Issue Date November 15, 2010 Audit Report Number 2011-FO-0003 TO: Douglas Criscitello, Chief Financial Officer, F //s// FROM: Thomas R. McEnanly, Director, Financial Audits Division, GAF SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements HIGHLIGHTS What We Audited and Why We are required to annually audit the consolidated financial statements of the U.S. Department of Housing and Urban Development (HUD) in accordance with the Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal years 2010 and 2009 financial statements are included in HUD’s Fiscal Year 2010 Annual Financial Report. This report supplements our report on the results of our audit of HUD’s principal financial statements for the fiscal years ending September 30, 2010, and September 30, 2009. Also provided are assessments of HUD’s internal controls and our findings with respect to HUD’s compliance with applicable laws, regulations, and government-wide policy requirements and provisions of contracts and grant agreements.1 In addition, we plan to issue a 1 Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included in this report but are included in the accounting firm of Clifton Gunderson LLP’s audit of FHA’s financial statements. That report has been published in our report, Audit of Federal Housing Administration Financial Statements for Fiscal Years 2010 and 2009 (2011-FO-0002, dated November 5, 2010). Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD component, are not included in this report but are included in the accounting firm of Carmichael Brasher Tuvell and Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of letter to management on or before January 15, 2011, describing other issues of concern that came to our attention during the audit. What We Found In our opinion, HUD’s fiscal years 2010 and 2009 financial statements were fairly presented. Our opinion on HUD’s fiscal years 2010 and 2009 financial statements is reported in HUD’S Fiscal Year 2010 Agency Financial Report. The other auditors and our audit also disclosed the following nine significant deficiencies in internal controls related to the need to: Have financial management systems comply with the Federal Financial Management Improvement Act of 1996 (FFMIA); Improve the processes for reviewing obligation balances; Continue improvements in the oversight and monitoring of subsidy calculations, intermediaries’ program performance, and Utilization of Housing Choice Voucher program funds; Establish internal controls over Office of Community Planning and Development (CPD) grantees’ compliance with program requirements; Improve administrative control of funds; Further strengthen controls over HUD’s computing environment; Improve personnel security practices for access to the Department’s critical financial systems; Effectively monitor modernization efforts and existing systems to mitigate near term financial reporting risks; and Mitigate increased risks to management estimates caused by economic conditions and inherent model design. Our findings include the following four instances of noncompliance with applicable laws and regulations: HUD did not substantially comply with the Federal Financial Management Improvement Act regarding system requirements; HUD did not substantially comply with the Antideficiency Act; HUD did not substantially comply with Laws and Regulations Governing Claims of the United States Government; and FHA’s Mutual Mortgage Insurance fund capitalization was not maintained at a minimum capital ratio of two percent, which is required under the Cranston-Gonzalez National Affordable Housing Act of 1990 Government National Mortgage Association Financial Statements for Fiscal Years 2010 and 2009 (2011-FO-0001), dated November 5, 2010). 2 The audit also identified $341 million in excess obligations recorded in HUD’s records. We are also recommending that $27.5 million not be expended as originally intended and reprogrammed by the grantee. Lastly, we are recommending that HUD seek legislative authority to implement $385 million in offsets against public housing agencies’ (PHA) excess unusable funding held in Net Restricted Assets Accounts at the PHAs. These amounts represent funds that HUD could put to better use. What We Recommend Most of the issues described in this report represent long-standing weaknesses. We understand that implementing sufficient change to mitigate these matters is a multiyear task due to the complexity of the issues, insufficient information, technology systems funding, and other impediments to change. In this and in prior years’ audits of HUD’s financial statements, we have made recommendations to HUD’s management to address these issues. Our recommendations from the current audit, as well as those from prior years’ audits that remain open, are listed in appendix B of this report. For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit. Auditee’s Response The complete text of the auditee’s response, along with our evaluation of that response, can be found in appendix E and F of this report. 3 TABLE OF CONTENTS Highlights 1 Internal Control 5 Compliance with Laws and Regulations 55 Appendixes A. Objectives, Scope, and Methodology 60 B. Recommendations 63 C. FFMIA Noncompliance, Responsible Program Offices, and Recommended 71 Remedial Actions D. Schedule of Questioned Costs and Funds To Be Put to Better Use 77 E. Agency Comments 78 F. OIG Evaluation of Agency Comments 81 4 INTERNAL CONTROL Significant Deficiency 1: HUD Financial Management Systems Do Not Comply With the Federal Financial Management Improvement Act of 1996 (FFMIA) As reported in prior years, HUD’s financial management systems were not in full compliance with federal financial management system requirements. We determined that HUD did not fully comply with the requirements of OMB Circular A-127, in addition to our prior year finding that HUD is not in full compliance with federal financial management system requirements generally. Specifically, HUD did not (1) initiate plans to review financial management systems for compliance with computer security and internal control guidelines; (2) develop an adequate agency-wide financial management systems plan and (3) accurately identify HUD’s financial management systems within its financial system inventory listing. In addition, we determined that the Community Planning and Development (CPD) formula grant process does not comply with U.S. Generally Accepted Accounting Principles, (GAAP), and as a result has weaknesses in the internal controls over financial reporting. Additionally, HUD has not completed development of an adequate integrated financial management system. HUD's financial systems, many of which were developed and implemented before the issue date of current standards, were not designed to perform or provide the range of financial and performance data currently required. The result is that HUD, on a department-wide basis, does not have integrated financial management systems that are compliant with current Federal requirements or provide HUD the information needed to effectively manage its operations on a daily basis. This situation could negatively impact management's ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency's financial results, performance measures, and cost information. CPD Formula Grants Reporting is not in Compliance with FFMIA and GAAP Our review found that CPD’s formula grant process does not comply with FFMIA, nor is it compliant with GAAP, which resulted in weaknesses in the internal controls over financial reporting. These deficiencies are the result of CPD’s decision to charge grant disbursement draw downs from the oldest budget fiscal year (BFY) appropriation funding source available at the time of draw down. CPD refers to this practice as FIFO (First-in, First-out). This process results in a mismatching of obligations and outlays and is a departure from U.S. GAAP. 5 We found that the monetary impact of using FIFO and incorrectly mismatching BFY fund sources to be significant; with over 30 percent of the draw downs from HOME and CDBG program grants citing the mismatched BFY appropriation as a source of funds for disbursement. The IDIS is a system used by CPD to support both the financial and non-financial functions necessary for the management of CPD’s formula grant programs. Grantees use the system to track and drawdown CPD funds, report program income, and record the results of CPD funded activities. The financial portions of IDIS are interfaced with HUD’s core financial systems.2 As part of HUD’s financial management system, IDIS is responsible for complying with the standards included within OMB A-127. As such, data coming from IDIS must be posted to LOCCS using proper US general ledger accounts and accounting standards. Additionally, in order to be compliant with Federal accounting standards, management of grants must be compliant with Federal Appropriations Law. Internal controls over Financial Reporting for CPD Formula Grants is Not Adequate CPD management did not maintain effective internal controls over financial reporting. Our review found that the CPD formula grant process design and implementation of adequate budget controls was deficient. Budget controls are compliance controls that provide reasonable assurance that transactions are executed in accordance with laws governing the use of budget authority and are used to manage and control the use of appropriated funds. Based on our review a significant percentage of CPD formula grants were not properly recorded, processed, or summarized to permit the preparation in conformity with GAAP. CPD’s HOME and CDBG programs are formula based block grants. Grantees, nearly all of whom have received annual grant allocations and awards for many consecutive years, will receive funding, if they submit an acceptable annual plan CPD. The annual plan describes the proposed activities, to include demonstrating a bona fide need for funding for their allocation of the BFY’s appropriation. However, each year’s grant is a standalone agreement, which is only complete when the grantee submits an acceptable annual plan describing what the purpose and need for the funds, and executing an agreement committing to complete the projects. According to GAO’s Title 23, the accounting for a federal assistance 2 Line of Credit Controls System (LOCCS), which is one of HUD’s core financial systems, is used to disburse funds. LOCCS then passes the disbursement information to Program Accounting System (PAS) and HUDCAPS which are the accounting systems used to generate the financial statements. 3 Accounting Principles, Standards and Requirements; Title 2 Standards Not Superseded by FASAB Issuances, from GAO Policy and Procedures Manual for Guidance of Federal Agencies 6 award begins with the execution of an agreement or the approval of an application in which the amount and purposes of the grant, the performance periods, the obligations of the parties to the award, and other terms are set out. According to the HOME and CDBG Funds Control Plans, the point of obligation is when an acceptable annual plan is submitted- establishing what should be the BFY projects and activities - and the assistance award/amendment is signed. The point of obligation using the BFY defines the source of funds and establishes the time frames for sub-allocation, expenditures, and when the funds are returned to the US Treasury, if not expended. The grantees, to be in compliance with their generally accepted accounting principles, are required to account for these grants on a BFY appropriation and grant year basis. According to CPD program rules, if the grantees want to make changes to proposed activities and funded projects, they are required to go through a formal process to amend their plans. These programmatic changes are proper and necessary to permit the flexibility to ensure smooth program operation and completely allowable if made within three years as allowed by the fund year appropriation bill. Yearly audits ensure that grantees stay in compliance with their formula grant requirements. Our review of seven grantees4 for CPD’s HOME and CDBG formula grant programs, indicated that for the HOME program for fiscal and grant years 2002- 2010, approximately forty percent and for the CDBG program for fiscal and grant years 1999-2010, approximately fifty percent of the funds disbursed for activities set up5 under a given grant’s BFY appropriation were disbursed from grants awarded with BFY appropriations prior to that grant year. Additionally, we noted that activities are also set up and funds are allocated to these activities on a FIFO basis similar to the disbursements and also mismatches the BFY fund source. We also noted that grantees are not required to identify and plan activities related to a given grant’s BFY award equal to the amount of the award received for the year, thus leaving unused balances to be mismatched to another BFY’s activities. We obtained the disbursement transactions for seven HOME grantees and found that for the 2002-2010 BFY appropriations, of the approximately $1.9 billion of the $3.0 billion (63 percent) that was set up for activities for the BFY appropriation, $748 million (39 percent) was disbursed from grant awards and BFY appropriations made prior to the award and BFY of the activity, due to the FIFO process. The amounts were disbursed from the BFY appropriations 2002- 2009, which were fixed multi-year appropriations and decreased the amount that would be returned to Treasury under the Defense Authorization Act (DAA) when 4 The seven grantees: New York City, State of New York, State of Ohio, State of Pennsylvania, State of Texas, City of Chicago, and City of Los Angeles were selected because for the fiscal years 2003-2010 they received the largest grant awards for both programs. 5 For purposes of the analysis, set up refers to the process of specifically identifying an activity under a specific BFY appropriation grant award and allocating estimated amounts expected to complete an activity within IDIS. 7 the appropriation is cancelled.6The amounts and discrepancies vary amongst each individual fiscal grant year. The HOME Program Results Amounts Disbursed for Amounts % of Fixed Year Activities Set Up Mismatched to Appropriations Authorized for for Fiscal Year Prior Year Grants (2002-2009) Fiscal Year Grant Year Grant due to FIFO Mismatched 2002 330,158,990 284,814,945 - 0.00% 2003 352,784,640 295,346,415 70,243,013 23.78% 2004 380,155,262 265,291,994 78,149,510 29.46% 2005 346,781,784 314,478,586 147,910,262 47.03% 2006 321,842,211 313,871,149 175,009,471 55.76% 2007 321,107,837 266,185,193 160,652,776 60.35% 2008 308,568,884 142,718,001 86,678,747 60.73% 2009 342,045,079 38,249,746 27,639,812 72.26% 2010 341,653,418 2,629,044 1,914,250 72.81% Total 3,045,098,105 1,923,585,074 748,197,841 38.90% In addition, we obtained the disbursement transactions for seven CDBG grantees and found that for the 1999-2010 BFY appropriations, of the approximately $4.2billion of the $7.4 billion (57 percent) that was set up for activities for the BFY appropriation, $2.0 billion (48 percent) was disbursed from grant awards and BFY appropriations made prior to the award and BFY of the activity, due to the FIFO process. The amounts were disbursed from the BFY appropriations 1994- 2009, which were fixed multi-year appropriations and decreased the amount that would be returned to Treasury under the DAA when the appropriation is cancelled. The amounts and discrepancies vary amongst each individual fiscal grant year. 6 The National Defense Authorization Act of 1991(Public Law 101-510, November 5, 1990) established rules governing the availability of appropriations for expenditure. This legislation mandates that on September 30th of the fifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall be closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and thereafter shall not be available for obligation or expenditure for any purpose. Beginning with the 2002 fiscal year Annual Appropriation, HOME’s fixed multi-year appropriations are affected by this Act. CDBG was receiving fixed multi-year appropriations prior to the Act and thus was affected when the Act was enacted. 8 The CDBG Program Results Amounts Disbursed for Amounts % of Fixed Year Activities Set Up Mismatched to Appropriations Authorized for for Fiscal Year Prior Year Grants (1994-2009) Fiscal Year Grant Year Grant due to FIFO Mismatched 1999 588,548,151 355,226,626 150,361,555 42.33% 2000 668,863,937 455,760,261 185,681,985 40.74% 2001 696,892,931 447,720,167 189,885,811 42.41% 2002 675,919,940 447,108,087 205,357,924 45.93% 2003 672,823,306 427,222,895 189,035,221 44.25% 2004 668,206,115 429,073,395 214,160,718 49.91% 2005 632,244,955 388,301,414 201,316,529 51.85% 2006 566,798,872 406,788,812 200,543,483 49.30% 2007 564,048,650 366,829,645 177,423,857 48.37% 2008 545,030,719 301,127,604 157,765,162 52.39% 2009 552,034,905 196,023,924 109,011,342 55.61% 2010 597,932,026 52,822,165 49,616,455 93.93% Total 7,429,344,507 4,274,004,994 2,030,160,043 47.50% Based on the work performed, we found that CPD and IDIS is not recording, processing, reporting, or providing accurate information in accordance with federal financial management requirements or accounting standards. The logic used by IDIS and CPD to select the source of funds for use in activity funding and disbursement was faulty. CPD’s definition of ―source of funds‖ takes only into account the source of funding being that of either a State grantee or entitlement grantee and the type of money (program income versus entitlement grant funds, etc.). It disregards the Federal budgetary fiscal year source of funds. CPD describes how FIFO is applied in a procurement document in this manner, The FIFO technique is applied to funds having the same grant program, source of funds, recipient of funds, and type of funds. The grant year is used to order the funds from oldest year to newest year. When a grantee commits funds to an activity (by funding an activity using the activity funding function), the funds are committed from the oldest funds having the same source of funds, recipient of funds, and type of funds. The grantee is unaware of the year from which the funds are committed. Similarly, when a grantee draws funds, the funds are drawn from the oldest funds having the same source of funds, recipient of funds, and type of funds. At issue is CPD and IDIS’s treatment of the source of grant funds. Based on our review and discussion with CPD staff, we found that CPD uses a different meaning and application technique for source of funds depending on what action is being taken. At the point of obligation, a BFY appropriation source year is used to obligate the funds to a State or entitlement grantee. When an activity is established and funded, CPD will match the State or entitlement grantee source and type of funding, and may use the oldest BFY appropriation source of funds to allocate funds for the estimated costs for the activity. At disbursement, CPD and 9 IDIS will match the State or entitlement grantee source and type of funding, and use the oldest BFY appropriation source of funds to disburse funding to pay for an activity. While a grantee’s program year may not line up with a federal fiscal year due to when agreements are signed, the achievements, and projects and activity costs recorded in IDIS Online must be reconcilable with the BFY appropriation source year in which the funding was approved. Arbitrarily liquidating the funding from the older available BFY appropriation source for the fund type associated with the activity is not in line with Federal GAAP and Federal financial management requirements. As noted in CPD’s definition and application of FIFO, the BFY appropriation is excluded, as they exclude this detail as being the identification for the source of funds. They describe the BFY as the grant year and its only purpose is to order the funds from oldest to newest. CPD’s position of excluding the BFY as the identification and mingling all of the grant year (BFY appropriation) funds together and simply ordering them from oldest to newest and using FIFO is appropriate is based on their belief that the purpose of block grants is to provide the grantees a great deal of flexibility in managing their projects. While this may have been the most simple way to manage grants at the start of the programs, which was prior to FASAB, budget controls, the DAA, and other recently implemented Federal financial management Acts, it ignores how FIFO effects these aspects of financial reporting and is also non-compliant with these requirements. CPD and the Department take exception to OIG’s position that IDIS and the use of FIFO being non-compliant with FFMIA, OMB A-127, and U.S. GAAP. They point to a legal opinion received from HUD’s Office of General Counsel (OGC) and a system review performed by an independent contractor. OGC stated that due to the nature of this block grant program they believed that the FIFO accounting method for expenditures is consistent with Federal accounting requirements. One factor the OGC did not address in their memo is that the information submitted by grantees and reported in their financial statements is altered by IDIS, at potentially two steps in processing (1) in the identification of a BFY appropriation for commitments and (2) the selection of a BFY for disbursements. This altering of the source BFY appropriation information is inconsistent with proper internal controls and furthermore, the inability to match revenues with expenditures is at odds with GAAP’s matching concept and budget control objectives to match outlays to the underlying obligation. In response to the prior year’s finding that IDIS was not in compliance with Federal financial management requirements, CPD hired a contractor to determine whether the FIFO method used by IDIS complied with the requirements of 10 FFMIA. While the review found that IDIS provided the required data to HUD’s core financial management system; the review itself had limitations. OIG’s evaluation of the review noted (1) the contractor improperly excluded IDIS as part of HUD’s financial management system and subject to the requirements of FFMIA, (2) did not support its conclusion that FIFO was compliant with Federal systems requirements with criteria or procedures, and (3) did not consider the FIFO mismatch effect prior to being posted to the core financial system. The contractor examined IDIS’s compliance with Federal financial management requirements after IDIS had inappropriately used FIFO and a BFY appropriation inconsistent and mismatched from the obligating BFY appropriation. Federal GAAP, appropriation law, federal financial management requirements consistently point to the source of funds for programs like CPD grants as a BFY appropriation. The BFY appropriation source of funds is required to remain constant with the funds and the fiscal year appropriation linked. This link originates when grant funds are committed and includes, with other data elements, the following information (a) funding dollar amount,( b) fund code(s), (c) appropriation code(s), (d) accounting code, and (e) budget year(s) of funding in the financial management system. When the funds are obligated to a specific grantee, additional required information is entered ( a) grant number, (b) grantee