oversight

Additional Details To Supplement Our Report on HUD's Fiscal Years 2011 and 2010 Financial Statements

Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-11-15.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                              Issue Date
                                                                                       November 15, 2011
                                                                              Audit Report Number
                                                                                           2012-FO-0003




TO:             David Sidari, Acting Chief Financial Officer, F

                //s//
FROM:           Thomas R. McEnanly, Director, Financial Audits Division, GAF


SUBJECT: Additional Details To Supplement Our Report on HUD’s Fiscal Years 2011 and
         2010 Financial Statements


                                             HIGHLIGHTS

 What We Audited and Why

                 We are required to annually audit the consolidated financial statements of the U.S.
                 Department of Housing and Urban Development (HUD) in accordance with the
                 Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal
                 years 2011 and 2010 financial statements are included in HUD’s Fiscal Year 2011
                 Annual Financial Report. This report supplements our report on the results of our
                 audit of HUD’s principal financial statements for the fiscal years ending
                 September 30, 2011, and September 30, 2010. Also provided are assessments of
                 HUD’s internal controls and our findings with respect to HUD’s compliance with
                 applicable laws, regulations, and governmentwide policy requirements and
                 provisions of contracts and grant agreements.1 In addition, we plan to issue a


    1
       Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included
in this report but are included in the accounting firm of Clifton Gunderson LLP’s audit of FHA’s financial
statements. That report has been published in our report, Audit of Federal Housing Administration Financial
Statements for Fiscal Years 2011 and 2010 (2012-FO-0002, dated November 07, 2011).

    Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD
component, are not included in this report but are included in the accounting firm of Clifton Gunderson LLP’s audit
of Ginnie Mae’s financial statements. That report has been published in our report, Audit of Government National

                                                         1
                letter to management on or before January 13, 2012, describing other issues of
                concern that came to our attention during the audit.

 What We Found


                In our opinion, HUD’s fiscal years 2011 and 2010 financial statements were fairly
                presented. Our opinion on HUD’s fiscal years 2011 and 2010 financial
                statements is reported in HUD’s Fiscal Year 2011 Agency Financial Report. The
                other auditors and our audit also disclosed the following ten significant
                deficiencies in internal controls related to the need to:

                         Have financial management systems comply with Federal Financial
                         Management System Requirements;
                         Continue improvement in the processes for reviewing obligation balances;
                         Ensure internal controls over Office of Community Planning and
                         Development (CPD) grantees’ compliance with program requirements are
                         operating effectively;
                         Improve administrative control of funds;
                         Continue improvements in the oversight and monitoring of subsidy
                         calculations, intermediaries’ program performance, and use of Housing
                         Choice Voucher program funds;
                         Further strengthen controls over HUD’s computing environment;
                         Improve personnel security practices for access to HUD’s critical financial
                         systems;
                         Improve compliance control to ensure the safety, completeness, and
                         validity of collateral loan files;
                         Strengthen internal control over risk-based issuer and document custodian
                         reviews to improve the effectiveness of counterparty monitoring and
                         oversight; and
                         Effectively analyze and resolve identified information technology security
                         control deficiencies.

                Our findings include the following five instances of noncompliance with
                applicable laws and regulations:

                         HUD did not substantially comply with FFMIA regarding system
                         requirements;
                         HUD did not substantially comply with the Antideficiency Act;
                         HUD did not substantially comply with laws and regulations governing
                         claims of the United States Government;


Mortgage Association Financial Statements for Fiscal Years 2011 and 2010 (2012-FO-0001), dated November 07,
2011)



                                                     2
                     FHA’s Mutual Mortgage Insurance Fund capitalization was not
                     maintained at a minimum capital ratio of 2 percent, which is required
                     under the Cranston-Gonzalez National Affordable Housing Act of 1990;
                     and
                     FHA did not substantially comply with the Federal Financial Management
                     Improvement Act (FFMIA) regarding system limitations related to
                     operational effectiveness and efficiency.

           In addition, our audit disclosed another matter, in which HUD did not obligate all
           of the funds appropriated for the Emergency Homeowners’ Loan Program.

What We Recommend


           Most of the issues described in this report represent long-standing weaknesses.
           We understand that implementing sufficient change to mitigate these matters is a
           multiyear task due to the complexity of the issues, insufficient information,
           technology systems funding, and other impediments to change. In this and prior
           years’ audits of HUD’s financial statements, we have made recommendations to
           HUD’s management to address these issues. Our recommendations from the
           current audit, as well as those from prior years’ audits that remain open, are listed
           in appendix B of this report.

           The audit also identified $80.7 million in excess obligations recorded in HUD’s
           records. We are also recommending that HUD request a congressional recission
           of $471.8 million in funding originally appropriated for the Emergency
           Homeowners’ Loan Program but not obligated by the required obligation date.
           Lastly, we are recommending that HUD seek legislative authority to implement
           offsets of $820 million against public housing agencies’ (PHA) excess Section 8
           funding held in net restricted assets accounts at the PHAs and $1 billion in the
           operating subsidy account. These amounts represent funds that HUD could put to
           better use.

           For each recommendation without a management decision, please respond and
           provide status reports in accordance with HUD Handbook 2000.06, REV-4.
           Please furnish us copies of any correspondence or directives issued because of the
           audit.

Auditee’s Response


           The complete text of the auditee’s response, along with our evaluation of that
           response, can be found in appendix E and F of this report.




                                             3
                          TABLE OF CONTENTS

Highlights                                                                1

Internal Control                                                          5

Compliance With Laws and Regulations                                      63

Other Matters                                                             69

Appendixes
   A. Objectives, Scope, and Methodology                                  71
   B. Recommendations                                                     74
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended   85
      Remedial Actions
   D. Schedule of Funds To Be Put to Better Use                           99
   E. Agency Comments                                                     100
   F. OIG Evaluation of Agency Comments                                   103




                                        4
                                   INTERNAL CONTROL

Significant Deficiency 1: HUD Financial Management Systems Did
Not Fully Comply With Federal Financial Management System
Requirements
As reported in prior years, the U.S. Department of Housing and Urban Development’s (HUD)
financial management systems did not fully comply with Federal financial management system
requirements. HUD did not develop an adequate agencywide financial management systems
plan. Additionally, HUD had not completed development of an adequate integrated financial
management system. HUD’s financial systems, many of which were developed and
implemented before the issue date of current standards, were not designed to perform or provide
the range of financial and performance data currently required. The result is that HUD, on a
departmentwide basis, did not have integrated financial management systems that complied with
current Federal requirements or provided HUD the information needed to effectively manage its
operations on a daily basis. This situation could negatively impact management’s ability to
perform required financial management functions; efficiently manage the financial operations of
the agency; and report, on a timely basis, the agency’s financial results, performance measures,
and cost information. The Office of Community Planning and Development’s (CPD) grants
management systems had weaknesses in internal control and were also noncompliant with Office
of Management and Budget (OMB) A-127 Federal financial management systems requirements,
Federal accounting standards, and application of the U.S. Standard General Ledger (USSGL) at
the transactions level.

This situation could negatively impact management’s ability to perform required financial
management functions; efficiently manage the financial operations of the agency; and report, on
a timely basis, the agency’s financial results, performance measures, and cost information.




    Agencywide Financial
    Management Systems Plan Did
    Not Meet Circular A-127
    Requirements



               In fiscal year 2010, we performed an audit to assess HUD’s compliance with the
               requirements specified in OMB Circular A-127.2 We found that HUD did not
               comply with the requirements. The Office of Inspector General (OIG) reported in its
               fiscal year 2008 financial statement audit report that HUD had not performed the

2
 Audit Report Number 2011-DP-0003, ―HUD Did Not Fully Comply With the Requirements of OMB Circular A-
127,‖ issued December 3, 2010

                                                  5
           OMB Circular A-127-required reviews of its financial management systems for
           compliance with computer security and internal control guidelines. During our
           review in fiscal year 2010, we determined that HUD had not taken corrective action
           to address this weakness and ensure that A-127 compliance reviews were conducted.
           In October 2011, HUD’s Risk Management Division submitted a revised corrective
           action plan, which allowed the recommendation from the fiscal year 2008 financial
           statement audit to be closed.

           As part of our fiscal year 2011 audit, we determined that the agencywide financial
           management systems plan developed by the Chief Financial Officer (CFO) did not
           fully meet requirements of OMB Circular A-127. Although the plan developed for
           fiscal year 2011 contained headers or specific sections for each of the required pieces
           of information according to Circular A-127, the information included within the
           document was not sufficient. Specifically, the plan did not address (1) specific
           modifications or enhancements needed for each financial management system; (2)
           equipment acquisition information and details regarding system modifications,
           enhancements, etc., necessary to implement the targeted architecture for each
           financial management system; (3) cost estimation data related to each specific
           project; (4) information regarding each financial management system’s life cycle;
           (5) a projection of the reasonable useful life of each investment; (6) details regarding
           system upgrades required for each system; or (7) existing problems related to each
           of the financial management systems. As a result, the plan was not an effective
           management tool. Without future system enhancement and modification, resource
           allocation, budgeting, and funding information in its financial management system
           plans, HUD has no single document that can be used to ensure that agency spending
           and funding are in line with its business plan and goals.


HUD Is Required To
Implement a Compliant
Financial Management System


           The Federal Financial Management Improvement Act of 1996 (FFMIA) requires,
           among other things, that HUD implement and maintain financial management
           systems that substantially comply with Federal financial management system
           requirements. The financial management system requirements include
           implementing information system security controls. The requirements are also
           included in OMB Circular A-127, ―Financial Management Systems.‖ Circular A-
           127 defines a core financial system as an information system that may perform all
           financial functions including general ledger management, funds management,
           payment management, receivable management, and cost management. The core
           financial system is the system of record that maintains all transactions resulting
           from financial events. It may be integrated through a common database or
           interfaced electronically to meet defined data and processing requirements. The
           core financial system is specifically used for collecting, processing, maintaining,

                                              6
         transmitting, and reporting data regarding financial events. Other uses include
         supporting financial planning, budgeting activities, and preparing financial
         statements.

         As in previous audits of HUD’s financial statements, in fiscal year 2011, there
         continued to be instances of noncompliance with Federal financial management
         system requirements. These instances of noncompliance have given rise to
         significant management challenges that have (1) impaired management’s ability
         to prepare financial statements and other financial information without extensive
         compensating procedures, (2) resulted in the lack of reliable, comprehensive
         managerial cost information on its activities and outputs, and (3) limited the
         availability of information to assist management in effectively managing
         operations on an ongoing basis.

HUD's Financial Systems Were
Not Adequate


         As reported in prior years, HUD did not have financial management systems that
         enabled it to generate and report the information needed to both prepare financial
         statements and manage operations on an ongoing basis accurately and in a timely
         manner. To prepare consolidated departmentwide financial statements, HUD
         required the Federal Housing Administration (FHA) and the Government
         National Mortgage Association (Ginnie Mae) to submit financial statement
         information on spreadsheet templates, which were loaded into a software
         application. In addition, all consolidating notes and supporting schedules had to
         be manually posted, verified, reconciled, and traced. To overcome these systemic
         deficiencies with respect to preparation of its annual financial statements, HUD
         was compelled to rely on extensive compensating procedures that were costly,
         labor intensive, and not always efficient.

         Due to a lengthy HUD Integrated Financial Management Improvement Project
         (HIFMIP) procurement process and lack of funding for other financial application
         initiatives, there were no significant changes made in fiscal year 2011 to HUD’s
         financial management processes. As a result, the underlying system limitations
         identified in past years remained. Due to the functional limitations of the three
         applications (HUD Central Accounting Processing System (HUDCAPS), Line of
         Credit Control System (LOCCS), and Program Accounting System (PAS))
         performing the core financial system function, HUD was dependent on its data
         mart and reporting tool to complete the accumulation and summarization of data
         needed for U.S. Department of the Treasury and OMB reporting.




                                          7
HUD’s Financial Systems Did Not
Provide Managerial Cost Data


         In fiscal year 2006, the U.S. Government Accountability Office (GAO) reported
         in GAO-06-1002R, Managerial Cost Accounting Practices, that HUD’s financial
         systems did not have the functionality to provide managerial cost accounting
         across its programs and activities. This lack of functionality resulted in the lack
         of reliable and comprehensive managerial cost information on its activities and
         outputs. HUD lacked an effective cost accounting system that was capable of
         tracking and reporting costs of HUD’s programs in a timely manner to assist in
         managing its daily operations. This condition rendered HUD unable to produce
         reliable cost-based performance information.

