oversight

Additional Details to Supplement Our Report on HUD's Fiscal Years 2010 and 2009 Financial Statements

Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-11-15.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                             Issue Date
                                                                                      November 15, 2010
                                                                             Audit Report Number
                                                                                          2011-FO-0003




TO:             Douglas Criscitello, Chief Financial Officer, F

                //s//
FROM:           Thomas R. McEnanly, Director, Financial Audits Division, GAF


SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and
         2009 Financial Statements


                                             HIGHLIGHTS

 What We Audited and Why

                 We are required to annually audit the consolidated financial statements of the U.S.
                 Department of Housing and Urban Development (HUD) in accordance with the
                 Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal
                 years 2010 and 2009 financial statements are included in HUD’s Fiscal Year 2010
                 Annual Financial Report. This report supplements our report on the results of our
                 audit of HUD’s principal financial statements for the fiscal years ending
                 September 30, 2010, and September 30, 2009. Also provided are assessments of
                 HUD’s internal controls and our findings with respect to HUD’s compliance with
                 applicable laws, regulations, and government-wide policy requirements and
                 provisions of contracts and grant agreements.1 In addition, we plan to issue a


    1
       Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included
in this report but are included in the accounting firm of Clifton Gunderson LLP’s audit of FHA’s financial
statements. That report has been published in our report, Audit of Federal Housing Administration Financial
Statements for Fiscal Years 2010 and 2009 (2011-FO-0002, dated November 5, 2010).

   Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD
component, are not included in this report but are included in the accounting firm of Carmichael Brasher Tuvell and
Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of
                letter to management on or before January 15, 2011, describing other issues of
                concern that came to our attention during the audit.

 What We Found


                In our opinion, HUD’s fiscal years 2010 and 2009 financial statements were fairly
                presented. Our opinion on HUD’s fiscal years 2010 and 2009 financial
                statements is reported in HUD’S Fiscal Year 2010 Agency Financial Report. The
                other auditors and our audit also disclosed the following nine significant
                deficiencies in internal controls related to the need to:

                         Have financial management systems comply with the Federal Financial
                         Management Improvement Act of 1996 (FFMIA);
                         Improve the processes for reviewing obligation balances;
                         Continue improvements in the oversight and monitoring of subsidy
                         calculations, intermediaries’ program performance, and Utilization of
                         Housing Choice Voucher program funds;
                         Establish internal controls over Office of Community Planning and
                         Development (CPD) grantees’ compliance with program requirements;
                         Improve administrative control of funds;
                         Further strengthen controls over HUD’s computing environment;
                         Improve personnel security practices for access to the Department’s
                         critical financial systems;
                         Effectively monitor modernization efforts and existing systems to mitigate
                         near term financial reporting risks; and
                         Mitigate increased risks to management estimates caused by economic
                         conditions and inherent model design.

                Our findings include the following four instances of noncompliance with
                applicable laws and regulations:

                         HUD did not substantially comply with the Federal Financial Management
                         Improvement Act regarding system requirements;
                         HUD did not substantially comply with the Antideficiency Act;
                         HUD did not substantially comply with Laws and Regulations Governing
                         Claims of the United States Government; and
                         FHA’s Mutual Mortgage Insurance fund capitalization was not maintained
                         at a minimum capital ratio of two percent, which is required under the
                         Cranston-Gonzalez National Affordable Housing Act of 1990



Government National Mortgage Association Financial Statements for Fiscal Years 2010 and 2009 (2011-FO-0001),
dated November 5, 2010).




                                                     2
           The audit also identified $341 million in excess obligations recorded in HUD’s
           records. We are also recommending that $27.5 million not be expended as
           originally intended and reprogrammed by the grantee. Lastly, we are
           recommending that HUD seek legislative authority to implement $385 million in
           offsets against public housing agencies’ (PHA) excess unusable funding held in
           Net Restricted Assets Accounts at the PHAs. These amounts represent funds that
           HUD could put to better use.


What We Recommend


           Most of the issues described in this report represent long-standing weaknesses.
           We understand that implementing sufficient change to mitigate these matters is a
           multiyear task due to the complexity of the issues, insufficient information,
           technology systems funding, and other impediments to change. In this and in
           prior years’ audits of HUD’s financial statements, we have made
           recommendations to HUD’s management to address these issues. Our
           recommendations from the current audit, as well as those from prior years’ audits
           that remain open, are listed in appendix B of this report.

           For each recommendation without a management decision, please respond and
           provide status reports in accordance with HUD Handbook 2000.06, REV-3.
           Please furnish us copies of any correspondence or directives issued because of the
           audit.


Auditee’s Response



           The complete text of the auditee’s response, along with our evaluation of that
           response, can be found in appendix E and F of this report.




                                            3
                          TABLE OF CONTENTS

Highlights                                                                1

Internal Control                                                          5

Compliance with Laws and Regulations                                      55

Appendixes
   A. Objectives, Scope, and Methodology                                  60
   B. Recommendations                                                     63
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended   71
      Remedial Actions
   D. Schedule of Questioned Costs and Funds To Be Put to Better Use      77
   E. Agency Comments                                                     78
   F. OIG Evaluation of Agency Comments                                   81




                                        4
                                 INTERNAL CONTROL

Significant Deficiency 1: HUD Financial Management Systems Do
Not Comply With the Federal Financial Management Improvement
Act of 1996 (FFMIA)
As reported in prior years, HUD’s financial management systems were not in full compliance
with federal financial management system requirements. We determined that HUD did not fully
comply with the requirements of OMB Circular A-127, in addition to our prior year finding that
HUD is not in full compliance with federal financial management system requirements
generally. Specifically, HUD did not (1) initiate plans to review financial management systems
for compliance with computer security and internal control guidelines; (2) develop an adequate
agency-wide financial management systems plan and (3) accurately identify HUD’s financial
management systems within its financial system inventory listing. In addition, we determined
that the Community Planning and Development (CPD) formula grant process does not comply
with U.S. Generally Accepted Accounting Principles, (GAAP), and as a result has weaknesses in
the internal controls over financial reporting.

Additionally, HUD has not completed development of an adequate integrated financial
management system. HUD's financial systems, many of which were developed and
implemented before the issue date of current standards, were not designed to perform or provide
the range of financial and performance data currently required. The result is that HUD, on a
department-wide basis, does not have integrated financial management systems that are
compliant with current Federal requirements or provide HUD the information needed to
effectively manage its operations on a daily basis. This situation could negatively impact
management's ability to perform required financial management functions; efficiently manage
the financial operations of the agency; and report, on a timely basis, the agency's financial
results, performance measures, and cost information.


 CPD Formula Grants Reporting is
 not in Compliance with FFMIA
 and GAAP

              Our review found that CPD’s formula grant process does not comply with
              FFMIA, nor is it compliant with GAAP, which resulted in weaknesses in the
              internal controls over financial reporting. These deficiencies are the result of
              CPD’s decision to charge grant disbursement draw downs from the oldest budget
              fiscal year (BFY) appropriation funding source available at the time of draw
              down. CPD refers to this practice as FIFO (First-in, First-out). This process
              results in a mismatching of obligations and outlays and is a departure from U.S.
              GAAP.




                                               5
                 We found that the monetary impact of using FIFO and incorrectly mismatching
                 BFY fund sources to be significant; with over 30 percent of the draw downs from
                 HOME and CDBG program grants citing the mismatched BFY appropriation as a
                 source of funds for disbursement.

                 The IDIS is a system used by CPD to support both the financial and non-financial
                 functions necessary for the management of CPD’s formula grant programs.
                 Grantees use the system to track and drawdown CPD funds, report program
                 income, and record the results of CPD funded activities. The financial portions of
                 IDIS are interfaced with HUD’s core financial systems.2 As part of HUD’s
                 financial management system, IDIS is responsible for complying with the
                 standards included within OMB A-127. As such, data coming from IDIS must be
                 posted to LOCCS using proper US general ledger accounts and accounting
                 standards. Additionally, in order to be compliant with Federal accounting
                 standards, management of grants must be compliant with Federal Appropriations
                 Law.

    Internal controls over Financial
    Reporting for CPD Formula
    Grants is Not Adequate

                 CPD management did not maintain effective internal controls over financial
                 reporting. Our review found that the CPD formula grant process design and
                 implementation of adequate budget controls was deficient. Budget controls are
                 compliance controls that provide reasonable assurance that transactions are
                 executed in accordance with laws governing the use of budget authority and are
                 used to manage and control the use of appropriated funds. Based on our review a
                 significant percentage of CPD formula grants were not properly recorded,
                 processed, or summarized to permit the preparation in conformity with GAAP.

                 CPD’s HOME and CDBG programs are formula based block grants. Grantees,
                 nearly all of whom have received annual grant allocations and awards for many
                 consecutive years, will receive funding, if they submit an acceptable annual plan
                 CPD. The annual plan describes the proposed activities, to include demonstrating
                 a bona fide need for funding for their allocation of the BFY’s appropriation.

                 However, each year’s grant is a standalone agreement, which is only complete
                 when the grantee submits an acceptable annual plan describing what the purpose
                 and need for the funds, and executing an agreement committing to complete the
                 projects. According to GAO’s Title 23, the accounting for a federal assistance

2
  Line of Credit Controls System (LOCCS), which is one of HUD’s core financial systems, is used to disburse funds.
LOCCS then passes the disbursement information to Program Accounting System (PAS) and HUDCAPS which are
the accounting systems used to generate the financial statements.
3
   Accounting Principles, Standards and Requirements; Title 2 Standards Not Superseded by FASAB Issuances,
from GAO Policy and Procedures Manual for Guidance of Federal Agencies


                                                        6
                  award begins with the execution of an agreement or the approval of an application
                  in which the amount and purposes of the grant, the performance periods, the
                  obligations of the parties to the award, and other terms are set out.

                  According to the HOME and CDBG Funds Control Plans, the point of obligation
                  is when an acceptable annual plan is submitted- establishing what should be the
                  BFY projects and activities - and the assistance award/amendment is signed. The
                  point of obligation using the BFY defines the source of funds and establishes the
                  time frames for sub-allocation, expenditures, and when the funds are returned to
                  the US Treasury, if not expended.

                  The grantees, to be in compliance with their generally accepted accounting
                  principles, are required to account for these grants on a BFY appropriation and
                  grant year basis. According to CPD program rules, if the grantees want to make
                  changes to proposed activities and funded projects, they are required to go
                  through a formal process to amend their plans. These programmatic changes are
                  proper and necessary to permit the flexibility to ensure smooth program operation
                  and completely allowable if made within three years as allowed by the fund year
                  appropriation bill. Yearly audits ensure that grantees stay in compliance with
                  their formula grant requirements.

                  Our review of seven grantees4 for CPD’s HOME and CDBG formula grant
                  programs, indicated that for the HOME program for fiscal and grant years 2002-
                  2010, approximately forty percent and for the CDBG program for fiscal and grant
                  years 1999-2010, approximately fifty percent of the funds disbursed for activities
                  set up5 under a given grant’s BFY appropriation were disbursed from grants
                  awarded with BFY appropriations prior to that grant year. Additionally, we noted
                  that activities are also set up and funds are allocated to these activities on a FIFO
                  basis similar to the disbursements and also mismatches the BFY fund source. We
                  also noted that grantees are not required to identify and plan activities related to a
                  given grant’s BFY award equal to the amount of the award received for the year,
                  thus leaving unused balances to be mismatched to another BFY’s activities.

                  We obtained the disbursement transactions for seven HOME grantees and found
                  that for the 2002-2010 BFY appropriations, of the approximately $1.9 billion of
                  the $3.0 billion (63 percent) that was set up for activities for the BFY
                  appropriation, $748 million (39 percent) was disbursed from grant awards and
                  BFY appropriations made prior to the award and BFY of the activity, due to the
                  FIFO process. The amounts were disbursed from the BFY appropriations 2002-
                  2009, which were fixed multi-year appropriations and decreased the amount that
                  would be returned to Treasury under the Defense Authorization Act (DAA) when

4
  The seven grantees: New York City, State of New York, State of Ohio, State of Pennsylvania, State of Texas, City
of Chicago, and City of Los Angeles were selected because for the fiscal years 2003-2010 they received the largest
grant awards for both programs.
5
  For purposes of the analysis, set up refers to the process of specifically identifying an activity under a specific
BFY appropriation grant award and allocating estimated amounts expected to complete an activity within IDIS.


                                                          7
                  the appropriation is cancelled.6The amounts and discrepancies vary amongst each
                  individual fiscal grant year.

                                                         The HOME Program Results
                                                                  Amounts
                                                               Disbursed for          Amounts         % of Fixed Year
                                                              Activities Set Up    Mismatched to      Appropriations
                                             Authorized for    for Fiscal Year    Prior Year Grants    (2002-2009)
                              Fiscal Year     Grant Year            Grant            due to FIFO       Mismatched
                                      2002      330,158,990        284,814,945                  -                0.00%
                                      2003      352,784,640        295,346,415           70,243,013            23.78%
                                      2004      380,155,262        265,291,994           78,149,510            29.46%
                                      2005      346,781,784        314,478,586         147,910,262             47.03%
                                      2006      321,842,211        313,871,149         175,009,471             55.76%
                                      2007      321,107,837        266,185,193         160,652,776             60.35%
                                      2008      308,568,884        142,718,001           86,678,747            60.73%
                                      2009      342,045,079          38,249,746          27,639,812            72.26%
                                      2010      341,653,418           2,629,044           1,914,250            72.81%
                            Total             3,045,098,105      1,923,585,074         748,197,841             38.90%


                  In addition, we obtained the disbursement transactions for seven CDBG grantees
                  and found that for the 1999-2010 BFY appropriations, of the approximately
                  $4.2billion of the $7.4 billion (57 percent) that was set up for activities for the
                  BFY appropriation, $2.0 billion (48 percent) was disbursed from grant awards and
                  BFY appropriations made prior to the award and BFY of the activity, due to the
                  FIFO process. The amounts were disbursed from the BFY appropriations 1994-
                  2009, which were fixed multi-year appropriations and decreased the amount that
                  would be returned to Treasury under the DAA when the appropriation is
                  cancelled. The amounts and discrepancies vary amongst each individual fiscal
                  grant year.




6
  The National Defense Authorization Act of 1991(Public Law 101-510, November 5, 1990) established rules
governing the availability of appropriations for expenditure. This legislation mandates that on September 30th of the
fifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall
be closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and
thereafter shall not be available for obligation or expenditure for any purpose. Beginning with the 2002 fiscal year
Annual Appropriation, HOME’s fixed multi-year appropriations are affected by this Act. CDBG was receiving
fixed multi-year appropriations prior to the Act and thus was affected when the Act was enacted.



                                                              8
                                The CDBG Program Results
                                         Amounts
                                      Disbursed for          Amounts         % of Fixed Year
                                     Activities Set Up    Mismatched to      Appropriations
                    Authorized for    for Fiscal Year    Prior Year Grants    (1994-2009)
     Fiscal Year     Grant Year            Grant            due to FIFO       Mismatched
             1999      588,548,151        355,226,626         150,361,555             42.33%
             2000      668,863,937        455,760,261         185,681,985             40.74%
             2001      696,892,931        447,720,167         189,885,811             42.41%
             2002      675,919,940        447,108,087         205,357,924             45.93%
             2003      672,823,306        427,222,895         189,035,221             44.25%
             2004      668,206,115        429,073,395         214,160,718             49.91%
             2005      632,244,955        388,301,414         201,316,529             51.85%
             2006      566,798,872        406,788,812         200,543,483             49.30%
             2007      564,048,650        366,829,645         177,423,857             48.37%
             2008      545,030,719        301,127,604         157,765,162             52.39%
             2009      552,034,905        196,023,924         109,011,342             55.61%
             2010      597,932,026          52,822,165          49,616,455            93.93%
   Total             7,429,344,507      4,274,004,994       2,030,160,043             47.50%


Based on the work performed, we found that CPD and IDIS is not recording,
processing, reporting, or providing accurate information in accordance with
federal financial management requirements or accounting standards. The logic
used by IDIS and CPD to select the source of funds for use in activity funding and
disbursement was faulty. CPD’s definition of ―source of funds‖ takes only into
account the source of funding being that of either a State grantee or entitlement
grantee and the type of money (program income versus entitlement grant funds,
etc.). It disregards the Federal budgetary fiscal year source of funds. CPD
describes how FIFO is applied in a procurement document in this manner,

       The FIFO technique is applied to funds having the same grant
       program, source of funds, recipient of funds, and type of funds.
       The grant year is used to order the funds from oldest year to
       newest year. When a grantee commits funds to an activity (by
       funding an activity using the activity funding function), the funds
       are committed from the oldest funds having the same source of
       funds, recipient of funds, and type of funds. The grantee is
       unaware of the year from which the funds are committed.
       Similarly, when a grantee draws funds, the funds are drawn from
       the oldest funds having the same source of funds, recipient of
       funds, and type of funds.

At issue is CPD and IDIS’s treatment of the source of grant funds. Based on our
review and discussion with CPD staff, we found that CPD uses a different
meaning and application technique for source of funds depending on what action
is being taken. At the point of obligation, a BFY appropriation source year is
used to obligate the funds to a State or entitlement grantee. When an activity is
established and funded, CPD will match the State or entitlement grantee source
and type of funding, and may use the oldest BFY appropriation source of funds to
allocate funds for the estimated costs for the activity. At disbursement, CPD and



                                        9
IDIS will match the State or entitlement grantee source and type of funding, and
use the oldest BFY appropriation source of funds to disburse funding to pay for an
activity.

While a grantee’s program year may not line up with a federal fiscal year due to
when agreements are signed, the achievements, and projects and activity costs
recorded in IDIS Online must be reconcilable with the BFY appropriation source
year in which the funding was approved. Arbitrarily liquidating the funding from
the older available BFY appropriation source for the fund type associated with the
activity is not in line with Federal GAAP and Federal financial management
requirements.

As noted in CPD’s definition and application of FIFO, the BFY appropriation is
excluded, as they exclude this detail as being the identification for the source of
funds. They describe the BFY as the grant year and its only purpose is to order
the funds from oldest to newest. CPD’s position of excluding the BFY as the
identification and mingling all of the grant year (BFY appropriation) funds
together and simply ordering them from oldest to newest and using FIFO is
appropriate is based on their belief that the purpose of block grants is to provide
the grantees a great deal of flexibility in managing their projects. While this may
have been the most simple way to manage grants at the start of the programs,
which was prior to FASAB, budget controls, the DAA, and other recently
implemented Federal financial management Acts, it ignores how FIFO effects
these aspects of financial reporting and is also non-compliant with these
requirements.

CPD and the Department take exception to OIG’s position that IDIS and the use
of FIFO being non-compliant with FFMIA, OMB A-127, and U.S. GAAP. They
point to a legal opinion received from HUD’s Office of General Counsel (OGC)
and a system review performed by an independent contractor.

OGC stated that due to the nature of this block grant program they believed that
the FIFO accounting method for expenditures is consistent with Federal
accounting requirements. One factor the OGC did not address in their memo is
that the information submitted by grantees and reported in their financial
statements is altered by IDIS, at potentially two steps in processing (1) in the
identification of a BFY appropriation for commitments and (2) the selection of a
BFY for disbursements. This altering of the source BFY appropriation
information is inconsistent with proper internal controls and furthermore, the
inability to match revenues with expenditures is at odds with GAAP’s matching
concept and budget control objectives to match outlays to the underlying
obligation.