or recipient name, (c) grantee identifier, (d) grant purpose, (e) dollar amount, and (f) accounting classification data, which incorporates the appropriation code, accounting code, and budget year of funding. When grants funds are disbursed, the disbursement request required data elements includes (a) grantee name and identifier, (b) amount of funds authorized, (c) amount approved, (d) program funding codes, and (e) appropriation code(s) which are matched to information already indentified with the funds. Accurate data on which to base crucial program and resource decisions is critical. Statement of Federal Financial Accounting Standards 4: Managerial Cost Accounting Standards and Concepts requirement for Cost Accounting is: each reporting entity should accumulate and report the cost of its activities on a regular basis for management information purposes. Costs may be accumulated either through the use of cost accounting systems or through the use of cost finding techniques. To address the long-standing weaknesses in the availability of reliable, accurate, and comparable financial data, Congress mandated financial management systems reform within the federal government by enacting the Federal Financial Management Improvement Act of 1996 (FFMIA). FFMIA requires the departments and agencies covered by the Chief Financial Officers (CFO) Act of 1990 to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger (SGL) at the transaction level. FFMIA builds on the foundation laid by the CFO Act, which has the goal of modern financial management systems that enable the systematic measurement of performance; the development of cost information; and the integration of 11 program, budget, and financial information for management reporting. FFMIA also requires auditors to state in their audit reports whether the agencies’ financial management systems comply with the act’s requirements GAO, Principles of Federal Appropriations Law, Third Edition, Volume II, Chapter 10, Federal Assistance: Grants and Cooperative Agreements define and clarify the proper treatment of grants in accordance with Federal Appropriations Law, and describes the three elements of legal availability—purpose, time, and amount as they specifically apply equally to assistance funds. An ―authorized grant purpose‖ is determined by examining the relevant program legislation, legislative history, and appropriation acts. Funds must be obligated by the grantor agency within their period of availability. The ―bona fide needs rule,‖ which is a basic principle of time availability, holds that an appropriation is available for obligation only to fulfill a genuine or bona fide need of the period of availability for which the appropriation was made. This rule applies to grants and cooperative agreements as well as to other types of obligations or expenditures. The overall management of CPD formula grants, including the financial system which they are managed in, IDIS, was non-compliant with the principals of Appropriation Law for Grants and Federal accounting standards and requirements. We found that determination of a bona fide need was not being taken into account over the formula grants. To that end, the grant funds which were managed were not maintained in the system in a manner in which the bona fide need can be determined and the funds can be maintained in accordance with the bona fide need in which the grant was awarded. This is through the programs use of FIFO to commit and disburse funds. CPD has mistaken the fact that while block grants reduce federal involvement in that they transfer much of the decision-making to the grantee and reduce the number of separate grants that must be administered by the federal government there is a continuing responsibility to account for and report program results in accordance with BFY funding. It is a misconception, however, to think that block grants are ―free money‖ in the sense of being totally free from federal ―strings.‖ HUD’s design and implementation of the integrated financial management system that supports the CPD formula grant programs is not in compliance with federal financial management system requirements. The system arbitrarily liquidates obligations on a First-In, First-Out (FIFO) basis, irrespective of the budget fiscal year funding source. This process is not in compliance with Federal financial accounting and federal appropriations laws, which are explicitly and indirectly, included in the federal financial management system requirements. Additionally, with the enactment of the Defense Authorization Act of 1991, liquidating the funds on this FIFO basis also intentionally decreases the amounts that HUD would be required to return to Treasury after fixed-year appropriations cancel and is in direct contradiction with congressional intent. 12 Agency wide Financial Management Systems Plan Did Not Meet Circular A-127 Requirements We performed an audit to assess the Department’s compliance with the requirements specified in OMB Circular A-127. We found that HUD is not in full compliance with the requirements. The OIG reported in its FY 2008 financial statement audit report7 that HUD had not performed the OMB Circular A-127 required reviews of its financial management systems for compliance with computer security and internal control guidelines. HUD has not taken corrective action to address this weakness and ensure that A-127 compliance reviews were conducted. HUD’s policy was to review all of its financial systems within a 3- year cycle. Only eight of the 54 reviews required have been completed by the Department since 2007. The agency-wide Financial Management Systems Plan developed by the Chief Financial Officer (CFO) did not fully meet requirements of OMB Circular A-127. Although, the Financial Management System Plan developed for FY 2010 contained headers and or specific sections for each of the required pieces of information per the Circular, the information included within the document was not sufficient to meet the requirements. For example, the Plan contains a ―Target Architecture‖ section which explains HUD’s Integrated Financial Management Improvement Project (HIFMIP). However, it does not contain specifics that explain how each application will be affected by or included in the project. Similarly, many of the other A-127 required sections discuss Integrated Core Financial System implementation at a high level and do not provide details that describe an actual migration strategy, milestones for equipment acquisitions, personnel needs, and estimated costs. Additionally, in the ―Existing Financial Management System Architecture‖ section the Plan only provides general planned upgrades for a 5 year time period. There is no detail on funding requirements and no projection of a reasonable useful life for the applications. HUD has not maintained a complete inventory of its financial management systems. The CFO did not classify the Financial Data Mart (FDM) or Personnel Services Cost Reporting Subsystem (PSCRS) as financial management systems and therefore has not included them in its inventory of financial management systems. The Financial Data Mart is a database application used by HUD for financial reporting and to transfer data between HUDCAPS and Hyperion to produce HUD’s consolidated financial statements. Based upon the current data transfer process, HUD’s consolidated financial statements cannot be produced without the Financial Data Mart. The Financial Data Mart has been operational since February 1999. PSCRS is used to support HUD’s interface with the payroll 7 OIG Audit Report number 2009-FO-0003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2008 and 2007 Financial Statements,‖ issued November 14, 2008. 13 system and acts as a batch processor/translator for HUD. The application generates the journal voucher batches and transactions required to post the HUD pay and leave cost data to the department’s general ledger. PSCRS has been operational since October 1994. Both applications are classified as major applications. HUD Required To Implement a Compliant Financial Management System FFMIA requires, among other things, that HUD Implement and maintain financial management systems that substantially comply with federal financial management system requirements. The financial management system requirements include implementing information system security controls. The requirements are also included in OMB Circular A-127, ―Financial Management Systems.‖ Circular A-127 defines a core financial system as an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events. It may be integrated through a common database or interfaced electronically to meet defined data and processing requirements. The core financial system is specifically used for collecting, processing, maintaining, transmitting, and reporting data regarding financial events. Other uses include supporting financial planning, budgeting activities, and preparing financial statements. As in previous audits of HUD’s financial statements, in fiscal year 2010 there continued to be instances of noncompliance with federal financial management system requirements. These instances of noncompliance have given rise to significant management challenges that have: (1) impaired management’s ability to prepare financial statements and other financial information without extensive compensating procedures, (2) resulted in the lack of reliable, comprehensive managerial cost information on its activities and outputs, and (3) limited the availability of information to assist management in effectively managing operations on an ongoing basis. HUD's Financial Systems Are Not Adequate As reported in prior years, HUD does not have financial management systems that enable it to generate and report the information needed to both prepare financial statements and manage operations on an ongoing basis accurately and timely. To prepare consolidated department wide financial statements, HUD required Federal Housing Administration (FHA) and the Government National Mortgage 14 Association (Ginnie Mae) to submit financial statement information on spreadsheet templates, which were loaded into a software application. In addition, all consolidating notes and supporting schedules had to be manually posted, verified, reconciled, and traced. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, HUD was compelled to rely on extensive compensating procedures that were costly, labor intensive, and not always efficient. Due to a lengthy HUD Integrated Financial Management Improvement Project (HIFMIP) procurement process and lack of funding for other financial application initiatives, there were no significant changes made in fiscal year 2010 to HUD’s financial management processes. As a result, the underlying system limitations identified in past years remain. The functional limitations of the three applications (HUDCAPS, LOCCS and PAS) performing the core financial system function for HUD are dependent on its data mart and reporting tool to complete the accumulation and summarization of data needed for U.S. Department of the Treasury and OMB reporting. HUD’s Financial Systems do not Provide Managerial Cost Data In fiscal year 2006, the Government Accountability Office (GAO) reported in GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial systems do not have the functionality to provide managerial cost accounting across its programs and activities. This lack of functionality has resulted in the lack of reliable and comprehensive managerial cost information on its activities and outputs. HUD lacks an effective cost accounting system that is capable of tracking and reporting costs of HUD’s programs in a timely manner to assist in managing its daily operations. This condition renders HUD unable to produce reliable cost-based performance information. HUD officials have indicated that various cost allocation studies and resource management analyses are required to determine the cost of various activities needed for mandatory financial reporting. However, this information is widely distributed among a variety of information systems, which are not linked and therefore cannot share data. This makes the accumulation of cost information time consuming, labor intensive, untimely, and ultimately makes that cost information not readily available. Budget, cost management, and performance measurement data are not integrated because HUD: Did not interface its budget formulation system with its core financial system; Lacks the data and system feeds to automate a process to accumulate, allocate, and report costs of activities on a regular basis for financial reporting needs, as well as internal use in managing programs and activities; 15 Does not have the capability to derive current full cost for use in the daily management of Department operations; and Requires an ongoing extensive quality initiative to ensure the accuracy of the cost aspects of its performance measures as they are derived from sources outside the core financial system. While HUD has modified its resource management application to enhance its cost and performance reporting for program offices and activities, the application does not use core financial system processed data as a source. Instead, HUD uses a variety of applications, studies, and models to estimate the cost of its program management activities. One of these applications, TEAM/REAP, was designed for use in budget formulation and execution, strategic planning, organizational and management analyses, and ongoing management of staff resources. It was enhanced to include an allocation module that added the capability to tie staff distribution to strategic objectives, the President’s Management Agenda, and HUD program offices’ management plans. Additionally, HUD has developed time codes and an associated activity for nearly all HUD program offices to allow automated cost allocation to the program office activity level. HUD has indicated that the labor costs that will be allocated to these activities will be obtained from the HUD payroll service provider. However, because the cost information does not pass through the general ledger, current federal financial management requirements are not met. Financial Systems do not Provide for Effective and Efficient Financial Management During fiscal year 2010, HUD’s financial information systems did not allow it to achieve its financial management goals in an effective and efficient manner in accordance with current federal requirements. To perform core financial system functions, HUD depends on three major applications, in addition to a data warehouse and a report-writing tool. Two of the three applications that perform core financial system functions require significant management oversight and manual reconciliations to ensure accurate and complete information. HUD’s use of multiple applications to perform core financial system functions further complicates financial management and increases the cost and time expended. Extensive effort is required to manage and coordinate the processing of transactions to ensure the completeness and reliability of information. Additionally, the interface between the core financial system and HUD’s procurement system does not provide the required financial information. The procurement system interface with HUDCAPS does not contain data elements to support the payment and closeout processes. Also, the procurement system does 16 not interface with LOCCS and PAS. Therefore, the processes of fund certification, obligation, de-obligation, payment, and close out of transactions that are paid out of the LOCCS system are all completed separately, within either PAS or LOCCS. This lack of compliance with federal requirements impairs HUD’s ability to effectively monitor and manage its procurement actions. HUD Plans to Implement a Department-wide Core Financial System HUD plans to implement a commercial federal certified core financial system and integrate the current core financial system into one Department-wide core financial system. FHA and Ginnie Mae have already implemented a compatible and compliant system to support the transition to the enterprise core financial system. HUD originally planned to select a qualified shared service provider to host the enterprise system and integrate the three financial systems (HUD, FHA, and Ginnie Mae) into a single system by fiscal year 2015. Achieving integrated financial management for HUD will result in a reduction in the total number of systems maintained, provide online, real-time information for management decision-making, enable HUD to participate in E-government initiatives, and align with HUD's information technology modernization goals. HIFMIP, launched in fiscal year 2003, has been plagued by delays. HUD believes that at some point, HIFMIP will encompass all of HUD’s financial systems, including those supporting FHA and Ginnie Mae. Due to delays with the procurement process, however, the contract for HIFMIP was not awarded until September 2010. OMB reviewed HIFMIP and recommended that HUD give additional consideration to its (1) categorization of risk and mitigation strategies; (2) governance structure to ensure appropriate leadership is in place to support the project; and (3) funding strategy to give more time to assess whether the current approach is viable. As a result of OMB’s recommendations, HUD agreed to re- scope HIFMIP to address only the Department- level portion. Based on HUD’s agreement to re-scope the project, OMB approved the 18-month base period. Additional approvals will be needed for the option periods associated with HIFMIP. Until its core financial system is implemented, we believe the following weaknesses with HUD’s financial management systems will continue: HUD’s ability to prepare financial statements and other financial information requires extensive compensating procedures. HUD has limited availability of information to assist management in effectively managing operations on an ongoing basis. We are requesting that CPD use the current commitment budget fiscal year 17 currently in the IDIS for making all future disbursements for its HOME, CDBG, HOPA, and other formula grant plans. We are requesting that CPD use the plan year identified in the setup process for establishing the commitment budget fiscal year. 18 Significant Deficiency 2: HUD Needs To Improve Its Processes for Reviewing Obligation Balances HUD needs to improve controls over the monitoring of obligation balances to ensure that they remain needed and legally valid as of the end of the fiscal year. HUD’s procedures for identifying and deobligating funds that are no longer needed to meet its obligations were not always effective. This has been a long-standing weakness. In fiscal year 2010, HUD’S CFO coordinated a review of unliquidated obligations to determine whether the obligations should be continued, reduced, or canceled. The review encompasses all of HUD’s unliquidated obligations except those for the Section 8 project-based and tenant-based mod-rehab programs and Sections 235/236 interest reduction and rental assistance/rent supplement programs, which were subjected to separate reviews led by the program offices. We evaluated HUD’s internal controls for monitoring obligated balances and found that HUD has continued its progress in implementing improved procedures and information systems. However, additional improvements are needed. Our review of the fiscal year 2010 year-end obligation balances showed that timely reviews and recaptures of unexpended obligations for Section 8 project-based, Sections 202 and 811 supportive housing programs, and administrative and other program obligations were not being performed. As a result, $69.2 million in excess funds had not been recaptured. In addition, we identified $36.4 million in unliquidated obligations that were not subjected to a review process, 434 Low Rent Development grants that have not been closed out amounting to $174 million of invalid obligations outstanding, and an additional $1.62 billion in program obligations under CPD that were not properly reviewed. Administrative/Other Program Obligations Annually, the CFO forwards requests for obligation reviews to HUD’s administrative and program offices. The focus of the review is on administrative and program obligations that exceed threshold amounts established by the CFO. For this year’s review, the thresholds were set at $23,000 for administrative obligations and $243,000 for program obligations. HUD identified 1,275 obligations with remaining balances totaling $45.5 million for deobligation. We tested the 1,275 obligations HUD identified to determine whether the associated $45.5 million had been deobligated in HUD’s Central Accounting and Program System and PAS. We found that, as of September 30, 2010, a total of 91 obligations with remaining balances totaling $3.2 million had not been deobligated. HUD has initiated the process of closing these contracts, and the associated funding should be recaptured in fiscal year 2011. In addition, we reviewed the database used for the open obligation review to determine if all of HUD’s obligations were subjected to a review process. We identified 506 obligations with available balances totaling $37 million that were not distributed to the program offices for review. These obligations were not distributed to the program offices as they were made using funds under Treasury 19 Account Fund Symbols (TAFS) typically used for Section 8 project-based obligations, and therefore thought to be part of the separate Section 8 project- based obligation review process. However, these obligations are related to programs not subject to the Section 8 review and thus the CFO should distribute them to the appropriate program offices for review. Of these 506 obligations, we determined that 437 with available balances totaling $27.5 million were either expired or inactive as of June 30, 2010. For HUD’s administrative and other program obligations, HUD needs to promptly perform contract closeout reviews and recapture the associated excess contract authority and imputed budget authority. The administrative and program offices need to actively monitor all of their open obligations throughout the fiscal year, including those under the threshold amounts, to ensure that all obligations on HUD’s books remain valid. Active monitoring is also needed to decrease the number of obligations identified for recapture during the CFO’s department-wide review of obligations. When a large number of obligations are identified during this review it takes a significant amount of time to process all of the contract close-outs and deobligations. This resulted in obligations that were marked for deobligation remaining on HUD’s books after the end of the fiscal year. The CPD’s Field Offices are not Reviewing Underlying Support During the CFO Department- wide Open Obligation Review We reviewed CPD’s results of their March 31, 2010 review of outstanding obligations and found that the internal controls for monitoring obligations were not effective. We found that open obligations were being retained without adequate review as to whether the funds were still needed. We found that CPD retained over $1.62 billion in undisbursed obligations which were originally obligated from 1989 through 2005. Further review of the $1.62 billion showed