initial implementation, the
                contractor will have to update project documentation, reevaluate system interfaces
                due to changes in HUD’s computing environment over the years, and assess
                changes in Federal requirements. Further, the contractor will need to determine
                how the change of systems to be included in the project will impact this
                implementation (HIFMIP originally called for the replacement of HUDCAPS,
                PAS, LOCCS, Hyperion and the Financial Data Mart). Then there is the actual
                implementation of the new integrated financial system.



                                                   13
OIG and OCFO Disagree on
How HUD’s Core Financial
System Should Be
Characterized



          In the responses to GAO, OMB, and FSIO, OCFO listed the HUDCAPS
          application as HUD’s core financial system. However, we found that OCFO uses
          five separate financial management systems to accomplish the core financial
          system functions (collecting, processing, maintaining, transmitting, and reporting
          data regarding financial events). These five financial management applications
          are LOCCS, Hyperion, the Financial Data Mart, PAS, and HUDCAPS. LOCCS
          provides grants management processing and authorized payment transactions to
          the U.S. Department of the Treasury (Treasury); Hyperion transmits financial
          information for treasury reporting, including the consolidated financial
          statements; the Financial Data Mart receives vendor payee information from the
          Central Contract Registration, which is used for standardized and ad hoc
          reporting, and is the interface for financial transactions to be recorded in
          Hyperion; and PAS transmits financial transaction information to HUDCAPS
          through batch interfaces that occur nightly.

          Although information referencing HUDCAPS, LOCCS, PAS, and Hyperion was
          included within the write-up for HUDCAPS, the responses gave the impression
          that there was only one financial system to produce the financial statements of the
          program areas reported on by HUD’s OCFO. We also noted that in
          correspondence between OCFO and HUD OIG, dated January 2010, OCFO
          identified the core financial applications as HUDCAPS, PAS, LOCCS, and
          Hyperion. The Financial Data Mart was omitted.

          The January 2009 version of OMB Circular A-127 defines a core financial system
          as an information system that may perform all of the financial functions,
          including general ledger management, funds management, payment management,
          receivable management, and cost management. It is also known as the system of
          record that maintains all transactions resulting from financial events. It may be
          integrated through a common database or interfaced electronically to meet defined
          data and processing requirements. The core financial system is specifically used
          for collecting, processing, maintaining, transmitting, and reporting data regarding
          financial events. Other uses include supporting financial planning, budgeting
          activities, and preparing financial statements. Any data transfers to the core
          financial system must be traceable to the transaction source, posted to the core
          financial system in accordance with applicable guidance from the FASAB, and
          configured in the data format of the core financial system.

          The FSIO “Core Financial System Requirements Exposure Draft,” dated February
          22, 2010, defines the capabilities of the core financial system as system



                                          14
management, reimbursable management, fund balance with treasury management,
cost management, receivable management, payment management, funds
management, general ledger management, and reporting management. It further
states that these capabilities may be tightly integrated as a single system or may
be stand-alone systems with information transferred among them.

OIG disagrees with OCFO’s interpretation of the revised definition for core
financial applications contained in the 2009 version of OMB Circular A-127.
OCFO maintained that because HUDCAPS was the official record of all financial
transactions at the conclusion of the fiscal yearend processing, it met the
definition of core financial system. However, the core financial system
requirements relate to functionality. Financial transactions are entered into
HUDCAPS nightly through batch processing. As a result, HUDCAPS alone does
not contain accurate data regarding HUD’s financial transactions on a daily basis.
Financial data required on a daily basis must be obtained through multiple
applications.

OCFO acknowledged that HUDCAPS relies heavily on PAS, LOCCS, Hyperion
and the Financial Data Mart to accomplish the core financial system functions,
but disputes OIG’s interpretation that all five systems should be considered
together as HUD’s core financial system. OCFO also expressed concern that if all
five systems were classified as core, then once the base period of the HIFMIP
contract was completed, HUD would still be non-compliant with requirements to
have an integrated core financial system. The base period of the HIFMIP contract
will only replace HUDCAPS and PAS; LOCCS, Hyperion and the Financial Data
Mart will still exist. OCFO believes that reliance on these three remaining
systems will be significantly reduced upon completion of the base performance
period of the HIFMIP contract, and that HUD will have a fully complaint
integrated core financial system as a result.

The roles that these applications will perform have not yet been officially defined
by either HUD or the newly hired contractor. HUD has not conducted any further
analysis since it completed the work to identify the original scope of the HIFMIP
project and supporting documentation. Modifications to HUD’s computing
environment and the financial system software being utilized have not been taken
into consideration or analyzed. Consequently, the OIG remains concerned
regarding the HIFMIP project.