In response to the prior year’s finding that IDIS was not in compliance with
Federal financial management requirements, CPD hired a contractor to determine
whether the FIFO method used by IDIS complied with the requirements of



                                 10
FFMIA. While the review found that IDIS provided the required data to HUD’s
core financial management system; the review itself had limitations. OIG’s
evaluation of the review noted (1) the contractor improperly excluded IDIS as part
of HUD’s financial management system and subject to the requirements of
FFMIA, (2) did not support its conclusion that FIFO was compliant with Federal
systems requirements with criteria or procedures, and (3) did not consider the
FIFO mismatch effect prior to being posted to the core financial system. The
contractor examined IDIS’s compliance with Federal financial management
requirements after IDIS had inappropriately used FIFO and a BFY appropriation
inconsistent and mismatched from the obligating BFY appropriation.

Federal GAAP, appropriation law, federal financial management requirements
consistently point to the source of funds for programs like CPD grants as a BFY
appropriation. The BFY appropriation source of funds is required to remain
constant with the funds and the fiscal year appropriation linked. This link
originates when grant funds are committed and includes, with other data elements,
the following information (a) funding dollar amount,( b) fund code(s), (c)
appropriation code(s), (d) accounting code, and (e) budget year(s) of funding in
the financial management system. When the funds are obligated to a specific
grantee, additional required information is entered ( a) grant number, (b) grantee
or recipient name, (c) grantee identifier, (d) grant purpose, (e) dollar amount, and
(f) accounting classification data, which incorporates the appropriation code,
accounting code, and budget year of funding. When grants funds are disbursed,
the disbursement request required data elements includes (a) grantee name and
identifier, (b) amount of funds authorized, (c) amount approved, (d) program
funding codes, and (e) appropriation code(s) which are matched to information
already indentified with the funds.

Accurate data on which to base crucial program and resource decisions is critical.
Statement of Federal Financial Accounting Standards 4: Managerial Cost
Accounting Standards and Concepts requirement for Cost Accounting is: each
reporting entity should accumulate and report the cost of its activities on a regular
basis for management information purposes. Costs may be accumulated either
through the use of cost accounting systems or through the use of cost finding
techniques. To address the long-standing weaknesses in the availability of
reliable, accurate, and comparable financial data, Congress mandated financial
management systems reform within the federal government by enacting the
Federal Financial Management Improvement Act of 1996 (FFMIA). FFMIA
requires the departments and agencies covered by the Chief Financial Officers
(CFO) Act of 1990 to implement and maintain financial management systems that
comply substantially with (1) federal financial management systems
requirements, (2) applicable federal accounting standards, and (3) the U.S.
Government Standard General Ledger (SGL) at the transaction level. FFMIA
builds on the foundation laid by the CFO Act, which has the goal of modern
financial management systems that enable the systematic measurement of
performance; the development of cost information; and the integration of



                                 11
program, budget, and financial information for management reporting. FFMIA
also requires auditors to state in their audit reports whether the agencies’ financial
management systems comply with the act’s requirements

GAO, Principles of Federal Appropriations Law, Third Edition, Volume II,
Chapter 10, Federal Assistance: Grants and Cooperative Agreements define and
clarify the proper treatment of grants in accordance with Federal Appropriations
Law, and describes the three elements of legal availability—purpose, time, and
amount as they specifically apply equally to assistance funds. An ―authorized
grant purpose‖ is determined by examining the relevant program legislation,
legislative history, and appropriation acts. Funds must be obligated by the grantor
agency within their period of availability. The ―bona fide needs rule,‖ which is a
basic principle of time availability, holds that an appropriation is available for
obligation only to fulfill a genuine or bona fide need of the period of availability
for which the appropriation was made. This rule applies to grants and cooperative
agreements as well as to other types of obligations or expenditures.

The overall management of CPD formula grants, including the financial system
which they are managed in, IDIS, was non-compliant with the principals of
Appropriation Law for Grants and Federal accounting standards and
requirements. We found that determination of a bona fide need was not being
taken into account over the formula grants. To that end, the grant funds which
were managed were not maintained in the system in a manner in which the bona
fide need can be determined and the funds can be maintained in accordance with
the bona fide need in which the grant was awarded. This is through the programs
use of FIFO to commit and disburse funds. CPD has mistaken the fact that while
block grants reduce federal involvement in that they transfer much of the
decision-making to the grantee and reduce the number of separate grants that must
be administered by the federal government there is a continuing responsibility to
account for and report program results in accordance with BFY funding. It is a
misconception, however, to think that block grants are ―free money‖ in the sense
of being totally free from federal ―strings.‖

HUD’s design and implementation of the integrated financial management system
that supports the CPD formula grant programs is not in compliance with federal
financial management system requirements. The system arbitrarily liquidates
obligations on a First-In, First-Out (FIFO) basis, irrespective of the budget fiscal
year funding source. This process is not in compliance with Federal financial
accounting and federal appropriations laws, which are explicitly and indirectly,
included in the federal financial management system requirements. Additionally,
with the enactment of the Defense Authorization Act of 1991, liquidating the
funds on this FIFO basis also intentionally decreases the amounts that HUD
would be required to return to Treasury after fixed-year appropriations cancel and
is in direct contradiction with congressional intent.




                                  12
    Agency wide Financial
    Management Systems Plan Did
    Not Meet Circular A-127
    Requirements

                We performed an audit to assess the Department’s compliance with the
                requirements specified in OMB Circular A-127. We found that HUD is not in full
                compliance with the requirements. The OIG reported in its FY 2008 financial
                statement audit report7 that HUD had not performed the OMB Circular A-127
                required reviews of its financial management systems for compliance with
                computer security and internal control guidelines. HUD has not taken corrective
                action to address this weakness and ensure that A-127 compliance reviews were
                conducted. HUD’s policy was to review all of its financial systems within a 3-
                year cycle. Only eight of the 54 reviews required have been completed by the
                Department since 2007.

                The agency-wide Financial Management Systems Plan developed by the Chief
                Financial Officer (CFO) did not fully meet requirements of OMB Circular A-127.
                Although, the Financial Management System Plan developed for FY 2010
                contained headers and or specific sections for each of the required pieces of
                information per the Circular, the information included within the document was
                not sufficient to meet the requirements. For example, the Plan contains a ―Target
                Architecture‖ section which explains HUD’s Integrated Financial Management
                Improvement Project (HIFMIP). However, it does not contain specifics that
                explain how each application will be affected by or included in the project.
                Similarly, many of the other A-127 required sections discuss Integrated Core
                Financial System implementation at a high level and do not provide details that
                describe an actual migration strategy, milestones for equipment acquisitions,
                personnel needs, and estimated costs. Additionally, in the ―Existing Financial
                Management System Architecture‖ section the Plan only provides general
                planned upgrades for a 5 year time period. There is no detail on funding
                requirements and no projection of a reasonable useful life for the applications.

                HUD has not maintained a complete inventory of its financial management
                systems. The CFO did not classify the Financial Data Mart (FDM) or Personnel
                Services Cost Reporting Subsystem (PSCRS) as financial management systems
                and therefore has not included them in its inventory of financial management
                systems. The Financial Data Mart is a database application used by HUD for
                financial reporting and to transfer data between HUDCAPS and Hyperion to
                produce HUD’s consolidated financial statements. Based upon the current data
                transfer process, HUD’s consolidated financial statements cannot be produced
                without the Financial Data Mart. The Financial Data Mart has been operational
                since February 1999. PSCRS is used to support HUD’s interface with the payroll

7
 OIG Audit Report number 2009-FO-0003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years
2008 and 2007 Financial Statements,‖ issued November 14, 2008.


                                                   13
           system and acts as a batch processor/translator for HUD. The application
           generates the journal voucher batches and transactions required to post the HUD
           pay and leave cost data to the department’s general ledger. PSCRS has been
           operational since October 1994. Both applications are classified as major
           applications.

HUD Required To Implement a
Compliant Financial
Management System


           FFMIA requires, among other things, that HUD Implement and maintain financial
           management systems that substantially comply with federal financial management
           system requirements. The financial management system requirements include
           implementing information system security controls. The requirements are also
           included in OMB Circular A-127, ―Financial Management Systems.‖ Circular
           A-127 defines a core financial system as an information system that may perform
           all financial functions including general ledger management, funds management,
           payment management, receivable management, and cost management. The core
           financial system is the system of record that maintains all transactions resulting
           from financial events. It may be integrated through a common database or
           interfaced electronically to meet defined data and processing requirements. The
           core financial system is specifically used for collecting, processing, maintaining,
           transmitting, and reporting data regarding financial events. Other uses include
           supporting financial planning, budgeting activities, and preparing financial
           statements.

           As in previous audits of HUD’s financial statements, in fiscal year 2010 there
           continued to be instances of noncompliance with federal financial management
           system requirements. These instances of noncompliance have given rise to
           significant management challenges that have: (1) impaired management’s ability
           to prepare financial statements and other financial information without extensive
           compensating procedures, (2) resulted in the lack of reliable, comprehensive
           managerial cost information on its activities and outputs, and (3) limited the
           availability of information to assist management in effectively managing
           operations on an ongoing basis.

  HUD's Financial Systems Are
  Not Adequate


           As reported in prior years, HUD does not have financial management systems that
           enable it to generate and report the information needed to both prepare financial
           statements and manage operations on an ongoing basis accurately and timely. To
           prepare consolidated department wide financial statements, HUD required Federal
           Housing Administration (FHA) and the Government National Mortgage



                                           14
          Association (Ginnie Mae) to submit financial statement information on
          spreadsheet templates, which were loaded into a software application. In
          addition, all consolidating notes and supporting schedules had to be manually
          posted, verified, reconciled, and traced. To overcome these systemic deficiencies
          with respect to preparation of its annual financial statements, HUD was compelled
          to rely on extensive compensating procedures that were costly, labor intensive,
          and not always efficient.

          Due to a lengthy HUD Integrated Financial Management Improvement Project
          (HIFMIP) procurement process and lack of funding for other financial application
          initiatives, there were no significant changes made in fiscal year 2010 to HUD’s
          financial management processes. As a result, the underlying system limitations
          identified in past years remain. The functional limitations of the three
          applications (HUDCAPS, LOCCS and PAS) performing the core financial system
          function for HUD are dependent on its data mart and reporting tool to complete
          the accumulation and summarization of data needed for U.S. Department of the
          Treasury and OMB reporting.

HUD’s Financial Systems do not
Provide Managerial Cost Data


          In fiscal year 2006, the Government Accountability Office (GAO) reported in
          GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial
          systems do not have the functionality to provide managerial cost accounting
          across its programs and activities. This lack of functionality has resulted in the
          lack of reliable and comprehensive managerial cost information on its activities
          and outputs. HUD lacks an effective cost accounting system that is capable of
          tracking and reporting costs of HUD’s programs in a timely manner to assist in
          managing its daily operations. This condition renders HUD unable to produce
          reliable cost-based performance information.

          HUD officials have indicated that various cost allocation studies and resource
          management analyses are required to determine the cost of various activities
          needed for mandatory financial reporting. However, this information is widely
          distributed among a variety of information systems, which are not linked and
          therefore cannot share data. This makes the accumulation of cost information
          time consuming, labor intensive, untimely, and ultimately makes that cost
          information not readily available. Budget, cost management, and performance
          measurement data are not integrated because HUD:

             Did not interface its budget formulation system with its core financial system;

             Lacks the data and system feeds to automate a process to accumulate, allocate,
             and report costs of activities on a regular basis for financial reporting needs, as
             well as internal use in managing programs and activities;



                                           15
               Does not have the capability to derive current full cost for use in the daily
               management of Department operations; and
               Requires an ongoing extensive quality initiative to ensure the accuracy of the
               cost aspects of its performance measures as they are derived from sources
               outside the core financial system.

            While HUD has modified its resource management application to enhance its cost
            and performance reporting for program offices and activities, the application does
            not use core financial system processed data as a source. Instead, HUD uses a
            variety of applications, studies, and models to estimate the cost of its program
            management activities. One of these applications, TEAM/REAP, was designed
            for use in budget formulation and execution, strategic planning, organizational
            and management analyses, and ongoing management of staff resources. It was
            enhanced to include an allocation module that added the capability to tie staff
            distribution to strategic objectives, the President’s Management Agenda, and
            HUD program offices’ management plans.

            Additionally, HUD has developed time codes and an associated activity for nearly
            all HUD program offices to allow automated cost allocation to the program office
            activity level. HUD has indicated that the labor costs that will be allocated to
            these activities will be obtained from the HUD payroll service provider.
            However, because the cost information does not pass through the general ledger,
            current federal financial management requirements are not met.


Financial Systems do not
Provide for Effective and
Efficient Financial Management

            During fiscal year 2010, HUD’s financial information systems did not allow it to
            achieve its financial management goals in an effective and efficient manner in
            accordance with current federal requirements. To perform core financial system
            functions, HUD depends on three major applications, in addition to a data
            warehouse and a report-writing tool. Two of the three applications that perform
            core financial system functions require significant management oversight and
            manual reconciliations to ensure accurate and complete information. HUD’s use
            of multiple applications to perform core financial system functions further
            complicates financial management and increases the cost and time expended.
            Extensive effort is required to manage and coordinate the processing of
            transactions to ensure the completeness and reliability of information.

            Additionally, the interface between the core financial system and HUD’s
            procurement system does not provide the required financial information. The
            procurement system interface with HUDCAPS does not contain data elements to
            support the payment and closeout processes. Also, the procurement system does



                                             16
           not interface with LOCCS and PAS. Therefore, the processes of fund
           certification, obligation, de-obligation, payment, and close out of transactions that
           are paid out of the LOCCS system are all completed separately, within either PAS
           or LOCCS. This lack of compliance with federal requirements impairs HUD’s
           ability to effectively monitor and manage its procurement actions.


HUD Plans to Implement a
Department-wide Core
Financial System

           HUD plans to implement a commercial federal certified core financial system and
           integrate the current core financial system into one Department-wide core
           financial system. FHA and Ginnie Mae have already implemented a compatible
           and compliant system to support the transition to the enterprise core financial
           system. HUD originally planned to select a qualified shared service provider to
           host the enterprise system and integrate the three financial systems (HUD, FHA,
           and Ginnie Mae) into a single system by fiscal year 2015. Achieving integrated
           financial management for HUD will result in a reduction in the total number of
           systems maintained, provide online, real-time information for management
           decision-making, enable HUD to participate in E-government initiatives, and
           align with HUD's information technology modernization goals.

           HIFMIP, launched in fiscal year 2003, has been plagued by delays. HUD
           believes that at some point, HIFMIP will encompass all of HUD’s financial
           systems, including those supporting FHA and Ginnie Mae. Due to delays with the
           procurement process, however, the contract for HIFMIP was not awarded until
           September 2010.

           OMB reviewed HIFMIP and recommended that HUD give additional
           consideration to its (1) categorization of risk and mitigation strategies; (2)
           governance structure to ensure appropriate leadership is in place to support the
           project; and (3) funding strategy to give more time to assess whether the current
           approach is viable. As a result of OMB’s recommendations, HUD agreed to re-
           scope HIFMIP to address only the Department- level portion. Based on HUD’s
           agreement to re-scope the project, OMB approved the 18-month base period.
           Additional approvals will be needed for the option periods associated with
           HIFMIP. Until its core financial system is implemented, we believe the following
           weaknesses with HUD’s financial management systems will continue:

                  HUD’s ability to prepare financial statements and other financial
                  information requires extensive compensating procedures.
                  HUD has limited availability of information to assist management in
                  effectively managing operations on an ongoing basis.

           We are requesting that CPD use the current commitment budget fiscal year


                                            17
currently in the IDIS for making all future disbursements for its HOME, CDBG,
HOPA, and other formula grant plans. We are requesting that CPD use the plan
year identified in the setup process for establishing the commitment budget fiscal
year.




                                18
Significant Deficiency 2: HUD Needs To Improve Its Processes for
Reviewing Obligation Balances
HUD needs to improve controls over the monitoring of obligation balances to ensure that they
remain needed and legally valid as of the end of the fiscal year. HUD’s procedures for
identifying and deobligating funds that are no longer needed to meet its obligations were not
always effective. This has been a long-standing weakness.

In fiscal year 2010, HUD’S CFO coordinated a review of unliquidated obligations to determine
whether the obligations should be continued, reduced, or canceled. The review encompasses all
of HUD’s unliquidated obligations except those for the Section 8 project-based and tenant-based
mod-rehab programs and Sections 235/236 interest reduction and rental assistance/rent
supplement programs, which were subjected to separate reviews led by the program offices. We
evaluated HUD’s internal controls for monitoring obligated balances and found that HUD has
continued its progress in implementing improved procedures and information systems.
However, additional improvements are needed. Our review of the fiscal year 2010 year-end
obligation balances showed that timely reviews and recaptures of unexpended obligations for
Section 8 project-based, Sections 202 and 811 supportive housing programs, and administrative
and other program obligations were not being performed. As a result, $69.2 million in excess
funds had not been recaptured. In addition, we identified $36.4 million in unliquidated
obligations that were not subjected to a review process, 434 Low Rent Development grants that
have not been closed out amounting to $174 million of invalid obligations outstanding, and an
additional $1.62 billion in program obligations under CPD that were not properly reviewed.


 Administrative/Other Program
 Obligations

              Annually, the CFO forwards requests for obligation reviews to HUD’s
              administrative and program offices. The focus of the review is on administrative
              and program obligations that exceed threshold amounts established by the CFO.
              For this year’s review, the thresholds were set at $23,000 for administrative
              obligations and $243,000 for program obligations. HUD identified 1,275
              obligations with remaining balances totaling $45.5 million for deobligation. We
              tested the 1,275 obligations HUD identified to determine whether the associated
              $45.5 million had been deobligated in HUD’s Central Accounting and Program
              System and PAS. We found that, as of September 30, 2010, a total of 91
              obligations with remaining balances totaling $3.2 million had not been
              deobligated. HUD has initiated the process of closing these contracts, and the
              associated funding should be recaptured in fiscal year 2011.

              In addition, we reviewed the database used for the open obligation review to
              determine if all of HUD’s obligations were subjected to a review process. We
              identified 506 obligations with available balances totaling $37 million that were
              not distributed to the program offices for review. These obligations were not
              distributed to the program offices as they were made using funds under Treasury


                                              19
           Account Fund Symbols (TAFS) typically used for Section 8 project-based
           obligations, and therefore thought to be part of the separate Section 8 project-
           based obligation review process. However, these obligations are related to
           programs not subject to the Section 8 review and thus the CFO should distribute
           them to the appropriate program offices for review. Of these 506 obligations, we
           determined that 437 with available balances totaling $27.5 million were either
           expired or inactive as of June 30, 2010.

           For HUD’s administrative and other program obligations, HUD needs to promptly
           perform contract closeout reviews and recapture the associated excess contract
           authority and imputed budget authority. The administrative and program offices
           need to actively monitor all of their open obligations throughout the fiscal year,
           including those under the threshold amounts, to ensure that all obligations on
           HUD’s books remain valid. Active monitoring is also needed to decrease the
           number of obligations identified for recapture during the CFO’s department-wide
           review of obligations. When a large number of obligations are identified during
           this review it takes a significant amount of time to process all of the contract
           close-outs and deobligations. This resulted in obligations that were marked for
           deobligation remaining on HUD’s books after the end of the fiscal year.

The CPD’s Field Offices are not
Reviewing Underlying Support
During the CFO Department-
wide Open Obligation Review

           We reviewed CPD’s results of their March 31, 2010 review of outstanding
           obligations and found that the internal controls for monitoring obligations were
           not effective. We found that open obligations were being retained without
           adequate review as to whether the funds were still needed. We found that CPD
           retained over $1.62 billion in undisbursed obligations which were originally
           obligated from 1989 through 2005. Further review of the $1.62 billion showed
           that $243.93 million of undisbursed obligations had no disbursement actions since
           2008. Additionally, included in the $243.93 million, was $98.85 million of
           undisbursed obligations with no disbursement actions made against the original
           obligation.