that $243.93 million of undisbursed obligations had no disbursement actions since 2008. Additionally, included in the $243.93 million, was $98.85 million of undisbursed obligations with no disbursement actions made against the original obligation. In addition, we reviewed the results of the Chief Financial Officer’s Department– wide Annual Open Obligation Review for FY10, specifically the results and open obligations related to CPD. CPD retained 24,313 of 24,564 (98.98 percent) of obligations for a total of $32.023 billion of $32.032 billion (99.97 percent) and deobligated 251 (1.02 percent) obligations for a total of $9.13 million (0.03 percent). We provided a questionnaire to the CPD Field Office Directors (Directors), inquiring of their implementation of the CFO Annual Department-wide Open 20 Obligations Review. The responses received to our questionnaire revealed that for CPD’s formula and mandatory entitlement grant programs, where the grant agreement did not contain an expiration date, the open obligation amounts were retained by the Directors without having their underlying supporting documentation reviewed. Reviewers were focusing their obligation review on the competitive grants and grant agreements which have an expiration date. Additionally, some Directors relied on the recaptures identified and processed through the review for compliance with program regulatory requirements. Specifically for the HOME and CDBG programs, compliance with the program regulations are calculated and assessed on a cumulative basis based upon the grantee’s overall, cumulative grant balances since inception, and the recapture amount is based on those results. OIG does not agree with this cumulative method. By relying on the cumulative method to account for the obligation validity, amounts that could be individually determined as a valid or invalid obligation are not being reviewed. In fiscal year 2009, we issued OIG audit8 which contained a finding related to the cumulative method for computing compliance. The report pointed out that the HOME program had $7 million in obligations for 77 open activities that were more than five years old, for which no amounts were drawn against and were not recaptured, as a result of this cumulative method. A similar finding was reported in the fiscal year 2010 Consolidated Financial Statement Audit. Although the actual performance of the review is performed at the Field Office level, direction, guidelines, procedures, or expectations have not been clearly communicated or documented by CFO, CPD, or the individual program offices within CPD. Control procedures have not been established or implemented and evaluations of the operating effectiveness of the controls for implementing the review have not been conducted, allowing inconsistent and inadequate performance to go undetected and old, unused balances to remain in the Financial Statements for years without any activity or individual review. Project-Based Section 8 Contracts HUD’s systems and controls for processing payments, monitoring, budgeting, accounting, and reporting for Section 8 project-based contracts needs to be improved. HUD has been hampered in its ability to estimate funding requirements, process timely payments to project-based landlords, and recapture excess funds in a timely manner. This problem is evidenced in HUD’s long-term challenges in paying Section 8 project-based landlords on a timely basis; properly monitoring, budgeting, and accurately accounting for contract renewals; and reporting obligation balances. 8 (HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of HOME funds, Audit report 2009-AT—0001 21 HUD administers 17,649 housing assistance payments contracts to provide about 1.25 million low-income housing units. A total of 14,737 contracts, covering more than 1 million housing units, are currently subject to annual renewal. HUD’s $8.9 billion in budget authority for Section 8 project-based contracts in fiscal year 2010 included $168 million in carryover from prior years, $8.8 million of which was from the $2 billion in supplemental funding appropriated under the Recovery Act in fiscal year 2009. Section 8 budget authority is generally available until expended. As a result, HUD should periodically assess budget needs and identify excess program reserves in the Section 8 programs as an offset to future budget requirements. Excess program reserves represent budget authority originally received, which will not be needed to fund the related contracts to their expiration. While HUD had taken actions to identify and recapture excess budget authority in the Section 8 project-based program, weaknesses in the review process and inadequate financial systems continued to hamper HUD’s efforts. There was a lack of automated interfaces between the Office of Housing subsidiary records and HUD’s general ledger for the control of program funds. This condition necessitated that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts for excess funds, which has hampered HUD’s ability to identify excess funds remaining on Section 8 contracts in a timely manner. This fiscal year, the Office of Housing recaptured approximately $144.3 million in unliquidated obligation balances from 2,291 projects in the Section 8 project- based program. However, their 2010 recapture methodology did not take into account funds remaining on funding lines for expired annual renewal contracts. Our review of the Section 8 project-based obligations identified 4,886 funding lines with remaining balances totaling $188 million tied to annual renewal contracts that expired in fiscal year 2010 or earlier. Under past recapture methodologies, $38.5 million from 936 of the 4,886 funding lines would have been recaptured in fiscal year 2010, or earlier. The $149.5 million from the remaining 3,950 funding lines would be subject to recapture in future years. The Office of Housing needs to include funds remaining on expired annual renewal contracts in their recapture methodology and consider them when formulating future budget requests, to keep from over-estimating their funding needs. We recommended in our audit of HUD’s fiscal year 1999 financial statements that systems be enhanced to facilitate timely closeout and recapture of funds. In addition, we recommended that the closeout and recapture process occur periodically during the fiscal year and not just at year-end. For fiscal year 2010 the Office of Housing implemented a quarterly review and recapture methodology. However, deficiencies in HUD’s systems and the monitoring and review processes for Section 8 project-based obligations led to 936 funding lines with balances totaling $38.5 million for expired annual renewal contracts remaining on HUD’s books. Implementation of the recommendations and the 22 long-term financial management system improvement plan is critical so that excess budget authority can be recaptured in a timely manner and considered in formulating requests for new budget authority. Supportive Housing for the Elderly and Disabled - Sections 202 and 811 Programs HUD’s Sections 202 and 811 programs provide affordable housing and supportive services for elderly families and families with disabilities. These programs provide capital advances to private nonprofit organizations to finance the construction of new facilities or acquisition or rehabilitation of existing facilities. The capital advance is interest free and does not have to be repaid if the housing remains available for very low-income elderly or disabled families for at least 40 years. After the facility has been constructed and occupied, HUD provides additional project rental assistance contract (PRAC) funds to owners to cover the difference between the HUD-approved operating cost for the project and the tenants’ contribution toward rents. The point of obligation of the initial award amount for the Section 202 and Section 811 programs is the agreement letter that obligates funds for both capital advances and PRAC. The hub/program center director signs first, the sponsor(s) signs second and an authorized signature memo from the Assistant Secretary for Housing/Federal Housing Commissioner or designee to the Fort Worth Accounting Center completes the obligation. The Fort Worth Accounting Center verified that funds are in LOCCS and recorded the obligation in PAS. Generally, funds appropriated for capital advances and PRAC are available for three years. After three years, the funds expire and will not be available for obligation, thus necessitating the need to track funds obligated under the program. At the beginning of fiscal year 2010, the Sections 202 and 811 programs had unliquidated obligation balances of $3.5 billion and $954 million, respectively. We reviewed the PAS subsidiary ledger supporting the current Sections 202 and 811 program unliquidated obligations to determine whether unliquidated program obligations reported were valid and whether invalid obligations had been cancelled and recaptured in PAS. Our review identified 57 Section 202 and 811 projects with available obligation balances totaling $25.3 million that had expired according to HUD’s accounting systems, PAS/LOCCS. According to Office of Housing staff, 55 of these projects were active and had the incorrect expiration dates in the accounting systems. Controls within PAS/LOCCS do not allow disbursements to be made for projects that have expired. Accordingly, the Office of Housing is working to correct the expiration dates in PAS/LOCCS. It is imperative that a project’s expiration date is kept up to date to ensure HUD is able to process disbursements to project owners in a timely manner. Additionally, 23 data within HUD’s accounting systems needs to be reliable to ensure adequate monitoring and reviews of HUD’s unliquidated obligations are performed. Low Rent Development Grant (LRP) Obligations Not Reviewed and Financial Statements Overstated by $174 Million The Low-Rent Public Housing Loan Fund was established to provide direct Federal Loans to fund remaining PHAs and Indian Housing Authority construction, acquisition, and modernization activities reserved under the Annual Contributions appropriation. In fiscal year 1986, Congress passed legislation changing the financing of the LRP from direct loans to grants. The legislation resulted in the forgiveness of all outstanding LRP direct loans made to PHAs. During our review of the unliquidated obligations, we found that HUD did not include the LRP grants in the annually required HUD-wide open obligations review. In addition, HUD reported inaccurate and duplicate data in HUD’s financial systems for the LRP program which resulted in unsupported balances on the financial statements. The lack of an open obligation review resulted in the undelivered orders line item on HUD’s consolidated financial statements were overstated by as much as $174 million. This condition has existed since 1997 and was previously identified in a 1997 HUD OIG audit. That audit report recommended HUD develop procedures for performing and monitoring the close-out of 419 LRP grants and for the recapture of unused funds. During fiscal year 2010, we reviewed the LRP subsidiary records and found 351 grants open since 1997 that have not been closed out and funds recaptured. In addition, we identified a total of $174 million in outstanding obligations for a total of 434 LRP grants that have not been reviewed and closed out. We tested the 20 of the 434 grants with the largest outstanding obligation balances and found that grants were no longer valid and the general ledger was overstated by $87 million. The grants tested were not closed in the financial system due to IT system problems and the lack of a coordinated effort between PIH and the CFO to resolve the issues. As a result of OIG’s review in this area, CFO and PIH began reviewing these outstanding obligations and are drafting enhanced closeout procedures for the LRP grant program. As of September 2010, PIH has identified 242 grants for close out and deobligated $71.6 million. We recommend PIH continue their review of the remaining grants and associated outstanding obligations. We also recommend PIH update their funds control plans by adding procedures to ensure 24 that that any unexpended obligation portfolios are not excluded from the open obligation review. Long-Term Financial Management System Needs to be Implemented We have been reporting weaknesses in HUD’s financial management systems areas for many years, including making a recommendation that HUD develop a long-term financial management system solution to automate and streamline its processes. Last year, as part of HUD’s effort to improve the quality of services within the rental housing assistance business areas, HUD conducted a study of its performance gap and developed a long-term information technology (IT) strategy and improvement plan to address the performance gap. However, as of the end of fiscal year 2010, it had not been fully implemented. Meanwhile, the shortcomings in the financial management systems continued to impair HUD’s abilities to properly monitor and accurately account for contract renewals and report obligation balances. 25 Significant Deficiency 3: HUD Management Must Continue To Improve Oversight and Monitoring of Subsidy Calculations, Intermediaries’ Performance, and Utilization of Housing Choice Voucher Funds Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds through various grant and subsidy programs to multifamily project owners (both nonprofit and for profit) and housing agencies. These intermediaries, acting for HUD, provide housing assistance to benefit primarily low-income families and individuals (households) that live in public housing, Section 8 and Section 202/811 assisted housing, and Native American housing. In fiscal year 2010, HUD spent about $30 billion to provide rent and operating subsidies that benefited more than 4.8 million households. Since 1996, we have reported on weaknesses with the monitoring of the housing assistance program’s delivery and the verification of subsidy payments. We focused on the impact these weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing subsidies and (2) verify tenant income and billings for subsidies. During the past several years, HUD has made progress in correcting this deficiency. Since fiscal year 2006, HUD has utilized the comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts to address public housing agencies’ (PHA) improper payments and other high-risk elements. HUD’s continued commitment to the implementation of a comprehensive program to reduce erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying out their responsibility to administer assisted housing programs according to HUD requirements. The Department has demonstrated improvements in its internal control structure to address the significant risk that HUD’s intermediaries are not properly carrying out their responsibility to administer assisted housing programs according to HUD requirements. HUD’s increased and improved monitoring has resulted in a significant decline in improper payment estimates over the last several years. However, HUD needs to continue to place emphasis on its on-site monitoring and technical assistance to ensure that acceptable levels of performance and compliance are achieved and periodically assess the accuracy of intermediaries rent determinations, tenant income verifications, and billings. Tenant income is the primary factor affecting eligibility for housing assistance, the amount of assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy payment makes up the difference between 30 percent of a household’s adjusted income and the housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The admission of a household to these rental assistance programs and the size of the subsidy the household receives depend directly on the household’s self-reported income. However, significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent determinations and undetected, unreported, or underreported income. By overpaying rent subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds that could have been used to subsidize other eligible families in need of assistance. 26 HUD’s Gross Estimate of Erroneous Payments Decreased in Fiscal Year 2010 The estimate of erroneous payments that HUD reports in its Agency Financial Report (AFR) relates to HUD’s inability to ensure or verify the accuracy of subsidy payments being determined and paid to assisted households. This year’s contracted study of HUD’s three major assisted housing programs estimated that the rent determination errors made by the intermediaries and intentional underreporting of income by the tenants resulted in substantial subsidy overpayments and underpayments. The study was based on analyses of a statistical sample of tenant files, tenant interviews, and income verification data for activity that occurred during fiscal year 2009. Since January 2007 the amounts reported in the study were being adjusted due to program structure changes9 . While HUD's improper payment rate decreased from 3.5 percent in fiscal year 2009 to 3.1 percent in fiscal year 2010, HUD continues to report substantial amount of gross dollar erroneous payments in the rental housing assistance program. In fiscal year 2010, HUD reported in its AFR a combined gross improper payment estimate of $925 million in fiscal year 2009. This is a decrease of 10 percent compared to the prior year estimate of $1.02 billion. As noted above, the gross erroneous payments reported by the department in fiscal year 2010 excluded $215 million in gross erroneous payments attributable to PHA's administrator ($130 million) and income reporting ($85 million) errors. In fiscal year 2010, in response to section 3(b) of the Presidential Executive Order 13520, Reducing Improper Payments, we also noted specific areas for improvements which would strengthen HUD's improper payment reduction strategies. We also recommended HUD to consider full disclosure of HUD's statistical estimates of erroneous payments in PIH’s rental assistance program to provide the required 9 The Public Housing programs switched to Asset Management and began calculating formula income for PHAs as noted in 24 CFR 990.195 Calculating Formula Income. This change eliminated the 3 types of improper payment errors for the Public Housing program. This new process was implemented in January 2007. Therefore for FY 2007 this process was in place for the last 3 quarters of the year and HUD subsidy errors occurred only in the first quarter. Errors could still be made by PHAs in their calculation of the amount of tenant rent or tenants could still be under reporting their income, however beginning January 2007 this no longer affected HUD's subsidy. The Quality Control (QC) study and Income Match Reporting study estimated these errors for the entire fiscal year because this information is useful to management of both PIH and the PHAs. However, based on the conversion to asset management and the change in calculating formula income becoming effective in January 2007, none of the amounts calculated in the QC study for the Public Housing Administrator, Income Reporting, and Billing errors will be reported for FY 2008 as this change was in effect for all of FY 2008. In addition, the establishment of a budget based funding methodology was implemented for the Housing Choice Voucher Program to eliminate the opportunity for billing errors in that program. Budget based means that each PHA will have a set annual budget for vouchers to serve their clients’ needs. The PHA will receive the annual budget in 12 equal monthly payments – thus eliminating the need to bill HUD and eliminating the Housing Choice Voucher Program Billing Error. 27 transparency under this order. Our analysis of the payment error estimates reported by HUD in fiscal years 2010 and 2009 is provided in detail below. Administrator Error - This error represents the program administrators' failure to properly apply income exclusions and deductions and correctly determine income, rent, and subsidy levels. HUD reported $440 million (net of adjustments) in estimates of erroneous payments due to administrator error in fiscal year 2010. This is a 10 percent increase compared to prior year estimates of $400 million. Income Reporting Error - This error represents the tenant beneficiary's failure to properly disclose all income sources and amounts upon which subsidies are determined. HUD reported $218 million (net of adjustments) estimates of erroneous payments due to income reporting error in fiscal year 2010. This is a 41 percent decrease compared to prior year estimates of $371 million. Billing Error - This error represents errors in the billing and payment of subsidies between HUD and third party program administrators and/or housing providers. HUD reported $57 million in estimates of erroneous payments due to billing error in fiscal year 2010. This is 4 percent decrease compared to the $59 million estimates in fiscal year 2009. The fiscal year 2009 estimates were carried over from the 2006 billings study. HUD conducted billings study during fiscal year 2010 to update the 2006 billings study. As in prior years, PIH's billings error estimates had been reduced to zero for the Housing Choice Voucher program. Therefore, only the Office of Housing's estimate of $57 million was included in the estimate of erroneous payments for billing errors. Need To Continue Initiatives to Mitigate Risks Due to Unreported Tenant Income HUD has implemented several initiatives, including Enterprise Income Verification (EIV), supplemental measures, and Integrated Subsidy Error Reduction System (ISERS), to mitigate the improper payment risks due to unreported tenant income. The computer matching agreement between HUD’s Office of Housing and the Department of Health and Human Services (HHS) for use of the National Directory of New Hires in the Enterprise Income Verification system (EIV) was finalized in fiscal year 2008. HUD successfully expanded its computer matching program with the HHS data to all of its rental assistance programs (public housing, housing vouchers, and project-based housing) when HUD’s project-based 28 program gained access to the HHS database on January 15, 2008. The other programs had gained access previously. Effective January 31, 2010, HUD required all public housing agencies and owners and management agents to use EIV in verifying the employment and income of program participants in order to improve the accuracy of income and rent determinations in the assisted housing programs. EIV is a web-based system that compiles tenant income information and makes it available online to HUD business partners to assist in determining accurate tenant income as part of the process of setting rental subsidy. Currently, EIV matches tenant data against Social Security Administration information, including Social Security benefits and Supplemental Security Income, and with the HHS National Directory of New Hires (NDNH) database, which provides information such as wages, unemployment benefits, and W-4 (―new hires‖) data, on behalf of PIH and Multifamily Housing programs. The EIV System is available to PHAs nationwide and to Owner Administered project-based assistance programs and they are encouraged to use and implement the EIV System in their day-to-day operations. In addition, both the PIH and Office of Housing established supplemental measures, in response to Presidential Executive Order 13520, to manage the risk from other sources of payment errors such as deceased tenants or those tenants who failed identity verifications due to an invalid social security number and to monitor and track compliance with the mandatory use of EIV. These supplemental measures by design are capable of achieving HUD's control objective of mitigating improper payment risks but it needs to ensure that they are tested as part of HUD's annual OMB Circular A-123 assessment reviews to provide them reasonable assurance that these controls are working properly. In our fiscal year 2009 audit, we noted that ISERS (previously known as Multifamily Error Tracking Log) was going through the procurement process. The ISERS system was intended to document whether and to what extent owners are accurately, thoroughly, and clearly determining family income and rents in the Office of Multifamily Housing Subsidy Programs, and also to track the specific dollar impact of income and rent discrepancies and the corresponding resolution of such errors. In fiscal year 2010, a contract to build the system was in place and a contractor has been selected. To date, the system is currently in its early stages of system development life cycle and its full implementation is not expected until April. 