         HUD officials indicated that various cost allocation studies and resource
         management analyses were required to determine the cost of various activities
         needed for mandatory financial reporting. However, this information is widely
         distributed among a variety of information systems, which were not linked and,
         therefore, could not share data. This condition made the accumulation of cost
         information time consuming, labor intensive, untimely, and ultimately made that
         cost information not readily available. Budget, cost management, and
         performance measurement data were not integrated because HUD

             Did not interface its budget formulation system with its core financial system;

             Lacked the data and system feeds to automate a process to accumulate,
             allocate, and report costs of activities on a regular basis for financial reporting
             needs, as well as internal use in managing programs and activities;
             Did not have the capability to derive current full cost for use in the daily
             management of HUD operations; and
             Required an ongoing extensive quality initiative to ensure the accuracy of the
             cost aspects of its performance measures as they were derived from sources
             outside the core financial system.

         While HUD had modified its resource management application to enhance its cost
         and performance reporting for program offices and activities, the application did
         not use core financial system processed data as a source. Instead, HUD used a
         variety of applications, studies, and models to estimate the cost of its program
         management activities. One of these applications, TEAM/REAP, was designed
         for use in budget formulation and execution, strategic planning, organizational
         and management analyses, and ongoing management of staff resources. It was


                                            8
             enhanced to include an allocation module that added the capability to tie staff
             distribution to strategic objectives and HUD program offices’ management plans.

             Additionally, HUD had developed time codes and an associated activity for nearly
             all HUD program offices to allow automated cost allocation to the program office
             activity level. HUD indicated that the labor costs that would be allocated to these
             activities would be obtained from the HUD payroll service provider. However,
             because the cost information did not pass through the general ledger, current
             Federal financial management requirements were not met.

Financial Systems Did Not
Provide for Effective and
Efficient Financial
Management


             During fiscal year 2011, HUD’s financial information systems did not allow it to
             achieve its financial management goals in an effective and efficient manner in
             accordance with current Federal requirements. To perform core financial system
             functions, HUD depended on three major applications, in addition to a data
             warehouse and a report-writing tool. Two of the three applications that performed
             core financial system functions required significant management oversight and
             manual reconciliations to ensure accurate and complete information. HUD’s use
             of multiple applications to perform core financial system functions further
             complicated financial management and increased the cost and time expended.
             Extensive effort was required to manage and coordinate the processing of
             transactions to ensure the completeness and reliability of information.

             Additionally, the interface between the core financial system and HUD’s
             procurement system did not provide the required financial information. The
             procurement system interface with HUDCAPS did not contain data elements to
             support the payment and closeout processes. Also, the procurement system did
             not interface with LOCCS and PAS. Therefore, the processes of fund
             certification, obligation, deobligation, payment, and closeout of transactions that
             were paid out of the LOCCS system were all completed separately, within either
             PAS or LOCCS. This lack of compliance with Federal requirements impaired
             HUD’s ability to effectively monitor and manage its procurement actions.

 HUD’s Plans To Implement a
 Departmentwide Core
 Financial System Were
 Underway

             HUD’s plans to implement a commercial Federal certified core financial system
             and integrate the current core financial system into one departmentwide core
             financial system were underway. FHA and Ginnie Mae had implemented a

                                               9
            compatible and compliant system to support the transition to the enterprise core
            financial system. HUD originally planned to select a qualified shared service
            provider to host the enterprise system and integrate the three financial systems
            (HUD, FHA, and Ginnie Mae) into a single system by fiscal year 2015.
            Achieving integrated financial management for HUD would result in a reduction
            in the total number of systems maintained, provide online, real-time information
            for management decision making, enable HUD to participate in E-government
            initiatives, and align with HUD’s information technology modernization goals.

            HIFMIP, launched in fiscal year 2003, had been plagued by delays. HIFMIP was
            intended to modernize HUD’s financial management systems in accordance with
            a vision consistent with administration priorities, legislation, OMB directives,
            modern business practices, customer service, and technology. HUD believed that
            at some point, HIFMIP would encompass all of HUD’s financial systems,
            including those supporting FHA and Ginnie Mae. HUD had intended to begin the
            implementation in fiscal year 2006. Due to delays with the procurement process,
            however, the contract for HIFMIP was not awarded until September 2010.

            OMB reviewed HIFMIP and recommended that HUD give additional
            consideration to its (1) categorization of risk and mitigation strategies, (2)
            governance structure to ensure appropriate leadership is in place to support the
            project, and (3) funding strategy to give more time to assess whether the current
            approach is viable. As a result of OMB’s recommendations, HUD agreed to
            rescope HIFMIP to address only the department-level portion. Based on HUD’s
            agreement to rescope the project, OMB approved the 18-month base period.
            Additional approvals will be needed for the option periods associated with
            HIFMIP. The planned ―go live‖ date for the first phase of HIFMIP has been
            revised from March 2012 to May 2012. Until its core financial system is fully
            implemented, we believe the following weaknesses with HUD’s financial
            management systems will continue:

                HUD’s ability to prepare financial statements and other financial information
                will require extensive compensating procedures.

                HUD will have limited availability of information to assist management in
                effectively managing operations on an ongoing basis.


CFO is Required to Ensure CPD
Financial Management Systems
Are Compliant with OMB A-127
With OMB A-127
           The CFO is responsible for overseeing all financial management activities relating
           to the programs and operations of the agency and developing and maintaining an
           integrated agency accounting and financial management system, including
           financial reporting and internal controls, which complies with applicable

                                            10
                  accounting principles, standards, and requirements, and internal control standards,
                  as well as, any other requirements applicable to such standards. Additionally, the
                  CFO is responsible for directing, managing and providing policy guidance and
                  oversight of agency financial management personnel, activities, and operations,
                  including the approval and management of agency financial management systems
                  design or enhancement projects. A financial system is an information system that
                  may perform all financial functions including general ledger management, funds
                  management, payment management, receivable management, and cost
                  management. The core financial system is the system of record that maintains all
                  transactions resulting from financial events.3 The core financial system is
                  specifically used for collecting, processing, maintaining, transmitting, and
                  reporting data regarding financial events. Any data transfers to the core financial
                  system must be traceable to the transaction source, posted to the core financial
                  system in accordance with applicable guidance from the Federal Accounting
                  Standards Advisory Board (FASAB), and in the data format of the core financial
                  system. A mixed system is an information system that can support both financial
                  and nonfinancial functions.

                  A financial management system includes the core financial systems and the
                  financial portions of mixed systems necessary to support financial management,
                  including automated and manual processes, procedures, and controls; data;
                  hardware; software; and support personnel dedicated to the operation and
                  maintenance of system functions. The following are examples of financial
                  management systems: core financial systems, procurement systems, loan
                  systems, grants systems, payroll systems, budget formulation systems, billing
                  systems, and travel systems.

                  The Integrated Disbursement Information System (IDIS) Online and the Disaster
                  Recovery Grant Reporting (DRGR) systems are used by CPD to support both the
                  financial and nonfinancial functions necessary for the management of CPD’s
                  grant programs.4 The systems were developed to enable grantees to identify
                  activities funded under their action plans, to include budgets; report
                  accomplishments on the activities, which facilitate HUD’s reporting on
                  performance goals; and report program income when applicable. To receive
                  funding, these grantees must prepare a citizen participation plan, publish their
                  proposed use of the funds, and submit an action plan to HUD. Once an action
                  plan is submitted and approved, grantees can submit quarterly reports

3
  A financial event is any activity having financial consequences to the Federal Government related to the receipt of
appropriations or other financial resources; acquisition of goods or services; payments or collections; recognition of
guarantees, benefits to be provided, or other potential liabilities; distribution of grants; or other reportable financial
activities.
4
  IDIS supports the four CPD formula grant programs: Community Development Block Grant (CDBG), HOME
Investment Partnerships (HOME), Emergency Shelter Grants (ESG), and Housing Opportunities for Persons With
AIDS (HOPWA) and the related American Recovery and Reinvestment Act programs: CDBG-Recovery, Tax
Credit Assistance Payment (TCAP), and Homelessness Prevention and Rehabilitation Program (HPRP). DRGR
supports the Disaster Recovery CDBG program and other special appropriations, such as the three rounds of funding
of the Neighborhood Stabilization Program.

                                                           11
                summarizing obligations, expenditures, drawdowns, and accomplishments for all
                of their CPD-funded activities.

                Annually, IDIS’s and DRGR’s compliance status, as determined by HUD, is
                reported in HUD’s Agency Financial Report. The financial portions of IDIS and
                DRGR, which store the transaction-level detail of the grant payments, are
                interfaced with HUD’s core financial systems.5 Additionally, IDIS and DRGR
                are the systems through which the grantees request funding from their grants and,
                thus, perform the payment management function for those grants. As a financial
                management system, CPD and CFO are responsible for ensuring IDIS and DRGR
                comply with the standards included within OMB A-127. Therefore, the
                transaction-level data, which are summarized, must be posted to the core financial
                statements using proper USSGL accounts and accounting standards, and the
                systems must comply with Federal financial management system requirements.
                Although the OIG has reported significant internal control deficiencies6 and has
                reported IDIS non-compliant with FFMIA, OMB A-127, and federal financial
                accounting standards in fiscal years 2009, 20107, and 2011, the system is still
                reported, by the CFO, as compliant in the Department’s Agency Financial Report.
                The system is reported as compliant by the Department without CFO’s review or
                research into OIG’s basis for determining IDIS as noncompliant.

    CPD’s Grants Management
    Systems Did Not Comply With
    Federal Financial System
    Requirements


                The Federal financial management system requirements consist of three parts: (1)
                computer security requirements, which are defined by the Federal Information
                Security Management Act (FISMA) and Circular A-130 or successor documents;
                (2) internal controls requirements, which are the internal control objectives of
                Circular A-123; and (3) core financial system requirements, which are defined by
                the Federal Systems Integration Office (FSIO).

                First, OIG has determined that CPD’s financial management systems did not meet
                the computer security requirements of A-127. As part of the fiscal year 2010
                Federal Information System Controls Audit Manual (FISCAM) audit, OIG

5
  The payment requests from the systems are interfaced with LOCCS, which feeds into HUD’s core financial
systems and is used to disburse funds. LOCCS then passes the disbursement information to PAS and HUDCAPS,
which are the accounting systems used to generate the financial statements.
6
  Audit report number 2012-PH-0001, ―HUD Needed to Improve its Use of its Integrated Disbursement and
Information System to Oversee its Community Development Block Grant Program,‖ issued October 31, 2011.
7
  Audit Report number 2010-FO-0003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2009
and 2008 Financial Statements‖, issued November 16, 2009 and Audit Report number 2011-FO-0003, ―Additional
Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements‖, issued November
15, 2010.

                                                    12
                determined that HUD did not ensure that adequate application controls for the
                IDIS Online system were properly put in place and operating effectively.8 OIG
                noted the following deficiencies within IDIS: (1) incompatible functions such as
                system administration and security administration were not adequately separated,
                and (2) there was no formal user recertification process to ensure that all users
                were properly recertified. These weaknesses existed because CPD designed IDIS
                with decentralized security without adequate controls in place to ensure that the
                overall security of the application remained within the control of HUD staff. By
                not separating incompatible system administration and security responsibilities
                and reviewing the continued appropriateness of access to the financial systems,
                HUD increased its risk that sensitive financial data could be modified, disclosed,
                or misused or that erroneous or fraudulent transactions would be processed. The
                recommendations for the findings identified remained unimplemented.

                In an audit of DRGR during fiscal year 2011,9 OIG determined that the DRGR
                program office’s application security management program had weaknesses.
                Specifically, the DRGR system security documentation had not been updated to
                reflect current information about the system and its environment, and although the
                DRGR system had been classified as a mission-critical system, it was not tested
                during the most recent annual disaster recovery test. These conditions occurred
                because DRGR program officials failed to communicate with the Office of the
                Chief Information Officer (OCIO) to ensure that security controls of their system
                were adequate and their system documentation was up to date. As a result, the
                necessary security controls may not have been implemented. In addition, since
                the contingency plan had not been adequately tested, the effectiveness of the plan
                or the system’s readiness to deal with a potential disaster could not be determined.

                Control activities include policies, procedures, and mechanisms in place to help
                ensure that agency objectives are met and ensure that resource use is consistent
                with laws, regulations, and policies; resources are safeguarded against waste, loss,
                and misuse; and reliable data are obtained, maintained, and disclosed in reports.
                Internal controls also need to be in place over information systems, both general
                and application control. General control applies to all information systems such
                as the mainframe, network, and end-user environments and includes agencywide
                security program planning, management, control over data center operations,
                system software acquisition, and maintenance. Application control should be
                designed to ensure that transactions are properly authorized and processed
                accurately and that the data are valid and complete. Controls should be
                established at an application’s interfaces to verify inputs and outputs, such as edit
                checks. General and application controls over information systems are
                interrelated; both are needed to ensure complete and accurate information


8
 Audit report number 2011-DP-0004 –―Fiscal Year 2010 FISCAM Report,‖ issued January 14, 2011
9
 Audit report number 2011-DP-0008 – ―The Disaster Recovery Grant Reporting System That Maintained Recovery
Act Information Had Application Security Control Deficiencies,‖ issued July 28, 2011


                                                   13
                  processing. Due to the rapid changes in information technology, controls must
                  also adjust to remain effective.