           In addition, we reviewed the results of the Chief Financial Officer’s Department–
           wide Annual Open Obligation Review for FY10, specifically the results and open
           obligations related to CPD. CPD retained 24,313 of 24,564 (98.98 percent) of
           obligations for a total of $32.023 billion of $32.032 billion (99.97 percent) and
           deobligated 251 (1.02 percent) obligations for a total of $9.13 million (0.03
           percent).

           We provided a questionnaire to the CPD Field Office Directors (Directors),
           inquiring of their implementation of the CFO Annual Department-wide Open



                                           20
                Obligations Review. The responses received to our questionnaire revealed that
                for CPD’s formula and mandatory entitlement grant programs, where the grant
                agreement did not contain an expiration date, the open obligation amounts were
                retained by the Directors without having their underlying supporting
                documentation reviewed. Reviewers were focusing their obligation review on the
                competitive grants and grant agreements which have an expiration date.

                Additionally, some Directors relied on the recaptures identified and processed
                through the review for compliance with program regulatory requirements.
                Specifically for the HOME and CDBG programs, compliance with the program
                regulations are calculated and assessed on a cumulative basis based upon the
                grantee’s overall, cumulative grant balances since inception, and the recapture
                amount is based on those results. OIG does not agree with this cumulative
                method. By relying on the cumulative method to account for the obligation
                validity, amounts that could be individually determined as a valid or invalid
                obligation are not being reviewed. In fiscal year 2009, we issued OIG audit8
                which contained a finding related to the cumulative method for computing
                compliance. The report pointed out that the HOME program had $7 million in
                obligations for 77 open activities that were more than five years old, for which no
                amounts were drawn against and were not recaptured, as a result of this
                cumulative method. A similar finding was reported in the fiscal year 2010
                Consolidated Financial Statement Audit.

                Although the actual performance of the review is performed at the Field Office
                level, direction, guidelines, procedures, or expectations have not been clearly
                communicated or documented by CFO, CPD, or the individual program offices
                within CPD. Control procedures have not been established or implemented and
                evaluations of the operating effectiveness of the controls for implementing the
                review have not been conducted, allowing inconsistent and inadequate
                performance to go undetected and old, unused balances to remain in the Financial
                Statements for years without any activity or individual review.

    Project-Based Section 8
    Contracts

                HUD’s systems and controls for processing payments, monitoring, budgeting,
                accounting, and reporting for Section 8 project-based contracts needs to be
                improved. HUD has been hampered in its ability to estimate funding
                requirements, process timely payments to project-based landlords, and recapture
                excess funds in a timely manner. This problem is evidenced in HUD’s long-term
                challenges in paying Section 8 project-based landlords on a timely basis; properly
                monitoring, budgeting, and accurately accounting for contract renewals; and
                reporting obligation balances.


8
  (HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of HOME funds, Audit
report 2009-AT—0001


                                                   21
HUD administers 17,649 housing assistance payments contracts to provide about
1.25 million low-income housing units. A total of 14,737 contracts, covering
more than 1 million housing units, are currently subject to annual renewal.
HUD’s $8.9 billion in budget authority for Section 8 project-based contracts in
fiscal year 2010 included $168 million in carryover from prior years, $8.8 million
of which was from the $2 billion in supplemental funding appropriated under the
Recovery Act in fiscal year 2009.

Section 8 budget authority is generally available until expended. As a result,
HUD should periodically assess budget needs and identify excess program
reserves in the Section 8 programs as an offset to future budget requirements.
Excess program reserves represent budget authority originally received, which
will not be needed to fund the related contracts to their expiration. While HUD
had taken actions to identify and recapture excess budget authority in the Section
8 project-based program, weaknesses in the review process and inadequate
financial systems continued to hamper HUD’s efforts. There was a lack of
automated interfaces between the Office of Housing subsidiary records and
HUD’s general ledger for the control of program funds. This condition
necessitated that HUD and its contractors make extensive use of ad hoc analyses
and special projects to review Section 8 contracts for excess funds, which has
hampered HUD’s ability to identify excess funds remaining on Section 8
contracts in a timely manner.

This fiscal year, the Office of Housing recaptured approximately $144.3 million
in unliquidated obligation balances from 2,291 projects in the Section 8 project-
based program. However, their 2010 recapture methodology did not take into
account funds remaining on funding lines for expired annual renewal contracts.
Our review of the Section 8 project-based obligations identified 4,886 funding
lines with remaining balances totaling $188 million tied to annual renewal
contracts that expired in fiscal year 2010 or earlier. Under past recapture
methodologies, $38.5 million from 936 of the 4,886 funding lines would have
been recaptured in fiscal year 2010, or earlier. The $149.5 million from the
remaining 3,950 funding lines would be subject to recapture in future years. The
Office of Housing needs to include funds remaining on expired annual renewal
contracts in their recapture methodology and consider them when formulating
future budget requests, to keep from over-estimating their funding needs.

We recommended in our audit of HUD’s fiscal year 1999 financial statements that
systems be enhanced to facilitate timely closeout and recapture of funds. In
addition, we recommended that the closeout and recapture process occur
periodically during the fiscal year and not just at year-end. For fiscal year 2010
the Office of Housing implemented a quarterly review and recapture
methodology. However, deficiencies in HUD’s systems and the monitoring and
review processes for Section 8 project-based obligations led to 936 funding lines
with balances totaling $38.5 million for expired annual renewal contracts
remaining on HUD’s books. Implementation of the recommendations and the



                                22
            long-term financial management system improvement plan is critical so that
            excess budget authority can be recaptured in a timely manner and considered in
            formulating requests for new budget authority.

Supportive Housing for the
Elderly and Disabled - Sections
202 and 811 Programs

            HUD’s Sections 202 and 811 programs provide affordable housing and supportive
            services for elderly families and families with disabilities. These programs
            provide capital advances to private nonprofit organizations to finance the
            construction of new facilities or acquisition or rehabilitation of existing facilities.
            The capital advance is interest free and does not have to be repaid if the housing
            remains available for very low-income elderly or disabled families for at least 40
            years. After the facility has been constructed and occupied, HUD provides
            additional project rental assistance contract (PRAC) funds to owners to cover the
            difference between the HUD-approved operating cost for the project and the
            tenants’ contribution toward rents.

            The point of obligation of the initial award amount for the Section 202 and
            Section 811 programs is the agreement letter that obligates funds for both capital
            advances and PRAC. The hub/program center director signs first, the sponsor(s)
            signs second and an authorized signature memo from the Assistant Secretary for
            Housing/Federal Housing Commissioner or designee to the Fort Worth
            Accounting Center completes the obligation. The Fort Worth Accounting Center
            verified that funds are in LOCCS and recorded the obligation in PAS. Generally,
            funds appropriated for capital advances and PRAC are available for three years.
            After three years, the funds expire and will not be available for obligation, thus
            necessitating the need to track funds obligated under the program.

            At the beginning of fiscal year 2010, the Sections 202 and 811 programs had
            unliquidated obligation balances of $3.5 billion and $954 million, respectively.
            We reviewed the PAS subsidiary ledger supporting the current Sections 202 and
            811 program unliquidated obligations to determine whether unliquidated program
            obligations reported were valid and whether invalid obligations had been
            cancelled and recaptured in PAS. Our review identified 57 Section 202 and 811
            projects with available obligation balances totaling $25.3 million that had expired
            according to HUD’s accounting systems, PAS/LOCCS. According to Office of
            Housing staff, 55 of these projects were active and had the incorrect expiration
            dates in the accounting systems. Controls within PAS/LOCCS do not allow
            disbursements to be made for projects that have expired. Accordingly, the Office
            of Housing is working to correct the expiration dates in PAS/LOCCS.

            It is imperative that a project’s expiration date is kept up to date to ensure HUD is
            able to process disbursements to project owners in a timely manner. Additionally,



                                              23
         data within HUD’s accounting systems needs to be reliable to ensure adequate
         monitoring and reviews of HUD’s unliquidated obligations are performed.

Low Rent Development Grant
(LRP) Obligations Not Reviewed
and Financial Statements
Overstated by $174 Million

         The Low-Rent Public Housing Loan Fund was established to provide direct
         Federal Loans to fund remaining PHAs and Indian Housing Authority
         construction, acquisition, and modernization activities reserved under the Annual
         Contributions appropriation. In fiscal year 1986, Congress passed legislation
         changing the financing of the LRP from direct loans to grants. The legislation
         resulted in the forgiveness of all outstanding LRP direct loans made to PHAs.

         During our review of the unliquidated obligations, we found that HUD did not
         include the LRP grants in the annually required HUD-wide open obligations
         review. In addition, HUD reported inaccurate and duplicate data in HUD’s
         financial systems for the LRP program which resulted in unsupported balances on
         the financial statements.

         The lack of an open obligation review resulted in the undelivered orders line item
         on HUD’s consolidated financial statements were overstated by as much as $174
         million. This condition has existed since 1997 and was previously identified in a
         1997 HUD OIG audit. That audit report recommended HUD develop procedures
         for performing and monitoring the close-out of 419 LRP grants and for the
         recapture of unused funds.

         During fiscal year 2010, we reviewed the LRP subsidiary records and found 351
         grants open since 1997 that have not been closed out and funds recaptured. In
         addition, we identified a total of $174 million in outstanding obligations for a total
         of 434 LRP grants that have not been reviewed and closed out. We tested the 20
         of the 434 grants with the largest outstanding obligation balances and found that
         grants were no longer valid and the general ledger was overstated by $87 million.
         The grants tested were not closed in the financial system due to IT system
         problems and the lack of a coordinated effort between PIH and the CFO to resolve
         the issues.

         As a result of OIG’s review in this area, CFO and PIH began reviewing these
         outstanding obligations and are drafting enhanced closeout procedures for the
         LRP grant program. As of September 2010, PIH has identified 242 grants for
         close out and deobligated $71.6 million. We recommend PIH continue their
         review of the remaining grants and associated outstanding obligations. We also
         recommend PIH update their funds control plans by adding procedures to ensure




                                          24
          that that any unexpended obligation portfolios are not excluded from the open
          obligation review.


Long-Term Financial
Management System Needs to
be Implemented

          We have been reporting weaknesses in HUD’s financial management systems
          areas for many years, including making a recommendation that HUD develop a
          long-term financial management system solution to automate and streamline its
          processes. Last year, as part of HUD’s effort to improve the quality of services
          within the rental housing assistance business areas, HUD conducted a study of its
          performance gap and developed a long-term information technology (IT) strategy
          and improvement plan to address the performance gap. However, as of the end of
          fiscal year 2010, it had not been fully implemented. Meanwhile, the
          shortcomings in the financial management systems continued to impair HUD’s
          abilities to properly monitor and accurately account for contract renewals and
          report obligation balances.




                                          25
Significant Deficiency 3: HUD Management Must Continue To
Improve Oversight and Monitoring of Subsidy Calculations,
Intermediaries’ Performance, and Utilization of Housing Choice
Voucher Funds
Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds
through various grant and subsidy programs to multifamily project owners (both nonprofit and
for profit) and housing agencies. These intermediaries, acting for HUD, provide housing
assistance to benefit primarily low-income families and individuals (households) that live in
public housing, Section 8 and Section 202/811 assisted housing, and Native American housing.
In fiscal year 2010, HUD spent about $30 billion to provide rent and operating subsidies that
benefited more than 4.8 million households.
Since 1996, we have reported on weaknesses with the monitoring of the housing assistance
program’s delivery and the verification of subsidy payments. We focused on the impact these
weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing
subsidies and (2) verify tenant income and billings for subsidies. During the past several years,
HUD has made progress in correcting this deficiency. Since fiscal year 2006, HUD has utilized
the comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH)
efforts to address public housing agencies’ (PHA) improper payments and other high-risk
elements. HUD’s continued commitment to the implementation of a comprehensive program to
reduce erroneous payments will be essential to ensuring that HUD’s intermediaries are properly
carrying out their responsibility to administer assisted housing programs according to HUD
requirements.

The Department has demonstrated improvements in its internal control structure to address the
significant risk that HUD’s intermediaries are not properly carrying out their responsibility to
administer assisted housing programs according to HUD requirements. HUD’s increased and
improved monitoring has resulted in a significant decline in improper payment estimates over the
last several years. However, HUD needs to continue to place emphasis on its on-site monitoring
and technical assistance to ensure that acceptable levels of performance and compliance are
achieved and periodically assess the accuracy of intermediaries rent determinations, tenant
income verifications, and billings.
Tenant income is the primary factor affecting eligibility for housing assistance, the amount of
assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy
payment makes up the difference between 30 percent of a household’s adjusted income and the
housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The
admission of a household to these rental assistance programs and the size of the subsidy the
household receives depend directly on the household’s self-reported income. However,
significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent
determinations and undetected, unreported, or underreported income. By overpaying rent
subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds
that could have been used to subsidize other eligible families in need of assistance.




                                               26
    HUD’s Gross Estimate of
    Erroneous Payments Decreased in
    Fiscal Year 2010


                  The estimate of erroneous payments that HUD reports in its Agency Financial
                  Report (AFR) relates to HUD’s inability to ensure or verify the accuracy of
                  subsidy payments being determined and paid to assisted households. This year’s
                  contracted study of HUD’s three major assisted housing programs estimated that
                  the rent determination errors made by the intermediaries and intentional
                  underreporting of income by the tenants resulted in substantial subsidy
                  overpayments and underpayments. The study was based on analyses of a
                  statistical sample of tenant files, tenant interviews, and income verification data
                  for activity that occurred during fiscal year 2009. Since January 2007 the
                  amounts reported in the study were being adjusted due to program structure
                  changes9 .

                  While HUD's improper payment rate decreased from 3.5 percent in fiscal year
                  2009 to 3.1 percent in fiscal year 2010, HUD continues to report substantial
                  amount of gross dollar erroneous payments in the rental housing assistance
                  program. In fiscal year 2010, HUD reported in its AFR a combined gross
                  improper payment estimate of $925 million in fiscal year 2009. This is a decrease
                  of 10 percent compared to the prior year estimate of $1.02 billion. As noted
                  above, the gross erroneous payments reported by the department in fiscal year
                  2010 excluded $215 million in gross erroneous payments attributable to PHA's
                  administrator ($130 million) and income reporting ($85 million) errors. In fiscal
                  year 2010, in response to section 3(b) of the Presidential Executive Order 13520,
                  Reducing Improper Payments, we also noted specific areas for improvements
                  which would strengthen HUD's improper payment reduction strategies. We also
                  recommended HUD to consider full disclosure of HUD's statistical estimates of
                  erroneous payments in PIH’s rental assistance program to provide the required



9
  The Public Housing programs switched to Asset Management and began calculating formula income for PHAs as
noted in 24 CFR 990.195 Calculating Formula Income. This change eliminated the 3 types of improper payment
errors for the Public Housing program. This new process was implemented in January 2007. Therefore for FY
2007 this process was in place for the last 3 quarters of the year and HUD subsidy errors occurred only in the first
quarter. Errors could still be made by PHAs in their calculation of the amount of tenant rent or tenants could still be
under reporting their income, however beginning January 2007 this no longer affected HUD's subsidy. The Quality
Control (QC) study and Income Match Reporting study estimated these errors for the entire fiscal year because this
information is useful to management of both PIH and the PHAs. However, based on the conversion to asset
management and the change in calculating formula income becoming effective in January 2007, none of the
amounts calculated in the QC study for the Public Housing Administrator, Income Reporting, and Billing errors will
be reported for FY 2008 as this change was in effect for all of FY 2008. In addition, the establishment of a budget
based funding methodology was implemented for the Housing Choice Voucher Program to eliminate the
opportunity for billing errors in that program. Budget based means that each PHA will have a set annual budget for
vouchers to serve their clients’ needs. The PHA will receive the annual budget in 12 equal monthly payments – thus
eliminating the need to bill HUD and eliminating the Housing Choice Voucher Program Billing Error.


                                                          27
           transparency under this order. Our analysis of the payment error estimates
           reported by HUD in fiscal years 2010 and 2009 is provided in detail below.

                  Administrator Error - This error represents the program administrators'
                  failure to properly apply income exclusions and deductions and correctly
                  determine income, rent, and subsidy levels. HUD reported $440 million
                  (net of adjustments) in estimates of erroneous payments due to
                  administrator error in fiscal year 2010. This is a 10 percent increase
                  compared to prior year estimates of $400 million.

                  Income Reporting Error - This error represents the tenant beneficiary's
                  failure to properly disclose all income sources and amounts upon which
                  subsidies are determined. HUD reported $218 million (net of
                  adjustments) estimates of erroneous payments due to income reporting
                  error in fiscal year 2010. This is a 41 percent decrease compared to prior
                  year estimates of $371 million.

                  Billing Error - This error represents errors in the billing and payment of
                  subsidies between HUD and third party program administrators and/or
                  housing providers. HUD reported $57 million in estimates of erroneous
                  payments due to billing error in fiscal year 2010. This is 4 percent
                  decrease compared to the $59 million estimates in fiscal year 2009. The
                  fiscal year 2009 estimates were carried over from the 2006 billings study.
                  HUD conducted billings study during fiscal year 2010 to update the 2006
                  billings study. As in prior years, PIH's billings error estimates had been
                  reduced to zero for the Housing Choice Voucher program. Therefore,
                  only the Office of Housing's estimate of $57 million was included in the
                  estimate of erroneous payments for billing errors.

Need To Continue Initiatives to
Mitigate Risks Due to
Unreported Tenant Income


           HUD has implemented several initiatives, including Enterprise Income
           Verification (EIV), supplemental measures, and Integrated Subsidy Error
           Reduction System (ISERS), to mitigate the improper payment risks due to
           unreported tenant income.

                      The computer matching agreement between HUD’s Office of Housing
                      and the Department of Health and Human Services (HHS) for use of
                      the National Directory of New Hires in the Enterprise Income
                      Verification system (EIV) was finalized in fiscal year 2008. HUD
                      successfully expanded its computer matching program with the HHS
                      data to all of its rental assistance programs (public housing, housing
                      vouchers, and project-based housing) when HUD’s project-based



                                           28
program gained access to the HHS database on January 15, 2008. The
other programs had gained access previously. Effective January 31,
2010, HUD required all public housing agencies and owners and
management agents to use EIV in verifying the employment and
income of program participants in order to improve the accuracy of
income and rent determinations in the assisted housing programs. EIV
is a web-based system that compiles tenant income information and
makes it available online to HUD business partners to assist in
determining accurate tenant income as part of the process of setting
rental subsidy. Currently, EIV matches tenant data against Social
Security Administration information, including Social Security
benefits and Supplemental Security Income, and with the HHS
National Directory of New Hires (NDNH) database, which provides
information such as wages, unemployment benefits, and W-4 (―new
hires‖) data, on behalf of PIH and Multifamily Housing programs.
The EIV System is available to PHAs nationwide and to Owner
Administered project-based assistance programs and they are
encouraged to use and implement the EIV System in their day-to-day
operations.

In addition, both the PIH and Office of Housing established
supplemental measures, in response to Presidential Executive Order
13520, to manage the risk from other sources of payment errors such
as deceased tenants or those tenants who failed identity verifications
due to an invalid social security number and to monitor and track
compliance with the mandatory use of EIV. These supplemental
measures by design are capable of achieving HUD's control objective
of mitigating improper payment risks but it needs to ensure that they
are tested as part of HUD's annual OMB Circular A-123 assessment
reviews to provide them reasonable assurance that these controls are
working properly.