29 Need To Continue Progress on RHIIP Initiatives for Monitoring Intermediaries Performance HUD initiated the RHIIP as part of an effort in fiscal year 2001 to develop tools and the capability to minimize erroneous payments. The type of erroneous payments targeted includes the excess rental subsidy caused by unreported and underreported tenant income. HUD has continued to make progress in addressing the problems surrounding housing authorities’ rental subsidy determinations, underreported income, and assistance billings. However, HUD still needs to ensure that it fully uses automated tools to detect rent subsidy processing deficiencies and identify and measure erroneous payments. During fiscal year 2006, HUD implemented a 5-year plan to perform consolidated reviews to reinforce PIH’s efforts in addressing housing authorities’ improper payments and other high-risk elements. These reviews were also implemented to ensure the continuation of PIH’s comprehensive monitoring and oversight of housing authorities. The 5-year plan required HUD to perform tier 1 comprehensive reviews on approximately 20 percent or 490 of the housing authorities that manage 80 percent of HUD’s funds. The comprehensive reviews included rental integrity monitoring (RIM), RIM follow-up on corrective action plans, EIV implementation and security, Section 8 Management Assessment Program (SEMAP) confirmatory reviews, SEMAP quality control reviews, exigent health and safety spot checks, Management Assessment Subsystem (MASS) certifications, and civil rights limited front-end reviews. In fiscal year 2010, HUD deemphasized the RHIIP initiative as a priority and focused its resources on the review of American Recovery and Reinvestments Act (ARRA) activities. PIH did not plan, set goals, or perform as many consolidated reviews. In prior years, the PIH required the field offices to perform about 100 tier 1 reviews in conjunction with the RHIIP initiative and outlined the goals for performing those reviews in the HUD Management Plan. In fiscal year 2010, HUD did not prepare a Management Plan to document its planned efforts or set goals for RHIIP reviews. PIH stated that for fiscal year 2010, they would initiate RIM reviews in response to specific concerns. We found that in fiscal year 2010, HUD only performed 19 tier 1 reviews of its highest at risk housing authorities, which was significantly lower than the 105 reviews completed in fiscal year 2009. In addition, we noted corrective action plans implemented as a result of the reviews performed in prior years were not being tracked and monitored. In prior years, we reported that information contained in the PIH Inventory Management System (PIC-IMS) was incomplete and/or inaccurate because PHAs reporting requirements were discretionary. As a result, PHAs have been mandated to submit 100 percent of their family records to HUD. HUD annually evaluates those PHAs not meeting the 95 percent requirement. Based on the PIC- 30 IMS data, as of April 2010, nine percent (489 out of the 5,491) of the PHAs did not meet HUD’s minimum reporting rate requirements. PIH is required to annually evaluate PHA’s reporting rates and may impose sanctions for failure to meet the minimum reporting requirements. We found no sanctions imposed on the PHAs for the past two years. Complete and accurate data within the PIC-IMS is essential to perform EIV computer matching analysis, which detects underreported income as well as other fraud factors. We believe that PIH should be consistent in its annual review process and impose sanctions when warranted on PHAs that are not meeting the required minimum reporting rates. HUD has made substantial progress in taking steps to reduce erroneous payments. However, it must continue its regular on-site and remote monitoring of the PHAs and use the results from the monitoring efforts to focus on corrective actions when needed. We are encouraged by the on-going actions to focus on improving controls regarding income verification. Monitoring Public Housing Agencies’ Utilization of Section 8 Housing Choice Voucher Program Funds The Section 8 Housing Choice Program is HUD’s largest housing assistance program with an annual appropriation of $18 billion and provides assistance to 2.1 million families. In fiscal year 2005, Congress in an effort to control the cost of the program and to provide PHAs flexibility in the administration of available program funding, significantly changed the way HUD provides subsidies and monitors the subsidies paid to PHAs. The basis of the program funding went from a ―unit-based‖ process to a ―budget-based‖ process that limits the Federal funding to a fixed amount. HUD distributes funding using a formula based on the housing agencies’ self- reported prior-year costs by in the Voucher Management System (VMS). PHAs retain and are expected to use the funds in their entirety for authorized program activities and expenses within the time allowed. Program guidance states that any budget authority provided to PHAs that exceeds actual program expenses for the same period must be accounted for as restricted cash and maintained separately and available for program operations. Although these funds are retained by the PHA and not HUD, HUD relies on the PHAs to hold excess budget authority in reserve and available for program cost increases. According to HUD’s monitoring systems, as of June 30, 2010, PHAs’ Net Restricted Assets (NRA) accounts showed an estimated balance of $1.04 billion in excess funding held by PHAs. 31 HUD’s monitoring of PHAs’ budget authority utilization is an essential internal control to ensure PHAs properly account for program resources and excess funds are used for authorized program activities. Consequently, accurate VMS cost data is essential to (1) correctly calculate the $18 billion annual PHAs budget allocations; (2) determining over and under utilization of funds and excess budget authority available for unanticipated cost increases and budget offsets; and (3) evaluating PHAs’ performance in ensuring the maximum number of families served. In our fiscal year 2009 report,10 we recommended (1) increased monitoring efforts regarding the excess budget authority held by PHAs; (2) HUD seek legislative authority to perform additional offsets on PHAs with large balances of excess funding and put unused funds into better use; (3) HUD reconcile PHAs excess restricted funds accounts to ensure funds available for program use; and lastly (4) HUD increase its on-site monitoring by including the confirmation of the excess budget authority as part of the VMS expenditure reviews. Last year, we also reported that approximately 370 PHAs requested additional funding in fiscal year 2009 to cover anticipated funding shortfalls, which placed many families at risk of losing the subsidy. During fiscal year 2010, Congress allowed HUD to use up to $200 million to provide additional funding to PHAs experiencing housing assistance and administrative fees funding shortfalls in 2009. With those funds 182 PHAs received a total of $78 million of additional funding. As a proactive measure, HUD established the shortfall prevention team (SPT) to prevent assisted families from being terminated from the Housing Choice Voucher (HCV) program due to PHAs’ failure to adequately manage their funds. This team reviewed updated funding utilization from reports that combining funding, leasing and expense data from various HUD systems, and used the data to project the funding utilization rate for the 2,347 PHAs administering HCV programs. Their goal was to identify PHAs at risk of running out of funds before the end of the year. According to the SPT, in fiscal year 2010 there are 34 PHAs identified at risk. The total projected shortfall at this time is $1.4 million and 1,466 families are potentially at risk of losing their housing assistance. The SPT is currently working with the 34 PHAs to identify cost savings measures to maximize the current funding utilization levels without having to terminate families from receiving assistance. HUD has made improvements for tracking PHAs funds utilization by comprehensibly analyzing the expenditure data collected in VMS. HUD’s monitoring reports shows that overall dollar utilization rate is 100 percent as of 10 Additional Details to Supplement Our Report on HUD’s Fiscal Year 2009 and 2008 Financial Statements, 2010-FO-0003, dated November 16, 2009 32 June 30, 2010, however some PHAs continue to accumulate excess funds reserves accumulated because they are not maximizing their leasing vouchers rate. According to HUD’s monitoring report the total unit-voucher available for lease utilization rate for the 2,347 PHAs is 93 percent as of June 30, 2010. Of that, 1,431 PHAs have less than the desirable rate of 95 percent utilization of unit voucher rate. Those PHAs have a total of $640 million in estimated excess funds unused. The voucher utilization rates for the other 916 PHAs are at 95 percent or above with NRA estimated account balances of $403 million in excess unused funds. Last year, we recommended that HUD to seek legislative authority to implement $317 million in offsets against PHA’s excess unusable. HUD included language in the FY 2011 congressional budget justification seeking authority to reduce a PHA’s annual budget allocation by an amount in excess of 6 percent of a PHA’s accumulated NRA balance. Based on the annualized rate of BA and NRA balance as of June 30, 2010, we calculated that 1,459 PHAs will be eligible for offsets amounting to $385 million. Therefore, we recommend that HUD execute an offset of the $385 million in excess funds. In 2010, HUD began efforts to address prior year recommendations to ensure that PHAs excess funds are reconciled with HUD’s estimated excess funds in order to maintain control and to better manage the program’s budgetary resources. This effort11 consisted on a reconciling the excess funds balance reported by the PHAs into HUD FASS12 against the VMS13 data to ensure that accurate account balance data will be available for financial management and budget decisions. We made a site visit to Section 8 Financial Management Center in Kansas City and performed a walkthrough of the financial statements reconciliations process. We selected a sample of 20 reconciliations from the 223 PHAs reconciliations completed at the time. We reviewed the reconciliations to determine whether the HUD’s estimated excess funds were accurate when compared with the PHAs financial statements as of December 31, 2009. Our review showed 16 PHAs had a total of $50 million more than the $25 million excess estimated by HUD. The other 4 PHAs had $53 million less than $57 million estimated by HUD. We did 11 The reconciliation effort will encompass the correction of discrepancies and the taking of actions against PHAs that are not in compliance with the HCV program financial requirements. HUD plans to reconcile the PHA excess unused budgetary resources accounted in the restricted (NRA) and non-restricted (UNA) equity fund balance accounts for all 2,400 PHAs. The Section 8 Financial Management Center and Real Estate Assessment Center will continue this process to maintain the accuracy of the NRA and NUA balances going forward. HUD also added fields to VMS to capture both excess unused NRA and NUA balances on a monthly basis to be able to more efficiency and effectively monitor PHAs utilization of NRA and NUA. 12 Real Estate Assessment Center Financial Assessment Subsystem (FASS) is used to electronically receive and evaluate unaudited and audited financial statements from the housing authorities as required by OMB Circular A- 133 Single Audit Act. 13 Voucher Management System (VMS) is a web portal where housing authorities report HUD the monthly expenditures and units voucher utilized. HUD used these data to monitor expenditures and determine over-under utilization, over leasing and excess unused funds that housing authorities maintain in their accounts. 33 note that improvements could be made to the reconciliation process in order to ensure that a proper audit trail of changes made by PHAs in VMS during the reconciliation project. We recommend that HUD develop procedures to ensure an audit trail is maintained of changes made in the reconciliation process. 34 Significant Deficiency 4: Office of Community Planning and Development (CPD) Needs to Establish an Adequate System of Internal Controls to Properly Monitor Grantees’ Compliance with Program Requirements CPD seeks to develop viable communities by promoting integrated approaches that provide decent housing and a suitable living environment and expand economic opportunities for low- and moderate-income persons. The primary means toward this end is the development of partnerships among all levels of government and the private sector, including for-profit and nonprofit organizations. To carry out its mission, CPD utilizes a mixture of competitive and formula-based grants. OMB Circular A-123, Management’s Responsibility for Internal Controls, requires that program offices implement an effective system of internal controls in order to ensure that grantees for which funds are provided are meeting their goals and objectives and carrying out the program in accordance with program requirements. These responsibilities include developing and maintaining internal control activities that comply with standards to meet the three objectives of internal control (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. In carrying out its internal control responsibility of grantee oversight, management is responsible for assessing the risk of grantee non-compliance with program regulations and developing control activities which collect and distribute timely and relevant information to those charged with making informed decisions. Control procedures developed should be clearly communicated, written, provide an audit trail and located where they can be obtained by those carrying out the activities. Proper design of control activities is important; however, monitoring and evaluating the effectiveness of the procedures is critical to facilitate the correction of control deficiencies before they materially affect the achievement of the organization’s objectives. Based upon our review of HUD’s HOME and Homeless Assistance programs, we noted control deficiencies regarding the programs’ timely deobligation and recapture of grantee funds, for grantees which were non-compliant in obligating and expending funds in accordance with program regulations. The combination of the control deficiencies we noted during our audit have adversely affected the organization's ability to meet its internal control objectives, which are to not only determine grantee compliance with applicable laws and regulations, but to also timely identify deficiencies, and to design and implement corrective actions to improve or reinforce program participant performance. 35 Subgrantees and Community Housing Development Organizations for the HOME Program Do Not Always Expend Grantee Funds in a Timely Manner Our review of the HOME Investment Partnerships Program found $20.8 million in unexpended grants funded with no-year expiration funds and dated from 1992 through 2001. In addition, $10.3 million of the $20.8 million were uncommitted funds. These no-year funds had accumulated due to poor performing community housing development organizations (CHDO) and subgrantees (1) that did not expend funds in a timely manner and (2) a cumulative accounting process which allowed poor performance to go undetected. Current HOME program regulations state that funds not expended in a timely manner can be reallocated in the next year’s formula allocation to further the mission of the program. It is the field offices’ responsibility to ensure that funds from fiscal years 2001 and earlier that were not spent in a timely manner were recaptured and used in the next year’s formula allocation. HOME program regulations do not penalize or highlight poorly performing subgrantees or CHDOs for two reasons. First, the commitment, reservation, and disbursement deadlines were determined on an aggregate/cumulative basis versus a grant year basis. This process created a situation in which older funds remain available for drawdown because compliance with the disbursement deadline is determined cumulatively. Therefore, if a subgrantee or CHDO were not performing as it should, or not spending funds to complete its projects, the cumulative program requirements allow one grantee’s poor performance to remain undetected. Second, CHDO subgranted or reserved funds that are subgranted or reserved to a CHDO are held to the five year disbursement deadline, but it is the participating jurisdiction that was ultimately responsible for meeting the disbursement deadline. Only the participating jurisdiction can draw funds, not the subgrantee or CHDO. In addition, it appears that the large number of subgrantees and CHDOs per participating jurisdiction within the HOME program and lack of field office staff, made it difficult for the field offices to sufficiently monitor the status of subgranted funds. The $20.8 million in HOME grant funds for fiscal years 2001 and earlier which have not been expended and the $10.3 million in unreserved and uncommitted HOME grant funds for fiscal years 2001 and earlier, were not used to expand the 36 supply of decent, safe, sanitary, and affordable housing for low- and very low- income families. In addition, our review also showed $3.7 million in unexpended fiscal year 2003 HOME funds and $1.4 million in uncommitted funds. These funds, due to provisions of the Defense Authorization Act14 should be cancelled and the remaining amounts remitted to Treasury on September 30, 2010. During the fiscal year 2009 audit15, OIG recommended that CPD ensure that field offices encourage participating jurisdictions to review the Expiring Funds Report as well as the performance of CHDOs and subgrantees to determine whether the unused funds should be deobligated. We also recommended that CPD develop a policy that would track expenditure deadlines for funds reserved and committed to CHDOs and subgrantees separately. However, as part of the fiscal year 2010 audit, CPD informed the OIG that in order to rectify this problem and in response to our recommendations, they contracted with an independent company to modify the Integrated Disbursement Information System (IDIS)16 so that one CHDO or subgrantee’s funds under one PJ can be used by another in the event of untimely use of funds by another CHDO or subgrantee. CPD terms this process as ―true-FIFO.‖ CPD officials stated this will eliminate unused funds from being ―held‖ to one CHDO. The Department estimates that the proposed change in IDIS will result in the drawdown of grant funds on a true-FIFO basis, will eliminate the current fiscal years 1992 – 2001 HOME grant balances in less than one fiscal year. The project is currently in the design phase, and is expected to be implemented by December 31, 2010. These amounts would be disbursed after changes are made to FIFO rules in IDIS. We believe that the modifications to IDIS are inappropriate and would further erode CPD ability to monitor actual performance by its participating jurisdictions and CHDOs. HUD should suspend work on this task immediately until a review of how appropriate compliant business processes can be integrated into IDIS’s programming. 14 The National Defense Authorization Act of 1991(Public Law 101-510, November 5, 1990) established rules governing the availability of appropriations for expenditure. This legislation mandates that on September 30th of the fifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall be closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and thereafter shall not be available for obligation or expenditure for any purpose. 15 Audit Report number 2010-FO-003 – Subgrantees and Community Housing Development Organizations for the HOME Program Do Not Always Expend Grant Funds in a Timely Manner – identified $24.7 million in undisbursed HOME funds on grants from 1992 through 2001. 16 As a nationwide database, IDIS provides HUD with current information regarding the program activities underway across the Nation, including funding data. HUD uses this information to report to Congress and to monitor grantees. IDIS is the draw down and reporting system for the four CPD formula grant programs: CDBG, HOME, ESG, and HOPWA and Recovery Act programs: CDBG-R, TCAP and HPRP. The system allows grantees to request their grant funding from HUD and report on what is accomplished with these funds. 