                  Secondly, CPD management did not maintain effective internal controls over
                  financial reporting within the information systems. Our review found that DRGR
                  did not have a sufficient data modification process in place to protect financial
                  transaction data and audit trails from being overwritten. In addition, CPD did not
                  maintain proper internal controls or adequate audit trails in IDIS to ensure that
                  transactions were properly authorized and processed accurately and that the data
                  were valid and complete to ensure that agency objectives were met; resource use
                  was consistent with laws, regulations, and policies; and resources were
                  safeguarded against waste, loss, and misuse. In both systems, the transaction-
                  level data detailing how grantees used funding provided by HUD were not
                  transferred to HUD’s core financial applications. The detailed financial
                  transaction data were only maintained within the mixed systems; therefore, IDIS
                  and DRGR were the financial management systems of record for these data, since
                  only summary information was transferred and maintained in the core financial
                  systems. However, OIG found that grantees were able to modify the detailed
                  financial transactions within the systems, ultimately altering and in some cases,
                  eroding audit trails without approval by CPD. In addition, IDIS’s design and
                  implementation of adequate budget controls was deficient.

                  Specifically, CPD allowed DRGR grantee users to modify voucher transactions
                  (financial events or transactions) to reflect changes to program cost allocation
                  information between activities (the allocation of funds drawn for specific
                  activities). As a result, reconciliation between DRGR and HUD’s core financial
                  applications was cumbersome and time consuming. The situation was further
                  aggravated because (1) DRGR did not maintain the full voucher number for
                  payment transactions recorded in LOCCS, (2) CPD allowed revision of all or part
                  of the original distribution, (3) CPD did not require grantees to record a reason or
                  justification for making the change within DRGR, (4) CPD allowed voucher
                  modifications to be made until the grant was closed out, and (5) CPD did not
                  require grantee users to obtain approval from HUD for each modification
                  transaction.10

                  In addition, CPD did not adequately use IDIS to provide oversight of activities
                  under its CDBG program. As a result, HUD was unaware of how grantees used
                  almost $67 million that were provided to grantees to fund more than 1,300
                  activities that grantees later cancelled in IDIS. In addition, HUD lacked adequate
                  oversight of almost $3 billion used to fund more than 20,000 long-standing11 open
                  activities that grantees had reportedly not completed for up to 11 years. Further,
                  IDIS did not support internal control activities to help ensure that agency

10
   Notification of Finding and Recommendation - FISCAM-07, ―DRGR Does Not Have A Sufficient Process In
Place to Protect Detailed Financial Transaction Data From Being Overwritten‖, Issued October 17, 2011
11
   For purposes of this review, OIG defined a long-standing program activity as an activity that remained open for at
least 5 years after it was funded through a grantee’s annual consolidated plan.

                                                         14
                  objectives were met and ensure that resources used were safeguarded against
                  waste, loss, and misuse. 7

                  OIG also noted during the fiscal year 2011 audit that the IDIS system only stored
                  the last update to any given activity record, which would make it difficult for
                  CPD to provide oversight of activities, as well as obtain an adequate audit trail to
                  determine whether resources were spent to achieve expected results.

                  Without reliable and timely financial information, government managers have
                  limited assurance that resources were spent to achieve expected results. In
                  addition, the ability to evaluate program effectiveness and detect waste and
                  inefficiency is diminished when audit trails are cumbersome, detailed information
                  regarding transactions is not maintained, and approvals for data modifications are
                  not required.

                  Budget controls are part financial reporting and part compliance controls and
                  provide reasonable assurance that budgetary transactions, such as obligations and
                  outlays, are properly recorded, processed, and summarized to permit the
                  preparation of the financial statements; primarily the statement of budgetary
                  resources, in accordance with U.S. generally accepted accounting principles
                  (GAAP). Budget controls are generally compliance controls in that they provide
                  reasonable assurance that transactions are executed in accordance with laws
                  governing the use of budget authority. In fiscal year 2009, we found that the
                  design and implementation of adequate budget controls in IDIS were
                  deficient as a result of CPD’s decision to charge grant disbursement drawdowns
                  from the oldest budget fiscal year (BFY) appropriation funding source available at
                  the time of drawdown without regard for the original source of funding for the
                  corresponding obligation recorded. CPD refers to this practice as FIFO (first-in,
                  first-out). This process results in a mismatching of obligations and outlays.

                  We found the monetary impact of using FIFO and incorrectly mismatching BFY
                  fund sources to be significant, with almost $44 billion of CPD’s formula program
                  grants citing the mismatched BFY appropriation as a source of funds for
                  disbursement since fiscal year 2002.12 Our review of the payment transaction
                  history in IDIS indicated that beginning with fiscal years 2002 through October
                  13, 2011, approximately 4.5 billion payments were completed for a total of $72.4
                  billion, of which 57 percent, or 2.6 million payments, and approximately 61
                  percent, or $44 billion, did not match the source and use of funds. Thus, the funds
                  disbursed for activities set up13 under a given grant’s BFY appropriation were
                  disbursed from grants awarded with BFY appropriations before that grant year

12
   This is the first year that all CPD formula grants were appropriated under a fixed-year treasury symbol and no
longer received no-year annual appropriations.
13
   For purposes of the analysis, ―set up‖ refers to the process of specifically identifying an activity under a specific
BFY appropriation grant award and allocating estimated amounts expected to complete an activity in IDIS.
Activities are the manner in which grantees further identify the source and use of funds and reconcile to their annual
budget of their grant awards.

                                                          15
                  due to the FIFO process. For fiscal year 2011 alone, there were almost 226,000
                  payments totaling almost $4.1 billion which were mismatched. In addition, $55.7
                  million of disbursements made from fiscal year 2004 obligations during fiscal
                  year 2011, from fiscal year 2004 obligations, did not match the source of funds,
                  due to FIFO. These payments should have been disbursed from a fiscal year
                  subsequent to 2004. If FIFO was not used and the payments were properly
                  matched to the source of funds, in accordance with the National Defense
                  Authorization Act (NDAA) of 199114, the $55.7 million would have been
                  returned to the U.S. Treasury at the end of fiscal year 2011.

                  According to the grants’ funds control plans, the legal point of obligation is when
                  an acceptable annual plan is submitted, establishing what should be the BFY
                  projects and activities, and the assistance award or amendment is signed. The
                  point of obligation using the BFY defines the source of funds and establishes the
                  timeframes for suballocation, expenditures, and when the funds are returned to the
                  U.S. Treasury if not expended. This process is in accordance with GAO’s Title
                  2,15 which recognizes that the accounting for a Federal assistance award begins
                  with the execution of an agreement or the approval of an application in which the
                  amount and purposes of the grant, the performance periods, the obligations of the
                  parties to the award, and other terms are established. The execution of these
                  obligation agreements initiates a financial transaction and requires CPD to record
                  an obligation in its financial accounting records, and to identify a related BFY
                  source of funding for the agreement in accordance with Federal budgetary
                  accounting laws and GAAP. This source BFY, which is identified at the point of
                  obligation and at the initiation of the financial transaction event, is required by
                  budgetary internal controls to remain constant and be identified with each use of
                  the funds by the grantee. This is especially necessary for recording related
                  financial transactions and the event of the obligation established.

                  The logic used by IDIS and CPD to select the source of funds, rather than
                  properly identifying and matching the source and use of funds, demonstrates an
                  internal control deficiency. CPD’s definition of ―source of funds‖ takes into
                  account the source of funding being only that of either a State grantee or
                  entitlement grantee and the type of money (program income versus entitlement
                  grant funds, etc.). It disregards the Federal budgetary fiscal year source of funds.
                  CPD describes how FIFO is applied in a procurement document in the following
                  manner:



14
   The National Defense Authorization Act of 1991 (Public Law 101-510, November 5, 1990) established rules
governing the availability of appropriations for expenditure. This legislation mandates that on September 30th of the
fifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall
be closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and
thereafter shall not be available for obligation or expenditure for any purpose.
15
    Accounting Principles, Standards and Requirements; Title 2 Standards Not Superseded by FASAB Issuances,
from GAO Policy and Procedures Manual for Guidance of Federal Agencies


                                                           16
       The FIFO technique is applied to funds having the same grant
       program, source of funds, recipient of funds, and type of funds.
       The grant year is used to order the funds from oldest year to
       newest year. When a grantee commits funds to an activity (by
       funding an activity using the activity funding function), the funds
       are committed from the oldest funds having the same source of
       funds, recipient of funds, and type of funds. The grantee is
       unaware of the year from which the funds are committed.
       Similarly, when a grantee draws funds, the funds are drawn from
       the oldest funds having the same source of funds, recipient of
       funds, and type of funds.

At issue is CPD’s and IDIS’s treatment of the source of grant funds. Based on
our review and discussion with CPD staff, we found that CPD used a different
meaning and application technique for source of funds depending on what action
was taken. At the point of obligation, a BFY appropriation source year was used
to obligate the funds to a State or entitlement grantee. When an activity was
established and funded, CPD would match the State or entitlement grantee source
and type of funding and may have used the oldest BFY appropriation source of
funds to allocate funds for the estimated costs for the activity. At disbursement,
CPD and IDIS would match the State or entitlement grantee source and type of
funding and use the oldest BFY appropriation source of funds to disburse funding
to pay for an activity.

While a grantee’s program year may not line up with a Federal fiscal year due to
when agreements are signed, the achievements, projects, and activity costs
recorded in the IDIS Online system must be reconcilable with the BFY
appropriation source year in which the funding was approved. Arbitrarily
liquidating the funding from the oldest available BFY appropriation source for the
fund type associated with the activity is not in line with budgetary internal
controls requirements.

As noted in CPD’s definition and application of FIFO, the BFY appropriation was
not considered except as identification for the source of funds. CPD described the
BFY as the grant year, and its only purpose was to order the funds from oldest to
newest. CPD’s position of mingling all of the grant year (BFY appropriation)
funds together and simply ordering them from oldest to newest and using FIFO is
based on its belief that the purpose of block grants is to provide the grantees a
great deal of flexibility in managing their projects. While this may have been the
simplest way to manage grants at the start of the programs, which was before
FASAB, budget controls, the NDAA, and other recently implemented Federal
financial management acts, it ignores how FIFO affects these aspects of financial
reporting and is also noncompliant with Federal financial reporting requirements.




                                17
                 During the fiscal year 2009 audit, OIG identified programmatic issues, which
                 resulted in the accumulation of undisbursed funds for the HOME program16.
                 However, during fiscal year 2010, CPD did not review the old Community
                 Housing Development Organizations (CHDO) and subgrantee commitments to
                 determine whether a use for the funding existed, and if not, whether de-obligation
                 of funds was warranted, and CPD did not develop a policy to track CHDOs and
                 subgrantees expenditures separately, as agreed. Instead, CPD decided to modify
                 IDIS to implement ‖Financial Control Enhancements‖, which CPD believes will
                 resolve the risk of HOME grantees losing project funds due to idiosyncratic
                 accounting rules in IDIS Online. CPD stated the changes would alter the way the
                 system currently operates under limited FIFO functionality for HOME, and
                 results in the system drawing newer money before older funds, unintentionally
                 leaving pockets of older funds that become subject to recapture – even if the funds
                 are reserved to organizations or committed to projects.

                 These modifications, also known as "true-FIFO" would no longer be challenged
                 by the recipient of funds for CHDOs and subgrantees and will only be challenged
                 by the source and type of funds in the HOME program by the participating
                 jurisdiction. OIG has previously communicated that the modifications to IDIS are
                 inappropriate and coupled with the internal control deficiencies previously cited,
                 would further erode CPD’s ability to monitor actual performance by its
                 participating jurisdictions and CHDOs.

                 As the CFO is responsible for the approval and management of agency financial
                 management systems design or enhancement projects, OIG recommended HUD
                 to suspend work on this task immediately until a review of how appropriate
                 compliant business processes can be integrated into IDIS’s programming was
                 conducted. However, CPD has disregarded OIG’s position, and has committed $1
                 million of HUD’s Transformation Initiative toward implementing these changes,
                 which are in direct contradiction to OIGs finding surrounding IDIS' non-
                 compliance with the internal control objectives of federal financial management
                 system requirements and federal accounting standards.

                 Lastly, the applicable FSIO financial system requirements for the CPD financial
                 systems are defined by the Grant Financial System Requirements, JFMIP-SR-00-
                 3 (June 2000). The Grant Financial System Requirements state that ―All grant
                 financial systems must provide, as a minimum, the following qualities:

                          Complete and accurate funds control;
                          Complete, accurate, and prompt recording of obligations;
                          Complete, accurate, and prompt payment of grantee payment requests;

16
  OIG determined that these funds had accumulated due to poor performing Community Housing Development
Organizations (CHDOs); subgrantees that were not expending funds timely; and the program’s cumulative
accounting techniques. This is discussed further under Significant Deficiency 3: Office of Community Planning and
Development's (CPD) Internal Controls over Monitoring Grantees’ Compliance with Program Requirements Were
Not Operating Effectively.