In our fiscal year 2009 audit, we noted that ISERS (previously known
as Multifamily Error Tracking Log) was going through the
procurement process. The ISERS system was intended to document
whether and to what extent owners are accurately, thoroughly, and
clearly determining family income and rents in the Office of
Multifamily Housing Subsidy Programs, and also to track the specific
dollar impact of income and rent discrepancies and the corresponding
resolution of such errors. In fiscal year 2010, a contract to build the
system was in place and a contractor has been selected. To date, the
system is currently in its early stages of system development life cycle
and its full implementation is not expected until April.




                     29
Need To Continue Progress on
RHIIP Initiatives for Monitoring
Intermediaries Performance


         HUD initiated the RHIIP as part of an effort in fiscal year 2001 to develop tools
         and the capability to minimize erroneous payments. The type of erroneous
         payments targeted includes the excess rental subsidy caused by unreported and
         underreported tenant income. HUD has continued to make progress in addressing
         the problems surrounding housing authorities’ rental subsidy determinations,
         underreported income, and assistance billings. However, HUD still needs to
         ensure that it fully uses automated tools to detect rent subsidy processing
         deficiencies and identify and measure erroneous payments.

         During fiscal year 2006, HUD implemented a 5-year plan to perform consolidated
         reviews to reinforce PIH’s efforts in addressing housing authorities’ improper
         payments and other high-risk elements. These reviews were also implemented to
         ensure the continuation of PIH’s comprehensive monitoring and oversight of
         housing authorities. The 5-year plan required HUD to perform tier 1
         comprehensive reviews on approximately 20 percent or 490 of the housing
         authorities that manage 80 percent of HUD’s funds. The comprehensive reviews
         included rental integrity monitoring (RIM), RIM follow-up on corrective action
         plans, EIV implementation and security, Section 8 Management Assessment
         Program (SEMAP) confirmatory reviews, SEMAP quality control reviews,
         exigent health and safety spot checks, Management Assessment Subsystem
         (MASS) certifications, and civil rights limited front-end reviews.
         In fiscal year 2010, HUD deemphasized the RHIIP initiative as a priority and
         focused its resources on the review of American Recovery and Reinvestments Act
         (ARRA) activities. PIH did not plan, set goals, or perform as many consolidated
         reviews. In prior years, the PIH required the field offices to perform about 100
         tier 1 reviews in conjunction with the RHIIP initiative and outlined the goals for
         performing those reviews in the HUD Management Plan. In fiscal year 2010,
         HUD did not prepare a Management Plan to document its planned efforts or set
         goals for RHIIP reviews. PIH stated that for fiscal year 2010, they would initiate
         RIM reviews in response to specific concerns. We found that in fiscal year 2010,
         HUD only performed 19 tier 1 reviews of its highest at risk housing authorities,
         which was significantly lower than the 105 reviews completed in fiscal year 2009.
         In addition, we noted corrective action plans implemented as a result of the
         reviews performed in prior years were not being tracked and monitored.

         In prior years, we reported that information contained in the PIH Inventory
         Management System (PIC-IMS) was incomplete and/or inaccurate because PHAs
         reporting requirements were discretionary. As a result, PHAs have been
         mandated to submit 100 percent of their family records to HUD. HUD annually
         evaluates those PHAs not meeting the 95 percent requirement. Based on the PIC-


                                         30
             IMS data, as of April 2010, nine percent (489 out of the 5,491) of the PHAs did
             not meet HUD’s minimum reporting rate requirements. PIH is required to
             annually evaluate PHA’s reporting rates and may impose sanctions for failure to
             meet the minimum reporting requirements. We found no sanctions imposed on
             the PHAs for the past two years. Complete and accurate data within the PIC-IMS
             is essential to perform EIV computer matching analysis, which detects
             underreported income as well as other fraud factors. We believe that PIH should
             be consistent in its annual review process and impose sanctions when warranted
             on PHAs that are not meeting the required minimum reporting rates.

             HUD has made substantial progress in taking steps to reduce erroneous payments.
             However, it must continue its regular on-site and remote monitoring of the PHAs
             and use the results from the monitoring efforts to focus on corrective actions
             when needed. We are encouraged by the on-going actions to focus on improving
             controls regarding income verification.


Monitoring Public Housing
Agencies’ Utilization of Section 8
Housing Choice Voucher
Program Funds


             The Section 8 Housing Choice Program is HUD’s largest housing assistance
             program with an annual appropriation of $18 billion and provides assistance to
             2.1 million families. In fiscal year 2005, Congress in an effort to control the cost
             of the program and to provide PHAs flexibility in the administration of available
             program funding, significantly changed the way HUD provides subsidies and
             monitors the subsidies paid to PHAs. The basis of the program funding went from
             a ―unit-based‖ process to a ―budget-based‖ process that limits the Federal funding
             to a fixed amount.

             HUD distributes funding using a formula based on the housing agencies’ self-
             reported prior-year costs by in the Voucher Management System (VMS). PHAs
             retain and are expected to use the funds in their entirety for authorized program
             activities and expenses within the time allowed. Program guidance states that any
             budget authority provided to PHAs that exceeds actual program expenses for the
             same period must be accounted for as restricted cash and maintained separately
             and available for program operations. Although these funds are retained by the
             PHA and not HUD, HUD relies on the PHAs to hold excess budget authority in
             reserve and available for program cost increases. According to HUD’s
             monitoring systems, as of June 30, 2010, PHAs’ Net Restricted Assets (NRA)
             accounts showed an estimated balance of $1.04 billion in excess funding held by
             PHAs.




                                              31
                    HUD’s monitoring of PHAs’ budget authority utilization is an essential internal
                    control to ensure PHAs properly account for program resources and excess funds
                    are used for authorized program activities. Consequently, accurate VMS cost data
                    is essential to (1) correctly calculate the $18 billion annual PHAs budget
                    allocations; (2) determining over and under utilization of funds and excess budget
                    authority available for unanticipated cost increases and budget offsets; and (3)
                    evaluating PHAs’ performance in ensuring the maximum number of families
                    served.

                    In our fiscal year 2009 report,10 we recommended (1) increased monitoring efforts
                    regarding the excess budget authority held by PHAs; (2) HUD seek legislative
                    authority to perform additional offsets on PHAs with large balances of excess
                    funding and put unused funds into better use; (3) HUD reconcile PHAs excess
                    restricted funds accounts to ensure funds available for program use; and lastly (4)
                    HUD increase its on-site monitoring by including the confirmation of the excess
                    budget authority as part of the VMS expenditure reviews.

                    Last year, we also reported that approximately 370 PHAs requested additional
                    funding in fiscal year 2009 to cover anticipated funding shortfalls, which placed
                    many families at risk of losing the subsidy. During fiscal year 2010, Congress
                    allowed HUD to use up to $200 million to provide additional funding to PHAs
                    experiencing housing assistance and administrative fees funding shortfalls in
                    2009. With those funds 182 PHAs received a total of $78 million of additional
                    funding.

                    As a proactive measure, HUD established the shortfall prevention team (SPT) to
                    prevent assisted families from being terminated from the Housing Choice
                    Voucher (HCV) program due to PHAs’ failure to adequately manage their funds.
                    This team reviewed updated funding utilization from reports that combining
                    funding, leasing and expense data from various HUD systems, and used the data
                    to project the funding utilization rate for the 2,347 PHAs administering HCV
                    programs. Their goal was to identify PHAs at risk of running out of funds before
                    the end of the year.

                    According to the SPT, in fiscal year 2010 there are 34 PHAs identified at risk.
                    The total projected shortfall at this time is $1.4 million and 1,466 families are
                    potentially at risk of losing their housing assistance. The SPT is currently
                    working with the 34 PHAs to identify cost savings measures to maximize the
                    current funding utilization levels without having to terminate families from
                    receiving assistance.

                    HUD has made improvements for tracking PHAs funds utilization by
                    comprehensibly analyzing the expenditure data collected in VMS. HUD’s
                    monitoring reports shows that overall dollar utilization rate is 100 percent as of

10
  Additional Details to Supplement Our Report on HUD’s Fiscal Year 2009 and 2008 Financial Statements, 2010-FO-0003, dated November 16,
2009



                                                                 32
                 June 30, 2010, however some PHAs continue to accumulate excess funds reserves
                 accumulated because they are not maximizing their leasing vouchers rate.

                 According to HUD’s monitoring report the total unit-voucher available for lease
                 utilization rate for the 2,347 PHAs is 93 percent as of June 30, 2010. Of that,
                 1,431 PHAs have less than the desirable rate of 95 percent utilization of unit
                 voucher rate. Those PHAs have a total of $640 million in estimated excess funds
                 unused. The voucher utilization rates for the other 916 PHAs are at 95 percent or
                 above with NRA estimated account balances of $403 million in excess unused
                 funds.

                 Last year, we recommended that HUD to seek legislative authority to implement
                 $317 million in offsets against PHA’s excess unusable. HUD included language
                 in the FY 2011 congressional budget justification seeking authority to reduce a
                 PHA’s annual budget allocation by an amount in excess of 6 percent of a PHA’s
                 accumulated NRA balance. Based on the annualized rate of BA and NRA
                 balance as of June 30, 2010, we calculated that 1,459 PHAs will be eligible for
                 offsets amounting to $385 million. Therefore, we recommend that HUD execute
                 an offset of the $385 million in excess funds.

                 In 2010, HUD began efforts to address prior year recommendations to ensure that
                 PHAs excess funds are reconciled with HUD’s estimated excess funds in order to
                 maintain control and to better manage the program’s budgetary resources. This
                 effort11 consisted on a reconciling the excess funds balance reported by the PHAs
                 into HUD FASS12 against the VMS13 data to ensure that accurate account balance
                 data will be available for financial management and budget decisions.

                 We made a site visit to Section 8 Financial Management Center in Kansas City
                 and performed a walkthrough of the financial statements reconciliations process.
                 We selected a sample of 20 reconciliations from the 223 PHAs reconciliations
                 completed at the time. We reviewed the reconciliations to determine whether the
                 HUD’s estimated excess funds were accurate when compared with the PHAs
                 financial statements as of December 31, 2009. Our review showed 16 PHAs had
                 a total of $50 million more than the $25 million excess estimated by HUD. The
                 other 4 PHAs had $53 million less than $57 million estimated by HUD. We did
11
   The reconciliation effort will encompass the correction of discrepancies and the taking of actions against PHAs
that are not in compliance with the HCV program financial requirements. HUD plans to reconcile the PHA excess
unused budgetary resources accounted in the restricted (NRA) and non-restricted (UNA) equity fund balance
accounts for all 2,400 PHAs. The Section 8 Financial Management Center and Real Estate Assessment Center will
continue this process to maintain the accuracy of the NRA and NUA balances going forward. HUD also added
fields to VMS to capture both excess unused NRA and NUA balances on a monthly basis to be able to more
efficiency and effectively monitor PHAs utilization of NRA and NUA.
12
   Real Estate Assessment Center Financial Assessment Subsystem (FASS) is used to electronically receive and
evaluate unaudited and audited financial statements from the housing authorities as required by OMB Circular A-
133 Single Audit Act.
13
   Voucher Management System (VMS) is a web portal where housing authorities report HUD the monthly
expenditures and units voucher utilized. HUD used these data to monitor expenditures and determine over-under
utilization, over leasing and excess unused funds that housing authorities maintain in their accounts.


                                                        33
note that improvements could be made to the reconciliation process in order to
ensure that a proper audit trail of changes made by PHAs in VMS during the
reconciliation project. We recommend that HUD develop procedures to ensure an
audit trail is maintained of changes made in the reconciliation process.




                              34
Significant Deficiency 4: Office of Community Planning and
Development (CPD) Needs to Establish an Adequate System of
Internal Controls to Properly Monitor Grantees’ Compliance with
Program Requirements
CPD seeks to develop viable communities by promoting integrated approaches that provide
decent housing and a suitable living environment and expand economic opportunities for low-
and moderate-income persons. The primary means toward this end is the development of
partnerships among all levels of government and the private sector, including for-profit and
nonprofit organizations. To carry out its mission, CPD utilizes a mixture of competitive and
formula-based grants. OMB Circular A-123, Management’s Responsibility for Internal Controls,
requires that program offices implement an effective system of internal controls in order to ensure
that grantees for which funds are provided are meeting their goals and objectives and carrying
out the program in accordance with program requirements. These responsibilities include
developing and maintaining internal control activities that comply with standards to meet the three
objectives of internal control (1) effectiveness and efficiency of operations, (2) reliability of financial
reporting, and (3) compliance with applicable laws and regulations.

In carrying out its internal control responsibility of grantee oversight, management is responsible
for assessing the risk of grantee non-compliance with program regulations and developing
control activities which collect and distribute timely and relevant information to those charged
with making informed decisions. Control procedures developed should be clearly
communicated, written, provide an audit trail and located where they can be obtained by those
carrying out the activities. Proper design of control activities is important; however, monitoring
and evaluating the effectiveness of the procedures is critical to facilitate the correction of control
deficiencies before they materially affect the achievement of the organization’s objectives.

Based upon our review of HUD’s HOME and Homeless Assistance programs, we noted control
deficiencies regarding the programs’ timely deobligation and recapture of grantee funds, for
grantees which were non-compliant in obligating and expending funds in accordance with
program regulations. The combination of the control deficiencies we noted during our audit
have adversely affected the organization's ability to meet its internal control objectives, which
are to not only determine grantee compliance with applicable laws and regulations, but to also
timely identify deficiencies, and to design and implement corrective actions to improve or
reinforce program participant performance.




                                                    35
Subgrantees and Community
Housing Development
Organizations for the HOME
Program Do Not Always Expend
Grantee Funds in a Timely
Manner

          Our review of the HOME Investment Partnerships Program found $20.8 million
          in unexpended grants funded with no-year expiration funds and dated from 1992
          through 2001. In addition, $10.3 million of the $20.8 million were uncommitted
          funds. These no-year funds had accumulated due to poor performing community
          housing development organizations (CHDO) and subgrantees (1) that did not
          expend funds in a timely manner and (2) a cumulative accounting process which
          allowed poor performance to go undetected.

          Current HOME program regulations state that funds not expended in a timely
          manner can be reallocated in the next year’s formula allocation to further the
          mission of the program. It is the field offices’ responsibility to ensure that funds
          from fiscal years 2001 and earlier that were not spent in a timely manner were
          recaptured and used in the next year’s formula allocation.

          HOME program regulations do not penalize or highlight poorly performing
          subgrantees or CHDOs for two reasons.

                 First, the commitment, reservation, and disbursement deadlines were
                 determined on an aggregate/cumulative basis versus a grant year basis.
                 This process created a situation in which older funds remain available for
                 drawdown because compliance with the disbursement deadline is
                 determined cumulatively. Therefore, if a subgrantee or CHDO were not
                 performing as it should, or not spending funds to complete its projects, the
                 cumulative program requirements allow one grantee’s poor performance
                 to remain undetected.

                 Second, CHDO subgranted or reserved funds that are subgranted or
                 reserved to a CHDO are held to the five year disbursement deadline, but it
                 is the participating jurisdiction that was ultimately responsible for meeting
                 the disbursement deadline. Only the participating jurisdiction can draw
                 funds, not the subgrantee or CHDO. In addition, it appears that the large
                 number of subgrantees and CHDOs per participating jurisdiction within
                 the HOME program and lack of field office staff, made it difficult for the
                 field offices to sufficiently monitor the status of subgranted funds.

          The $20.8 million in HOME grant funds for fiscal years 2001 and earlier which
          have not been expended and the $10.3 million in unreserved and uncommitted
          HOME grant funds for fiscal years 2001 and earlier, were not used to expand the




                                           36
                  supply of decent, safe, sanitary, and affordable housing for low- and very low-
                  income families.

                  In addition, our review also showed $3.7 million in unexpended fiscal year 2003
                  HOME funds and $1.4 million in uncommitted funds. These funds, due to
                  provisions of the Defense Authorization Act14 should be cancelled and the
                  remaining amounts remitted to Treasury on September 30, 2010.

                  During the fiscal year 2009 audit15, OIG recommended that CPD ensure that field
                  offices encourage participating jurisdictions to review the Expiring Funds Report
                  as well as the performance of CHDOs and subgrantees to determine whether the
                  unused funds should be deobligated. We also recommended that CPD develop a
                  policy that would track expenditure deadlines for funds reserved and committed
                  to CHDOs and subgrantees separately.

                  However, as part of the fiscal year 2010 audit, CPD informed the OIG that in
                  order to rectify this problem and in response to our recommendations, they
                  contracted with an independent company to modify the Integrated Disbursement
                  Information System (IDIS)16 so that one CHDO or subgrantee’s funds under one
                  PJ can be used by another in the event of untimely use of funds by another CHDO
                  or subgrantee. CPD terms this process as ―true-FIFO.‖ CPD officials stated this
                  will eliminate unused funds from being ―held‖ to one CHDO. The Department
                  estimates that the proposed change in IDIS will result in the drawdown of grant
                  funds on a true-FIFO basis, will eliminate the current fiscal years 1992 – 2001
                  HOME grant balances in less than one fiscal year. The project is currently in the
                  design phase, and is expected to be implemented by December 31, 2010. These
                  amounts would be disbursed after changes are made to FIFO rules in IDIS.

                  We believe that the modifications to IDIS are inappropriate and would further
                  erode CPD ability to monitor actual performance by its participating jurisdictions
                  and CHDOs. HUD should suspend work on this task immediately until a review
                  of how appropriate compliant business processes can be integrated into IDIS’s
                  programming.



14
   The National Defense Authorization Act of 1991(Public Law 101-510, November 5, 1990) established rules
governing the availability of appropriations for expenditure. This legislation mandates that on September 30th of the
fifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall
be closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and
thereafter shall not be available for obligation or expenditure for any purpose.
15
   Audit Report number 2010-FO-003 – Subgrantees and Community Housing Development Organizations for the
HOME Program Do Not Always Expend Grant Funds in a Timely Manner – identified $24.7 million in undisbursed
HOME funds on grants from 1992 through 2001.
16
   As a nationwide database, IDIS provides HUD with current information regarding the program activities
underway across the Nation, including funding data. HUD uses this information to report to Congress and to monitor
grantees. IDIS is the draw down and reporting system for the four CPD formula grant programs: CDBG, HOME,
ESG, and HOPWA and Recovery Act programs: CDBG-R, TCAP and HPRP. The system allows grantees to request
their grant funding from HUD and report on what is accomplished with these funds.


                                                           37
     Funds from Expired Contracts
     Not Timely Recaptured for
     Homeless Assistance Programs

                 Our review of the obligation balances for the Office of Special Needs Assistance
                 Programs (SNAPS) as of September 30, 2010, showed approximately $97.8
                 million in undisbursed obligations recorded for expired contracts for Shelter Plus
                 Care and Supportive Housing Program homeless assistance programs. These
                 contracts expired on or before June 30, 2010. CPD’s Funds Control Plan allows a
                 90-day closeout period for expired contracts. HUD regulations also state that
                 HUD may authorize an extension for a recipient to complete the closeout process
                 and liquidate all obligations incurred under the award.

                 Field offices were responsible for reviewing the status of contracts and
                 recommending that funds that have been obligated but not disbursed in the
                 appropriate timeframes be deobligated and included in the next year’s Continuum
                 of Care competition to be redistributed to eligible grantees, if they are deobligated
                 during the unexpired phase of the budget authority17. The competitive programs
                 under homeless assistance included Shelter Plus Care, Supportive Housing, and
                 Section 8 Moderate Rehabilitation Single Room Occupancy.