37 Funds from Expired Contracts Not Timely Recaptured for Homeless Assistance Programs Our review of the obligation balances for the Office of Special Needs Assistance Programs (SNAPS) as of September 30, 2010, showed approximately $97.8 million in undisbursed obligations recorded for expired contracts for Shelter Plus Care and Supportive Housing Program homeless assistance programs. These contracts expired on or before June 30, 2010. CPD’s Funds Control Plan allows a 90-day closeout period for expired contracts. HUD regulations also state that HUD may authorize an extension for a recipient to complete the closeout process and liquidate all obligations incurred under the award. Field offices were responsible for reviewing the status of contracts and recommending that funds that have been obligated but not disbursed in the appropriate timeframes be deobligated and included in the next year’s Continuum of Care competition to be redistributed to eligible grantees, if they are deobligated during the unexpired phase of the budget authority17. The competitive programs under homeless assistance included Shelter Plus Care, Supportive Housing, and Section 8 Moderate Rehabilitation Single Room Occupancy. CPD officials stated that when a contract expires, the excess funding should be locked and the grantees access to the funds curtailed. CPD instructed the field offices to review these contracts and recommended that remaining funds be recaptured. Special emphasis was placed on this review process before the annual funding competition. However, we found that many of these expired contract reviews were not performed. SNAPs did not have an effective system of internal controls with published control activities that include specific policies, procedures and mechanisms in place to help ensure that grants were closed out and remaining balances recaptured, including appropriate documentation of extensions granted and follow-up efforts with the grantees. Excess funding on the expired contracts included in the $97.8 million identified, which have not been extended and are still within the unexpired phase of the budget authority, can be included in the next continuum of care competition as announced in the notice of funding availability and redistributed to eligible grantees. The excess funds should be recaptured and used to further accomplish the objectives of the program, which are to reduce the incidence of homelessness 17 Period of availability for making disbursements: Under a general law, annual budget authority and multi-year budget authority may disburse during the first two phases of the life cycle of the budget authority. During the unexpired phase, the budget authority is available for incurring "new" obligations. You may make "new" grants or sign "new" contracts during this phase and you may make disbursements to liquidate the obligations. This phase lasts for a set number of years. Annual budget authority lasts for up to one fiscal year. Multi-year authority lasts for longer periods, currently from over one fiscal year up to 15 fiscal years, and no-year authority lasts indefinitely. 38 in Continuum of Care communities by assisting homeless individuals and families to move to self-sufficiency and permanent housing. Completed Projects for the HOME Program Not Always Closed Out in IDIS in a Timely Manner A review of the Home program Open Activities Report18 (Report) dated August 31, 2010, showed 5,437of 19,552 open activities (28 percent), in which the participating jurisdiction had made its final draw but the activity was still listed on the Open Activities Report. Thus, these projects were not closed in the system although all funds had been drawn. HOME program regulations required participating jurisdictions enter project completion information into IDIS within 120 days of making a final draw for a project. A similar finding was reported by the Office of Inspector General (OIG) during the FY09 audit19. The Report also showed 350 activities with funding dates 2005 and prior wherein the percentage of amounts drawn on the activity was 50 percent or less. These activities had a funded amount of $35M with $27.5M still available to draw at August 31, 2010, or at least five years after they were originally funded. The Report also showed 1,270 activities which were funded between 1993 and 2009 that have a funded and remaining amount of $189M, as no draws have been made against the activity since they were initially funded. The Open Activities Report also allows participating jurisdictions to view activities that have been open for several years with little or no HOME funds drawn. Field offices can use this report as a desk-monitoring tool to view each participating jurisdiction’s open activities in need of completion or possibly cancellation in IDIS. If the report indicates that funds have not been drawn for an extended period, the field office can use the report to follow up with the participating jurisdiction to determine the reason for the slow progress on the project and whether it should be cancelled. However, it appeared that the field offices were not using the Open Activities Report to follow up with participating jurisdictions on slow-moving projects listed on the report. It also appeared that participating jurisdictions were not using the report as a reference to determine projects that should be cancelled or closed in IDIS. The report was created to alleviate the widespread problem of participating jurisdictions not entering project completion data into IDIS in a timely manner. A 18 The Open Activities Report is issued monthly and used by CPD field offices and participating jurisdictions within the HOME program to review open activities in the Integrated Disbursement and Information System (IDIS). Open activities are those that have not been closed in the system. 19 2010-FO-003 – Completed Projects for the HOME Program Not Always Closed Out in IDIS in a Timely Manner – identified 5,972 of 29,216 (20 percent), in which the participating jurisdiction had made its final draw but the activity was still listed on the August 31, 2009 Open Activities Report. 39 similar finding was reported by the Office of Inspector General (OIG) concerning HUD’s needs to improve efforts to require participating jurisdictions to cancel HOME fund balances for open activities20. As a response to the two OIG findings, HOME published a new HOME FACTS policy (HOME FACTS - Vol. 3 No. 1, June, 2010). The HOME FACTS announces and explains the change in HUD’s treatment of HOME activities with commitments in the IDIS that are over 12 months old with no funds disbursed. Effective January 1, 2011, these activities will be automatically cancelled by HUD. Once the activity is cancelled, any funds that were committed to that activity will no longer be considered committed HOME funds; however, they will be available to the PJ for commitment to other projects. Additionally, HUD will be reviewing the Open Activities Report on an annual basis for stalled activities and following up on them until resolution. However, the HOME FACTS does not address PJs entering completion data into IDIS in a timely manner and the annual review for stalled activities has not been implemented in a formal policy. Moreover, documentation of a system of internal controls, wherein control activities that have been established and implemented to ensure compliance with Title 24 CFR 92.502(d)(1) and that instances of non-compliance is being communicated to the level of management in a timely manner to effect change, does not exist. During the annual monitoring process if a grantee is determined to be non-compliant and if a Finding is issued, CPD does not maintain documentation or require any follow-up procedures for these instances of non-compliance. Participating jurisdictions that do not enter completion data in a timely manner are in violation of the HOME regulations. Failure to enter project completion data in IDIS negatively affects a participating jurisdiction’s score on several HOME performance SNAPSHOTS indicators, understating actual accomplishments and reducing the participating jurisdiction’s statewide and national overall rankings. The widespread failure of participating jurisdictions to enter completion and beneficiary data in a timely manner resulted nationally in underreporting of actual HOME program accomplishments to Congress and the Office of Management and Budget (OMB) and may negatively impact future funding for the program. Failure to timely cancel stalled or inactive activities leaves unused funds committed to activities and keeps them from being committed to new activities. 20 OIG audit report entitled ―HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of HOME Funds (2009-AT-0001, dated September 28, 2009). 40 Significant Deficiency 5: HUD Needs to Improve Administrative Control of Funds HUD needs to improve accounting and administrative controls of funds to ensure funds control plans are complete, accurate, updated and complied with by the program offices. During our review, we noted funds control plans were not updated to reflect changes in accounting procedures, allotment holders, or funds control officers and requirements were not always followed to support obligations and disbursements of funds. This has been a long standing issue and has been previously reported in our Management Letter to the Department since fiscal year 2005. The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 requires that ―internal accounting and administrative controls of each executive agency shall be established to ensure (1) obligations and costs are in compliance with applicable law; (2) funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (3) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.‖ HUD’s Handbook 1830.2 set forth the authorities and responsibilities to administer control of HUD’s funds. The handbook states that Congress has vested overall responsibility for establishing an effective administrative control of funds process with the CFO. It provides the internal guidance for the preparation of the funds control plans to comply with the Provisions of the Anti-deficiency Act and FMFIA as well as the overall process for reviewing and approving the funds control plans. It also states that the OCFO will conduct periodic reviews of compliance with funds control plans to assure adequate funds control is being applied in actual practice. Funds Control Plans are not Complete and Accurate During our review of the Low Rent Program (LRP) unliquidated obligations, we noted that the funds control plan for the LRP was not updated to reflect changes made in accounting procedures that resulted from LRP’s 1986 legislative changes. At that time, Congress changed the financing of the LRP from Direct Loans to Grants. The legislation resulted in the forgiveness of all outstanding LRP direct loans made to PHAs converting those into grants that were used for the constructions of new housing projects. When that occurred, the funds control plan should have been revised to reflect the changed accounting processes necessary to capture, account and review the financial activity of the program as grants rather than loans. PIH did not make any updates to the funds control plan document to reflect the changes in the accounting procedures needed for account, review and recapture the resulting obligations of grants. Furthermore, the LRP funds control plan was approved year after year from 2003 until FY 2009 without the 41 appropriate changes being made. This resulted in an overstatement of $174 million to the unliquidated obligations line item. During our review, we noted that the LRP (appropriation 4098) had $587 million in Treasury notes receivables and had $587 in payable balances to the Capital Fund Program (0304) at the end of September 30, 2009 in the HUDCAPS trial balance. These Treasury notes were bought with resources from the Capital Fund program creating the payable amounts in appropriations 4098 and 0304. The Treasury notes purchases were bought to offset part of the financing cost of the long term debt accounted for in the Capital Fund Program. Yearly, the CFO performed adjusting entries to eliminate the LRP receivable and payable balance to present the correct balance of long term debt in the financial statements. In March 2010, the CFO took steps to liquidate the intra-HUD receivables/payables outstanding as well as liquidating the long term debt with Treasury. This liquidation should have been accomplished when the loan program was converted to a grant program. HUD needs to have procedures in place for comprehensively analyzing program proprietary and budgetary financial conditions in connections with the review of the funds control plans. HUD’s Handbook 1830.2 Rev-5 relies solely on the program allotment holders for preparing or updating the funds controls plan. The handbook also places the responsibility on the program allotment holder for notifying the CFO of changes made to the plan resulting from legislative changes. The Handbook does not provide specific elements or requirements that a funds control plan should have to comply with as well as steps for corroborating that the allotment holder has considered the latest program legislation. In addition, we reviewed the obligation and expenditure of the American Recovery and Reinvestment Act (ARRA) funds to determine whether their obligation and expenditure met legal and administrative requirements as required by law. We obtained the funds control plans for the programs that received ARRA funding to determine the funding amounts, obligation/disbursement time limits for HUD and the grantees, HUD systems utilized to account for and allow the authorized disbursement of ARRA funds, provisions for the payment of administrative costs including appropriation codes, point of obligation documentation, and payment request and validation procedures. We found that ARRA funds control plans did not always include details to enable HUD staff to monitor, properly account for, and process ARRA funding and reimbursement requests. Specifically, we reviewed fifteen funds control plans, and found that fourteen funds control plans did not always include information such as funding codes, funding amounts, and obligation and expenditure time limit details. Additionally, for the Green Retrofit loan program, we noted that the fund control plans did not include the processes, procedures, and program code for obligations and disbursements made to Treasury for interest payments. 42 HUD Needs to Comply with Its Funds Control Plan Requirements During our testing of obligations and disbursements, we found that HUD did not always follow the procedures and requirements in the fund control plans. We reviewed 453 obligations and 526 disbursements to determine whether HUD followed the requirements of its funds control plans. Our review showed non- compliance with the funds control plans for 32 of the obligations and disbursement items sampled. Specifically, we found: HUD and the grantee did not always sign the obligation documents in the order required by the funds control plan; HUD recorded ―date grantee notified‖ as the effective date and point of obligation instead of the date the grantee signed the agreement; Grant agreements were not signed/dated by an entity official; Titles of signing officials were not noted in the grant agreement and the signature of grantee not dated; The obligation date in LOCCS PAS (Program Accounting System) Project report was not the congressional release date as required by funds control plan; and HUD did not always execute the required documentation to obligate the funds, and HAP Renewal Contracts were not always signed by HUD officials. Additionally, our review of the Green Retrofit loan program determined that HUD did not always follow the procedures and requirements in the fund control plan. We noted that HUD did not execute the required documentation per the fund control plan authorizing the transfer of the credit subsidy. Additionally, we identified 11 disbursed loans which did not have the required credit subsidy transferred prior to disbursement of the loan, as required. HUD Did Not Always Timely Update Its Funds Control Plans We reviewed the funds control plans for 59 funds managed by the Community Planning and Development (CPD) and found that its funds control plans were not always updated timely. Specifically when there was a change in allotment holders or funds control officers for a program within the CPD, the names the responsible parties were not always updated and allotment holder certification signed. During our first and second phase testing covering the period from October 1, 2009 to July 31, 2010 in support of the fiscal year 2010 nationwide statistical sample segment testing, the audit procedures within that segment call for the 43 review of funds control plans. We reviewed 35 Funds Control Plans (30 associated with Financial Accounting Center (FAC), and 5 associated with Financial Management Center (FMC)) to determine whether HUD updated its funds control plans in a timely manner. We found that for 11 CPD programs, CPD did not update its funds control plans to show the new funds control officer and did not require the new funds control officer to sign the certification attached to the funds control plans. Certain HUD’s Programs are Operating without Funds Control Plans Our review of 12 funds control plans for appropriation 0303 and 0319 has identified 16 program codes that are not included in a funds control plan. We have determined that these program codes are related to programs under at least three HUD offices, including the Offices of Housing, CPD, and Policy, Development, and Research (PD&R). The age of the obligations under these program codes combined with the lack of a funds control plan has made it difficult to positively identify the responsible program offices and divisions. Although it is the responsibility of the program office to timely notify and update the funds control plans for their program office, the overall responsibility for establishing an effective administrative control of funds process is vested in the CFO. This responsibility includes ensuring that program offices adhere to the policies effective over the administrative control of funds and the respective funds control plans. 44 Significant Deficiency 6: Controls over HUD’s Computing Environment Can Be Further Strengthened HUD’s computing environment, data centers, networks, and servers provide critical support to all facets of the Department’s programs, mortgage insurance, financial management, and administrative operations. In prior years, we reported on various weaknesses with general system controls and controls over certain applications, as well as weak security management. These deficiencies increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation. We evaluated selected information systems general controls of the Department’s computer systems on which HUD’s financial systems reside. We also followed up on the status of previously reported application control weaknesses. Our review found information systems control weaknesses that could negatively affect HUD’s ability to accomplish its assigned mission, protect its data and information technology assets, fulfill its legal responsibilities, and maintain its day-to-day functions. Presented below is a summary of the control weaknesses found during the review. Security Management Program HUD has continued its progress in implementing a comprehensive, entity-wide information system security program. Specifically, HUD’s Office of the Chief Information Officer (OCIO) has successfully certified and accredited its major application and general support systems, responded to and resolved reported computer incidents within a timely manner, conducted contingency plan testing, and tracked, prioritized and remediated weaknesses identified in the plan of actions and milestones (POA&M) reports. However, several matters require management’s attention. Specifically, HUD did not: (1) conduct vulnerability scans of its network in accordance with NIST guidance; (2) require those with significant information system responsibilities complete applicable training courses, although a specialized security training curriculum had been developed; (3) ensure that remote access procedures were in compliance with regulations; (4) ensure that it could identify all users who access HUD systems; (5) fully develop and implement a continuous monitoring program; and (6) ensure that interconnectivity service agreements and memorandums of understanding were in place for interfaces between contractor systems and those that it owns and operates. 45 HUD’s Network Devices Have Security Weaknesses We audited security controls over HUD’s network devices21 to determine whether the security configurations implemented on the devices provided adequate controls to prevent abuse or unauthorized access to HUD’s information resources. We evaluated security measures that protect HUD information by scanning identified network devices and identifying vulnerabilities and suspect configurations that place sensitive information at risk. Security configurations implemented on HUD’s network devices were weak. Specifically, HUD did not (1) maintain a complete inventory of network devices, (2) implement strong security configurations on network devices, and (3) implement security configurations that sufficiently protected network paths. If HUD cannot comprehensively identify devices within its network, it cannot determine when there is unauthorized access to its network. An attacker could potentially exploit the weak security configurations to obtain information on the network and gain access to HUD’s systems and sensitive information. Failure to securely configure network devices and analyze information flow within a network increases the chances of sensitive information disclosure occurring without detection. Preventive Maintenance for the IBM Mainframe Operating System and Database Software was Not Performed HUD’s information technology (IT) support contractor did not perform preventive maintenance on the IBM mainframe system software22 to keep products up to date and available for support and enhancements. Software patches were not always installed, and software versions were not always upgraded to the minimum level that is supported by IBM. At least one issue was identified due to software patches not being applied as part of preventive maintenance. Specifically, a HUD system owner requested installation of the software to allow connectivity to databases on a HUD mainframe from applications based on other platforms. The request was approved, but the installation was delayed because software patches had not been installed up to the minimum supported level. 21 Audit report number 2010-DP-0004, ―Security Weaknesses on HUD’s Network Devices,‖ issued September 30, 2010 22 Audit report number 2011-DP-0001, ―HUD Did Not Properly Manage HITS Contracts and Contractors To Fully Comply With Contract Requirements and Acquisition Regulations,‖ issued October 6, 2010 46 In addition to the database software, we found two other system software products that had reached or were close to reaching their end of support life. Software, used to support the online transaction processing on the mainframe, was upgraded in June 2010, but had reached its end of support life in September 2009. Also, the mainframe operating system was upgraded in July 2010 or one month prior to the software reaching its end of support life in September 2010. Preventive maintenance is not generated and distributed for products that have reached end of support life; therefore, preventive maintenance cannot be performed to mitigate future potential problems as recommended by industry standards best practices. The use of system software, which was not maintained at the recommended level of service, could result in system outages, delays in service, and the inability to implement changes required by new initiatives and/or legislation. IBM Mainframe Libraries and Program Properties Table Were Not Properly Managed HUD’s IBM Mainframe libraries and program properties table were not adequately controlled. We reviewed the IBM mainframe authorized libraries and identified weaknesses that left HUD’s IBM mainframe vulnerable to unauthorized access. Three libraries were not under HUD security software23 resource security protection24. The resource level of protection is the most secure level of protection because it prevents programmers from linking into protected programs and files. Additionally, the mainframe library list included the names of libraries that do not exist, increasing the risk that unauthorized programs could be inserted and executed in the mainframe environment. This type of weakness could seriously diminish the reliability of information produced by all of the applications supported by the computer system and increase the risk of fraud and sabotage. The program properties table 25 is a list of programs that have been granted special properties and privileges above those that are normally permitted by the operating system. We reviewed the HUD’s mainframe program property table and identified program modules that were not being used by any legitimate program on the system. This creates vulnerability, in that, unscrupulous individuals could create malicious code under the name of an unused program module and circumvent security controls to read, modify, or delete critical or sensitive information and programs. If unused program modules remain active in the program property table, malicious code could be inserted and executed in HUD’s mainframe environment. 