In June 2010, OMB issued memorandum M-10-25, “Reforming the Federal
Government’s Efforts to Manage Information Technology Projects.” This
memorandum directed executive departments and agencies to refrain from
awarding new task orders or contracts for financial system modernization projects
pending review and approval by OMB. OMB reviewed HIFMIP and
recommended that HUD give additional consideration to its (1) categorization of
risk and mitigation strategies; (2) governance structure to ensure appropriate
leadership is in place to support the project; and (3) funding strategy to give more



                                 15
             time to assess whether the current approach is viable. As a result of OMB’s
             recommendations, HUD agreed to re-scope HIFMIP to address only the
             Department- level portion. Based on HUD’s agreement to re-scope the project,
             OMB approved the 18-month base period. Proposed changes to the scope of the
             HIFMIP project are subject to OMB review and additional approvals will be
             needed for the option periods associated with HIFMIP.



Conclusion


             OCFO did not update HIFMIP planning documents, and did not consider core
             financial system functionality when it interpreted OMB’s revised definition of a
             core financial system. These issues could prevent timely completion of the 18
             month base period of the HIFMIP contract and negatively impact future option
             periods.


Recommendations



             We recommend that the Office of the Chief Financial Officer
             2A.    Work with the winning HIFMIP contractor to update the gap analysis to
                    determine which applications should be maintained and update the
                    HIFMIP documentation to detail the changes to HUD’s financial system
                    environment.
             2B.    Ensure that the integrated core financial system (ICFS) addresses all core
                    system requirements.




                                             16
                         SCOPE AND METHODOLOGY

The review covered the period October 1, 2009 through August 31, 2010. We performed the
audit at HUD headquarters in Washington, DC, and from a remote location in Detroit, MI. Audit
work was conducted from March through August 2010.

HUD has three separate program areas with financial information that must be consolidated to
produce financial statements that reflect its financial condition. These three areas: (1) FHA, (2)
Ginnie Mae, and (3) the remaining HUD program areas summarized by OCFO (i.e., PIH and
CPD), each use separate financial applications to accomplish the required financial functions.
We limited the scope of our review to an assessment of the program areas with financial data
summarized by OCFO.

We reviewed the requirements of OMB Circular A-127, issued in January 2009, and compared
the requirements to those of the previously issued version, dated July 1993 and updated in 1999
and 2004. We assessed HUD’s compliance with the applicable OMB Circular A-127
requirements for the fiscal year ending September 30, 2009, and when possible, HUD’s ongoing
efforts to address the revised requirements that became effective October 1, 2009.

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.




                                                17
                              INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

   •   Effectiveness and efficiency of operations,
   •   Reliability of financial reporting, and
   •   Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.



 Relevant Internal Controls
               We determined that the following internal controls were relevant to our audit
               objective:

               •      Adherence to policies and procedures
               •      Managerial oversight and monitoring
               •      Reporting

               We assessed the relevant controls identified above.

               A deficiency in internal control exists when the design or operation of a control does
               not allow management or employees, in the normal course of performing their
               assigned functions, the reasonable opportunity to prevent, detect, or correct (1)
               impairments to effectiveness or efficiency of operations, (2) misstatements in
               financial or performance information, or (3) violations of laws and regulations on a
               timely basis.

 Significant Deficiency
               Based on our review, we believe that the following item is a significant deficiency:
               •   HUD did not fully comply with OMB Circular A-127 requirements (finding
                   1).




                                                 18
                   FOLLOW-UP ON PRIOR AUDITS


Additional Details to
Supplement Our Report on
HUD’s Fiscal Years 2008 and
2007 Financial Statements –
Audit Report 2009-FO-0003


           HUD OIG is required to annually audit HUD’s consolidated financial statements in
           accordance with the Chief Financial Officers Act of 1990, as amended. The OIG
           audit of HUD’s FY 2008 and 2007 financial statements (audit report 2009-FO-0003)
           concluded that HUD did not comply with FFMIA. It concluded that although it was
           HUD’s policy to complete OMB A-127 reviews of all HUD financial systems
           within a 3-year cycle, HUD did not complete any of the planned 2007 and 2008
           independent reviews of its financial management systems to verify compliance with
           financial system requirements, identify system and procedural weaknesses, and
           develop the corrective actions to address identified weaknesses. Additionally, HUD
           only completed four independent reviews that were planned in 2006. As a result of
           the issues cited, OIG issued a recommendation that HUD develop a plan to comply
           with OMB A-127 review requirements, which results in the evaluation of all HUD
           financial management systems within a 3-year cycle. This recommendation
           remained unresolved as of August 31, 2010.