                 CPD officials stated that when a contract expires, the excess funding should be
                 locked and the grantees access to the funds curtailed. CPD instructed the field
                 offices to review these contracts and recommended that remaining funds be
                 recaptured. Special emphasis was placed on this review process before the annual
                 funding competition. However, we found that many of these expired contract
                 reviews were not performed. SNAPs did not have an effective system of internal
                 controls with published control activities that include specific policies, procedures
                 and mechanisms in place to help ensure that grants were closed out and remaining
                 balances recaptured, including appropriate documentation of extensions granted
                 and follow-up efforts with the grantees.

                 Excess funding on the expired contracts included in the $97.8 million identified,
                 which have not been extended and are still within the unexpired phase of the
                 budget authority, can be included in the next continuum of care competition as
                 announced in the notice of funding availability and redistributed to eligible
                 grantees. The excess funds should be recaptured and used to further accomplish
                 the objectives of the program, which are to reduce the incidence of homelessness

17
   Period of availability for making disbursements: Under a general law, annual budget authority and multi-year
budget authority may disburse during the first two phases of the life cycle of the budget authority.
During the unexpired phase, the budget authority is available for incurring "new" obligations. You may make "new"
grants or sign "new" contracts during this phase and you may make disbursements to liquidate the obligations. This
phase lasts for a set number of years. Annual budget authority lasts for up to one fiscal year. Multi-year authority
lasts for longer periods, currently from over one fiscal year up to 15 fiscal years, and no-year authority lasts
indefinitely.


                                                        38
                 in Continuum of Care communities by assisting homeless individuals and families
                 to move to self-sufficiency and permanent housing.

     Completed Projects for the HOME
     Program Not Always Closed Out
     in IDIS in a Timely Manner

                 A review of the Home program Open Activities Report18 (Report) dated August
                 31, 2010, showed 5,437of 19,552 open activities (28 percent), in which the
                 participating jurisdiction had made its final draw but the activity was still listed on
                 the Open Activities Report. Thus, these projects were not closed in the system
                 although all funds had been drawn. HOME program regulations required
                 participating jurisdictions enter project completion information into IDIS within
                 120 days of making a final draw for a project. A similar finding was reported by
                 the Office of Inspector General (OIG) during the FY09 audit19.

                 The Report also showed 350 activities with funding dates 2005 and prior wherein
                 the percentage of amounts drawn on the activity was 50 percent or less. These
                 activities had a funded amount of $35M with $27.5M still available to draw at
                 August 31, 2010, or at least five years after they were originally funded. The
                 Report also showed 1,270 activities which were funded between 1993 and 2009
                 that have a funded and remaining amount of $189M, as no draws have been made
                 against the activity since they were initially funded.

                 The Open Activities Report also allows participating jurisdictions to view
                 activities that have been open for several years with little or no HOME funds
                 drawn. Field offices can use this report as a desk-monitoring tool to view each
                 participating jurisdiction’s open activities in need of completion or possibly
                 cancellation in IDIS. If the report indicates that funds have not been drawn for an
                 extended period, the field office can use the report to follow up with the
                 participating jurisdiction to determine the reason for the slow progress on the
                 project and whether it should be cancelled.

                 However, it appeared that the field offices were not using the Open Activities
                 Report to follow up with participating jurisdictions on slow-moving projects listed
                 on the report. It also appeared that participating jurisdictions were not using the
                 report as a reference to determine projects that should be cancelled or closed in
                 IDIS. The report was created to alleviate the widespread problem of participating
                 jurisdictions not entering project completion data into IDIS in a timely manner. A

18
   The Open Activities Report is issued monthly and used by CPD field offices and participating jurisdictions within
the HOME program to review open activities in the Integrated Disbursement and Information System (IDIS). Open
activities are those that have not been closed in the system.
19
   2010-FO-003 – Completed Projects for the HOME Program Not Always Closed Out in IDIS in a Timely Manner
– identified 5,972 of 29,216 (20 percent), in which the participating jurisdiction had made its final draw but the
activity was still listed on the August 31, 2009 Open Activities Report.


                                                        39
                similar finding was reported by the Office of Inspector General (OIG) concerning
                HUD’s needs to improve efforts to require participating jurisdictions to cancel
                HOME fund balances for open activities20.

                As a response to the two OIG findings, HOME published a new HOME FACTS
                policy (HOME FACTS - Vol. 3 No. 1, June, 2010). The HOME FACTS
                announces and explains the change in HUD’s treatment of HOME activities with
                commitments in the IDIS that are over 12 months old with no funds disbursed.
                Effective January 1, 2011, these activities will be automatically cancelled by
                HUD. Once the activity is cancelled, any funds that were committed to that
                activity will no longer be considered committed HOME funds; however, they will
                be available to the PJ for commitment to other projects. Additionally, HUD will
                be reviewing the Open Activities Report on an annual basis for stalled activities
                and following up on them until resolution.

                However, the HOME FACTS does not address PJs entering completion data into
                IDIS in a timely manner and the annual review for stalled activities has not been
                implemented in a formal policy. Moreover, documentation of a system of
                internal controls, wherein control activities that have been established and
                implemented to ensure compliance with Title 24 CFR 92.502(d)(1) and that
                instances of non-compliance is being communicated to the level of management
                in a timely manner to effect change, does not exist. During the annual monitoring
                process if a grantee is determined to be non-compliant and if a Finding is issued,
                CPD does not maintain documentation or require any follow-up procedures for
                these instances of non-compliance.

                Participating jurisdictions that do not enter completion data in a timely manner are
                in violation of the HOME regulations. Failure to enter project completion data in
                IDIS negatively affects a participating jurisdiction’s score on several HOME
                performance SNAPSHOTS indicators, understating actual accomplishments and
                reducing the participating jurisdiction’s statewide and national overall rankings.

                The widespread failure of participating jurisdictions to enter completion and
                beneficiary data in a timely manner resulted nationally in underreporting of actual
                HOME program accomplishments to Congress and the Office of Management and
                Budget (OMB) and may negatively impact future funding for the program.
                Failure to timely cancel stalled or inactive activities leaves unused funds
                committed to activities and keeps them from being committed to new activities.




20
 OIG audit report entitled ―HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of
HOME Funds (2009-AT-0001, dated September 28, 2009).


                                                    40
Significant Deficiency 5: HUD Needs to Improve Administrative
Control of Funds
HUD needs to improve accounting and administrative controls of funds to ensure funds control
plans are complete, accurate, updated and complied with by the program offices. During our
review, we noted funds control plans were not updated to reflect changes in accounting
procedures, allotment holders, or funds control officers and requirements were not always
followed to support obligations and disbursements of funds. This has been a long standing issue
and has been previously reported in our Management Letter to the Department since fiscal year
2005.

The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 requires that ―internal
accounting and administrative controls of each executive agency shall be established to ensure
(1) obligations and costs are in compliance with applicable law; (2) funds, property, and other
assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (3)
revenues and expenditures applicable to agency operations are properly recorded and accounted
for to permit the preparation of accounts and reliable financial and statistical reports and to
maintain accountability over the assets.‖ HUD’s Handbook 1830.2 set forth the authorities and
responsibilities to administer control of HUD’s funds. The handbook states that Congress has
vested overall responsibility for establishing an effective administrative control of funds process
with the CFO. It provides the internal guidance for the preparation of the funds control plans to
comply with the Provisions of the Anti-deficiency Act and FMFIA as well as the overall process
for reviewing and approving the funds control plans. It also states that the OCFO will conduct
periodic reviews of compliance with funds control plans to assure adequate funds control is
being applied in actual practice.




 Funds Control Plans are not
 Complete and Accurate


               During our review of the Low Rent Program (LRP) unliquidated obligations, we
               noted that the funds control plan for the LRP was not updated to reflect changes
               made in accounting procedures that resulted from LRP’s 1986 legislative changes.
               At that time, Congress changed the financing of the LRP from Direct Loans to
               Grants. The legislation resulted in the forgiveness of all outstanding LRP direct
               loans made to PHAs converting those into grants that were used for the
               constructions of new housing projects. When that occurred, the funds control plan
               should have been revised to reflect the changed accounting processes necessary to
               capture, account and review the financial activity of the program as grants rather
               than loans. PIH did not make any updates to the funds control plan document to
               reflect the changes in the accounting procedures needed for account, review and
               recapture the resulting obligations of grants. Furthermore, the LRP funds control
               plan was approved year after year from 2003 until FY 2009 without the


                                                41
appropriate changes being made. This resulted in an overstatement of $174
million to the unliquidated obligations line item.

During our review, we noted that the LRP (appropriation 4098) had $587 million
in Treasury notes receivables and had $587 in payable balances to the Capital
Fund Program (0304) at the end of September 30, 2009 in the HUDCAPS trial
balance. These Treasury notes were bought with resources from the Capital Fund
program creating the payable amounts in appropriations 4098 and 0304. The
Treasury notes purchases were bought to offset part of the financing cost of the
long term debt accounted for in the Capital Fund Program. Yearly, the CFO
performed adjusting entries to eliminate the LRP receivable and payable balance
to present the correct balance of long term debt in the financial statements. In
March 2010, the CFO took steps to liquidate the intra-HUD receivables/payables
outstanding as well as liquidating the long term debt with Treasury. This
liquidation should have been accomplished when the loan program was converted
to a grant program. HUD needs to have procedures in place for comprehensively
analyzing program proprietary and budgetary financial conditions in connections
with the review of the funds control plans.

HUD’s Handbook 1830.2 Rev-5 relies solely on the program allotment holders
for preparing or updating the funds controls plan. The handbook also places the
responsibility on the program allotment holder for notifying the CFO of changes
made to the plan resulting from legislative changes. The Handbook does not
provide specific elements or requirements that a funds control plan should have to
comply with as well as steps for corroborating that the allotment holder has
considered the latest program legislation.

In addition, we reviewed the obligation and expenditure of the American
Recovery and Reinvestment Act (ARRA) funds to determine whether their
obligation and expenditure met legal and administrative requirements as required
by law. We obtained the funds control plans for the programs that received
ARRA funding to determine the funding amounts, obligation/disbursement time
limits for HUD and the grantees, HUD systems utilized to account for and allow
the authorized disbursement of ARRA funds, provisions for the payment of
administrative costs including appropriation codes, point of obligation
documentation, and payment request and validation procedures. We found that
ARRA funds control plans did not always include details to enable HUD staff to
monitor, properly account for, and process ARRA funding and reimbursement
requests. Specifically, we reviewed fifteen funds control plans, and found that
fourteen funds control plans did not always include information such as funding
codes, funding amounts, and obligation and expenditure time limit details.
Additionally, for the Green Retrofit loan program, we noted that the fund control
plans did not include the processes, procedures, and program code for obligations
and disbursements made to Treasury for interest payments.




                                42
HUD Needs to Comply with Its
Funds Control Plan Requirements

            During our testing of obligations and disbursements, we found that HUD did not
            always follow the procedures and requirements in the fund control plans. We
            reviewed 453 obligations and 526 disbursements to determine whether HUD
            followed the requirements of its funds control plans. Our review showed non-
            compliance with the funds control plans for 32 of the obligations and
            disbursement items sampled. Specifically, we found:

                   HUD and the grantee did not always sign the obligation documents in the
                   order required by the funds control plan;
                   HUD recorded ―date grantee notified‖ as the effective date and point of
                   obligation instead of the date the grantee signed the agreement;
                   Grant agreements were not signed/dated by an entity official;
                   Titles of signing officials were not noted in the grant agreement and the
                   signature of grantee not dated;
                   The obligation date in LOCCS PAS (Program Accounting System) Project
                   report was not the congressional release date as required by funds control
                   plan; and
                   HUD did not always execute the required documentation to obligate the
                   funds, and HAP Renewal Contracts were not always signed by HUD
                   officials.

            Additionally, our review of the Green Retrofit loan program determined that HUD
            did not always follow the procedures and requirements in the fund control plan.
            We noted that HUD did not execute the required documentation per the fund
            control plan authorizing the transfer of the credit subsidy. Additionally, we
            identified 11 disbursed loans which did not have the required credit subsidy
            transferred prior to disbursement of the loan, as required.

HUD Did Not Always Timely
Update Its Funds Control Plans

            We reviewed the funds control plans for 59 funds managed by the Community
            Planning and Development (CPD) and found that its funds control plans were not
            always updated timely. Specifically when there was a change in allotment
            holders or funds control officers for a program within the CPD, the names the
            responsible parties were not always updated and allotment holder certification
            signed.

            During our first and second phase testing covering the period from October 1,
            2009 to July 31, 2010 in support of the fiscal year 2010 nationwide statistical
            sample segment testing, the audit procedures within that segment call for the


                                            43
          review of funds control plans. We reviewed 35 Funds Control Plans (30
          associated with Financial Accounting Center (FAC), and 5 associated with
          Financial Management Center (FMC)) to determine whether HUD updated its
          funds control plans in a timely manner. We found that for 11 CPD programs,
          CPD did not update its funds control plans to show the new funds control officer
          and did not require the new funds control officer to sign the certification attached
          to the funds control plans.

Certain HUD’s Programs are
Operating without Funds
Control Plans

          Our review of 12 funds control plans for appropriation 0303 and 0319 has
          identified 16 program codes that are not included in a funds control plan. We
          have determined that these program codes are related to programs under at least
          three HUD offices, including the Offices of Housing, CPD, and Policy,
          Development, and Research (PD&R). The age of the obligations under these
          program codes combined with the lack of a funds control plan has made it
          difficult to positively identify the responsible program offices and divisions.

          Although it is the responsibility of the program office to timely notify and update
          the funds control plans for their program office, the overall responsibility for
          establishing an effective administrative control of funds process is vested in the
          CFO. This responsibility includes ensuring that program offices adhere to the
          policies effective over the administrative control of funds and the respective funds
          control plans.




                                           44
Significant Deficiency 6: Controls over HUD’s Computing
Environment Can Be Further Strengthened
HUD’s computing environment, data centers, networks, and servers provide critical support to
all facets of the Department’s programs, mortgage insurance, financial management, and
administrative operations. In prior years, we reported on various weaknesses with general system
controls and controls over certain applications, as well as weak security management. These
deficiencies increase risks associated with safeguarding funds, property, and assets from waste,
loss, unauthorized use, or misappropriation.

We evaluated selected information systems general controls of the Department’s computer
systems on which HUD’s financial systems reside. We also followed up on the status of
previously reported application control weaknesses. Our review found information systems
control weaknesses that could negatively affect HUD’s ability to accomplish its assigned
mission, protect its data and information technology assets, fulfill its legal responsibilities, and
maintain its day-to-day functions. Presented below is a summary of the control weaknesses
found during the review.



 Security Management Program


       HUD has continued its progress in implementing a comprehensive, entity-wide
       information system security program. Specifically, HUD’s Office of the Chief
       Information Officer (OCIO) has successfully certified and accredited its major
       application and general support systems, responded to and resolved reported computer
       incidents within a timely manner, conducted contingency plan testing, and tracked,
       prioritized and remediated weaknesses identified in the plan of actions and milestones
       (POA&M) reports.

       However, several matters require management’s attention. Specifically, HUD did not:
       (1) conduct vulnerability scans of its network in accordance with NIST guidance; (2)
       require those with significant information system responsibilities complete applicable
       training courses, although a specialized security training curriculum had been developed;
       (3) ensure that remote access procedures were in compliance with regulations; (4) ensure
       that it could identify all users who access HUD systems; (5) fully develop and implement
       a continuous monitoring program; and (6) ensure that interconnectivity service
       agreements and memorandums of understanding were in place for interfaces between
       contractor systems and those that it owns and operates.




                                                  45
     HUD’s Network Devices Have
     Security Weaknesses


                 We audited security controls over HUD’s network devices21 to determine whether
                 the security configurations implemented on the devices provided adequate controls
                 to prevent abuse or unauthorized access to HUD’s information resources. We
                 evaluated security measures that protect HUD information by scanning identified
                 network devices and identifying vulnerabilities and suspect configurations that place
                 sensitive information at risk.

                 Security configurations implemented on HUD’s network devices were weak.
                 Specifically, HUD did not (1) maintain a complete inventory of network devices, (2)
                 implement strong security configurations on network devices, and (3) implement
                 security configurations that sufficiently protected network paths. If HUD cannot
                 comprehensively identify devices within its network, it cannot determine when there
                 is unauthorized access to its network. An attacker could potentially exploit the weak
                 security configurations to obtain information on the network and gain access to
                 HUD’s systems and sensitive information. Failure to securely configure network
                 devices and analyze information flow within a network increases the chances of
                 sensitive information disclosure occurring without detection.


     Preventive Maintenance for the
     IBM Mainframe Operating
     System and Database Software
     was Not Performed


                 HUD’s information technology (IT) support contractor did not perform preventive
                 maintenance on the IBM mainframe system software22 to keep products up to date
                 and available for support and enhancements. Software patches were not always
                 installed, and software versions were not always upgraded to the minimum level that
                 is supported by IBM.

                 At least one issue was identified due to software patches not being applied as part of
                 preventive maintenance. Specifically, a HUD system owner requested installation
                 of the software to allow connectivity to databases on a HUD mainframe from
                 applications based on other platforms. The request was approved, but the
                 installation was delayed because software patches had not been installed up to the
                 minimum supported level.


21
   Audit report number 2010-DP-0004, ―Security Weaknesses on HUD’s Network Devices,‖ issued September 30,
2010
22
   Audit report number 2011-DP-0001, ―HUD Did Not Properly Manage HITS Contracts and Contractors To Fully
Comply With Contract Requirements and Acquisition Regulations,‖ issued October 6, 2010


                                                    46
                 In addition to the database software, we found two other system software products
                 that had reached or were close to reaching their end of support life. Software,
                 used to support the online transaction processing on the mainframe, was upgraded
                 in June 2010, but had reached its end of support life in September 2009. Also, the
                 mainframe operating system was upgraded in July 2010 or one month prior to the
                 software reaching its end of support life in September 2010.

                 Preventive maintenance is not generated and distributed for products that have
                 reached end of support life; therefore, preventive maintenance cannot be performed
                 to mitigate future potential problems as recommended by industry standards best
                 practices. The use of system software, which was not maintained at the
                 recommended level of service, could result in system outages, delays in service, and
                 the inability to implement changes required by new initiatives and/or legislation.


     IBM Mainframe Libraries and
     Program Properties Table
     Were Not Properly Managed


                 HUD’s IBM Mainframe libraries and program properties table were not
                 adequately controlled. We reviewed the IBM mainframe authorized libraries and
                 identified weaknesses that left HUD’s IBM mainframe vulnerable to unauthorized
                 access. Three libraries were not under HUD security software23 resource security
                 protection24. The resource level of protection is the most secure level of
                 protection because it prevents programmers from linking into protected programs
                 and files. Additionally, the mainframe library list included the names of libraries
                 that do not exist, increasing the risk that unauthorized programs could be inserted
                 and executed in the mainframe environment. This type of weakness could
                 seriously diminish the reliability of information produced by all of the
                 applications supported by the computer system and increase the risk of fraud and
                 sabotage.