                                                       18
                  Complete, accurate, and prompt generation and maintenance of grant
                  financial records and transactions;
                  Timely and efficient access to complete and accurate information, without
                  extraneous material, to those internal and external to the agency who
                  require the information;
                  Timely and proper interaction of the grant financial system with core
                  financial systems and other existing automated systems; and
                  Adequate internal controls to ensure that the grant financial system is
                  operating as intended.

           Payment requests require the following information in the request:

                  Grantee name and identifier
                  Amount requested
                  Grantee official authorized to submit request
                  Authorized grantee’s information
                  Amount of funds authorized
                  Amount approved
                  Amount disallowed
                  Program funding codes
                  Appropriation code(s)

           In addition, the Financial Reporting Process Flow section of the Grant Financial
           System Requirements provides that ―sufficient and appropriate information must
           be maintained for reconciliation with the agency’s core financial system.‖

           As noted above, IDIS did not maintain grant financial records and transactions, as
           grantees had the ability to change the details of financial records and transactions.
           The system maintained only a record of the last change and did not maintain an
           audit trail. In addition, during the payment request process in IDIS, the request
           did not include or require the appropriation code; hence, the system arbitrarily
           selected the oldest appropriation code (BFY) to use for the payment.

CPD’s Grants Management
Systems Did Not Comply With
Federal Accounting Standards


           Agency financial management systems must maintain accounting data to permit
           reporting in accordance with Federal accounting standards and reporting
           requirements issued by the Director of OMB or the Secretary of the Treasury.
           Statement of Federal Financial Accounting Standards 4: Managerial Cost
           Accounting Standards states that cost assignments should be directly traceable to
           the original common data source.



                                            19
                    Statement of Federal Financial Accounting Concepts 1: Objective of Federal
                    Financial Reporting Standards states that financial reporting should assist in
                    fulfilling the Government’s duty to be publicly accountable for funds raised
                    through taxes and other means and for their expenditure in accordance with the
                    appropriations laws that establish the Government’s budget for a particular fiscal
                    year and related laws and regulations. Federal financial reporting should provide
                    information that helps the reader to determine how information on the use of
                    budgetary resources relates to information on the costs of program operations and
                    whether information on the status of budgetary resources is consistent with other
                    accounting information on assets and liabilities.

                    As grantees can change the information used to provide the data used for
                    performance reporting, the systems lack reliable and comprehensive managerial
                    cost information on grantee activities and outputs. When grantees alter the detail
                    of the accounting transactions and that information is in contrast to the
                    information reported in the core financial systems and reported in the external
                    financial reports, the information reported to external parties regarding the
                    performance is not traceable to the common data source. This is especially true as
                    the information has the ability to change across financial reporting periods
                    without CPD’s knowledge. CPD lacked an effective cost accounting system that
                    was capable of tracking and reporting costs of CPD’s programs in a timely
                    manner to assist in managing its daily operations. This condition rendered HUD
                    unable to produce reliable cost-based performance information. In addition, as
                    the process of FIFO does not allow the costs of performing the grantee activities
                    to be traceable to an original data source, the process of accumulating cost
                    information was time consuming, labor intensive, untimely, and ultimately made
                    that cost information not readily available. Without reliable and timely financial
                    information, government managers have limited assurance that resources were
                    spent to achieve expected results. In addition, the ability to evaluate program
                    effectiveness and detect waste and inefficiency is diminished when audit trails are
                    cumbersome, detailed information regarding transactions is not maintained, and
                    approvals for data modifications are not required.

                    HUD’s Uniform Administrative Requirements for Grants and Cooperative
                    Agreements17 requires that grantee financial management systems provide for (1)
                    accurate, current, and complete disclosure of the financial results of each federally
                    sponsored project or program and (2) records that identify adequately the source
                    and application of funds for federally sponsored activities. These records must
                    contain information pertaining to Federal awards, authorizations, obligations,
                    unobligated balances, assets, outlays, income and interest, and comparison of
                    outlays with budget amounts for each award. Whenever appropriate, financial
                    information should be related to performance and unit cost data and accounting
                    records including cost accounting records that are supported by source
                    documentation. Accordingly, grantees, to be in compliance with U.S. GAAP as
                    well as OMB and HUD requirements, are required to account for these grants on a
17
     24 Code of Federal Regulations (CFR), Title 24, Part 84 and 85

                                                          20
            BFY appropriation and grant-year basis and must identify the source and use of
            funds for all financial transactions and support cost accounting. However, as
            CPD has implemented the use of FIFO to arbitrarily record performance of
            financial transactions and allow grantees to alter the data related to cost
            accounting, their financial management systems are not capable of functioning at
            the same level they require their grantee’s financial management systems.

CPD’s Grants Management
Systems Did Not Comply
With the U.S. General Ledger
at the Transaction Level


            Financial events shall be recorded applying the requirements of the USSGL.
            Application of the USSGL at the transaction level means that each time an
            approved transaction is recorded in the system, it will generate appropriate
            general ledger accounts for posting the transaction according to the rules defined
            in the USSGL guidance.

            OIG noted during our review of DRGR, that when grantees altered the voucher
            transactions in the system, as voucher transactions are approved financial
            transactions, it altered the supporting detail of the financial transaction and did not
            generate the appropriate general ledger accounts for posting the transaction in
            accordance with USSGL at the transaction level.

            In addition, as noted above, during the payment request process in IDIS, the
            request did not include or require the appropriation code; hence, the system
            arbitrarily selected the oldest appropriation code (BFY) to use for the payment. It
            did not generate the correct appropriate general ledger accounts for posting the
            transaction according to the rules in the USSGL guidance, which requires outlays
            of obligations to be recorded against the obligation.




                                              21
Significant Deficiency 2: HUD’s Processes for Reviewing Its
Obligations Had Improved, but Deficiencies Still Existed
HUD had made progress over the past several years in improving its processes for reviewing its
outstanding obligations and recapturing amounts no longer needed to fund them. However,
deficiencies still existed that allowed invalid obligations to remain in HUD’s accounting records.
This condition occurred because of a lack of resources and inadequate procedures. This has been
a long-standing weakness.

In fiscal year 2011, HUD’S CFO coordinated a review of unliquidated obligations to determine
whether the obligations should be continued, reduced, or canceled. The review encompassed all
of HUD’s unliquidated obligations except those for the Section 8 project-based and tenant-based
moderate rehabilitation programs and Sections 235 and 236 interest reduction and rental
assistance and rent supplement programs, which were subjected to separate reviews led by the
program offices. We evaluated HUD’s internal controls for monitoring obligated balances and
found that HUD had continued its progress in implementing improved procedures and
information systems. However, additional improvements are needed. Our review of the fiscal
year 2011 yearend obligation balances showed that timely reviews and recaptures of unexpended
obligations for the CPD Supportive Housing Program, Section 202 and 811 programs, and
HUD’s administrative and other program obligations were not always performed. As a result,
$38.5 million in excess funds had not been recaptured, which, however, is a significant
improvement from past years. Our review also identified $100.6 million in unsupported
obligations for predevelopment and low-rent development grants that had not been closed out, of
which $76.6 million was identified in the prior year financial statement audit and remained open
in fiscal year 2011. Lastly, our review identified $18.3 million obligated for 154 expired
Housing Choice Voucher contracts.



 Administrative and Other
 Program Obligations

               Annually, the CFO forwards requests for obligation reviews to HUD’s
               administrative and program offices. The focus of the review is on administrative
               and program obligations that exceed threshold amounts established by the CFO.
               The thresholds are calculated so that if all obligations above the thresholds are
               reviewed, approximately 95 percent of HUD’s total open obligations will have
               been reviewed. For this year’s review, the thresholds were set at $23,000 for
               administrative obligations and $243,000 for program obligations. HUD identified
               1,758 obligations with remaining balances totaling $65.3 million for deobligation.
               We tested the 1,758 obligations HUD identified to determine whether the
               associated $65.3 million had been deobligated in HUD’s accounting systems. We
               found that, as of September 30, 2011, a total of 93 obligations with remaining
               balances totaling $1.7 million had not been deobligated. HUD had initiated the
               process of closing these contracts, and the associated funding should be
               recaptured in fiscal year 2012.

                                               22
     Supportive Housing Program
     Contracts

                  Our review of the obligation balances for the Office of Special Needs Assistance
                  Programs (SNAPs) as of September 30, 2011, showed approximately $57.8
                  million in undisbursed obligations recorded for expired contracts for Supportive
                  Housing Program contracts. These contracts expired on or before June 30, 2011.
                  CPD’s funds control plan allows a 90-day closeout period for expired contracts.
                  HUD regulations also state that HUD may authorize an extension for a recipient
                  to complete the closeout process and liquidate all obligations incurred under the
                  award.

                  Field offices were responsible for reviewing the status of contracts and
                  recommending that funds that have been obligated but not disbursed before the
                  expiration of the contract be deobligated and included in the next notification of
                  funding availability to be awarded to eligible grantees if they are deobligated
                  during the unexpired phase of the budget authority.18

                  During the fiscal year 2010 audit, OIG identified $97.8 million in unexpended
                  balances on expired contracts which had not been closed out during the 90-day
                  period. Additionally, OIG reported that SNAPs did not have an effective system
                  of internal controls with published control activities that included specific
                  policies, procedures, and mechanisms in place to help ensure that grants were
                  closed out and remaining balances recaptured, including appropriate
                  documentation of extensions granted and follow-up efforts with the grantees.

                  During fiscal year 2011, SNAPs documented policies and procedures to review
                  contracts approaching expiration to determine actions to take before the contracts
                  expired, as well as review procedures after contract expiration. As of September
                  30, 2011, SNAPs had reviewed the status of the $97.8 million identified in fiscal
                  year 2010 audit and taken action to deobligate $77 million in unexpended
                  balances on expired contracts. However, contracts that expired between July 1,
                  2010 and June 30, 2011 were not closed out during the 90-day period leaving an
                  additional $32 million19 in unexpended balances on expired contracts as of
                  September 30, 2011.

18
   Period of availability for making disbursements: Under a general law, funds annual budget authority and
multiyear budget authority may disburse during the first two phases of the life cycle of the budget authority. During
the unexpired phase, the budget authority is available for incurring ―new‖ obligations. You may make ―new‖ grants
or sign ―new‖ contracts during this phase, and you may make disbursements to liquidate the obligations. This phase
lasts for a set number of years. Annual budget authority lasts for up to 1 fiscal year. Multiyear authority lasts for
longer periods, currently from more than 1 fiscal year up to 15 fiscal years, and no-year authority lasts indefinitely.
19
   SNAPs made efforts to deobligate $77 million, disbursed $1.7 million, and extended $1.2 million for a total of
$79.9 million, leaving $17.9 million. As of September 30, 2011, SNAPs had identified an additional $7.9 million
for a total of $25.8 million in undisbursed balances on grants which expired before June 30, 2010. The $25.8
million and the $32 million which expired between July 1, 2010, and June 30, 2011 result in the $57.8 million in
undisbursed balances as of September 30, 2011.

                                                          23
             Due to the extensive backlog of expired contracts that expired before December
             31, 2010, SNAPs’ efforts were focused on deobligating the old balances and did
             not concentrate effort and resources to the contracts that were expiring during
             fiscal year 2011. SNAPs acknowledged that it would have to refocus and ensure
             that it becomes current with the review process.

             Excess funding on the $32 million from expired contracts identified during this
             year’s audit can be included in the next Continuum of Care competition, as
             announced in the notice of funding availability, and redistributed to eligible
             grantees. The excess funds should be recaptured and used to further accomplish
             the objectives of the program, which are to reduce the incidence of homelessness
             in Continuum of Care communities by assisting homeless individuals and families
             in moving to self-sufficiency and permanent housing.

Supportive Housing for the
Elderly and Disabled - Sections
202 and 811 Programs

             HUD’s Sections 202 and 811 programs provide affordable housing and supportive
             services for elderly families and families with disabilities. These programs
             provide capital advances to private nonprofit organizations to finance the
             construction of new facilities or the acquisition or rehabilitation of existing
             facilities. The capital advance is interest free and does not have to be repaid if the
             housing remains available for very low-income elderly or disabled families for at
             least 40 years. After the facility has been constructed and occupied, HUD
             provides additional project rental assistance contract funds to owners to cover the
             difference between the HUD-approved operating cost for the project and the
             tenants’ contribution toward rents. Funds for the Section 202 and 811 programs
             are also used to provide service coordinator grants, technical assistance, and
             inspections. Generally, funds appropriated for Section 202 and 811 programs are
             available for 3 years. After 3 years, the funds expire and will not be available for
             obligation, thus necessitating the need to track funds obligated under the program.