23 CA-Top Secret is the software used on the IBM mainframe to secure resources from unauthorized exposure. 24 Resource security protection prevents unauthorized updates to programs within the libraries. 25 The program properties table contains entries for special attributes of programs. 47 Security Controls Over HUD's Web Applications Need Improvement During FY 2009, we audited security controls over HUD's Web applications and identified weaknesses in the areas of security configurations and technical controls. For instance, HUD did not ensure that access controls followed the principle of least privilege for Web application configurations. Weak Web application security configurations disclose potentially sensitive information that may enable a malicious user to devise exploits of the application and the resources it accesses. This weakness could also potentially expose sensitive or confidential information as well as useful information that may enable a malicious user to devise effective and efficient exploits of the application and the resources it accesses. Additionally, HUD did not adequately implement controls to ensure confidentiality and privacy for Web applications. These weaknesses were not exploitable vulnerabilities, but they were a violation of security policy because the configurations potentially allowed access to data that are required to be confidential by law. Further, HUD did not adequately review Web applications for vulnerabilities and patch them. Exploiting vulnerabilities can breach confidentiality requirements to reveal sensitive information. We followed up on the status of these weaknesses during fiscal year 2010 and determined that corrective actions have not yet been implemented for these weaknesses. HUD plans to complete corrective actions for these weaknesses between October 31, 2010 and September 30, 2011. Disaster Recovery Grant Reporting System In FY 2009, we reported on selected controls within the Disaster Recovery Grant Reporting System (DRGR)26 related to the Neighborhood Stabilization Program (NSP) funding. We found that (1) access control policies and procedures for DRGR violate HUD policy, (2) the system authorization to operate is outdated and based upon inaccurate and untested documentation, (3) the Office of Community Planning and Development (CPD) did not adequately separate the DRGR system and security administration functions, and (4) CPD has not sufficiently tested interface transactions between DRGR and the Line of Credit Control System (LOCCS). As a result, CPD cannot ensure that only authorized users have access to the application, user access is limited to only the data that is 26 Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting System, issued September 30, 2009. 48 necessary for them to complete their jobs, and users who no longer require access to the data in the system have had their access removed. Further, the failure to sufficiently test interface transactions between DRGR and LOCCS leaves the department with limited assurance that the $5.9 billion in NSP funding are accurately processed. HUD has made progress toward resolving the issues identified last year. Policies and procedures were established for requesting access to DRGR, the duties of security administration and system administration for the DRGR application were separated, and steps were taken to fund the use of the CPD contractor to perform the help desk function for the DRGR application. However, significant weaknesses remain unresolved. HUD still needs to take action to address the weaknesses identified with system access controls, system documentation, and inadequate separation of duties and insufficient testing of controls with LOCCS. HUD Procurement System We audited HUD's procurement systems in fiscal year 200627. Through actions taken during fiscal years 2007, 2008, and 2009, the Office of the Chief Procurement Officer (OCPO) has made progress toward resolving the issues identified during the audit. However, two significant recommendations made in the audit report remain open, and the procurement systems continue to be noncompliant with Federal financial management requirements. In addition, the OCPO has not yet implemented functionality to ensure that there is sufficient information within HUD’s current procurement systems to support the primary acquisition functions of fund certification, obligation, de-obligation, payment, and closeout. The OCPO plans to replace the current acquisition systems and during fiscal year 2009 obtained $3.7 million in funding to purchase a commercial off the shelf application. The selection and acquisition of the new application, PRISM, was completed on September 30, 2010. Security Controls Over HUD's Databases During fiscal year 2008, we evaluated security controls over HUD’s databases28. We identified security configuration and technical control deficiencies within HUD’s database security controls in the areas of (1) passwords, (2) system patches, and (3) system configuration. We followed up on the status of these 27 Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems, issued January 25, 2007. 28 Audit Report No. 2008-DP-0007, Evaluation of HUD 's Security Controls over Databases, issued September 11, 2008 49 weaknesses during fiscal year 2010 and determined that technical control deficiencies relating to database passwords and database patches have been reviewed and corrected as the Office of the Chief Information Officer (OCIO) deemed appropriate. OCIO has not yet implemented secure configuration baselines for databases and the reviews for monitoring those configurations. This corrective action is not scheduled to be completed until December 31, 2010. LOCCS During our fiscal year 2007 audit, we found that the controls over the LOCCS user recertification process were not effective to verify the access of all users. Systemic deficiencies led to the omission of more than 10,000 users from the LOCCS recertification process. An additional 199 users had last recertification dates within the application prior to March 31, 2006, indicating that they also were not included in the fiscal year 2007 recertification process. During fiscal year 2008, the OCFO made improvements to this process by generating a report from the system that allowed them to identify users that only have approving authority within the application for the user recertification process. During fiscal year 2009, the OCFO made additional adjustments to the report. Our review of the data from both 2008 and 2009 again identified LOCCS users that were not recertified by the system. As a result, we concluded that further improvements are necessary to ensure that all users of LOCCS are recertified in accordance with HUD policy and that the corrective action taken in response to our 2007 finding did not fully address the problem. Our review of LOCCS user recertification data as of November 2009 identified 19 users whose access was not recertified as required by HUD policy. None of these users were HUD employees, and all of them had data entry access to LOCCS. The condition described above existed because OCFO did not ensure that all LOCCS users were included in the recertification process. By not ensuring that the access for all LOCCS users was reviewed, HUD was unable to ensure that (1) users only had access to the data within the core financial systems that were necessary for them to complete their jobs, (2) only authorized users had access to the system, and (3) users who no longer required access to the data in the system had their access removed. The recommendation regarding this issue remains open. Contingency Planning and Physical Security In fiscal year 2009, we found that the disaster recovery plan contained conflicting information and that the disaster recovery exercises did not fully test system functionality because critical applications were not verified through transaction 50 and batch processing and the exercises did not include recovery of all applications that interface with the critical systems. By not having current information in the disaster recovery plan and fully testing system functionality during disaster recovery exercises, HUD cannot ensure that its systems and applications will function as intended in an actual emergency. We also determined that sensitive data stored on backup tapes, transported and stored offsite, were not adequately protected. HUD’s information technology support contractor is required to create backup tapes of HUD’s mission-critical data and store the backup tapes at an offsite storage facility. These backup tapes are created for use in contingency operations and disaster recovery events and exercises. However, during the 2009 disaster recovery exercises, we observed that backup tapes from the offsite storage facility were not in encrypted form. We followed up on the status of these weaknesses during our fiscal year 2010 review and determined that corrective actions have not yet been completed. During our FY 2010 review, we evaluated contingency planning for core telecommunications functions provided by one of HUD’s IT support contractors. We found that the backup network control center (NCC) was not tested in a disaster recovery scenario to ensure the equipment would be able to support the contractor’s full network monitoring requirements in the event of a disaster that renders the primary NCC unavailable. The NCC provides oversight and control of HUD’s wide-area network (WAN) resources. By not testing the backup NCC, HUD could not be assured that the NCC backup equipment would support the full network monitoring requirements during an actual disaster recovery event where the primary NCC is no longer available. Consequently, there is a high risk of poor performance or failure of key business application processing and interruptions to the business. 51 Significant Deficiency 7: Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems For several years, we have reported that HUD’s personnel security practices over access to its systems and applications were inadequate. Deficiencies in HUD’s IT personnel security program were found and recommendations were made to correct the problems. However, the risk of unauthorized access to HUD’s financial systems remains a critical issue as the underlying conditions have not been fully resolved. We followed up on previously reported IT personnel security weaknesses and deficiencies and found that deficiencies still exist. HUD Does Not Have a Central Repository Listing of All Users with Access to HUD’s General Support and Application Systems Since 2004, we have reported that HUD did not have a complete list of all users with above-read access at the application level. Those users with above-read access to sensitive application systems are required to have a background investigation. Our review this year found that HUD still did not have a central repository that lists all users with access to HUD's general support and application systems. Consequently, in fiscal year 2010, HUD still had no central listing for reconciling that all users who have access to HUD's critical and sensitive systems have had the appropriate background investigation. While HUD's implementation in 2007 of the Centralized HUD Account Management Process (CHAMP) was a step toward improving its user account management practices, CHAMP remains incomplete and does not fully address OIG's concerns. Specifically, we noted that: CHAMP does not contain complete and accurate data. OCIO did not electronically migrate data from the HUD Online User Registration System into CHAMP. Instead, it chose to enter the legacy data manually. However, this process had not been completed. In a January 2009 audit report29, we recommended that all offices within HUD provide the historical information necessary to populate CHAMP. OCIO agreed with our recommendation, and corrective action was scheduled for completion in December 2009. We followed up on open recommendations and found that as of September 30, 2010, OCIO only completed entering user access data for 178 systems into 29 Audit report #2009-DP-0003―Review of the Centralized HUD Account Management Process’ dated Jan 9, 2009. 52 CHAMP (out of the total number of 235 systems, which is approximately 76 percent). In addition, because input of CHAMP user data has not been completed, HUD has not requested system owners to verify user access authorization with CHAMP on a semi-annual basis and provide feedback to OCIO as recommended. OCIO plans to complete the CHAMP user access authorization verification process by December 31, 2010. HUD did not conduct a security categorization and a risk assessment for CHAMP as required by Federal Information Processing Standards Publications 199 and 200. HUD's OCIO chose not to conduct a security categorization and risk assessment for CHAMP because it believed that these items were not required for CHAMP, which HUD considered to be a process rather than a system. HUD also believed that since CHAMP was exclusively owned by its IT contractor, it was not subject to the requirements of a security categorization and a risk assessment. Without a security categorization and risk assessment of CHAMP, HUD cannot know the full extent of risks that the CHAMP process is vulnerable to or whether adequate levels of security controls have been put into place to protect data and applications impacted by CHAMP. In the January 2009 audit report, OIG recommended that OCIO conduct a security categorization and a risk assessment for CHAMP. OCIO agreed with this recommendation and originally expected to complete the security categorization and risk assessment of CHAMP by August 31, 2009 but did not meet this date. Reconciliations to Identify Sensitive System Users Without Appropriate Background Investigations Remains a Concern In prior audits, we found that the reconciliations to identify users with above-read access to HUD sensitive systems but without appropriate background checks were not routinely conducted. Granting people access to HUD’s information and resources without appropriate background investigations increases the risk that unsuitable individuals could gain access to sensitive information and inappropriately use, modify, or delete it. HUD’s Personnel Security Division30 is required to reconcile listings of users with above-read access to HUD’s sensitive systems to the database containing background investigation information to ensure that each user has had the appropriate background investigation. In our May 2010 audit report31, we recommended that the Office of the Chief Human Capital Officer (OCHCO) develop and implement a plan to routinely perform the quarterly reconciliation of users with above-read access to sensitive systems and 30 The Personnel Security Division, within the Office of the Chief Human Capital Officer, has taken over the responsibilities of the former Office of Security and Emergency Planning (OSEP). 31 Audit report number 2010-DP-0002 ―Audit Report on the Fiscal Year 2009 Review of Information Systems Controls in Support of the Financial Statements Audit,‖ dated May 14, 2010. 53 general support systems to identify those without appropriate background investigations. We noted that OCHCO did perform the reconciliation of one sensitive system for the period ending June 30, 2010 and identified 30 (out of 46) users that did not have the appropriate background investigation level32. After completing the reconciliation, OCHCO stated that the reconciliation results were provided to OCIO for resolution. We have reported since 2006 that the list of sensitive systems to be included in the reconciliation was incomplete. In response to a recommendation in our fiscal year 2008 audit report33, OCIO planned to update the sensitive system list by April 30, 2010. For this year’s review, we found that OCIO listed two sensitive systems but the Personnel Security Division received user information from only one system for reconciliation. In fiscal year 2007, we reported that the general support systems on which HUD’s mission-critical and sensitive applications reside were not included in the reconciliations because they were not classified as mission critical34. Granting people access to general support systems without appropriate background investigations increases the risk that unsuitable individuals could gain access to sensitive information and inappropriately use, modify, or delete it. We recommended that OSEP update its policies and procedures to include users of HUD’s general support systems in the user access reconciliation process. OSEP updated the personnel security and suitability handbook in September 2009 but did not include language requiring general support systems to be included in the reconciliation process. Having access to general support systems typically includes access to system tools, which provide the means to modify data and network configurations. We previously identified IT personnel, such as database administrators and network engineers, who had access to these types of system tools but did not have appropriate background checks. These persons were not identified as part of the reconciliation process. 32 Types of background investigations at HUD are: National Agency Check and Inquiries (NACI - for non sensitive designation), Minimum Background Investigation (MBI) or Limited Background Investigation (LBI - for moderate risk designation), and Background Investigation (BI - for high risk designation) 33 Audit report number 2009-DP-0004 ―Fiscal Year 2008 Review of Information Systems Controls in Support of the Financial Statements Audit‖, dated May 29, 2009 34 Audit report number 2008-DP-0003, ―Fiscal Year 2007 Review of Information Systems Controls in Support of the Financial Statements Audit,‖ date March 4, 2008 54 Compliance with Laws and Regulations In fiscal year 2010 we found several instances where HUD did not ensure transactions were executed in accordance with laws governing the use of budget authority and with other laws and regulations that could have a direct and material effect on the financial statements and any other laws, regulations, and governmentwide policies identified in OMB audit guidance. HUD Did Not Substantially Comply With the Federal Financial Management Improvement Act FFMIA requires auditors to report whether the agency’s financial management systems substantially comply with the Federal financial management systems requirements and applicable accounting standards and support the U.S. Standard General Ledger (SGL) at the transaction level. We found that HUD was not in substantial compliance with FFMIA because CPD’s IDIS grant information system was not in compliance with Federal GAAP, FFMIA, and its internal controls over financial reporting as well as HUD’s financial management systems non compliance with Federal financial management system requirements. During fiscal year 2010, we found that CPD’s IDIS was determined to be non compliant FFMIA due to deficiencies in internal controls over financial reporting, and its ability to process transactions that would Federal GAAP. These deficiencies are described in detail in Significant Deficiency 1: HUD Financial Management Systems Do Not Comply With the Federal Financial Management Improvement Act of 1996 (FFMIA) HUD on an entity wide basis made limited progress as it attempted to address its financial management deficiencies to bring the agency’s financial management systems into compliance with FFMIA. Deficiencies remained as HUD’s financial management systems continued to not meet current requirements and were not operated in an integrated fashion and linked electronically to efficiently and effectively provide agency-wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs. HUD is not in full compliance with OMB Circular A-127. The Circular requires each agency to perform reviews of its financial management systems. Since FY 2007, HUD completed 8 of the 54 required financial management system reviews. Only one of the eight reviews was completed during FY 2010. HUD is required to maintain an accurate inventory of their financial management systems. We determined that HUD has not accurately classified the Financial DataMart (FDM) and the Personnel Services Cost Reporting Subsystem (PSCRS) within their inventory listing. HUD is required to maintain financial management system plans for each of their financial management applications. We determined that HUD’s financial management systems plan document for FY 2010 does not meet the requirements specified in the circular. 55 Federal Financial Management System Requirements In its Fiscal Year 2010 Agency Financial Report, HUD reported that 3 of its 42 financial management systems did not comply with the requirements of FFMIA and OMB Circular A-127, Financial Management Systems. Although 39 individual systems had been certified as compliant with Federal financial management systems requirements, HUD had not adequately performed reviews of these systems as required by OMB Circular A-127. Collectively and in the aggregate, deficiencies continued to exist. We continue to report as a significant deficiency that HUD financial management systems need to comply with Federal financial management systems requirements. The significant deficiency addresses how HUD’s financial management systems remain substantially noncompliant with Federal financial management requirements. FHA’s auditor reports as significant deficiencies that effective FHA modernization is necessary to address systems risks. The significant deficiency addresses the challenge in FHA’s capacity to address various system modernization initiatives and control deficiencies affecting the reliability and completeness of FHA’s financial information. We also continue to report as significant deficiencies that (1) controls over HUD’s computing environment can be further strengthened and (2) weak personnel security practices continue to pose risks of unauthorized access to the Department’s critical financial systems. These significant deficiencies discuss how weaknesses with general controls and certain application controls and weak security management increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation. In addition, OIG audit reports have disclosed that security of financial information was not provided in accordance with OMB Circular A-130, Management of Federal Information Resources, appendix III, and FISMA. We have included the specific nature of noncompliance issues, responsible program offices, and recommended remedial actions in appendix C of this report. 