                 The program properties table 25 is a list of programs that have been granted special
                 properties and privileges above those that are normally permitted by the operating
                 system. We reviewed the HUD’s mainframe program property table and
                 identified program modules that were not being used by any legitimate program
                 on the system. This creates vulnerability, in that, unscrupulous individuals could
                 create malicious code under the name of an unused program module and
                 circumvent security controls to read, modify, or delete critical or sensitive
                 information and programs. If unused program modules remain active in the
                 program property table, malicious code could be inserted and executed in HUD’s
                 mainframe environment.
23
   CA-Top Secret is the software used on the IBM mainframe to secure resources from unauthorized exposure.
24
   Resource security protection prevents unauthorized updates to programs within the libraries.
25
   The program properties table contains entries for special attributes of programs.


                                                      47
     Security Controls Over HUD's
     Web Applications Need
     Improvement

                During FY 2009, we audited security controls over HUD's Web applications and
                identified weaknesses in the areas of security configurations and technical
                controls. For instance, HUD did not ensure that access controls followed the
                principle of least privilege for Web application configurations. Weak Web
                application security configurations disclose potentially sensitive information that
                may enable a malicious user to devise exploits of the application and the
                resources it accesses. This weakness could also potentially expose sensitive or
                confidential information as well as useful information that may enable a malicious
                user to devise effective and efficient exploits of the application and the resources
                it accesses.

                Additionally, HUD did not adequately implement controls to ensure
                confidentiality and privacy for Web applications. These weaknesses were not
                exploitable vulnerabilities, but they were a violation of security policy because the
                configurations potentially allowed access to data that are required to be
                confidential by law. Further, HUD did not adequately review Web applications
                for vulnerabilities and patch them. Exploiting vulnerabilities can breach
                confidentiality requirements to reveal sensitive information.

                We followed up on the status of these weaknesses during fiscal year 2010 and
                determined that corrective actions have not yet been implemented for these
                weaknesses. HUD plans to complete corrective actions for these weaknesses
                between October 31, 2010 and September 30, 2011.

     Disaster Recovery Grant
     Reporting System


                In FY 2009, we reported on selected controls within the Disaster Recovery Grant
                Reporting System (DRGR)26 related to the Neighborhood Stabilization Program
                (NSP) funding. We found that (1) access control policies and procedures for
                DRGR violate HUD policy, (2) the system authorization to operate is outdated
                and based upon inaccurate and untested documentation, (3) the Office of
                Community Planning and Development (CPD) did not adequately separate the
                DRGR system and security administration functions, and (4) CPD has not
                sufficiently tested interface transactions between DRGR and the Line of Credit
                Control System (LOCCS). As a result, CPD cannot ensure that only authorized
                users have access to the application, user access is limited to only the data that is

26
  Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting
System, issued September 30, 2009.



                                                     48
                   necessary for them to complete their jobs, and users who no longer require access
                   to the data in the system have had their access removed. Further, the failure to
                   sufficiently test interface transactions between DRGR and LOCCS leaves the
                   department with limited assurance that the $5.9 billion in NSP funding are
                   accurately processed.

                   HUD has made progress toward resolving the issues identified last year. Policies
                   and procedures were established for requesting access to DRGR, the duties of
                   security administration and system administration for the DRGR application were
                   separated, and steps were taken to fund the use of the CPD contractor to perform
                   the help desk function for the DRGR application. However, significant
                   weaknesses remain unresolved. HUD still needs to take action to address the
                   weaknesses identified with system access controls, system documentation, and
                   inadequate separation of duties and insufficient testing of controls with LOCCS.


     HUD Procurement System

                   We audited HUD's procurement systems in fiscal year 200627. Through actions
                   taken during fiscal years 2007, 2008, and 2009, the Office of the Chief
                   Procurement Officer (OCPO) has made progress toward resolving the issues
                   identified during the audit. However, two significant recommendations made in
                   the audit report remain open, and the procurement systems continue to be
                   noncompliant with Federal financial management requirements. In addition, the
                   OCPO has not yet implemented functionality to ensure that there is sufficient
                   information within HUD’s current procurement systems to support the primary
                   acquisition functions of fund certification, obligation, de-obligation, payment, and
                   closeout. The OCPO plans to replace the current acquisition systems and during
                   fiscal year 2009 obtained $3.7 million in funding to purchase a commercial off the
                   shelf application. The selection and acquisition of the new application, PRISM,
                   was completed on September 30, 2010.


Security Controls Over HUD's
Databases


                   During fiscal year 2008, we evaluated security controls over HUD’s databases28.
                   We identified security configuration and technical control deficiencies within
                   HUD’s database security controls in the areas of (1) passwords, (2) system
                   patches, and (3) system configuration. We followed up on the status of these

27
     Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems, issued January 25, 2007.
28
  Audit Report No. 2008-DP-0007, Evaluation of HUD 's Security Controls over Databases, issued September 11,
2008


                                                       49
           weaknesses during fiscal year 2010 and determined that technical control
           deficiencies relating to database passwords and database patches have been
           reviewed and corrected as the Office of the Chief Information Officer (OCIO)
           deemed appropriate. OCIO has not yet implemented secure configuration
           baselines for databases and the reviews for monitoring those configurations. This
           corrective action is not scheduled to be completed until December 31, 2010.


 LOCCS


           During our fiscal year 2007 audit, we found that the controls over the LOCCS
           user recertification process were not effective to verify the access of all users.
           Systemic deficiencies led to the omission of more than 10,000 users from the
           LOCCS recertification process. An additional 199 users had last recertification
           dates within the application prior to March 31, 2006, indicating that they also
           were not included in the fiscal year 2007 recertification process. During fiscal
           year 2008, the OCFO made improvements to this process by generating a report
           from the system that allowed them to identify users that only have approving
           authority within the application for the user recertification process. During fiscal
           year 2009, the OCFO made additional adjustments to the report. Our review of
           the data from both 2008 and 2009 again identified LOCCS users that were not
           recertified by the system. As a result, we concluded that further improvements
           are necessary to ensure that all users of LOCCS are recertified in accordance with
           HUD policy and that the corrective action taken in response to our 2007 finding
           did not fully address the problem.

           Our review of LOCCS user recertification data as of November 2009 identified 19
           users whose access was not recertified as required by HUD policy. None of these
           users were HUD employees, and all of them had data entry access to LOCCS.
           The condition described above existed because OCFO did not ensure that all
           LOCCS users were included in the recertification process. By not ensuring that
           the access for all LOCCS users was reviewed, HUD was unable to ensure that (1)
           users only had access to the data within the core financial systems that were
           necessary for them to complete their jobs, (2) only authorized users had access to
           the system, and (3) users who no longer required access to the data in the system
           had their access removed. The recommendation regarding this issue remains
           open.


Contingency Planning and
Physical Security

           In fiscal year 2009, we found that the disaster recovery plan contained conflicting
           information and that the disaster recovery exercises did not fully test system
           functionality because critical applications were not verified through transaction



                                            50
and batch processing and the exercises did not include recovery of all applications
that interface with the critical systems. By not having current information in the
disaster recovery plan and fully testing system functionality during disaster
recovery exercises, HUD cannot ensure that its systems and applications will
function as intended in an actual emergency.

We also determined that sensitive data stored on backup tapes, transported and
stored offsite, were not adequately protected. HUD’s information technology
support contractor is required to create backup tapes of HUD’s mission-critical
data and store the backup tapes at an offsite storage facility. These backup tapes
are created for use in contingency operations and disaster recovery events and
exercises. However, during the 2009 disaster recovery exercises, we observed
that backup tapes from the offsite storage facility were not in encrypted form. We
followed up on the status of these weaknesses during our fiscal year 2010 review
and determined that corrective actions have not yet been completed.

During our FY 2010 review, we evaluated contingency planning for core
telecommunications functions provided by one of HUD’s IT support contractors.
We found that the backup network control center (NCC) was not tested in a
disaster recovery scenario to ensure the equipment would be able to support the
contractor’s full network monitoring requirements in the event of a disaster that
renders the primary NCC unavailable. The NCC provides oversight and control
of HUD’s wide-area network (WAN) resources. By not testing the backup NCC,
HUD could not be assured that the NCC backup equipment would support the full
network monitoring requirements during an actual disaster recovery event where
the primary NCC is no longer available. Consequently, there is a high risk of poor
performance or failure of key business application processing and interruptions to
the business.




                                51
Significant Deficiency 7: Weak Personnel Security Practices
Continue to Pose Risks of Unauthorized Access to the Department’s
Critical Financial Systems
For several years, we have reported that HUD’s personnel security practices over access to its
systems and applications were inadequate. Deficiencies in HUD’s IT personnel security
program were found and recommendations were made to correct the problems. However, the
risk of unauthorized access to HUD’s financial systems remains a critical issue as the underlying
conditions have not been fully resolved. We followed up on previously reported IT personnel
security weaknesses and deficiencies and found that deficiencies still exist.




     HUD Does Not Have a Central
     Repository Listing of All Users
     with Access to HUD’s General
     Support and Application
     Systems


                   Since 2004, we have reported that HUD did not have a complete list of all users with
                   above-read access at the application level. Those users with above-read access to
                   sensitive application systems are required to have a background investigation. Our
                   review this year found that HUD still did not have a central repository that lists all
                   users with access to HUD's general support and application systems. Consequently,
                   in fiscal year 2010, HUD still had no central listing for reconciling that all users who
                   have access to HUD's critical and sensitive systems have had the appropriate
                   background investigation.

                   While HUD's implementation in 2007 of the Centralized HUD Account
                   Management Process (CHAMP) was a step toward improving its user account
                   management practices, CHAMP remains incomplete and does not fully address
                   OIG's concerns. Specifically, we noted that:

                           CHAMP does not contain complete and accurate data. OCIO did not
                           electronically migrate data from the HUD Online User Registration System
                           into CHAMP. Instead, it chose to enter the legacy data manually. However,
                           this process had not been completed. In a January 2009 audit report29, we
                           recommended that all offices within HUD provide the historical information
                           necessary to populate CHAMP. OCIO agreed with our recommendation,
                           and corrective action was scheduled for completion in December 2009. We
                           followed up on open recommendations and found that as of September 30,
                           2010, OCIO only completed entering user access data for 178 systems into
29
     Audit report #2009-DP-0003―Review of the Centralized HUD Account Management Process’ dated Jan 9, 2009.


                                                      52
                          CHAMP (out of the total number of 235 systems, which is approximately 76
                          percent). In addition, because input of CHAMP user data has not been
                          completed, HUD has not requested system owners to verify user access
                          authorization with CHAMP on a semi-annual basis and provide feedback to
                          OCIO as recommended. OCIO plans to complete the CHAMP user access
                          authorization verification process by December 31, 2010.

                          HUD did not conduct a security categorization and a risk assessment for
                          CHAMP as required by Federal Information Processing Standards
                          Publications 199 and 200. HUD's OCIO chose not to conduct a security
                          categorization and risk assessment for CHAMP because it believed that these
                          items were not required for CHAMP, which HUD considered to be a process
                          rather than a system. HUD also believed that since CHAMP was exclusively
                          owned by its IT contractor, it was not subject to the requirements of a
                          security categorization and a risk assessment. Without a security
                          categorization and risk assessment of CHAMP, HUD cannot know the full
                          extent of risks that the CHAMP process is vulnerable to or whether adequate
                          levels of security controls have been put into place to protect data and
                          applications impacted by CHAMP. In the January 2009 audit report, OIG
                          recommended that OCIO conduct a security categorization and a risk
                          assessment for CHAMP. OCIO agreed with this recommendation and
                          originally expected to complete the security categorization and risk
                          assessment of CHAMP by August 31, 2009 but did not meet this date.

     Reconciliations to Identify
     Sensitive System Users Without
     Appropriate Background
     Investigations Remains a Concern

                 In prior audits, we found that the reconciliations to identify users with above-read
                 access to HUD sensitive systems but without appropriate background checks were
                 not routinely conducted. Granting people access to HUD’s information and
                 resources without appropriate background investigations increases the risk that
                 unsuitable individuals could gain access to sensitive information and
                 inappropriately use, modify, or delete it. HUD’s Personnel Security Division30 is
                 required to reconcile listings of users with above-read access to HUD’s sensitive
                 systems to the database containing background investigation information to
                 ensure that each user has had the appropriate background investigation. In our
                 May 2010 audit report31, we recommended that the Office of the Chief Human
                 Capital Officer (OCHCO) develop and implement a plan to routinely perform the
                 quarterly reconciliation of users with above-read access to sensitive systems and

30
   The Personnel Security Division, within the Office of the Chief Human Capital Officer, has taken over the
responsibilities of the former Office of Security and Emergency Planning (OSEP).
31
   Audit report number 2010-DP-0002 ―Audit Report on the Fiscal Year 2009 Review of Information Systems
Controls in Support of the Financial Statements Audit,‖ dated May 14, 2010.


                                                       53
                 general support systems to identify those without appropriate background
                 investigations. We noted that OCHCO did perform the reconciliation of one
                 sensitive system for the period ending June 30, 2010 and identified 30 (out of 46)
                 users that did not have the appropriate background investigation level32. After
                 completing the reconciliation, OCHCO stated that the reconciliation results were
                 provided to OCIO for resolution.

                 We have reported since 2006 that the list of sensitive systems to be included in
                 the reconciliation was incomplete. In response to a recommendation in our fiscal
                 year 2008 audit report33, OCIO planned to update the sensitive system list by
                 April 30, 2010. For this year’s review, we found that OCIO listed two sensitive
                 systems but the Personnel Security Division received user information from only
                 one system for reconciliation.

                 In fiscal year 2007, we reported that the general support systems on which HUD’s
                 mission-critical and sensitive applications reside were not included in the
                 reconciliations because they were not classified as mission critical34. Granting
                 people access to general support systems without appropriate background
                 investigations increases the risk that unsuitable individuals could gain access to
                 sensitive information and inappropriately use, modify, or delete it. We
                 recommended that OSEP update its policies and procedures to include users of
                 HUD’s general support systems in the user access reconciliation process. OSEP
                 updated the personnel security and suitability handbook in September 2009 but
                 did not include language requiring general support systems to be included in the
                 reconciliation process. Having access to general support systems typically
                 includes access to system tools, which provide the means to modify data and
                 network configurations. We previously identified IT personnel, such as database
                 administrators and network engineers, who had access to these types of system
                 tools but did not have appropriate background checks. These persons were not
                 identified as part of the reconciliation process.




32
   Types of background investigations at HUD are: National Agency Check and Inquiries (NACI - for non sensitive
designation), Minimum Background Investigation (MBI) or Limited Background Investigation (LBI - for moderate
risk designation), and Background Investigation (BI - for high risk designation)
33
   Audit report number 2009-DP-0004 ―Fiscal Year 2008 Review of Information Systems Controls in Support of the
Financial Statements Audit‖, dated May 29, 2009
34
   Audit report number 2008-DP-0003, ―Fiscal Year 2007 Review of Information Systems Controls in Support of the
Financial Statements Audit,‖ date March 4, 2008


                                                      54
                    Compliance with Laws and Regulations

In fiscal year 2010 we found several instances where HUD did not ensure transactions were
executed in accordance with laws governing the use of budget authority and with other laws and
regulations that could have a direct and material effect on the financial statements and any other
laws, regulations, and governmentwide policies identified in OMB audit guidance.


HUD Did Not Substantially Comply With the Federal Financial Management
Improvement Act
FFMIA requires auditors to report whether the agency’s financial management systems
substantially comply with the Federal financial management systems requirements and
applicable accounting standards and support the U.S. Standard General Ledger (SGL) at the
transaction level. We found that HUD was not in substantial compliance with FFMIA because
CPD’s IDIS grant information system was not in compliance with Federal GAAP, FFMIA, and
its internal controls over financial reporting as well as HUD’s financial management systems non
compliance with Federal financial management system requirements.

During fiscal year 2010, we found that CPD’s IDIS was determined to be non compliant FFMIA
due to deficiencies in internal controls over financial reporting, and its ability to process
transactions that would Federal GAAP. These deficiencies are described in detail in Significant
Deficiency 1: HUD Financial Management Systems Do Not Comply With the Federal Financial
Management Improvement Act of 1996 (FFMIA)

HUD on an entity wide basis made limited progress as it attempted to address its financial
management deficiencies to bring the agency’s financial management systems into compliance
with FFMIA. Deficiencies remained as HUD’s financial management systems continued to not
meet current requirements and were not operated in an integrated fashion and linked
electronically to efficiently and effectively provide agency-wide financial system support
necessary to carry out the agency’s mission and support the agency’s financial management
needs.

HUD is not in full compliance with OMB Circular A-127. The Circular requires each agency to
perform reviews of its financial management systems. Since FY 2007, HUD completed 8 of the
54 required financial management system reviews. Only one of the eight reviews was completed
during FY 2010. HUD is required to maintain an accurate inventory of their financial
management systems. We determined that HUD has not accurately classified the Financial
DataMart (FDM) and the Personnel Services Cost Reporting Subsystem (PSCRS) within their
inventory listing. HUD is required to maintain financial management system plans for each of
their financial management applications. We determined that HUD’s financial management
systems plan document for FY 2010 does not meet the requirements specified in the circular.




                                                55
Federal Financial Management
System Requirements


           In its Fiscal Year 2010 Agency Financial Report, HUD reported that 3 of its 42
           financial management systems did not comply with the requirements of FFMIA
           and OMB Circular A-127, Financial Management Systems. Although 39
           individual systems had been certified as compliant with Federal financial
           management systems requirements, HUD had not adequately performed reviews
           of these systems as required by OMB Circular A-127. Collectively and in the
           aggregate, deficiencies continued to exist.

           We continue to report as a significant deficiency that HUD financial management
           systems need to comply with Federal financial management systems requirements.
           The significant deficiency addresses how HUD’s financial management systems
           remain substantially noncompliant with Federal financial management
           requirements.

           FHA’s auditor reports as significant deficiencies that effective FHA
           modernization is necessary to address systems risks. The significant deficiency
           addresses the challenge in FHA’s capacity to address various system
           modernization initiatives and control deficiencies affecting the reliability and
           completeness of FHA’s financial information.

           We also continue to report as significant deficiencies that (1) controls over
           HUD’s computing environment can be further strengthened and (2) weak
           personnel security practices continue to pose risks of unauthorized access to the
           Department’s critical financial systems. These significant deficiencies discuss
           how weaknesses with general controls and certain application controls and weak
           security management increase risks associated with safeguarding funds, property,
           and assets from waste, loss, unauthorized use, or misappropriation.

           In addition, OIG audit reports have disclosed that security of financial information
           was not provided in accordance with OMB Circular A-130, Management of
           Federal Information Resources, appendix III, and FISMA.

           We have included the specific nature of noncompliance issues, responsible
           program offices, and recommended remedial actions in appendix C of this report.




                                            56
HUD Did Not Substantially Comply with the Anti-Deficiency Act

HUD Has Not Made Progress In
Reporting ADA Violations As
Required

            Our fiscal year 2010 audit found that HUD had not improve its process for
            conducting, completing, reporting, and closing the investigation of potential
            31U.S.C. 1351.1517(b) Anti-Deficiency Act (ADA) violations. Our review
            found that none of the six cases identified as a potential deficiency in fiscal year
            2009 were reported to the President through OMB, Congress or GAO as required
            or determined not to be a violation. Of the six cases, for three of the six case files
            a determination of an ADA violation had occurred and a draft letter to the
            President and OMB was prepared but was not issued. In one of the six case tiles,
            the final report is still in draft and not submitted. For the two remaining case
            files, the individual listed as the approving authority for final report submission is
            no longer employed with the Department. Consequently, we did not find
            substantial improvement in HUD’s conducting, completing, reporting, or closing
            potential ADA violation investigations.

            OCFO is responsible for conducting investigations, and reporting on violations of
            the ADA. HUD’s continued delay in completing ADA investigations and
            reporting known violations results in ADA violators avoiding timely reprimands
            or punishments and prevents timely correction of violations.