             At the beginning of fiscal year 2011, the Sections 202 and 811 programs had
             unliquidated obligation balances of $3.1 billion and $838 million, respectively.
             We reviewed the PAS subsidiary ledger supporting the unliquidated obligations to
             determine whether unliquidated program obligations reported were valid and
             whether invalid obligations had been cancelled and recaptured in PAS. Our
             review identified 154 Section 202 and 811 projects with available obligation
             balances totaling $4.8 million that had either expired or were no longer needed.
             HUD had initiated the process of closing out these projects, and the associated
             funding should be recaptured during fiscal year 2012. Additionally, the Office of
             Housing Assistance and Grant Administration within HUD’s Office of Housing,
             is taking steps to improve the monitoring of the Section 202 and 811 unliquidated

                                              24
         obligations, including issuing instructions to the Hubs and Program Center
         Directors to perform reviews on a semiannual basis, providing them with copies
         of the updated funds control plans, and working with CFO Systems staff to ensure
         expiration dates are entered for all Section 202 and 811 projects.

Public Housing Predevelopment
Grant Programs



         HUD’s Office of Public Housing Investments, within the Office of Public and
         Indian Housing (PIH), administers the Public Housing Capital Fund and
         development grant programs which provides public housing agencies with funds
         for development, financing, modernization, and management improvements.

         As of April 2011, the Office of Public Housing Investments grants subsidiary
         ledger contained 8,160 unliquidated obligations with remaining balances totaling
         $3.9 billion. Our review of the Capital Funds unliquidated obligations focused on
         170 grants funded with appropriations received before the enactment of the
         Quality Housing Work and Responsibility Act of 1998. The obligations for these
         grants were coded in HUD’s general ledger with fund codes that indicated the
         funds’ source year as fiscal year 1996 or earlier. Additionally, the obligations
         were recorded under program codes for predevelopment, development, and
         technical assistance activities in HUD’s grants management and disbursement
         system, LOCCS.

         Our fiscal year 2011 review identified 34 grants with remaining obligated
         balances totaling $24 million that should have been closed out. Of these, 16 with
         remaining balances totaling $12.8 million were predevelopment grants that had
         been left on the books after the grant activities had been completed. There were
         no cumulative disbursement records in LOCCS for these 16 predevelopment
         grants. These grants had been transferred from an older system to LOCCS, and
         there was no audit trail so the current balance could be verified. OIG Audit
         Report 97-SF-107-0001 reported similar problems with the transfer of low-rent
         development grants in 1996.

         We also followed up on the status of the $174 million in invalid obligations for
         434 grants from PIH’s low rent program that were recommended for recapture in
         our report on HUD’s fiscal year 2010 financial statements. As of September
         2011, there was $76.6 million obligated for 132 grants that had not been
         recaptured. HUD’s final action target date for the recapture of these funds is June
         30, 2012.

         The invalid obligations for the predevelopment grants and the low rent program
         grant remained on HUD’s books because PIH did not have a program office or
         division responsible for administering them. There was also a lack of adequate

                                         25
         procedures for the review of the remaining balances obligated for these grants.
         This condition led to difficulties in closing out the 132 remaining grants from our
         fiscal year 2010 audit recommendation as the PIH field offices had not been able
         to provide the documentation necessary for the grant closeouts and recapture of
         remaining balances.

         Last year, we recommended that the CFO develop desk procedures and perform
         reconciliations to ensure that the unpaid obligations subsidiary records for
         program grants accurately supports the general ledger balances. We reviewed the
         CFO reconciliation of the unpaid obligations for appropriation 0304 as of
         September 30, 2011. We noted that one grant for $2.3 million was repeated in
         two portfolios and used twice to support the balance. Also, we noted a $2 million
         reconciling item labeled ―Non-PAS Program‖ that was unsupported at the end of
         audit field work. Lastly, the $76.6 million from the low rent program portfolio
         containing invalid public housing grants that we identified and reported last year
         was used to support the general ledger balance.

         HUD’s CFO relied on PIH to review and certify the validity of its program
         obligations; however, it had no procedures in place to monitor or verify the
         accuracy and completeness of PIH’s unpaid obligations review. This condition
         led to an overstatement of HUD’s obligation balance by $100.6 million.

Section 8 Housing Choice
Voucher Contract Renewals
Obligations


         Starting January 1, 2005, Congress changed the basis of the tenant-based Section
         8 Housing Choice Voucher program funding from a ―unit-based‖ process to a
         ―budget-based‖ process that limits the Federal funding to a fixed amount. Under
         this legislation, HUD distributes Federal funding using a formula based on the
         prior 12 months reported by housing agencies. HUD disbursed on a monthly
         basis 1/12 of the annual funding allocated to the PHA, leaving no balance of
         unpaid obligations after the 12-month period.

         As of March 2011, the program’s subsidiary ledger had a total of 7,740 unpaid
         obligation contracts totaling $3.1 billion, which supported the program general
         ledger unpaid obligation accounts that had accumulated since fiscal year 2005.
         The data showed 1,123 contracts totaling $52 million in unpaid obligations that
         were expired as far back as fiscal year 2005. We tested 40 obligation contracts
         totaling $31 million (60 percent) and found that all were expired according to the
         terms of their funding notification letters. At least 14 contracts amounting to $14
         million related to Moving to Work Demonstration program (MTW) PHAs and 19
         contracts amounting to $6 million related to regular Section 8 PHAs should be
         have been deobligated years ago.



                                          26
PIH justifications for retaining MTW PHAs’ contracts obligated were not
substantiated by the MTW program director, whom was unaware about the funds
obligation status. This lack of communication among the PIH offices regarding
the status of obligations in the Section 8 program affected HUD’s ability to
maintain accurate accounting records. As of a result of our review, HUD’s
Financial Management Center (FMC) proposed to process recaptures for the $14
million MTW PHA contracts and the $6 million for other remaining contracts but
had not fully completed the process at yearend. As of September 2011, we noted
154 expired contracts (including MTW PHAs) totaling $18.3 million that should
have been deobligated.

In regard to regular Section 8 Housing Choice Voucher program expired
contracts, we attribute this condition to PIH management’s terminating the
reviewing of program obligations, believing that obligated contracts were fully
disbursed, leaving no unpaid obligated balance after implementing the Section 8
budget-based funding methodology in 2005. Nevertheless, our review showed
obligated contracts that had expired with outstanding balances that should be
deobligated.




                               27
Significant Deficiency 3: Office of Community Planning and
Development’s Internal Controls Over Monitoring Grantees’
Compliance With Program Requirements Were Not Operating
Effectively
CPD seeks to develop viable communities by promoting integrated approaches that provide
decent housing and a suitable living environment and expand economic opportunities for low-
and moderate-income persons. The primary means toward this end is the development of
partnerships among all levels of government and the private sector, including for-profit and
nonprofit organizations. To carry out its mission, CPD uses a mixture of competitive and
formula-based grants. OMB Circular A-123, Management’s Responsibility for Internal Controls,
requires that management, and ultimately HUD’s program offices implement an effective system
of internal controls to ensure that grantees for which funds are provided meet their goals and
objectives and carry out the program in accordance with program requirements. These
responsibilities include developing and maintaining internal control activities that comply with
standards to meet the three objectives of internal control: (1) effectiveness and efficiency of
operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and
regulations.

In carrying out its internal control responsibility of grantee oversight, management is responsible
for assessing the risk of grantee noncompliance with program regulations and developing control
activities which collect and distribute timely and relevant information to those charged with
making informed decisions. Control procedures developed should be clearly communicated, be
written, provide an audit trail, and be located where they can be obtained by those carrying out
the activities. Proper design of control activities is important, as is the collection and
dissemination of timely and relevant information. However, effective use and proper analysis of
the information collected to facilitate timely follow-up on grantee deficiencies noted is equally
important. Moreover, monitoring and evaluating the effectiveness of control procedures is
critical to ensure correction of internal control deficiencies before they materially affect the
achievement of the program’s and the organization’s objectives and goals.

Based upon our review of CPD’s programs and internal controls implemented to monitor grantee
compliance with program regulations, we noted control deficiencies regarding the programs’
timely action and follow-up with noncompliant grantees, as well as inadequate procedures to
identify noncompliant grantees. The combination of the control deficiencies noted during our
audit have adversely affected the organization’s ability to meet its internal control objectives,
which are to not only determine grantee compliance with applicable laws and regulations, but to
also identify deficiencies in a timely manner and design and implement corrective actions to
improve or reinforce program participant performance.




                                                28
Subgrantees and Community
Housing Development
Organizations for the HOME
Program Did Not Always
Expend Grantee Funds in a
Timely Manner

          Our review of the HOME program found $16.3 million in unexpended grants
          funded with no-year expiration funds and dated from 1992 through 2001; $9.9
          million of the $16.3 million was uncommitted as of September 30, 2011. These
          no-year funds had accumulated due to (1) poorly performing community housing
          development organizations (CHDO) and subgrantees of the participating
          jurisdictions that did not expend funds in a timely manner, (2) a cumulative
          accounting process which allowed poor performance to go undetected, and (3) a
          recapture policy for noncompliant participating jurisdictions that recaptured funds
          from a current funding source. The $16.3 million in HOME grant funds were not
          used to expand the supply of decent, safe, sanitary, and affordable housing for
          low- and very low-income families.

          In addition, our review showed $2.6 million in unexpended fiscal year 2004
          HOME funds and $1.7 million in uncommitted funds. These funds, due to
          provisions of the NDAA, were cancelled and remitted to the U.S. Treasury by the
          Department on September 30, 2011.


                                      Table 1
                   Fiscal Year      Available To       Available To
                                      Commit              Draw
                 1992                     $40,324            $62,270
                 1993                     357,438            655,751
                 1994                     640,551          1,730,511
                 1995                     911,566          1,340,591
                 1996                     981,750          2,000,826
                 1997                     578,613            945,841
                 1998                  1,749,007           2,325,634
                 1999                  1,557,579           1,882,625
                 2000                     869,221          1,696,771
                 2001                  2,288,614           3,707,930
                 Subtotal              9,974,663          16,348,750
                 2004                  1,707,640           2,574,731
                 Grand Total         $11,682,303         $18,923,481


          Current HOME program regulations state that funds not expended in a timely
          manner can be reallocated in the next year’s formula allocation to further the

                                          29
mission of the program. It is the field offices’ responsibility to ensure that funds
from fiscal years 2001 and earlier that were not spent in a timely manner were
recaptured and used in the next year’s formula allocation.

HOME program regulations did not penalize or highlight poorly performing
grantees, subgrantees, or CHDOs for two reasons.

       First, CHDO subgranted or reserved funds and other subgranted funds
       were held to the 5-year disbursement deadline, but it was the participating
       jurisdiction that was ultimately responsible for meeting the disbursement
       deadline. Therefore, compliance was monitored at the participating
       jurisdiction’s level. To that end, if a CHDO or subgrantee did not draw
       down funds or complete projects in a timely manner, it could be masked
       by other well-performing or over-performing CHDOs, subgrantees, or the
       participating jurisdiction itself. In addition, it appears that the large
       number of subgrantees and CHDOs per participating jurisdiction within
       the HOME program and lack of field office staff made it difficult for the
       field offices to sufficiently monitor the status of subgranted funds.

       Second, the commitment, reservation, and disbursement deadlines were
       determined on an aggregate or cumulative basis versus a grant-year basis.
       This condition created a situation in which older funds remained available
       for drawdown because compliance with the disbursement deadline was
       determined cumulatively. Therefore, if a grantee was not performing as it
       should or not spending funds to complete its projects, the cumulative
       program requirements allowed a grantee’s poor performance for 1 grant
       year to remain undetected. As noted above, $11.6 million in funds was
       uncommitted. The cumulative process allowed these funds to remain
       uncommitted for almost 20 years, while the participating jurisdiction
       remained compliant with the regulations during the compliance reviews.
       In addition, if participating jurisdictions were found to be noncompliant,
       the recapture process deobligated funds from current multiyear funding
       sources and not the older no-year expiration funds, which also remained as
       obligated balances.

As part of the fiscal year 2011 audit, OIG recalculated Jacksonville – Duval
County’s 2008 commitments based upon the commitments made only between
the date of the 2008 grant award and its October 31, 2010, deadline date. OIG
determined that, based upon only applying the commitments made toward the
participating jurisdiction’s 2008 planned budget and actual commitments signed
during that 2-year period, the participating jurisdiction did not commit 100
percent of its 2008 grant before the deadline and was short of the 100 percent
requirement by $464,715. Additionally, OIG reviewed the De Kalb County
participating jurisdiction and determined that it fell short of committing $391,298
before its June 30, 2011, deadline for its fiscal year 2009 grant. However, based
upon HUD’s cumulative technique, which allows the inclusion of commitments

                                 30
                for grants awarded prior to and subsequent to the grant year, neither participating
                jurisdiction was considered to be non-compliant.