56 HUD Did Not Substantially Comply with the Anti-Deficiency Act HUD Has Not Made Progress In Reporting ADA Violations As Required Our fiscal year 2010 audit found that HUD had not improve its process for conducting, completing, reporting, and closing the investigation of potential 31U.S.C. 1351.1517(b) Anti-Deficiency Act (ADA) violations. Our review found that none of the six cases identified as a potential deficiency in fiscal year 2009 were reported to the President through OMB, Congress or GAO as required or determined not to be a violation. Of the six cases, for three of the six case files a determination of an ADA violation had occurred and a draft letter to the President and OMB was prepared but was not issued. In one of the six case tiles, the final report is still in draft and not submitted. For the two remaining case files, the individual listed as the approving authority for final report submission is no longer employed with the Department. Consequently, we did not find substantial improvement in HUD’s conducting, completing, reporting, or closing potential ADA violation investigations. OCFO is responsible for conducting investigations, and reporting on violations of the ADA. HUD’s continued delay in completing ADA investigations and reporting known violations results in ADA violators avoiding timely reprimands or punishments and prevents timely correction of violations. HUD Entered Into an Interagency Agreement that Potentially Violated the Anti-Deficiency Act Our audit found that HUD potentially violated the Anti-Deficiency Act when HUD officials committed the Department to a financial obligation through an Interagency Agreement with the United States Bureau of the Census (Census) without fully funding the contracted obligation at the time the agreement was executed. HUD entered into the Interagency Agreement on September 30, 2009 for housing surveys with a performance period covering September 30, 2009 to September 29, 2010 while only partially funding the contracted obligation created by the contract. HUD obligated only $453,000 at the time of the contract execution (September 30, 2009) and did not obligate the remaining $2,761,000 until March 18, 2010. Additionally, the contract did not stipulate that the Department’s obligation under the contract was contingent upon the availability of appropriated funds as required by FAR 32.703-2 and 52.232-18. As a result, the Census was providing services without a fully funded contract which may not have had sufficient funds available to fulfill the entire contracted 57 obligation. Further, HUD financial systems and statements did not reflect the total resources needed to cover commitments resulting from this interagency agreement. HUD Did Not Comply with Laws and Regulations Governing Claims of the United States Government Inadequate Efforts to Collect on Delinquent Section 202 Loans Title 31 of the Code of Federal Regulations, Section 901, Standards for the Administration of Claims, holds the Department responsible for aggressively collecting all debts arising out of activities performed by the agency. These activities include notifying debtors of a delinquency and performing timely follow-up activities. Our review of the Section 202 loan portfolio determined that these activities were not being substantially and promptly performed as required by HUD Handbook 1900.25 REV-3 and 31 CFR 901. Eight of 14 delinquent loans (57 percent) reviewed indicated that follow-up and collection activities to cure the delinquency had not occurred prior to our review. These eight loans had delinquent payments that had aged between 117 days and 6 years. The Office of Housing is responsible for performing the notification and follow- up activities for projects with Section 202 loans. Our review concluded that the Office of Housing inadequately monitored delinquent Section 202 loans and did not aggressively attempt to cure the delinquency. Proper action was not taken when information identifying delinquent loans became available and policies and procedures for collecting delinquent debts set forth in HUD Handbook 1900.25 REV-3 were not followed. Additionally, guidance drafted by the Office of Housing at the beginning of the fiscal year addressing collection procedures for delinquent loans was not formally issued as of September 30, 2010. Inadequate efforts to collect on delinquent loan balances resulted in a higher risk of HUD's assets becoming uncollectable. If insufficient follow-up continues, over time, more loans in the Section 202 loan portfolio may fall into delinquent status and be at a higher risk of becoming uncollectable. The anticipated collections from these delinquent loans could become unrealized, consequently, decreasing the total budgetary resources available for the program. Non-reporting of Delinquent Loan Information to Third Parties The Office of the Chief Financial Officer (OCFO) utilized a Commercial off the Shelf (COTS) application, entitled the Nortridge Loan System (NLS), to account for the Department’s direct loans, which included Section 202 (Housing for the 58 Elderly), Section 201 (Flexible Subsidy), and Green Retrofit Program direct loans. The functionality to report delinquent direct loans to third party entities, such as credit bureaus and CAIVRS (Credit Alert Verification Reporting System)35, was not activated by HUD and the Department did not report this information through supplementary means. Therefore, the delinquent status of debt due to the Department was not reported to credit bureaus as required by 31 U.S.C 3711. As a result, the delinquent status of this debt was not available to other Federal Credit agencies. Consequently, other agencies did not have all delinquent information available to perform prescreening procedures as required by 31 U.S.C 3711 and OMB. HUD's failure to report its delinquent debtors might have resulted in other agencies improperly qualifying these debtors for a federal loan, when they were actually ineligible. This prevents other agencies from effectively protecting the Government’s assets and curtailing the losses in relation to government benefits provided. 35 CAIVRS is a Federal government database of delinquent Federal debtors that allows federal agencies to reduce the risk to federal loan and loan guarantee programs. CAIVRS allows authorized employees of participating Federal agencies to access a database of delinquent Federal borrowers for the purpose of pre-screening direct loan applicants for credit worthiness, and permits approved private lenders acting on the Government’s behalf to access the delinquent borrower database for the purpose of pre-screening the credit worthiness of applicants for Federally guaranteed loans. 59 APPENDIXES Appendix A Objectives, Scope, and Methodology Management is responsible for * Preparing the financial statements in conformity with accounting principles generally accepted in the United States of America; * Establishing, maintaining, and evaluating internal controls and systems to provide reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity Act are met; and * Complying with applicable laws and regulations. In auditing HUD’s principal financial statements, we were required by Government Auditing Standards to obtain reasonable assurance about whether HUD’s principal financial statements are presented fairly in accordance with generally accepted accounting principles, in all material respects. We believe that our audit provides a reasonable basis for our opinion. In planning our audit of HUD’s principal financial statements, we considered internal controls over financial reporting by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed into operation, assessed control risk, and performed tests of controls to determine our auditing procedures for the purpose of expressing our opinion on the principal financial statements. We are not providing assurance on the internal control over financial reporting. Consequently, we do not provide an opinion on internal controls. We also tested compliance with selected provisions of applicable laws, regulations, and government policies that may materially affect the consolidated principal financial statements. Providing an opinion on compliance with selected provisions of laws, regulations, and government policies was not an objective, and, accordingly, we do not express such an opinion. We considered HUD’s internal control over required supplementary stewardship information reported in HUD’s Fiscal Year 2010 Agency Financial Report by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed into operation, assessed control risk, and performed limited testing procedures as required by AU Section 558, Required Supplementary Information. The tests performed were not to provide assurance on these internal controls, and, accordingly, we do not provide assurance on such controls. With respect to internal controls related to performance measures to be reported in the Management’s Discussion and Analysis and HUD’s Fiscal Year 2010 Agency Financial Report, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions as described in Section 230.5 of OMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed limited testing procedures 60 as required by AU Section 558, Required Supplementary Information, and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended. Our procedures were not designed to provide assurance on internal control over reported performance measures, and, accordingly, we do not provide an opinion on such controls. To fulfill these responsibilities, we * Examined, on a test basis, evidence supporting the amounts and disclosures in the consolidated principal financial statements; * Assessed the accounting principles used and the significant estimates made by management; * Evaluated the overall presentation of the consolidated principal financial statements; * Obtained an understanding of internal controls over financial reporting (including safeguarding assets), and compliance with laws and regulations (including execution of transactions in accordance with budget authority);; * Tested and evaluated the design and operating effectiveness of relevant internal controls over significant cycles, classes of transactions, and account balances; * Tested HUD’s compliance with certain provisions of laws and regulations; government- wide policies, noncompliance with which could have a direct and material effect on the determination of financial statement amounts; and certain other laws and regulations specified in OMB Bulletin 07-04, as amended, including the requirements referred to in the Federal Managers’ Financial Integrity Act; * Considered compliance with the process required by the Federal Managers’ Financial Integrity Act for evaluating and reporting on internal control and accounting systems; and * Performed other procedures we considered necessary in the circumstances. We did not evaluate the internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those controls that are material in relation to HUD’s financial statements. Because of inherent limitations in any internal control structure, misstatements may nevertheless occur and not be detected. We also caution that projection of any evaluation of the structure to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate. Our consideration of the internal controls over financial reporting would not necessarily disclose all matters in the internal controls over financial reporting that might be significant deficiencies. We noted certain matters in the internal control structure and its operation that we consider significant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the American Institute of Certified Public Accountants, a significant deficiency is a deficiency or a combination of deficiencies, in internal control such that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. 61 A material weakness is a deficiency, or combination of deficiencies, in internal controls, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected on a timely basis. Our work was performed in accordance with generally accepted government auditing standards and OMB Bulletin 07-04, as amended. This report is intended solely for the use of HUD management, OMB, and the Congress. However, this report is a matter of public record, and its distribution is not limited. 62 Appendix B Recommendations To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking System (ARCATS), this appendix lists the newly developed recommendations resulting from our report on HUD’S fiscal year 2010 financial statements. Also listed are recommendations from prior years’ reports that have not been fully implemented. This appendix does not include recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial statement audit reports of that entity. Recommendations From the Current Report With respect to the significant deficiency that HUD's Financial Management Systems Need to Comply with Federal Financial Management System Requirements, we recommend CPD: 1.a. Cease the changes being made to IDIS for the HOME program related to the FIFO rules until the cumulative effect of using FIFO can be quantified on the financial statements. 1.b. Change IDIS so that the budget fiscal year source is identified and attached to each activity from the point of obligation to disbursement. 1.c. Cease the use of FIFO to allocate funds (fund activities) within IDIS and disburse grant payments. Match outlays for activity disbursements to the obligation and budget fiscal source year in which the obligation was incurred, and in addition, match the allocation of funds (activity funding) to the budget fiscal year source of the obligation. 1.d. Include as part of the annual CAPER, a reconciliation of HUD’s grant management system, IDIS, to grantee financial accounting records on an individual annual grant basis, not cumulatively, for each annual grant awarded to the grantee. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the appropriate program offices: 2.a. Deobligate the $3.2 million in administrative and program unliquidated obligations that were marked for deobligation. 2.b. Promptly perform contract closeout reviews and recapture of invalid obligations. 2.c. Review the 510 obligations which were not distributed to the program offices during the open obligations review and deobligate amounts tied to closed or inactive 63 projects, including the $27.5 million we identified during our review as expired or inactive. 2.d. Perform a review to determine whether any additional obligations that are currently excluded from the open obligations review should be included, to ensure that all of HUD’s obligations are being subjected to review procedures. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CPD, 2.e. Investigate through reviewing each individual obligating document and contacting the grantee, the $1.62 billion in obligations, which were originally obligated in 2005 and prior, to obtain the intended use for open obligation amount (commitments, etc). For those which do not have a specific intended use, recapture the open obligation amount. Where applicable for non-fixed year funds, include the de-obligated amounts in next year’s formula allocation. 2.f. For grantees which do not comply with program regulations, de-obligate the funds related to the non-compliance from the older applicable grant award and not the current available for obligation awards. 2.g. In coordination with the CFO, develop and publish written guidance and policies to establish a bench mark for Field Directors to use to determine the validity of the open obligation. The guidance should include specific procedures for open obligation amounts, wherein the obligation was made prior to a specified amount of time, as well as disbursement inactivity beyond a specified amount of time. 2.h. In coordination with the CFO, develop procedures to periodically evaluate HUD’s program financial activities and operations to ensure that current accounting policies are sufficient and appropriate and to ensure that they are implemented and operating by program and accounting staff as intended. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that Housing, in coordination with the CFO: 2.i. Recapture the $38.5 million from the 936 funding lines for expired annual renewal contracts. 2.j. Revise the Section 8 project-based recapture methodology to include reviews/recaptures from expired annual renewal contracts. 2.k. Implement a long-term financial management strategy and improvement plan to address data and system weaknesses to ensure that information for the Office of Housing’s obligations is kept up to date and accurate. 64 With respect to the significant deficiency HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the PIH: 2.l. Coordinate a review and close-out each of the 434 PIH Low Rent grants in PAS subsidiary and determine the status on any other grants included in the OIG audit report SF-1997-107-0001 that remain open. 2.m. After reviewing and closing out these PIH Low Rent 434 grants, determine if there are any overpayments that need to be recovered from any Housing Authority grants that were overpaid. 2.n. Recapture the full amount of obligations from these PIH Low Rent 434 grants totaling $174 million and return to Treasury the total balance of budgetary resources from invalid grants. 2.o. Coordinate with PIH to update their funds control plans adding procedures to ensure that any unexpended obligation portfolios are excluded from the open obligation review and for accurately documenting the entire accounting process and responsibilities. 2.p. Develop procedures for ensuring all material general ledger accounts balances are reconciled to subsidiary records so that general ledger accounts support amounts presented in the financial statement. 2.q. Develop procedures to periodically evaluate HUD’s program financial activities and operations to ensure that current accounting policies are sufficient and appropriate and to ensure that are properly carried out by the program and accounting staff. With respect to the significant deficiency that PIH needs more effectively monitor PHA accumulation of excess funds we recommend that HUD 3.a. Execute an offset of $385 million from PHAs that have more than six percent of budget authority accumulated in their Net Restricted Assets Account balance. With respect to the significant deficiency that CPD needs to improve its oversight of grantees, we recommend CPD: 4.a. Review the status of each of its Homeless Assistance contracts that makes up the $97.8 million OIG identified as excess funding and recapture excess funds for expired contracts, which have not been granted extensions. 4.b. Institute an annual review by Field Offices of the status of expiring Homeless Assistance contracts and recapture excess funds prior to the Continuum of Care competition, so that all amounts, within the unexpired phase, can be included in the NOFA. 65 4.c. Establish internal control procedures and control activities that include specific policies, procedures and mechanisms, including appropriate documentation of extensions granted and follow-up efforts with the grantees to obtain the close-out documents, to ensure that grants are closed out within the 90-day period after the contract expiration or after the extension period, so that remaining balances are recaptured on a periodic basis, but at least quarterly. 4.d. Implement the guidance as instructed in the new HOME FACTS regarding activities that are over 12 months old with no funds disbursed, these activities will be automatically cancelled by HUD and the funds uncommitted. 4.e. Establish internal control procedures or internal regulations that require field offices to perform follow-up measures for participating jurisdictions (PJs) with slow-moving projects on an annual basis, including contacting the PJs and requiring the PJs to respond with an action plan for disbursing the unused funds on slow-moving projects. 4.f. Investigate the progress of the 350 stalled activities with funding dates 2005 and prior wherein the percentage of amounts drawn on the activity was 50 percent or less with a remaining undrawn amount $27.5M and recapture those amounts in which the activity can be cancelled. With respect to the significant deficiency that HUD needs to improve its administrative control of funds, we recommend the OCFO: 5.a Enhance the Low Rent funds control plans to Verify that the legislation changes are incorporated; ensure that the accounting treatment and policies employed are appropriate; and include the OCFO Accounting and Reporting staff in the review the classification, disclosure, and presentation of programmatic accounting information. 5.b Establish and implement procedures to ensure accuracy and completeness of ARRA Fund Control Plans. 5.c Require changes and new signatures on the pages which name responsible parties for every funds control plan when new allotment holders, sub allotment holders, and/or funds control officers appointed. 5.d Conduct periodic reviews of the program offices’ compliance with requirements of the funds control plans. With respect to the significant deficiency that HUD needs to improve its administrative control of funds, we recommend that HUD allotment holders, 5.e Ensure that their designated Funds Control Officer maintain and ensure adherence to the funds control plan. 66 5.f Inform OCFO of any changes in law, policy, or procedure that has occurred that would be inconsistent with the existing fund control plan. 5.g Ensure timely update of their funds control plans including when allotment holders and funds control officers change. With respect to the significant deficiency that HUD needs to improve its administrative control of funds, we recommend that the OCFO, in coordination with the appropriate program offices, 5.h Identify the appropriate allotment holders and fund control officers for the programs related to the 17 program codes identified during the fiscal year 2010 financial audit. 5.i Perform a review of all funds control plans to ensure all programs are covered by a plan that is up to date and includes all relevant information, including all program and accounting codes, current allotment holders and funds control officers, and the current accounting and monitoring procedures. 5.j Develop and implement funds control plans for any program found to be without an up to date funds control plan. With respect to HUD’s substantial noncompliance with the Antideficiency Act (ADA), we recommend that the CFO, in coordination with the appropriate program offices, 6.a Complete required steps on the six known potential Anti-Deficiency issues and report those determined to be violations, immediately to the President, Congress, and GAO, as required by 31 U.S.C., and OMB Circular A-11. 6.b Investigate the potential Antideficiency Act violation and other interagency agreements that were similarly executed. If the investigation determines an Antideficiency Act violation occurred, immediately report it to the President, Congress, and GAO as required by 31 U.S.C., and OMB Circular A-11. 