HUD Entered Into an Interagency
Agreement that Potentially
Violated the Anti-Deficiency Act

            Our audit found that HUD potentially violated the Anti-Deficiency Act when
            HUD officials committed the Department to a financial obligation through an
            Interagency Agreement with the United States Bureau of the Census (Census)
            without fully funding the contracted obligation at the time the agreement was
            executed. HUD entered into the Interagency Agreement on September 30, 2009
            for housing surveys with a performance period covering September 30, 2009 to
            September 29, 2010 while only partially funding the contracted obligation created
            by the contract. HUD obligated only $453,000 at the time of the contract
            execution (September 30, 2009) and did not obligate the remaining $2,761,000
            until March 18, 2010. Additionally, the contract did not stipulate that the
            Department’s obligation under the contract was contingent upon the availability
            of appropriated funds as required by FAR 32.703-2 and 52.232-18.
            As a result, the Census was providing services without a fully funded contract
            which may not have had sufficient funds available to fulfill the entire contracted


                                              57
             obligation. Further, HUD financial systems and statements did not reflect the
             total resources needed to cover commitments resulting from this interagency
             agreement.


HUD Did Not Comply with Laws and Regulations Governing Claims of the
United States Government

Inadequate Efforts to Collect on
Delinquent Section 202 Loans

             Title 31 of the Code of Federal Regulations, Section 901, Standards for the
             Administration of Claims, holds the Department responsible for aggressively
             collecting all debts arising out of activities performed by the agency. These
             activities include notifying debtors of a delinquency and performing timely
             follow-up activities. Our review of the Section 202 loan portfolio determined that
             these activities were not being substantially and promptly performed as required
             by HUD Handbook 1900.25 REV-3 and 31 CFR 901. Eight of 14 delinquent
             loans (57 percent) reviewed indicated that follow-up and collection activities to
             cure the delinquency had not occurred prior to our review. These eight loans had
             delinquent payments that had aged between 117 days and 6 years.

             The Office of Housing is responsible for performing the notification and follow-
             up activities for projects with Section 202 loans. Our review concluded that the
             Office of Housing inadequately monitored delinquent Section 202 loans and did
             not aggressively attempt to cure the delinquency. Proper action was not taken
             when information identifying delinquent loans became available and policies and
             procedures for collecting delinquent debts set forth in HUD Handbook 1900.25
             REV-3 were not followed. Additionally, guidance drafted by the Office of
             Housing at the beginning of the fiscal year addressing collection procedures for
             delinquent loans was not formally issued as of September 30, 2010.

             Inadequate efforts to collect on delinquent loan balances resulted in a higher risk
             of HUD's assets becoming uncollectable. If insufficient follow-up continues, over
             time, more loans in the Section 202 loan portfolio may fall into delinquent status
             and be at a higher risk of becoming uncollectable. The anticipated collections
             from these delinquent loans could become unrealized, consequently, decreasing
             the total budgetary resources available for the program.

Non-reporting of Delinquent Loan
Information to Third Parties

             The Office of the Chief Financial Officer (OCFO) utilized a Commercial off the
             Shelf (COTS) application, entitled the Nortridge Loan System (NLS), to account for
             the Department’s direct loans, which included Section 202 (Housing for the


                                             58
                      Elderly), Section 201 (Flexible Subsidy), and Green Retrofit Program direct loans.
                      The functionality to report delinquent direct loans to third party entities, such as
                      credit bureaus and CAIVRS (Credit Alert Verification Reporting System)35, was not
                      activated by HUD and the Department did not report this information through
                      supplementary means. Therefore, the delinquent status of debt due to the
                      Department was not reported to credit bureaus as required by 31 U.S.C 3711. As a
                      result, the delinquent status of this debt was not available to other Federal Credit
                      agencies.

                      Consequently, other agencies did not have all delinquent information available to
                      perform prescreening procedures as required by 31 U.S.C 3711 and OMB. HUD's
                      failure to report its delinquent debtors might have resulted in other agencies
                      improperly qualifying these debtors for a federal loan, when they were actually
                      ineligible.   This prevents other agencies from effectively protecting the
                      Government’s assets and curtailing the losses in relation to government benefits
                      provided.




35
   CAIVRS is a Federal government database of delinquent Federal debtors that allows federal agencies to reduce the risk to federal loan and
loan guarantee programs. CAIVRS allows authorized employees of participating Federal agencies to access a database of delinquent Federal
borrowers for the purpose of pre-screening direct loan applicants for credit worthiness, and permits approved private lenders acting on the
Government’s behalf to access the delinquent borrower database for the purpose of pre-screening the credit worthiness of applicants for Federally
guaranteed loans.



                                                                      59
                                      APPENDIXES

Appendix A

                       Objectives, Scope, and Methodology

Management is responsible for

*      Preparing the financial statements in conformity with accounting principles generally
       accepted in the United States of America;
*      Establishing, maintaining, and evaluating internal controls and systems to provide
       reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity
       Act are met; and
*      Complying with applicable laws and regulations.

In auditing HUD’s principal financial statements, we were required by Government Auditing
Standards to obtain reasonable assurance about whether HUD’s principal financial statements are
presented fairly in accordance with generally accepted accounting principles, in all material
respects. We believe that our audit provides a reasonable basis for our opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls
over financial reporting by obtaining an understanding of the design of HUD’s internal controls,
determined whether these internal controls had been placed into operation, assessed control risk,
and performed tests of controls to determine our auditing procedures for the purpose of
expressing our opinion on the principal financial statements. We are not providing assurance on
the internal control over financial reporting. Consequently, we do not provide an opinion on
internal controls. We also tested compliance with selected provisions of applicable laws,
regulations, and government policies that may materially affect the consolidated principal
financial statements. Providing an opinion on compliance with selected provisions of laws,
regulations, and government policies was not an objective, and, accordingly, we do not express
such an opinion.

We considered HUD’s internal control over required supplementary stewardship information
reported in HUD’s Fiscal Year 2010 Agency Financial Report by obtaining an understanding of
the design of HUD’s internal controls, determined whether these internal controls had been
placed into operation, assessed control risk, and performed limited testing procedures as required
by AU Section 558, Required Supplementary Information. The tests performed were not to
provide assurance on these internal controls, and, accordingly, we do not provide assurance on
such controls.

With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2010 Agency Financial Report,
we obtained an understanding of the design of significant internal controls relating to the
existence and completeness assertions as described in Section 230.5 of OMB Circular A-11,
Preparation, Submission and Execution of the Budget. We performed limited testing procedures


                                               60
as required by AU Section 558, Required Supplementary Information, and OMB Bulletin 07-04,
Audit Requirements for Federal Financial Statements, as amended. Our procedures were not
designed to provide assurance on internal control over reported performance measures, and,
accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we

*      Examined, on a test basis, evidence supporting the amounts and disclosures in the
       consolidated principal financial statements;
*      Assessed the accounting principles used and the significant estimates made by
       management;
*      Evaluated the overall presentation of the consolidated principal financial statements;
*      Obtained an understanding of internal controls over financial reporting (including
       safeguarding assets), and compliance with laws and regulations (including execution of
       transactions in accordance with budget authority);;
*      Tested and evaluated the design and operating effectiveness of relevant internal controls
       over significant cycles, classes of transactions, and account balances;
*      Tested HUD’s compliance with certain provisions of laws and regulations; government-
       wide policies, noncompliance with which could have a direct and material effect on the
       determination of financial statement amounts; and certain other laws and regulations
       specified in OMB Bulletin 07-04, as amended, including the requirements referred to in
       the Federal Managers’ Financial Integrity Act;
*      Considered compliance with the process required by the Federal Managers’ Financial
       Integrity Act for evaluating and reporting on internal control and accounting systems; and
*      Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by
the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those
controls that are material in relation to HUD’s financial statements. Because of inherent
limitations in any internal control structure, misstatements may nevertheless occur and not be
detected. We also caution that projection of any evaluation of the structure to future periods is
subject to the risk that controls may become inadequate because of changes in conditions or that
the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04, as amended.

Under standards issued by the American Institute of Certified Public Accountants, a significant
deficiency is a deficiency or a combination of deficiencies, in internal control such that is less
severe than a material weakness, yet important enough to merit attention by those charged with
governance.




                                                 61
A material weakness is a deficiency, or combination of deficiencies, in internal controls, such
that there is a reasonable possibility that a material misstatement of the financial statements will
not be prevented, or detected and corrected on a timely basis.

Our work was performed in accordance with generally accepted government auditing standards
and OMB Bulletin 07-04, as amended.

This report is intended solely for the use of HUD management, OMB, and the Congress.
However, this report is a matter of public record, and its distribution is not limited.




                                                 62
Appendix B

                                   Recommendations

To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System (ARCATS), this appendix lists the newly developed recommendations resulting from our
report on HUD’S fiscal year 2010 financial statements. Also listed are recommendations from
prior years’ reports that have not been fully implemented. This appendix does not include
recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under
separate financial statement audit reports of that entity.

                    Recommendations From the Current Report
With respect to the significant deficiency that HUD's Financial Management Systems Need to
Comply with Federal Financial Management System Requirements, we recommend CPD:

     1.a. Cease the changes being made to IDIS for the HOME program related to the FIFO
          rules until the cumulative effect of using FIFO can be quantified on the financial
          statements.

     1.b. Change IDIS so that the budget fiscal year source is identified and attached to each
          activity from the point of obligation to disbursement.

     1.c. Cease the use of FIFO to allocate funds (fund activities) within IDIS and disburse
          grant payments. Match outlays for activity disbursements to the obligation and
          budget fiscal source year in which the obligation was incurred, and in addition, match
          the allocation of funds (activity funding) to the budget fiscal year source of the
          obligation.

     1.d. Include as part of the annual CAPER, a reconciliation of HUD’s grant management
          system, IDIS, to grantee financial accounting records on an individual annual grant
          basis, not cumulatively, for each annual grant awarded to the grantee.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with the appropriate program
offices:

     2.a. Deobligate the $3.2 million in administrative and program unliquidated obligations
          that were marked for deobligation.

     2.b. Promptly perform contract closeout reviews and recapture of invalid obligations.

     2.c. Review the 510 obligations which were not distributed to the program offices during
          the open obligations review and deobligate amounts tied to closed or inactive



                                               63
           projects, including the $27.5 million we identified during our review as expired or
           inactive.

     2.d. Perform a review to determine whether any additional obligations that are currently
          excluded from the open obligations review should be included, to ensure that all of
          HUD’s obligations are being subjected to review procedures.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CPD,

     2.e. Investigate through reviewing each individual obligating document and contacting the
          grantee, the $1.62 billion in obligations, which were originally obligated in 2005 and
          prior, to obtain the intended use for open obligation amount (commitments, etc). For
          those which do not have a specific intended use, recapture the open obligation
          amount. Where applicable for non-fixed year funds, include the de-obligated
          amounts in next year’s formula allocation.

     2.f. For grantees which do not comply with program regulations, de-obligate the funds
          related to the non-compliance from the older applicable grant award and not the
          current available for obligation awards.

     2.g. In coordination with the CFO, develop and publish written guidance and policies to
          establish a bench mark for Field Directors to use to determine the validity of the open
          obligation. The guidance should include specific procedures for open obligation
          amounts, wherein the obligation was made prior to a specified amount of time, as
          well as disbursement inactivity beyond a specified amount of time.

     2.h. In coordination with the CFO, develop procedures to periodically evaluate HUD’s
          program financial activities and operations to ensure that current accounting policies
          are sufficient and appropriate and to ensure that they are implemented and operating
          by program and accounting staff as intended.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that Housing, in coordination with the CFO:

     2.i. Recapture the $38.5 million from the 936 funding lines for expired annual renewal
          contracts.

     2.j. Revise the Section 8 project-based recapture methodology to include
          reviews/recaptures from expired annual renewal contracts.

     2.k. Implement a long-term financial management strategy and improvement plan to
          address data and system weaknesses to ensure that information for the Office of
          Housing’s obligations is kept up to date and accurate.




                                               64
With respect to the significant deficiency HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with the PIH:

     2.l. Coordinate a review and close-out each of the 434 PIH Low Rent grants in PAS
          subsidiary and determine the status on any other grants included in the OIG audit
          report SF-1997-107-0001 that remain open.

     2.m. After reviewing and closing out these PIH Low Rent 434 grants, determine if there
          are any overpayments that need to be recovered from any Housing Authority grants
          that were overpaid.

     2.n. Recapture the full amount of obligations from these PIH Low Rent 434 grants
          totaling $174 million and return to Treasury the total balance of budgetary resources
          from invalid grants.

     2.o. Coordinate with PIH to update their funds control plans adding procedures to ensure
          that any unexpended obligation portfolios are excluded from the open obligation
          review and for accurately documenting the entire accounting process and
          responsibilities.

     2.p. Develop procedures for ensuring all material general ledger accounts balances are
          reconciled to subsidiary records so that general ledger accounts support amounts
          presented in the financial statement.

     2.q. Develop procedures to periodically evaluate HUD’s program financial activities and
          operations to ensure that current accounting policies are sufficient and appropriate
          and to ensure that are properly carried out by the program and accounting staff.

With respect to the significant deficiency that PIH needs more effectively monitor PHA
accumulation of excess funds we recommend that HUD

     3.a. Execute an offset of $385 million from PHAs that have more than six percent of
          budget authority accumulated in their Net Restricted Assets Account balance.

With respect to the significant deficiency that CPD needs to improve its oversight of grantees,
we recommend CPD:

     4.a. Review the status of each of its Homeless Assistance contracts that makes up the
          $97.8 million OIG identified as excess funding and recapture excess funds for expired
          contracts, which have not been granted extensions.

     4.b. Institute an annual review by Field Offices of the status of expiring Homeless
          Assistance contracts and recapture excess funds prior to the Continuum of Care
          competition, so that all amounts, within the unexpired phase, can be included in the
          NOFA.




                                               65
     4.c. Establish internal control procedures and control activities that include specific
          policies, procedures and mechanisms, including appropriate documentation of
          extensions granted and follow-up efforts with the grantees to obtain the close-out
          documents, to ensure that grants are closed out within the 90-day period after the
          contract expiration or after the extension period, so that remaining balances are
          recaptured on a periodic basis, but at least quarterly.

     4.d. Implement the guidance as instructed in the new HOME FACTS regarding activities
          that are over 12 months old with no funds disbursed, these activities will be
          automatically cancelled by HUD and the funds uncommitted.

     4.e. Establish internal control procedures or internal regulations that require field offices
          to perform follow-up measures for participating jurisdictions (PJs) with slow-moving
          projects on an annual basis, including contacting the PJs and requiring the PJs to
          respond with an action plan for disbursing the unused funds on slow-moving projects.

     4.f. Investigate the progress of the 350 stalled activities with funding dates 2005 and prior
          wherein the percentage of amounts drawn on the activity was 50 percent or less with
          a remaining undrawn amount $27.5M and recapture those amounts in which the
          activity can be cancelled.

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend the OCFO:

     5.a   Enhance the Low Rent funds control plans to Verify that the legislation changes are
           incorporated; ensure that the accounting treatment and policies employed are
           appropriate; and include the OCFO Accounting and Reporting staff in the review the
           classification, disclosure, and presentation of programmatic accounting information.

     5.b Establish and implement procedures to ensure accuracy and completeness of ARRA
         Fund Control Plans.

     5.c   Require changes and new signatures on the pages which name responsible parties for
           every funds control plan when new allotment holders, sub allotment holders, and/or
           funds control officers appointed.

     5.d Conduct periodic reviews of the program offices’ compliance with requirements of
         the funds control plans.

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that HUD allotment holders,

     5.e   Ensure that their designated Funds Control Officer maintain and ensure adherence to
           the funds control plan.




                                               66
     5.f   Inform OCFO of any changes in law, policy, or procedure that has occurred that
           would be inconsistent with the existing fund control plan.

     5.g Ensure timely update of their funds control plans including when allotment holders
         and funds control officers change.

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that the OCFO, in coordination with the appropriate program offices,

     5.h Identify the appropriate allotment holders and fund control officers for the programs
         related to the 17 program codes identified during the fiscal year 2010 financial audit.

     5.i   Perform a review of all funds control plans to ensure all programs are covered by a
           plan that is up to date and includes all relevant information, including all program and
           accounting codes, current allotment holders and funds control officers, and the
           current accounting and monitoring procedures.

     5.j   Develop and implement funds control plans for any program found to be without an
           up to date funds control plan.

With respect to HUD’s substantial noncompliance with the Antideficiency Act (ADA), we
recommend that the CFO, in coordination with the appropriate program offices,

     6.a   Complete required steps on the six known potential Anti-Deficiency issues and report
           those determined to be violations, immediately to the President, Congress, and GAO,
           as required by 31 U.S.C., and OMB Circular A-11.

     6.b Investigate the potential Antideficiency Act violation and other interagency
         agreements that were similarly executed. If the investigation determines an
         Antideficiency Act violation occurred, immediately report it to the President,
         Congress, and GAO as required by 31 U.S.C., and OMB Circular A-11.

     6.c   Develop, or where appropriate modify, and implement measures to prevent future
           potential Antideficiency Act violations resulting from contracts funded over multiple
           fiscal years.

With respect to HUD’s noncompliance with the laws and regulations governing claims of the
U.S. Government, we recommend that the Office of Housing

     7.a   Finalize and issue the draft Notice regarding collection procedures for delinquent
           Section 202 loans.

     7.b After issuance of the Notice, ensure the policy is effectively communicated to each
         applicable project manager and HUB Director nationwide.




                                                67
     7.c    Ensure adherence to the Notice by establishing internal controls to record activities to
            collect on delinquent loans.

With respect to HUD’s noncompliance with the laws and regulations governing claims of the
U.S. Government, we recommend that the CFO:

     7.d Activate the delinquent debt reporting functionality to enable NLS to report the
         Department’s delinquent debt to credit bureaus and CAIVRS.

     7.e    Establish criteria to determine what delinquent debt should be subject to reporting.

     7.f    Based on the criteria established, identify delinquent debt and report those to credit
            bureaus and CAIVRS as required.


           Unimplemented Recommendations From Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’
reports on HUD’s financial statements that have not been fully implemented based on the status
reported in ARCATS. HUD should continue to track these under the prior years’ report numbers
in accordance with departmental procedures. Each of these open recommendations and its status
is shown below. Where appropriate, we have updated the prior recommendations to reflect
changes in emphasis resulting from recent work or management decisions.


OIG Report Number 2010-FO-0003 (Fiscal Year 2009 Financial Statements)

With respect to the significant deficiency that the CPD needs to improve its oversight of
grantees, we recommend that CPD:

     1.a. Consider modifying an existing system to create an automated process that will house
          all of the data needed to review the timeliness requirement for the State CDBG
          program to create a more effective and efficient process. (Final Action Target Date is
          December 31, 2010; reported in ARCATS as recommendation 1D).

     1.b. Determine whether the $24.7 million in unexpended funds for the HOME program
          from fiscal years 2001 and earlier that are not spent in a timely manner should be
          recaptured and reallocated in next year’s formula allocation. (Final Action Target
          Date is April 1, 2011; reported in ARCATS as recommendation 1E).

     1.c. Develop a policy for the HOME program that would track expenditure deadlines for
          funds reserved and committed to community housing development organizations and
          subgrantees separately. (Final Action Target Date is September 30, 2011; reported in
          ARCATS as recommendation 1F).