                During the fiscal year 2009 audit,20 OIG recommended that CPD ensure that field
                offices encourage participating jurisdictions to review the expiring funds report,
                as well as the performance of CHDOs and subgrantees, to determine whether the
                unused funds should be deobligated. We also recommended that CPD develop a
                policy that would track expenditure deadlines for funds reserved and committed
                to CHDOs and subgrantees separately.

                However, as part of the fiscal year 2010 audit, CPD informed OIG that to rectify
                this problem and in response to our recommendations, it contracted with an
                independent company to modify IDIS21 so that one CHDO’s or subgrantee’s
                funds under one participating jurisdiction could be used by another in the event of
                untimely use of funds by another CHDO or subgrantee. CPD calls this process
                ―true-FIFO.‖ CPD officials stated this process will keep unused funds from being
                ―held‖ to one CHDO. HUD estimated that the proposed change in IDIS would
                result in the drawdown of grant funds on a true-FIFO basis and would eliminate
                the fiscal years 1992-2001 HOME grant balances in less than 1 fiscal year. The
                project was expected to have been implemented by December 31, 2010.

                OIG communicated to CPD that the implementation of ―true-FIFO‖ modifications
                to IDIS were inappropriate and would further erode CPD’s ability to monitor
                actual performance by its participating jurisdictions and CHDOs and sufficiently
                manage its grant funds and recommended that CPD suspend work pending
                completion of a review of how appropriate compliant business processes could be
                integrated into IDIS’s programming.

                CPD has delayed implementing the system changes until further instruction from
                Management due to OIG's concerns. At the conclusion of the fiscal year 2011
                audit, the recommendations from OIG from the 2009 and 2010 audit had not been
                implemented, and $18.9 million remained undisbursed. OIG maintains its
                position that the modifications prevent CPD from sufficiently managing its grant
                funds and, thus, should be suspended.




20
   Audit Report number 2010-FO-003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010
and 2009 Financial Statements‖, issued November 15, 2010‖, Subgrantees and Community Housing Development
Organizations for the HOME Program Do Not Always Expend Grant Funds in a Timely Manner, identified $24.7
million in undisbursed HOME funds on grants from 1992 through 2001.
21
   As a nationwide database, IDIS provides HUD with current information regarding the program activities
underway across the Nation, including funding data. HUD uses this information to report to Congress and to
monitor grantees. IDIS is the drawdown and reporting system for the four CPD formula grant programs: CDBG,
HOME, ESG, and HOPWA and Recovery Act programs: CDBG-R, TCAP, and HPRP. The system allows grantees
to request their grant funding from HUD and report on what is accomplished with these funds.

                                                    31
     Completed Projects for the HOME
     Program Were Not Always Closed
     Out in IDIS in a Timely Manner

                  A review of the HOME program open activities report,22 dated September 30,
                  2011, showed 6,994 of 21,121 open activities (33 percent), in which the
                  participating jurisdiction had made its final draw but the activity was still listed on
                  the report. Thus, these projects were not closed in the system, although all funds
                  had been drawn. HOME program regulations required participating jurisdictions
                  to enter project completion information into IDIS within 120 days of making a
                  final draw for a project. A similar finding was reported by OIG during the fiscal
                  years 2009 and 2010 audits.23

                  The report also showed 307 activities which were funded between April 2000 and
                  September 2010 that had a funded and remaining amount of $63.9 million, as no
                  draws had been made against the activities since they were initially funded. The
                  report further showed 190 activities funded between 1999 and 2009 wherein the
                  percentage of amounts drawn on the activity was 50 percent or less. These
                  activities had incurred no drawndowns on the funds since 2009 and had balances
                  of $24 million still available for draw.


                                                    Table 2
                                                                      Number
                                   Funding          Amount
                                                                          of
                                    year           remaining
                                                                      activities
                                   2000                $14,803                  2
                                   2004                 40,000                  1
                                   2007              3,459,218                  5
                                   2008              2,084,863                  8
                                   2009              7,431,133                21
                                   2010             50,932,456               270
                                   Total           $63,962,473               307




22
   The open activities report is issued monthly and used by CPD field offices and participating jurisdictions within
the HOME program to review open activities in IDIS. Open activities are those that have not been closed in the
system.
23
   Audit Report number 2010-FO-003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010
and 2009 Financial Statements‖, issued November 15, 2010‖, Completed Projects for the HOME Program Not
Always Closed Out in IDIS in a Timely Manner, identified 5,972 of 29,216 projects (20 percent), in which the
participating jurisdiction had made its final draw but the activity was still listed on the August 31, 2009, open
activities report.

                                                         32
                                              Table 3
                                                             Number
                              Funding        Amount
                                                                Of
                               Year         Remaining
                                                             Activities
                              1999                $3,614              1
                              2000               116,264              2
                              2001             1,011,025              6
                              2002               462,728              9
                              2003               563,849              6
                              2004             1,358,092             10
                              2005               729,547             13
                              2006             1,739,786             25
                              2007             6,976,759             35
                              2008             8,315,926             56
                              2009             2,764,160             27
                              Total          $24,041,748           190

               The open activities report also allows participating jurisdictions to view activities
               that have been open for several years with little or no HOME funds drawn. Field
               offices can use this report as a desk-monitoring tool to view each participating
               jurisdiction’s open activities in need of completion or possibly cancellation in
               IDIS. If the report indicates that funds have not been drawn for an extended
               period, the field office can use the report to follow up with the participating
               jurisdiction to determine the reason for the slow progress on the project and
               whether it should be cancelled.

               However, it appeared that the field offices were not using the open activities
               report to follow up with participating jurisdictions on slow-moving projects listed
               on the report. It also appeared that participating jurisdictions were not using the
               report as a reference to determine projects that should be cancelled or closed in
               IDIS. The report was created to alleviate the widespread problem of participating
               jurisdictions not entering project completion data into IDIS in a timely manner. A
               similar finding was reported by OIG concerning HUD’s needs to improve efforts
               to require participating jurisdictions to cancel HOME fund balances for open
               activities.24

               As a response to the OIG findings, HOME published a new HOME FACTS
               policy (HOME FACTS - Vol. 3 No. 1, June, 2010). The HOME FACTS
               announces and explains the change in HUD’s treatment of HOME activities with
               commitments in the IDIS that are more than 12 months old with no funds
               disbursed being automatically cancelled within the system. Additionally, HUD
               reported that it would review the open activities report annually for stalled

24
  Audit Report number 2009-AT-0001, ―HUD Lacked Adequate Controls to Ensure the Timely Commitment and
Expenditure of HOME Funds‖, issued September 28, 2009

                                                  33
          activities and follow up on them until resolution. However, the HOME FACTS
          did not address participating jurisdictions entering completion data into IDIS in a
          timely manner, nor did it address a system of internal controls, wherein control
          activities would be established and implemented to ensure compliance and that
          instances of noncompliance would be communicated to management in a timely
          manner to effect change.

          During the fiscal year 2011 audit, OIG noted that effective January 1, 2011,
          activities were automatically cancelled by HUD. However, grantees were able to
          reinstate and open activities which were cancelled through HUD’s automated
          cancellation process; hence, the September 30, 2011, report showed 307 old
          activities funded before September 2010 which had not had any draws since they
          were funded with an open status. In addition, the annual review for stalled
          activities had not been implemented in a formal policy or completed. Projects
          which appeared to be stalled remained ―open‖. CPD also did not explain the
          cause for the stalled projects identified during fiscal year 2010 audit which
          remained stalled in fiscal year 2011.

          Participating jurisdictions that do not enter completion data in a timely manner are
          in violation of the HOME regulations. Failure to enter project completion data in
          IDIS negatively affects a participating jurisdiction’s score on several HOME
          performance SNAPSHOTS indicators, understating actual accomplishments and
          reducing the participating jurisdiction’s statewide and national overall rankings.

          The widespread failure of participating jurisdictions to enter completion and
          beneficiary data in a timely manner resulted nationally in underreporting of actual
          HOME program accomplishments to Congress and OMB and may negatively
          impact future funding for the program. Failure to cancel stalled or inactive
          activities in a timely manner leaves unused funds committed to activities and
          keeps them from being committed to new activities.

Findings Cited During CPD’s Onsite
Grantee Monitoring Were Not
Followed Up and Closed in the
Grants Management Process
Information System in a Timely
Manner

          A review of several key elements of the grantee monitoring process established
          under CPD’s Office of Field Management revealed that the CPD field offices,
          which are responsible for conducting monitoring reviews of CPD program
          grantees, did not always follow the CPD Monitoring Handbook or the annual risk
          assessment notice. The review also revealed that the Grants Management Process




                                           34
                 (GMP) information system25 was not always updated to reflect the current status
                 of the monitoring reviews.

                 We reviewed the risk analyses performed in accordance with CPD Notice 09-04,
                 Implementing Risk Analyses for Monitoring Community Planning and
                 Development Grant Programs in FYs [fiscal years] 2010 and 2011, and the
                 monitoring activities in accordance with the CPD Monitoring Handbook. For 20
                 of the 43 CPD field offices responsible for conducting the monitoring reviews, we
                 reviewed a notification letter, a monitoring letter, and the field office’s annual
                 work plan. We selected a sample of 24 individual grantees within each of the 20
                 field offices sampled and reviewed their individual work plans. Our review
                 revealed that although the handbook requires it, (1) field offices did not always
                 include an individual grantee monitoring strategy for a high-risk grantee or
                 program, (2) one field office did not prepare an overall workplan for the fiscal
                 year’s monitoring strategy, (3) one field office excluded a grantee from the risk
                 analysis process, (4) field offices did not send a notification letter to the grantee
                 more than 14 days before the monitoring, (5) monitoring report letters were sent
                 to the grantee after the 60-day deadline, (6) required exhibits were not always
                 used, and (7) a required finding was not issued. A similar finding was reported in
                 the fiscal year 2010 audit management letter.

                 As part of the fiscal year 2011 audit, we reviewed a sample of open findings
                 identified during the fiscal years 2006 through 2010 onsite grantee monitoring
                 reviews conducted by the CPD field offices. Our review revealed that although
                 required by the handbook, (1) HUD reviewers in the field offices did not
                 document follow-up with a program participant when it did not meet the
                 established target date, (2) field offices did not always send an additional letter if
                 the program participant was nonresponsive to the first reminder, and (3) field
                 offices did not respond to the program participant within the 30-day requirement
                 to communicate the status of their finding after review of the documentation
                 submitted by the program participant to attempt to close the finding. We found
                 that responses ranged between 22 and 883 days.

                 The deadlines and responsibilities outlined in the CPD Monitoring Handbook
                 provide an effective system of monitoring internal controls. They include
                 providing timely and relevant information to those charged with making decisions
                 as well as timely follow-up for deficiencies identified. However, all field offices
                 had not implemented the internal controls outlined in the handbook, which led to
                 properly designed controls being ineffective. Not following the handbook
                 prohibits the field offices from indentifying instances of noncompliance and
                 potential fraud, waste, and abuse by program participants and prohibits the
                 grantees from rectifying deficiencies in a timely manner.



25
  The GMP system is a computer-based information system that is used to provide a documented record of
conclusions and results.

                                                      35
The Office of Affordable
Housing Did Not Adequately
Monitor Grantees of the Tax
Credit Assistance Program or
Document Their Compliance
with OMB Regulations

        The Office of Affordable Housing Programs (OAHP) did not have adequate
        internal controls in place to monitor Tax Credit Assistance Program (TCAP)
        grantees for compliance with the program regulations or to ensure onsite
        monitoring of the $2.082 billion disbursed of the $2.244 billion in grants awarded.
        OAHP lacked staff, expertise, and funding to perform onsite monitoring reviews.
        Compliance with program regulations, Federal requirements, and completion of
        program goals were not monitored.

        Although the TCAP grant agreements require grantees to monitor the grant-
        supported activities to assure compliance with applicable Federal requirements
        and that performance goals were achieved as a term of the grant agreement,
        OAHP did not monitor grantees to ensure that they complied with the terms of the
        grant agreement. Additionally, TCAP was explicitly excluded from CPD’s
        annual risk analysis for determining which grantees would be selected for onsite
        monitoring, and no monitoring exhibits were developed for TCAP for onsite
        monitoring reviews. OAHP indicated during the program’s front-end risk
        assessment that OAHP lacked staff expertise in the low-income housing tax credit
        program, so monitoring for compliance was not feasible. Additionally, OAHP
        lacked the staffing, and since no administrative funds were appropriated in the
        TCAP legislation funding to administer and manage onsite monitoring of TCAP
        grantees, OAHP did not have the funds necessary to conduct the onsite
        monitoring.