6.c Develop, or where appropriate modify, and implement measures to prevent future potential Antideficiency Act violations resulting from contracts funded over multiple fiscal years. With respect to HUD’s noncompliance with the laws and regulations governing claims of the U.S. Government, we recommend that the Office of Housing 7.a Finalize and issue the draft Notice regarding collection procedures for delinquent Section 202 loans. 7.b After issuance of the Notice, ensure the policy is effectively communicated to each applicable project manager and HUB Director nationwide. 67 7.c Ensure adherence to the Notice by establishing internal controls to record activities to collect on delinquent loans. With respect to HUD’s noncompliance with the laws and regulations governing claims of the U.S. Government, we recommend that the CFO: 7.d Activate the delinquent debt reporting functionality to enable NLS to report the Department’s delinquent debt to credit bureaus and CAIVRS. 7.e Establish criteria to determine what delinquent debt should be subject to reporting. 7.f Based on the criteria established, identify delinquent debt and report those to credit bureaus and CAIVRS as required. Unimplemented Recommendations From Prior Years’ Reports Not included in the recommendations listed above are recommendations from prior years’ reports on HUD’s financial statements that have not been fully implemented based on the status reported in ARCATS. HUD should continue to track these under the prior years’ report numbers in accordance with departmental procedures. Each of these open recommendations and its status is shown below. Where appropriate, we have updated the prior recommendations to reflect changes in emphasis resulting from recent work or management decisions. OIG Report Number 2010-FO-0003 (Fiscal Year 2009 Financial Statements) With respect to the significant deficiency that the CPD needs to improve its oversight of grantees, we recommend that CPD: 1.a. Consider modifying an existing system to create an automated process that will house all of the data needed to review the timeliness requirement for the State CDBG program to create a more effective and efficient process. (Final Action Target Date is December 31, 2010; reported in ARCATS as recommendation 1D). 1.b. Determine whether the $24.7 million in unexpended funds for the HOME program from fiscal years 2001 and earlier that are not spent in a timely manner should be recaptured and reallocated in next year’s formula allocation. (Final Action Target Date is April 1, 2011; reported in ARCATS as recommendation 1E). 1.c. Develop a policy for the HOME program that would track expenditure deadlines for funds reserved and committed to community housing development organizations and subgrantees separately. (Final Action Target Date is September 30, 2011; reported in ARCATS as recommendation 1F). 68 With respect to the significant deficiency that HUD management must continue to improve oversight and monitoring of subsidy calculations, intermediaries’ performance, and Housing Choice Voucher funds, we recommend that PIH: 2.a. Develop a mechanism in the Voucher Management System that enables HUD to (1) track and compare what the PHAs spend and receive in administrative fee expenses and (2) capture transfers between housing assistance and the funds for administrative fees, resulting in better estimates of net restricted assets account calculated balances. (Final Action Target Date is December 31, 2010; reported in ARCATS as recommendation 2C). 2.b. Develop procedures to validate the net restricted assets account balances as part of its on-site monitoring review of PHAs and initiate reviews earlier in the year to ensure that excess funding in PHAs’ net restricted assets account is accurate before funding decisions are made. (Final Action Target Date is December 31, 2010; reported in ARCATS as recommendation 2D). With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the appropriate program offices: 3.a. Deobligate the $8.8 million in administrative and program unliquidated obligations that were marked for deobligation. (Final Action Target Date is October 26, 2010; reported in ARCATS as recommendation 3A). 3.b. Promptly perform contract closeout reviews and recapture of invalid obligations. (Final Action Target Date is March 11, 2011; reported in ARCATS as recommendation 3B). With respect to the significant deficiency that HUD's Financial Management Systems Need to Comply with Federal Financial Management System Requirements, we recommend that the CPD: 4.a. Ensure that its programs are accounting for and reporting their financial and performance information in accordance with federal financial management system requirements. (Final Action Target Date is July 30, 2010; reported in ARCATS as recommendation 4A). With respect to HUD’s substantial noncompliance with the Antideficiency Act (ADA), we recommend that the Chief Financial Officer, in coordination with the appropriate program offices: 5.a. Complete the investigations and determine whether or not ADA violations have occurred, and if an ADA violation has occurred, immediately report to the President, Congress, and GAO. (Final Action Target Date is March 11, 2011; reported in ARCATS as recommendation 5A) 69 5.b. Report the six ADA violations immediately to the President, Congress, and GAO, as required by 31 U.S.C and OMB Circular A-11, upon receiving OCFO legal staff concurrence with the investigation results. (Final Action Target Date is March 16, 2011; reported in ARCATS as recommendation 5B) OIG Report Number 2009-FO-0003 (Fiscal Year 2008 Financial Statements) With respect to the significant deficiency that HUD management must continue to improve oversight and monitoring of subsidy calculations and intermediaries’ program performance and promote full utilization of Housing Choice Voucher funds, we recommend that PIH: 1.a. Increase the monitoring efforts over the Net Restricted Asset Account held by PHAs (Final Action Target Date is December 31, 2011; reported in ARCATS as recommendation 1C). With respect to HUD’s substantial noncompliance with the Federal Financial Management Improvement Act, we recommend that the CFO: 2.a. Develop a plan to comply with OMB A-127 review requirements, which results in the evaluation of all HUD financial management systems within a 3-year cycle (Final Action Target Date is March 19, 2010; reported in ARCATS as recommendation 3A). 70 Appendix C Federal Financial Management Improvement Act Noncompliance, Responsible Program Offices, and Recommended Remedial Actions This appendix provides details required under Federal Financial Management Improvement Act (FFMIA) reporting requirements. To meet those requirements, we performed tests of compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially comply with the foregoing requirements. The details for our basis of reporting substantial noncompliance, responsible parties, primary causes, and HUD’s intended remedial actions are included in the following sections. Federal Financial Management Systems Requirements 1. HUD’s annual assurance statement, issued pursuant to Section 4 of the Financial Manager’s Integrity Act, will report two nonconforming systems.36 The organizations responsible for systems that were found not to comply with the requirements of OMB Circular A-127 based on HUD’s assessments are as follows: Responsible office Number of systems Nonconforming systems Office of Housing 18 0 Office of the Chief Financial Officer 14 0 Office of Chief Human Capital Officer 1 1 Office of the Chief Procurement Officer 0 2 Office of Community Planning and Development 3 0 Office of Public and Indian Housing 2 0 Government National Mortgage Association 1 0 Totals 39 3 The following section outlines HUD’s plan to correct noncompliance with OMB Circular A-127 as submitted to us as of September 30, 2010, and unedited by us. 36 The two nonconforming systems are A35-HUD Procurement System and P035-Small Purchase System. 71 OFFICE OF THE CHIEF PROCUREMENT OFFICER REMEDIATION PLANS AS OF 9/30/2010 A35 HUD Procurement Systems (HPS) P035 Small Purchase System (SPS) Noncompliance Issue(s) Tasks/Steps (including Milestones) Target Actual Completion Completion Dates Dates INTERNAL CONTROLS 1. HUD’s Procurement INTERMEDIATE RESOLUTION PLAN Systems Do Not Have Adequate 1A Review transactions of the four contracting officers Controls for who input records in excess of their contract Monitoring the authority and take actions as appropriate. Procurement Process OCPO researched the transactions in question to determine if the obligations 12/23/2006 12/14/2006 were appropriate or not. OCPO determined that the transactions were properly executed by contracting 03/31/2007 12/14/2006 officers acting within their authority. No further action is necessary. 1B Implement system controls to ensure that contracting officers are not able to exceed their procurement authority. The OCPO will implement procurement authority control procedures. 03/31/2007 04/25/07 The OCPO will include validation of contracting officer authority as part of each Procurement Management Review. 01/08/2007 01/08/2007 On-Going 1C Implement controls to ensure that contracting officers are required to either input or approve all transactions that record funds through the HUDCAPS interfaces. The OCPO will implement procedural controls to require contracting officers to 04/30/2007 04/25/2007 validate transactions in HPS. 1D Modify the systems to make the contracting officer field mandatory. The OCPO will implement procedures for electronic records, which are recorded in HPS, are reviewed to ensure that a 04/30/2007 06/20/2008 Contracting Officer is identified for each Revised— record. 11/30/2008 The OCPO will implement validation of the contracting officer identification as 01/8/2007 01/08/2007 part of each Procurement Management On-Going Review. (See 1B bullet 2 above. Validation of 72 Noncompliance Issue(s) Tasks/Steps (including Milestones) Target Actual Completion Completion Dates Dates contracting authority is the same as implementation of task) 2. HUD Procurement 2A Ensure that system administration and security Systems’ Separation administration functions are separate. of Duties Controls The OCPO will formally appoint separate 04/16/2007 05/01/2007 Were Bypassed individuals to act as security administrator and system administrator for each OCPO system and that the individuals will not be performing conflicting duties. 2B Ensure that staff are not assigned conflicting duties, that separate functions are performed by separate individuals, and that the concept of least privilege is applied. OCPO will determine if multiple system profiles are actually a valid requirement on an individual basis in HPS. The goal is to eliminate all unnecessary and redundant profiles in HPS and that the individuals will not be performing conflicting duties. o The OCPO will identify users with 02/15/2007 12/21/2006 multiple HPS profiles. o The OCPO will deactivate 07/31/2007 07/19/2007 unnecessary/redundant profiles. NOTE: While we can separate the duties procedurally, the separation cannot be enforced in HPS or SPS without reprogramming. 2C Implement formal policies and procedures to recertify the access granted to users at least annually. The OCPO will develop and implement formal procedures for granting access by using the concept of least privilege to OCPO systems, as well as annual user access reviews by: o Revise system access request forms 01/31/2007 12/31/2006 o Revise process in which user 02/28/2007 01/31/2007 requests system access o Revise procedure in which system 03/31/2007 01/31/2007 access is granted o Develop formal procedure to enforce 06/30/2007 07/18/2007 annual user access review 2D Create and implement routing functionality within the Small Purchase System to allow users to be granted access to more than one office or region. OCPO recommends implementing the following tasks to alleviate the routing issue. OCPO will determine if multiple SPS system profiles are actually a valid 73 Noncompliance Issue(s) Tasks/Steps (including Milestones) Target Actual Completion Completion Dates Dates requirement on an individual basis. The goal is to eliminate all unnecessary and redundant profiles in SPS. 02/15/2007 12/21/2006 o The OCPO will identify users with multiple SPS profiles. 11/30/2007 12/14/2007 o The OCPO will restructure the issuing office hierarchy to alleviate the necessity of multiple profiles for a given user. 3. HUD’s 3A Perform a cost benefit analysis to determine Procurement whether it is more advantageous to modify or Systems Do Not replace the procurement systems to ensure Contain compliance with Joint Federal Management Sufficient Improvement Program Requirements. Financial Data to The OCPO will perform a cost benefit 05/31/2008 02/12/2008 Allow It to analysis to replace the OCPO systems. Effectively Manage and 3B Implement functionality to ensure that there is Monitor sufficient information within HUD’s Procurement procurement systems to support the primary Transactions acquisition functions of fund certification, obligation, deobligation, payment, and closeout. Based on the availability of funds, OCPO will replace its systems with COTS software to ensure identified issues with security controls are addressed. Milestones – Not later than Develop Independent Government Estimate 05/03/2007 Conduct Market Research Source Selection 05/4/2007 04/06/2007 Roll-out pilot of production system 09/30/2010 04/6/2007 HIAMS 07/31/2010 Contract 01/31/2012 Awarded SECURITY COTROLS 4. The Office of the 4A Obtain the training and or resources necessary to Chief develop or perform compliant (1) information Procurement system categorization analyses; (2) risk Officer Did Not assessments; (3) security plans; (4) contingency Design or plans and tests; (5) monitoring processes, which Implement include applicable Federal Information Required Processing Standards Publication 200 Information managerial, operational, and technical Security Controls information security controls; and (6) evaluations of the managerial, operational, and technical security controls. OCPO will ensure that training or other resources are obtained to develop or perform required managerial, operational, 74 and technical security controls. Noncompliance Issue(s) Tasks/Steps (including Milestones) Target Actual Completion Completion Dates Dates Update Risk Assessments 12/31/2008 08/31/2007 Update Security Plans 12/31/2008 08/31/2007 12/31/2008 12/13/2007 Update Annual Contingency Plans and On Going Tests o Monitoring processes, which includes 09/01/2008 08/29/2008 applicable Federal Information Processing On Going Standards (FIPS) Publication 200 managerial, operational, and technical information security controls; and The OCPO continues to work the OCIO to monitor the above mentioned areas on an annual basis through updates to the Contingency plans, Security Plans, and BIA. Evaluations of the managerial, operational, and technical security controls. 09/01/2008 08/29/2008 The OCPO continues to work the OCIO to evaluate the above mentioned areas on an On Going annual basis. 4B. Complete the corrective actions for the known open information security vulnerabilities or develop mitigation strategies if new system development is underway. OCPO will ensure it develops mitigation strategies for the known open information security vulnerabilities. o Review vulnerabilities NOTE: Vulnerability scans were requested by OCPO 06/09/2010 through OIT and security office – estimated scan date by 06/14/2010 11/30/2008 Requested an o Develop mitigation strategy Extension— NOTE: Upon completion of the scans, 12/31/2009 mitigating strategies will be developed for 07/31/2010 known vulnerabilities. Completion time is TBD dependent on the number of vulnerability TBD discovered See Note 4C Designate a manager to assume responsibility for ensuring the Office of the Chief Procurement Officer’s compliance with federal certification and accreditation process requirements and to provide ―continuous monitoring‖ of the office’s information systems security. 75 NoncomplianceTasks/Steps Issue(s) (including Milestones) Target Actual Completion Completion Dates Dates OCPO will designate a manager 01/15/2007 03/31/2007 responsible for ensuring compliance with information systems security and federal certification and accreditation process. OCPO will work with OCIO to define 02/01/2007 02/1/2007 roles and responsibilities and to ensure that appropriate resources are provided to perform required monitoring and certification and accreditation. 4D. Reevaluate the HUD Procurement System and Small Purchase System application systems’ security categorization in light of Office of Management and Budget guidance on personally identifiable information. OCPO will reevaluate the HUD 08/31/2007 08/31/2007 Procurement System and Small Purchase System application systems’ security categorization in light of Office of Management and Budget guidance on personal identifiable information. 4E Perform a business impact analysis for the procurement systems. Based on the results of the impact analysis, determine what actions HUD can take to limit the amount of time needed to recover from the various levels of contingencies that can occur and include the determined actions in the contingency plans for the systems. OCPO will develop a business impact analysis for the procurement systems and revise the contingency plan based on the BIA. o Develop business impact analyses. 04/30/2007 06/06/2007 o Incorporate BIA into contingency 09/30/2007 12/13/2007 plans. 5A. Implement the HUD Integrated Acquisition Management System (HIAMS) Complete Requirements Document 06/26/2009 07/15/2009 Complete Statement of Work 06/26/2009 07/15/2009 Re-Issue RFI to receive comments on 12/18/2009 12/18/2009 SOW and requirements Review comments from RFI and update 01/31/2010 01/31/2010 SOW and requirements Issue solicitation 05/31/2010 07/01/2010 Purchase software 09/30/2010 09/30/2010 12/31/2010 HIAMS Configuration of software 01/31/2012 Contract Testing/Training/Implementation Awarded 76 Appendix D SCHEDULE OF QUESTIONED COSTS AND FUNDS TO BE PUT TO BETTER USE Recommendation Ineligible 1/ Unsupported Unreasonable or Funds to be put number 2/ unnecessary 3/ to better use 4/ 2.a. $3.2M 2.c. $27.5M 2.i. $38.5M 2.n. $174M 3.a. $385M 4.a. $97.8M 4.f. $27.5M 1/ Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity that the auditor believes are not allowable by law; contract; or Federal, State, or local policies or regulations. 2/ Unsupported costs are those costs charged to a HUD-financed or HUD-insured program or activity when we cannot determine eligibility at the time of the audit. Unsupported costs require a decision by HUD program officials. This decision, in addition to obtaining supporting documentation, might involve a legal interpretation or clarification of departmental policies and procedures. 3/ Unreasonable/unnecessary costs are those costs not generally recognized as ordinary, prudent, relevant, and/or necessary within established practices. Unreasonable costs exceed the costs that would be incurred by a prudent person in conducting a competitive business. 4/ Recommendations that funds be put to better use are estimates of amounts that could be used more efficiently if an Office of Inspector General (OIG) recommendation is implemented. These amounts include reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in preaward reviews, and any other savings that are specifically identified. 77 Appendix E AUDITEE COMMENTS 78 79 80 Appendix F OIG Evaluation of Agency Comments With the exception of the report’s conclusions related to Federal Financial Management Improvement Act (FFMIA) compliance, and Improving Administrative Control of Funds management generally agrees with our presentation of findings and recommendations subject to their detailed comments. HUD’s disagreement on its non compliance with FFMIA has two components, HUD’s entity wide integrated financial management system and CPD formula grant accounting. First, HUD continues to hold their long stated position, that while acknowledging deficiencies, its entity wide integrated financial management system is compliant with FFMIA. HUD agrees that their systems processes can be more efficiently integrated to eliminate the need for existing compensating controls, nevertheless management feels the existing environment is substantially compliant and not at material risk of misreporting. The deficiencies noted in HUD’s financial management systems are due to the current financial system being developed prior to the issuance of current requirements. The system is also technically obsolete, has inefficient multiple batch processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies, HUD’s management systems are unable to routinely produce reliable, useful, and timely financial information. This weakness manifests itself by limiting HUD’s capacity to manage with timely and objective data, and thereby hampers its ability to effectively manage and oversee its major programs. In addition, the Department has not met the minimum set of automated information resource controls relating to Entity-wide Security Program Planning and Management as required by FISMA and OMB Circular A-130 Appendix III. Second, HUD believes that the CPD formula grant programs are compliant and that our FFMIA noncompliance conclusion due to CPD grant accounting departures from U.S.GAAP and weaknesses in internal controls over financial reporting do not fully take into account the nature of block grants. We disagree with their assessment and believe that CPD formula grants need to comply with budgetary controls and Federal financial management requirements related to the matching of outlays to source of funds by appropriation year. We will continue our work on CPD formula grants and seek clarification on whether formula grants are required to fully comply with U.S. GAAP. HUD also did not agree with the categorization of our observation that HUD Needs to Improve Administrative Control of Funds as a significant deficiency. After a review of their detailed comments, we modified the write up to reflect information provided. We take exception to HUD’s position that the requirement for documenting controls over funds administration ends at the point of obligation when compliance with the provisions of the Anti Deficiency Act is ensured. Defects in HUD’s design and implementation of the administrative control of funds have been identified and discussed with HUD since fiscal year 2005. Our justification for raising this issue to a significant deficiency this year was the notable inaccuracies in the Low Rent Program’s fund control plan, and the lack of funds control plans for programs that no longer 81 have new obligation activity but continue making expenditures. Additionally, we found deficiencies in the new programs’ funds control plans, outdated funds control officer information in older funds control plans and that administrative funds control requirements were not always followed to support obligations and disbursements of funds. 82
Additional Details to Supplement Our Report on HUD's Fiscal Years 2010 and 2009 Financial Statements
Published by the Department of Housing and Urban Development, Office of Inspector General on 2010-11-15.
Below is a raw (and likely hideous) rendition of the original report. (PDF)