                                                 68
With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations, intermediaries’ performance, and Housing
Choice Voucher funds, we recommend that PIH:

     2.a. Develop a mechanism in the Voucher Management System that enables HUD to (1)
          track and compare what the PHAs spend and receive in administrative fee expenses
          and (2) capture transfers between housing assistance and the funds for administrative
          fees, resulting in better estimates of net restricted assets account calculated balances.
          (Final Action Target Date is December 31, 2010; reported in ARCATS as
          recommendation 2C).

     2.b. Develop procedures to validate the net restricted assets account balances as part of its
          on-site monitoring review of PHAs and initiate reviews earlier in the year to ensure
          that excess funding in PHAs’ net restricted assets account is accurate before funding
          decisions are made. (Final Action Target Date is December 31, 2010; reported in
          ARCATS as recommendation 2D).

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with the appropriate program
offices:

     3.a. Deobligate the $8.8 million in administrative and program unliquidated obligations
          that were marked for deobligation. (Final Action Target Date is October 26, 2010;
          reported in ARCATS as recommendation 3A).

     3.b. Promptly perform contract closeout reviews and recapture of invalid obligations.
          (Final Action Target Date is March 11, 2011; reported in ARCATS as
          recommendation 3B).

With respect to the significant deficiency that HUD's Financial Management Systems Need to
Comply with Federal Financial Management System Requirements, we recommend that the
CPD:

     4.a. Ensure that its programs are accounting for and reporting their financial and
          performance information in accordance with federal financial management system
          requirements. (Final Action Target Date is July 30, 2010; reported in ARCATS as
          recommendation 4A).

With respect to HUD’s substantial noncompliance with the Antideficiency Act (ADA), we
recommend that the Chief Financial Officer, in coordination with the appropriate program
offices:

     5.a. Complete the investigations and determine whether or not ADA violations have
          occurred, and if an ADA violation has occurred, immediately report to the President,
          Congress, and GAO. (Final Action Target Date is March 11, 2011; reported in
          ARCATS as recommendation 5A)



                                                69
     5.b. Report the six ADA violations immediately to the President, Congress, and GAO, as
          required by 31 U.S.C and OMB Circular A-11, upon receiving OCFO legal staff
          concurrence with the investigation results. (Final Action Target Date is March 16,
          2011; reported in ARCATS as recommendation 5B)


OIG Report Number 2009-FO-0003 (Fiscal Year 2008 Financial Statements)

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that PIH:

     1.a. Increase the monitoring efforts over the Net Restricted Asset Account held by PHAs
          (Final Action Target Date is December 31, 2011; reported in ARCATS as
          recommendation 1C).

With respect to HUD’s substantial noncompliance with the Federal Financial Management
Improvement Act, we recommend that the CFO:

     2.a. Develop a plan to comply with OMB A-127 review requirements, which results in the
          evaluation of all HUD financial management systems within a 3-year cycle (Final
          Action Target Date is March 19, 2010; reported in ARCATS as recommendation 3A).




                                             70
Appendix C

Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions


This appendix provides details required under Federal Financial Management Improvement Act
(FFMIA) reporting requirements. To meet those requirements, we performed tests of
compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial
Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially
comply with the foregoing requirements. The details for our basis of reporting substantial
noncompliance, responsible parties, primary causes, and HUD’s intended remedial actions are
included in the following sections.

Federal Financial Management Systems Requirements
1. HUD’s annual assurance statement, issued pursuant to Section 4 of the Financial Manager’s
Integrity Act, will report two nonconforming systems.36

          The organizations responsible for systems that were found not to comply with the
          requirements of OMB Circular A-127 based on HUD’s assessments are as follows:


      Responsible office                               Number of systems     Nonconforming systems
      Office of Housing                                       18                        0
      Office of the Chief Financial Officer                   14                        0
      Office of Chief Human Capital Officer                    1                        1
      Office of the Chief Procurement Officer                  0                        2
      Office of Community Planning and Development             3                        0
      Office of Public and Indian Housing                      2                        0
      Government National Mortgage Association                 1                        0
      Totals                                                  39                        3




The following section outlines HUD’s plan to correct noncompliance with OMB Circular A-127
as submitted to us as of September 30, 2010, and unedited by us.




36
     The two nonconforming systems are A35-HUD Procurement System and P035-Small Purchase System.


                                                     71
OFFICE OF THE CHIEF PROCUREMENT OFFICER REMEDIATION PLANS
                        AS OF 9/30/2010

                          A35 HUD Procurement Systems (HPS)
                           P035 Small Purchase System (SPS)

Noncompliance Issue(s)            Tasks/Steps (including Milestones)                   Target       Actual
                                                                                     Completion   Completion
                                                                                       Dates        Dates
INTERNAL CONTROLS
1. HUD’s Procurement     INTERMEDIATE RESOLUTION PLAN
   Systems Do Not
   Have Adequate         1A Review transactions of the four contracting officers
   Controls for                who input records in excess of their contract
   Monitoring the              authority and take actions as appropriate.
   Procurement Process             OCPO researched the transactions in
                                   question to determine if the obligations          12/23/2006   12/14/2006
                                   were appropriate or not.
                                   OCPO determined that the transactions
                                   were properly executed by contracting             03/31/2007   12/14/2006
                                   officers acting within their authority. No
                                   further action is necessary.

                         1B          Implement system controls to ensure that
                                 contracting officers are not able to exceed their
                                 procurement authority.
                                     The OCPO will implement procurement
                                     authority control procedures.                   03/31/2007   04/25/07
                                     The OCPO will include validation of
                                     contracting officer authority as part of
                                     each Procurement Management Review.             01/08/2007   01/08/2007
                                                                                                  On-Going
                         1C   Implement controls to ensure that contracting
                                 officers are required to either input or approve
                                 all transactions that record funds through the
                                 HUDCAPS interfaces.
                                      The OCPO will implement procedural
                                      controls to require contracting officers to    04/30/2007   04/25/2007
                                      validate transactions in HPS.

                         1D         Modify the systems to make the contracting
                                 officer field mandatory.
                                      The OCPO will implement procedures for
                                      electronic records, which are recorded in
                                      HPS, are reviewed to ensure that a             04/30/2007   06/20/2008
                                      Contracting Officer is identified for each     Revised—
                                      record.                                        11/30/2008
                                      The OCPO will implement validation of
                                      the contracting officer identification as      01/8/2007    01/08/2007
                                      part of each Procurement Management                          On-Going
                                      Review.
                                      (See 1B bullet 2 above. Validation of




                                                    72
Noncompliance Issue(s)              Tasks/Steps (including Milestones)                   Target       Actual
                                                                                       Completion   Completion
                                                                                         Dates        Dates
                                        contracting authority is the same as
                                        implementation of task)
2.   HUD Procurement       2A       Ensure that system administration and security
     Systems’ Separation            administration functions are separate.
     of Duties Controls                 The OCPO will formally appoint separate        04/16/2007   05/01/2007
     Were Bypassed                      individuals to act as security administrator
                                        and system administrator for each OCPO
                                        system and that the individuals will not be
                                        performing conflicting duties.

                           2B       Ensure that staff are not assigned conflicting
                                    duties, that separate functions are performed
                                    by separate individuals, and that the concept
                                    of least privilege is applied.
                                         OCPO will determine if multiple system
                                         profiles are actually a valid requirement
                                         on an individual basis in HPS. The goal
                                         is to eliminate all unnecessary and
                                         redundant profiles in HPS and that the
                                         individuals will not be performing
                                         conflicting duties.
                                         o The OCPO will identify users with           02/15/2007   12/21/2006
                                               multiple HPS profiles.
                                         o The OCPO will deactivate                    07/31/2007   07/19/2007
                                               unnecessary/redundant profiles.
                           NOTE: While we can separate the duties procedurally, the
                           separation cannot be enforced in HPS or SPS without
                           reprogramming.

                           2C       Implement formal policies and procedures to
                                    recertify the access granted to users at least
                                    annually.
                                        The OCPO will develop and implement
                                        formal procedures for granting access by
                                        using the concept of least privilege to
                                        OCPO systems, as well as annual user
                                        access reviews by:
                                         o Revise system access request forms          01/31/2007   12/31/2006
                                         o Revise process in which user                02/28/2007   01/31/2007
                                              requests system access
                                         o Revise procedure in which system            03/31/2007   01/31/2007
                                              access is granted
                                         o Develop formal procedure to enforce         06/30/2007   07/18/2007
                                              annual user access review

                           2D       Create and implement routing functionality
                                    within the Small Purchase System to allow
                                    users to be granted access to more than one
                                    office or region.
                                         OCPO recommends implementing the
                                         following tasks to alleviate the routing
                                         issue. OCPO will determine if multiple
                                         SPS system profiles are actually a valid


                                                        73
Noncompliance Issue(s)               Tasks/Steps (including Milestones)                   Target       Actual
                                                                                        Completion   Completion
                                                                                          Dates        Dates
                                       requirement on an individual basis. The
                                       goal is to eliminate all unnecessary and
                                       redundant profiles in SPS.                       02/15/2007   12/21/2006
                                       o The OCPO will identify users with
                                            multiple SPS profiles.                      11/30/2007   12/14/2007
                                       o The OCPO will restructure the issuing
                                            office hierarchy to alleviate the
                                            necessity of multiple profiles for a
                                            given user.
   3.   HUD’s               3A Perform a cost benefit analysis to determine
        Procurement               whether it is more advantageous to modify or
        Systems Do Not            replace the procurement systems to ensure
        Contain                   compliance with Joint Federal Management
        Sufficient                Improvement Program Requirements.
        Financial Data to              The OCPO will perform a cost benefit             05/31/2008   02/12/2008
        Allow It to                    analysis to replace the OCPO systems.
        Effectively
        Manage and          3B   Implement functionality to ensure that there is
        Monitor                     sufficient     information      within     HUD’s
        Procurement                 procurement systems to support the primary
        Transactions                acquisition functions of fund certification,
                                    obligation, deobligation, payment, and closeout.
                                         Based on the availability of funds, OCPO
                                         will replace its systems with COTS
                                         software to ensure identified issues with
                                         security controls are addressed.
                                         Milestones – Not later than
                                               Develop Independent Government
                                               Estimate                                              05/03/2007
                                               Conduct Market Research
                                               Source Selection                         05/4/2007    04/06/2007
                                               Roll-out pilot of production system                   09/30/2010
                                                                                        04/6/2007    HIAMS
                                                                                        07/31/2010   Contract
                                                                                        01/31/2012   Awarded
SECURITY COTROLS
   4. The Office of the     4A      Obtain the training and or resources necessary to
      Chief                         develop or perform compliant (1) information
      Procurement                   system categorization analyses; (2) risk
      Officer Did Not               assessments; (3) security plans; (4) contingency
      Design or                     plans and tests; (5) monitoring processes, which
      Implement                     include applicable Federal Information
      Required                      Processing      Standards     Publication    200
      Information                   managerial,      operational,   and     technical
      Security Controls             information security controls; and (6)
                                    evaluations of the managerial, operational, and
                                    technical security controls.

                                        OCPO will ensure that training or other
                                        resources are obtained to develop or
                                        perform required managerial, operational,



                                                       74
                                          and technical security controls.
  Noncompliance Issue(s)                 Tasks/Steps (including Milestones)                 Target       Actual
                                                                                         Completion   Completion
                                                                                            Dates        Dates
                                          Update Risk Assessments                        12/31/2008   08/31/2007
                                          Update Security Plans                          12/31/2008   08/31/2007
                                                                                         12/31/2008   12/13/2007
                                          Update Annual Contingency Plans and
                                                                                                      On Going
                                          Tests


                                        o Monitoring processes, which includes           09/01/2008   08/29/2008
                                          applicable Federal Information Processing                   On Going
                                          Standards (FIPS) Publication 200
                                          managerial, operational, and technical
                                          information security controls; and

The OCPO continues to work the OCIO to monitor the above mentioned areas on an
                                       annual basis through updates to the
                                       Contingency plans, Security Plans, and
                                       BIA.

                                       Evaluations of the managerial, operational,
                                       and technical security controls.                  09/01/2008   08/29/2008
The OCPO continues to work the OCIO to evaluate the above mentioned areas on an                        On Going
                                       annual basis.

                             4B.       Complete the corrective actions for the known
                                      open information security vulnerabilities or
                                      develop mitigation strategies if new system
                                      development is underway.
                                          OCPO will ensure it develops mitigation
                                          strategies for the known open information
                                          security vulnerabilities.
                                          o Review vulnerabilities
                                          NOTE: Vulnerability scans were requested by
                                          OCPO 06/09/2010 through OIT and security
                                          office – estimated scan date by 06/14/2010     11/30/2008
                                                                                         Requested
                                                                                         an
                                           o    Develop mitigation strategy              Extension—
                                           NOTE: Upon completion of the scans,           12/31/2009
                                           mitigating strategies will be developed for   07/31/2010
                                           known vulnerabilities. Completion time is
                                                                                                         TBD
                                           dependent on the number of vulnerability      TBD
                                           discovered                                    See Note
                             4C    Designate a manager to assume responsibility for
                                      ensuring the Office of the Chief Procurement
                                      Officer’s compliance with federal certification
                                      and accreditation process requirements and to
                                      provide ―continuous monitoring‖ of the office’s
                                      information systems security.




                                                          75
NoncomplianceTasks/Steps
              Issue(s)   (including Milestones)                                        Target       Actual
                                                                                    Completion   Completion
                                                                                       Dates        Dates
                                       OCPO will designate a manager                01/15/2007   03/31/2007
                                       responsible for ensuring compliance with
                                       information systems security and federal
                                       certification and accreditation process.
                                       OCPO will work with OCIO to define           02/01/2007   02/1/2007
                                       roles and responsibilities and to ensure
                                       that appropriate resources are provided to
                                       perform required monitoring and
                                       certification and accreditation.

                         4D.       Reevaluate the HUD Procurement System and
                                  Small Purchase System application systems’
                                  security categorization in light of Office of
                                  Management and Budget guidance on
                                  personally identifiable information.
                                      OCPO will reevaluate the HUD                  08/31/2007   08/31/2007
                                      Procurement System and Small Purchase
                                      System application systems’ security
                                      categorization in light of Office of
                                      Management and Budget guidance on
                                      personal identifiable information.

                         4E    Perform a business impact analysis for the
                                  procurement systems. Based on the results of
                                  the impact analysis, determine what actions
                                  HUD can take to limit the amount of time
                                  needed to recover from the various levels of
                                  contingencies that can occur and include the
                                  determined actions in the contingency plans for
                                  the systems.
                                       OCPO will develop a business impact
                                       analysis for the procurement systems and
                                       revise the contingency plan based on the
                                       BIA.
                                       o Develop business impact analyses.          04/30/2007   06/06/2007
                                       o Incorporate BIA into contingency           09/30/2007   12/13/2007
 plans.
                         5A. Implement the HUD Integrated Acquisition
                         Management System (HIAMS)
                                    Complete Requirements Document                  06/26/2009   07/15/2009
                                    Complete Statement of Work                      06/26/2009   07/15/2009
                                    Re-Issue RFI to receive comments on             12/18/2009   12/18/2009
                                    SOW and requirements
                                    Review comments from RFI and update             01/31/2010   01/31/2010
                                    SOW and requirements
                                    Issue solicitation                              05/31/2010   07/01/2010
                                    Purchase software                               09/30/2010   09/30/2010
                                                                                    12/31/2010    HIAMS
                                    Configuration of software
                                                                                    01/31/2012    Contract
                                    Testing/Training/Implementation
                                                                                                  Awarded




                                                     76
Appendix D

              SCHEDULE OF QUESTIONED COSTS
             AND FUNDS TO BE PUT TO BETTER USE

 Recommendation       Ineligible 1/      Unsupported      Unreasonable or     Funds to be put
     number                                  2/           unnecessary 3/      to better use 4/
      2.a.                                                                          $3.2M
      2.c.                                                                        $27.5M
      2.i.                                                                        $38.5M
      2.n.                                                                         $174M
      3.a.                                                                         $385M
      4.a.                                                                        $97.8M
      4.f.                                                                        $27.5M


1/   Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity
     that the auditor believes are not allowable by law; contract; or Federal, State, or local
     policies or regulations.

2/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
     or activity when we cannot determine eligibility at the time of the audit. Unsupported
     costs require a decision by HUD program officials. This decision, in addition to
     obtaining supporting documentation, might involve a legal interpretation or clarification
     of departmental policies and procedures.

3/   Unreasonable/unnecessary costs are those costs not generally recognized as ordinary,
     prudent, relevant, and/or necessary within established practices. Unreasonable costs
     exceed the costs that would be incurred by a prudent person in conducting a competitive
     business.

4/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an Office of Inspector General (OIG) recommendation is
     implemented. These amounts include reductions in outlays, deobligation of funds,
     withdrawal of interest, costs not incurred by implementing recommended improvements,
     avoidance of unnecessary expenditures noted in preaward reviews, and any other savings
     that are specifically identified.




                                             77
Appendix E

             AUDITEE COMMENTS




                    78
79
80
Appendix F

                      OIG Evaluation of Agency Comments

With the exception of the report’s conclusions related to Federal Financial Management
Improvement Act (FFMIA) compliance, and Improving Administrative Control of Funds
management generally agrees with our presentation of findings and recommendations subject to
their detailed comments.

HUD’s disagreement on its non compliance with FFMIA has two components, HUD’s entity
wide integrated financial management system and CPD formula grant accounting.

 First, HUD continues to hold their long stated position, that while acknowledging deficiencies,
its entity wide integrated financial management system is compliant with FFMIA. HUD agrees
that their systems processes can be more efficiently integrated to eliminate the need for existing
compensating controls, nevertheless management feels the existing environment is substantially
compliant and not at material risk of misreporting. The deficiencies noted in HUD’s financial
management systems are due to the current financial system being developed prior to the
issuance of current requirements. The system is also technically obsolete, has inefficient multiple
batch processes, and requires labor-intensive manual reconciliations. Because of these
inefficiencies, HUD’s management systems are unable to routinely produce reliable, useful, and
timely financial information. This weakness manifests itself by limiting HUD’s capacity to
manage with timely and objective data, and thereby hampers its ability to effectively manage and
oversee its major programs. In addition, the Department has not met the minimum set of
automated information resource controls relating to Entity-wide Security Program Planning and
Management as required by FISMA and OMB Circular A-130 Appendix III.

Second, HUD believes that the CPD formula grant programs are compliant and that our FFMIA
noncompliance conclusion due to CPD grant accounting departures from U.S.GAAP and
weaknesses in internal controls over financial reporting do not fully take into account the nature
of block grants. We disagree with their assessment and believe that CPD formula grants need to
comply with budgetary controls and Federal financial management requirements related to the
matching of outlays to source of funds by appropriation year. We will continue our work on
CPD formula grants and seek clarification on whether formula grants are required to fully
comply with U.S. GAAP.

HUD also did not agree with the categorization of our observation that HUD Needs to Improve
Administrative Control of Funds as a significant deficiency. After a review of their detailed
comments, we modified the write up to reflect information provided. We take exception to
HUD’s position that the requirement for documenting controls over funds administration ends at
the point of obligation when compliance with the provisions of the Anti Deficiency Act is
ensured. Defects in HUD’s design and implementation of the administrative control of funds
have been identified and discussed with HUD since fiscal year 2005. Our justification for raising
this issue to a significant deficiency this year was the notable inaccuracies in the Low Rent
Program’s fund control plan, and the lack of funds control plans for programs that no longer


                                                81
have new obligation activity but continue making expenditures. Additionally, we found
deficiencies in the new programs’ funds control plans, outdated funds control officer information
in older funds control plans and that administrative funds control requirements were not always
followed to support obligations and disbursements of funds.




                                               82