                                           19
                        APPENDIXES

Appendix A

        AUDITEE COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation      Auditee Comments




Comment 1




                            20
Ref to OIG Evaluation   Auditee Comments



Comment 2




Comment 3




Comment 4




Comment 5




Comment 6




                         21
Ref to OIG Evaluation   Auditee Comments


Comment 7




Comment 8




Comment 9




Comment 10




Comment 11




                         22
Ref to OIG Evaluation   Auditee Comments




Comment 12




Comment 13



Comment 14




Comment 15




                         23
Ref to OIG Evaluation   Auditee Comments




                         24
                         OIG Evaluation of Auditee Comments

Comment 1   We agree that OMB Circular A-127 allows agencies to leverage the results of the
            OMB Circular A-123 and FISMA reviews. However, the circular does not
            indicate that those reviews alone are sufficient to meet the A-127 review
            requirement. OIG consistently identifies weaknesses in computer security
            controls over HUD’s systems, and these weaknesses are typically not identified
            during A-123 and FISMA reviews.

Comment 2   The OIG’s independent evaluation of HUD’s overall information security
            program is performed annually as part of its responsibility to address OMB’s
            FISMA questions.

Comment 3   OMB Circular A-127 requires that financial management systems be reviewed for
            compliance with Federal computer security and internal control requirements.
            While Circular A-123 reviews do assess internal controls, they are not performed
            annually for each financial system. The OCFO stated in its response to this report
            that HUD evaluated ten financial management systems in FY 2010 under its A-
            123 annual assessment reviews. However, HUD has 43 financial management
            systems. And as noted in the audit report, only eight A-127 reviews were
            completed since 2007.

Comment 4   The OIG agrees with OCFO’s assessment that the evaluation of internal controls
            and security controls are not just an evaluation through one review, but a series of
            ongoing actions, activities and events. The OIG believes that this should include
            HUDCAPS as well as other financial management systems. OIG has reported for
            the last several years a significant deficiency on HUD’s computing environment.
            OIG consistently identifies weaknesses in computer security controls over HUD’s
            systems, and these weaknesses are typically not identified during A-123 and
            FISMA reviews.

Comment 5   Since at least 2007, OCFO has not completed a full cycle of A-127 reviews, so
            the true security and internal control status of HUD’s financial systems is not
            known. As previously mentioned, HUD OIG reported this issue in its FY 2008
            financial statement audit report, but corrective action had not been taken. We
            hope that the OCFO will assess all of its financial management systems to comply
            with the requirements of OMB Circular A-127.

Comment 6   The Director of OIG’s Financial Audit Division advised OCFO on September 24,
            2010 that HUD OIG does not consider the actions taken by the Department to be
            sufficient. Consequently, he did not agree with closing the original
            recommendation. Thus, there is no need to issue a new recommendation.

Comment 7   Although the OCFO has already taken action for these recommendations, the
            findings were valid during the audit, and contributed to our determination of a
            significant deficiency on HUD’s computing environment. However, because



                                             25
              OCFO has already taken corrective action, and supporting documentation has
              already been provided, the recommendation can be closed concurrently with the
              management decision.

Comment 8     We commend the OCFO for taking corrective action once the deficiency was
              brought to its attention. Supporting documentation can be submitted as part of the
              management decision process, and if the documentation is sufficient, we can close
              the recommendation concurrently.

Comment 9     Again, we commend the OCFO for taking corrective action once the deficiency
              was brought to its attention.

Comment 10 Although the OCFO states that it does not concur with Finding 2, the concerns
           raised by the OIG are legitimate concerns. OCFO acknowledges this in its
           response and further states that any “core financial system implementation should
           raise concerns.” Finding 2 is appropriately titled “Concerns Remain Regarding
           HUD’s Integrated Core Financial System” because it expresses the OIG concerns
           pertaining to HIFMIP. Therefore, we will not remove the finding and its
           associated headings.

Comment 11 The OIG is pleased that OCFO will be incorporating each of the OIG’s
           recommendations.

Comment 12 It would be inappropriate to not present the full discussion of the concerns and
           disagreements regarding the characterization of HUD’s core financial system.
           Therefore, as stated in OIG comment 10, we will not remove finding 2 or any of
           its associated headings. We are pleased that OCFO agrees with our
           recommendation.

Comment 13 See comment 12.

Comment 14 See comment 12.

Comment 15 As stated in OIG comment 10, we will not remove finding 2 or any of its
           associated headings. We are pleased that OCFO agrees with our
           recommendation.




                                              26