        Instead, OAHP indicated that it would rely on the controls in place at outside
        entities; however, it did not ensure that the controls on which it relied were
        operating effectively. It would also perform limited procedures remotely and
        perform reviews of the Federal Audit Clearinghouse (FAC) for TCAP grantees
        with findings and follow up on the findings indentified in the A-133 single audit
        reports. However, there were no written procedures or policies in place to ensure
        that the review of the Clearinghouse took place and proper follow-up measures
        were completed in accordance with OMB Memorandum 10-14, Updated
        Guidance on the American Recovery and Reinvestment Act. In addition,
        evidence of OAHP’s review of the FAC and follow-up procedures for findings
        identified was not maintained, and OAHP did not demonstrate its compliance
        with OMB Memorandum 10-14 regarding Federal agencies’ requirements for
        review and action on the A-133 single audit reports.



                                        36
OIG reviewed the FAC for TCAP A-133 single audit reports, which identified
findings during the audit and identified seven TCAP grantees. However, OAHP
was not able to provide OIG with documentation demonstrating that in
accordance with OMB Memorandum 10-14, it had expeditiously reviewed and
resolved the audit findings for the seven grantees within 6 months after the date
on which the FAC showed filing status as complete.

OAHP’s internal control procedures for monitoring TCAP grantees to determine
whether they have performed monitoring procedures in accordance with the terms
of the grant agreements have not been adequately developed, documented or
implemented. In addition, OAHP has not adequately developed, documented or
implemented internal controls procedures for reviewing and resolving audit
findings identified in the OMB A-133 Single Audit Reports reported in the FAC,
as required by OMB Memorandum 10-14.




                                37
Significant Deficiency 4: HUD Needs To Improve Administrative
Control of Funds
HUD needs to improve its accounting and administrative controls of funds to ensure that (1) all
programs that incurred obligations or disbursements have acceptable funds control plans and (2)
the funds control plans are complete, accurate, updated and complied with by the program
offices. During our review, we identified a number of program codes that did not have funds
control plans. Additionally, we noticed that funds control plans were not always updated to
reflect all program codes and did not always include the correct appropriations. We also noted
that the Office of the Chief Financial Officer (OCFO) had not ensured the effective
administrative control of funds process as required by HUD’s Policies Handbook 1830.2.
Incomplete implementation of administrative control of funds has been a long-standing issue and
has been previously reported since fiscal year 2005 in our audit reports and management letters.



 Certain HUD Programs Were
 Operating Without Funds
 Control Plans and Funds
 Control Plans Were Not
 Complete and Accurate

              The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 provides that
              ―internal accounting and administrative controls of each executive agency shall be
              established to ensure (1) obligations and costs are in compliance with applicable
              law; (2) funds, property, and other assets are safeguarded against waste, loss,
              unauthorized use, or misappropriation; and (3) revenues and expenditures
              applicable to agency operations are properly recorded and accounted for to permit
              the preparation of accounts and reliable financial and statistical reports and to
              maintain accountability over the assets.‖

              HUD’s Policies Handbook 1830.2 set forth the authorities and responsibilities to
              administer control of HUD’s funds. The handbook states that Congress has
              vested overall responsibility for establishing an effective administrative control of
              funds process with the OCFO. It provides the internal guidance for the
              preparation of the funds control plans to comply with the provisions of the
              Antideficiency Act (ADA) and FMFIA as well as the overall process for
              reviewing and approving the funds control plans. It states that before the CFO
              can issue an advice of allotment to an allotment holder, he or she must provide (1)
              certification of knowledge and acceptance of responsibility to assure that he or
              she has established and will properly execute a funds control plan that provides
              reasonable assurance that obligations and expenditures will not exceed the
              authorized limits of the funds allotted to him or her and (2) submission of an
              acceptable funds control plan. It also states that OCFO will conduct periodic
              reviews of compliance with funds control plans to ensure that adequate funds
              control is being applied in actual practice.

                                               38
HUD has established a program code to account for and record the use of HUD’s
funds at the detail transaction level. Each program code must have an acceptable
funds control plan before it can incur the obligations and disburse the funds. One
funds control plan can cover more than one program code.

During our fiscal year 2011 internal controls review phase, we reviewed 242
program codes excluding the program codes associated with salaries and expenses
funds. We identified 151 program codes, with the fiscal year 2011 disbursement
total of $1.8 billion, that did not have funds control plans or the funds control
plans were not complete and accurate as follows:

                                    Table 4
                                   Fiscal Year 2011
                 Number Of                              Fiscal Year 2011
  Program                              Incurred
                  Program                                Disbursement
   Office                             Obligation
                   Codes                                    Amount
                                        Amount
 CPD                         26      $119,714,525.00      $104,017,458.09
 FHEO*                        2        10,915,354.54         2,483,583.43
 HSNG**                      70       896,693,039.53     1,406,572,994.93
 LBPA***                      2         3,034,169.98         1,207,549.77
 PDR****                      4                 0.00         3,026,965.49
 PIH                         45       157,391,136.28       251,498,961.10
 SHC*****                     2       101,607,851.69         4,626,566.88
   Total                    151    $1,289,356,077.02    $1,773,434,079.69
* FHEO = Office of Fair Housing and Equal Opportunity
** HSNG = Office of Housing
*** LBPA = Office of Lead-Based Paint Abatement
**** PDR = Office of Policy Development and Research
***** SHC = Self-Help Center

Note: The numbers include total incurred obligation and disbursement for the full
      fiscal year.

As a result of the missing or incomplete funds control plans, HUD did not
adequately document its controls over approximately 2.6 percent of fiscal year
2011 obligations and 3.2 percent of fiscal year 2011 disbursements. Without this
documentation, HUD management does not have the assurance needed that the
policy, procedures, and systems in place can support the preparation of accounts
and reliable financial and statistical reports and to maintain accountability fir the
assets and ensure compliance with ADA and FMFIA.

During our reconciliation with OCFO in August 2011, OCFO confirmed that 11
of 151 program codes did not have funds control plans because either (1) the
programs were old (7 program codes), (2) the funds control plans had been in the
draft status since 2009 (3 program codes), or (3) the funds control plan had not
                                    39
          been received by OCFO (1 program codes). We could not find any statements in
          HUD’s Policies Handbook 1830.2 that allow HUD to not control the funds for
          programs that are old or inactive. OCFO stated that the rest, 140 of 151 program
          codes, did have funds control plans but they were not complete and accurate since
          they did not contain any pertinent information concerning the subject program
          codes including the appropriation amounts. We reviewed 140 program codes for
          which OCFO claimed to have funds control plans and found that funds control
          plans for 9 of 140 program codes had additional inaccuracies. HUD had
          disbursed funds for these nine program codes to different appropriations than
          those stated in the funds control plans.

          Lacking a funds control plan for a specific program can cause confusion in
          administering the controls of the specific funds and increase the risk for fraud and
          ADA violations.


HUD Needs To Ensure
Compliance With Funds Control
Plans

          HUD’s Policies Handbook 1830.2 states that OCFO will conduct periodic reviews
          of compliance with funds control plans to ensure that adequate funds control is
          applied in actual practice.

          At the end of fiscal year 2011, HUD had a total of 167 approved funds control
          plans as follows:

                                       Table 5
                                       Number Of Funds
                            Office
                                        Control Plans
                           CPD                        65
                           FHEO                        5
                           HSNG                       33
                           LBPA                        5
                           PDR                         6
                           PIH                        50
                           SHC                         3
                           Total                     167


          During the fiscal year, OCFO perform funds control compliance assessments for
          four offices: Office of Sustainable Housing and Communities (appropriation
          0162), Public Housing Operating Subsidy (appropriation 0163), Asset
          Management Technical Assistance (appropriation 0163), and Office of Housing

                                           40
Transformation Initiative – Technical Assistance (appropriation 0402). OCFO
did not performed funds control compliance assessments for one-third of the
approved funds control plans in fiscal year 2011 as provided by its management
decision in response to the prior-year findings. As a result, it had not ensured the
effective administrative control of funds process as required by HUD’s Policies
Handbook 1830.2.




                                 41
Significant Deficiency 5: Continued Improvements Over the
Oversight and Monitoring of Subsidy Calculations, Intermediaries’
Performance, and Utilization of Housing Choice Voucher and
Operating Subsidy Program Funds Are Needed
Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds
through various grant and subsidy programs to multifamily project owners (both nonprofit and
for profit) and housing agencies. These intermediaries, acting for HUD, provide housing
assistance to benefit primarily low-income household and individuals (families) that live in
public housing, Section 8 and Section 202-811 assisted housing, and Native American housing.
HUD spent $32 billion and $33 billion in FY 2010 and FY 2011 respectively to provide rent and
operating subsidies that could benefit an estimated 5.38 million households.
Since 1996, we have reported on weaknesses with the monitoring of the housing assistance
program’s delivery and the verification of subsidy payments. We focused on the impact these
weaknesses had on HUD’s ability to (1) ensure that intermediaries correctly calculated housing
subsidies and (2) verified tenant income and billings for subsidies. During the past several years,
HUD has made progress in correcting this deficiency. From fiscal years 2002 to 2009, PIH used
comprehensive consolidated reviews to address PHAs’ improper payments and other high-risk
elements. In fiscal year 2010, PIH discontinued the comprehensive consolidated reviews and
focused most of its resources on the review of American Recovery and Reinvestment Act
(ARRA) grants and other high-priority goals. In fiscal year 2010, HUD began implementing
plans to comply with the Improper Payments Elimination and Recovery Act of 2010 (IPERA)
and Presidential Executive Order 13520, Reducing Improper Payments issued in 2009.
Additionally, in consultation with OMB, HUD developed six supplemental measures for PIH and
four supplemental measures for the Office of Multifamily Housing to track and report on
intermediaries’ efforts for addressing improper payments.

HUD demonstrated improvements in its internal control structure to address the significant risk
that HUD’s intermediaries did not properly carry out their responsibility to administer assisted
housing programs in accordance with HUD requirements. HUD’s increased and improved
monitoring resulted in a significant decline in improper payment estimates over the last several
years. However, HUD needs to continue to place emphasis on its onsite monitoring and
technical assistance to ensure that acceptable levels of performance and compliance are achieved
and periodically assess the accuracy of intermediaries’ rent determinations, tenant income
verifications, and billings.
Tenant income is the primary factor affecting eligibility for housing assistance, the amount of
assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy
payment makes up the difference between 30 percent of a household’s adjusted income and the
housing unit’s market rent or, under the Section 8 voucher program, a payment standard. The
admission of a household to these rental assistance programs and the size of the subsidy the
household receives depend directly on the household’s self-reported income. However,
significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent
determinations and undetected, unreported, or underreported income. By overpaying rent


                                                42
subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds
that could have been used to subsidize other eligible families in need of assistance.



 HUD’s Gross Estimate of
 Erroneous Payments Slightly
 Increased in Fiscal Year 2010

                  The estimate of erroneous payments that HUD reports in its Agency Financial
                  Report (AFR) relates to HUD’s inability to ensure or verify the accuracy of
                  subsidy payments being determined and paid to assisted households. This year’s
                  contracted study of HUD’s three major assisted housing programs estimated that
                  the rent determination errors made by the intermediaries and intentional
                  underreporting of income by the tenants resulted in substantial subsidy
                  overpayments and underpayments. The study was based on analyses of a
                  statistical sample of tenant files, tenant interviews, and income verification data
                  for activity that occurred during fiscal year 2010.

                  From the HUD study, we determined the total gross error of $95926 million,
                  which represents 3.6427 percent of the rental housing assistance program
                  expenditures tested. We found that HUD reported in the AFR a gross error rate of
                  2.9 percent using the $32 billion total housing assistance expenditures reported in
                  the fiscal year 2010 financial statements. However, the $32 billion includes $6
                  billion in administrative fees and Moving to Work program subsidies. The $6
                  billion is the difference between the more than $32 billion that HUD reported in
                  fiscal year 2010 financial statements and the $26 billion in disbursements that we
                  found to be attributable to the quality control and income match studies. Our
                  calculation differs from HUD’s because we excluded program expenditures for
                  Moving to Work PHAs that were not included in the universe for testing (in
                  HUD’s Quality Control Study and Income Match Study) and administrative fees.
                  For fiscal year 2011, we are reporting the 2010 improper payments projections
                  and error without comparing the results to the previous years. The result this year
                  is not comparable to the projections in the prior years.

                  HUD continues to report a substantial amount of gross dollar erroneous payments
                  in the rental housing assistance program. In fiscal year 2011, HUD reported in its
                  AFR a combined gross improper payment estimate of $853 million in fiscal year
                  2010. These estimated gross improper payments exclude the $106 million in
                  billing errors. Furthermore, in its fiscal year 2010 AFR, HUD did not report the
                  administrator error, income reporting error, or billing error for the Public Housing

26
  The $959 million is the sum of $650 million in administrative error plus $203 million income matching errors
from the 2010 QC study plus $106 million billing errors not tested in fiscal year 2010 QC study.
27
  The 3.64 percent is calculated by dividing $959 million by $26 billion of total rental assistance program
expenditures tested by 2010 HUD’s quality control study.

                                                         43
                  rental assistance program. Additionally, HUD did not report the billing error for
                  the Section 8 Voucher program.28 The three elements of the payment error
                  estimates reported by HUD in fiscal years 2010 and 2009 are provided in detail
                  below.

                           Administrator error29 - This error represents the program administrators’
                           failure to properly apply income exclusions and deductions and correctly
                           determine income, rent, and subsidy levels. HUD reported a slight
                           increase from $649 million in estimated gross erroneous payments due to
                           administrator error in fiscal year 2010 to $650 million in fiscal year 2011.

                           Income reporting error30 - This error represents the tenant beneficiary’s
                           failure to properly disclose all income sources and amounts upon which
                           subsidies are determined. HUD reported $203 million in estimated gross
                           erroneous payments in income reporting error in fiscal year 2011. This is
                           a 6.7 percent decrease compared to prior-year estimates of $218 million.

                           Billing error31 - This error represents errors in the billing and payment of
                           subsidies between HUD and third-party program administrators, housing
                           providers, or both. HUD did not conduct a billing study for fiscal year
                           2010. However, in FY 2011 HUD reported $106 million gross erroneous
                           payments using data for fiscal year 2004 for public housing and fiscal year
                           2009 data for housing.

     Initiatives To Mitigate Risks That
     Contribute to Improper
     Payments Should Be Continued


                  Effective January 31, 2010, HUD required all public housing agencies and owners
                  and management agents to use the Enterprise Income Verification (EIV) systems

28
   In FY 2007, HUD made structural changes in the Public Housing rental assistance program so that the Public
Housing Operating Fund would be distributed by formula. According to HUD, this change effectively eliminated
improper payments due to administrator, income reporting, or billing errors for the Public Housing rental assistance
program because the effect of these errors would be borne by the PHA and HUD’s subsidy payment would remain
unchanged. Starting in 2010, the Public Housing Operating Fund was no longer frozen; thus, HUD is reporting
administrator, income reporting, and billing error for the current year. For the Section 8 Voucher program, HUD
implemented budget-based funding in FY 2005, which eliminated billing errors in the program.
29
   The $649 million estimate for the 2009 study does not include $130 million in administrator error for the public
housing rental assistance program. The $650 million estimate for the 2010 study does not include $141 million in
administrative error as well.
30
   The $203M reported estimates in FY 2011 include the $80, $45, and $35 million, while $218M estimates
reported in FY 2010 does not include $45 and $85 million in income reporting error for the Public Housing rental
assistance program.
31
   The estimate of billing error only covers the Office of Housing’s Section 8 multifamily project-based Section 202
project rental assistance projects (PRAC), Section 811 PRAC, and Section 202 project assistance contracts. HUD
does not include the public housing rental assistance program or the Section 8 Housing Choice Voucher program in
the study used to determine the estimated erroneous payments due to billing error.

                                                         44
to verify the identity, employment, and income of program participants to
improve the eligibility and accuracy of income and rent determinations in the
Rental Housing Assistance Program (RHAP). PIH and the Office of Housing
have separate EIV systems, but they have similar designs according to HUD’s
Office of Housing staff. The EIV systems are Web-based systems, which compile
tenant income information and make it available online to HUD business partners
to assist in determining accurate tenant income as part of the process of setting the
rental subsidy. EIV matches tenant data against Social Security Administration
information, including Social Security benefits and Supplemental Security
Income, and with the U.S. Department of Health and Human Services National
Directory of New Hires database, which provides information such as wages,
unemployment benefits, and Internal Revenue Service form W-4 (―new hires‖)
data, on behalf of PIH and multifamily housing programs. The EIV systems are
available to PHAs nationwide and to owner-administered project-based assistance
programs, and they are required to use the EIV systems in their day-to-day
operations pursuant to 24 CFR (Code of Federal Regulations) 5.233.

In response to Presidential Executive Order 13520, PIH established six
supplemental measures to manage the risk from improper payments: (1) Public
and Indian Housing Information Center (PIC) reporting rate, (2) EIV system
access rate, (3) EIV system usage rate, (4) failed identity verification rate, (5)
deceased single-member households, and (6) income discrepancy rate. Because
PIH’s EIV system relies on tenant data from PIC, the PIC reporting rate is an
important supplemental measure. The other five supplemental measures are
based on reports from the EIV system and are potential risk factors for improper
payments. In our fiscal year 2011 review of HUD’s supplemental measures for
improper payments, we found that HUD generally complied with the IPERA
requirements. By August 2011, PIH completed the development of the strategy to
identify the most critical PHA’s that showed the most income discrepancies and
the largest number of overdue tenant recertifications. Additionally, PIH was in
the process of implementing the electronic notification process for these PHAs.
The majority of administrator errors identified in the fiscal year 2010 quality
control report occurred in the Section 8 Housing Choice Voucher program, which
is reported on by HUD as part of its estimate of gross erroneous payments. Two
major sources of administrator error identified by the report were overdue tenant
recertification and verification errors. However, PIH had developed corrective
actions to reduce the incidence of these two sources of error.

In response to the Executive Order 13520, the Office of Multifamily Housing
(Housing) established four supplemental measures to manage the risk from
improper payments: (1) EIV access rate, (2) EIV usage rate, (3) failed identity
verification rate, and (4) deceased single-member households. Housing derived
the EIV access rate and EIV usage rate through ad hoc reports. However, an EIV
access report and an EIV usage report were being developed, and the reports were
expected to be available by April 2012. Unlike PIH, Housing’s supplemental
measures did not track or report on income discrepancies at the 100 percent

                                 45
                threshold, as the tenant-income reporting error was one of the three major sources
                of error for improper payments.

                A recent OIG audit32 highlighted problems with Housing’s oversight and
                monitoring of Performance Based Contract Administrators (PBCA) due to
                insufficient staff and travel funds. Housing relies on the Management and
                Occupancy Reviews (MOR) conducted by the PBCAs to detect all three sources
                of error for improper payments. Since the recommendations proposed by OIG are
                still open for this audit, we cannot be certain that the issues elevated regarding
                Housing's staffing and its oversight of PBCAs have been resolved. Housing has
                been working on the development of the Integrated Subsidy Error Reduction
                System (iSERS), which would collect data on specific errors in rental subsidy
                calculations detected during MORs, but iSERS will not be operational until fiscal
                year 2013 at the earliest.

                HUD made substantial progress in taking steps to reduce erroneous payments.
                We are encouraged by the ongoing actions to focus on improving controls
                regarding income verification. However, as noted above, there are several areas
                in which HUD needs to improve. In addition, PIH needs to continue addressing
                administrator error through increased electronic remote and onsite monitoring as
                needed and ensure that correct income and allowance amounts are used in rent
                calculations. In the Office of Housing, there are insufficient staff and travel funds
                to provide adequate oversight and monitoring of PBCAs, making reliance on the
                MORs to detect erroneous payments by owners and management agents a
                questionable strategy. Until these problems are resolved, Office of Housing staff
                needs to review the EIV reports and MORs, following up with owners and
                management agents.

Monitoring Public Housing
Agencies’ Utilization of Section 8
Housing Choice Voucher
Program Funds Has Improved


                The Section 8 Housing Choice Voucher program is HUD’s largest housing
                assistance program, with an annual appropriation of $18 billion, and provides
                assistance to around 2.1 million families. The annual appropriation acts require
                HUD to distribute the full amount of funding appropriated using a formula based
                on the housing agencies’ self-reported prior-year costs reported in the Voucher
                Management System (VMS). HUD expects PHAs to retain and use the funds
                provided in their entirety for authorized program activities and expenses within
                the time allowed. Program guidance states that any budgetary authority provided
                to PHAs that exceeds actual program expenses for the same period must be
                accounted for and maintained as restricted cash and made available for housing

32
  Audit report number 2009-SE-0003, ―HUD’s Monitoring of the Performance-Based Contract Administrators Was
Inadequate‖, issued September 1, 2009

                                                   46
assistance. Although these funds are retained by the PHA, HUD relies on the
PHAs to hold excess budgetary authority in reserve and make funds available for
serving more families. According to HUD’s monitoring systems, as of June 30,
2011, PHAs’ net restricted assets (NRA) accounts showed an estimated balance of
$1.39 billion in excess funding.

HUD’s monitoring of PHAs’ budgetary authority utilization is an essential
internal control to provide accountability of program resources and ensure that
excess funds are safeguarded and only used for authorized program activities.
Accurate VMS cost data are essential to (1) correctly calculate the $18 billion in
annual PHA budget allocations, (2) determine overutilization and underutilization
of funds and excess budget authority available for unanticipated cost increases
and budget offsets, and (3) evaluate PHAs’ performance in ensuring that the
maximum numbers of families are served.

In prior years, we recommended that HUD increase its monitoring efforts
regarding the excess budget authority, seek legislative authority to annually offset
excessive funding reserves, reconcile PHAs’ accounting with HUD-estimated
funds to ensure that funds exist, and improve its onsite monitoring by including
the confirmation of excess budget authority as part of the VMS reviews.

Since fiscal year 2009, HUD has addressed our audit recommendation to
reconcile the PHAs’ NRA account balances reported in the Real Estate
Assessment Center’s (REAC) Financial Assessment Subsystem-Public Housing
(FASS-PH) against the HUD-estimated NRA balances based on VMS
expenditure data. During fiscal year 2010, the responsibility for completing the
NRA reconciliations shifted from the FMC to the REAC FASS Team. The NRA
estimation process had been improved as a result of the reconciliation initiative,
and the use of audited financial data in FASS-PH and program data from VMS to
support the NRA values. The resulting changes led to an increase in the
recognized value of the NRA held by PHAs. According to a report relying only
on VMS data, the total NRA held by PHAs as of December 31, 2009, was
approximately $838 million. As a result of the reconciliation, that value was
corrected and increased to nearly $1.1 billion. Additionally, HUD developed a
Web tool for PHAs to use in projecting their future funding utilization and
reserves balances.

In an attempt to control the excessive NRA accumulation, HUD included
language in its fiscal year 2011 congressional budget justification seeking
authority to reduce the budget allocation to those PHAs holding reserves
exceeding 6 percent of their annual budget. This legislation was not approved
during the 2011 budget process. If the legislation had been approved, HUD
would have obtained permanent authority to perform budgetary offsets to those
PHAs that are not maximizing the use of funds.




                                 47
          The total NRA account balances held by PHAs as of June 30, 2011, was $1.39
          billion. Of that value we calculated that 1,891 PHAs held $1.01 billion in excess
          of six percent of their annual budgetary authority representing the amount of
          excess unused funds that could be recaptured (or offset) if the funds are still not
          used by year-end.

          PIH officials indicated that Congress was considering offsetting $350 to $750
          million in unused reserves as part of the fiscal year 2012 appropriations bill.
          However, based on our analysis, we recommend increasing the budget offset
          request up to $820 million. Starting in fiscal year 2012, in a measure to safeguard
          and reduce the risk of funds being misused, PIH plans to continue allocating the
          entire amount appropriated by Congress but will scrutinize PHAs’ reserves
          quarterly and reduce or withhold disbursements to PHAs holding excessive
          reserves until funding reserves decrease to acceptable levels. However,
          depending on whether HUD obtains permanent authority to offset funding, HUD
          could end accumulating and accounting for the PHAs’ reserves withheld as
          unpaid obligations. As a consequence, HUD must ensure that unpaid obligations
          are accounted for and reported properly in HUD’s financial statements. HUD
          must review the unpaid obligations at least annually, deobligate any unneeded
          undisbursed reserves amount assigned to PHAs during the budget allocation, and
          present those unneeded reserves as unobligated balances in HUD’s financial
          statements.

          Lastly, because the NRAs are held in PHA accounts, it is our belief that there is a
          higher potential for waste, fraud, and mismanagement than if the funds were
          controlled by HUD. Further, we are concerned that the existence of the NRA
          account balance may affect the accuracy of HUD’s financial reporting if the funds
          allocated to PHAs are being treated as program costs, although the funds are not
          being disbursed for program purposes in the current fiscal year.

Monitoring of Public Housing
Agencies’ Utilization of
Operating Subsidy Program
Funds Had Weaknesses


          The Public Housing Operating Fund provides operating subsidies to 3,137
          housing authorities to assist in funding the operating and maintenance expenses of
          their own dwellings in accordance with Section 9 of the U.S. Housing Act of
          1937, as amended. The subsidies are required to help maintain services and
          provide minimum operating reserves. The operating subsidy is authorized under
          42 U.S.C. (United States Code) 1437g and the regulations under 24 CFR Part 990.
          The regulations establish the eligibility requirements for a PHA to receive an
          operating subsidy, explain the components of the subsidy formula, and describe
          how the subsidy is disbursed to eligible recipients. In accordance with HUD
          Financial Management Handbook 7475.1, PHAs are allowed to establish reserves

                                           48
for such purposes and in such reasonable amounts as may be required in the
prudent operation of the projects and as may be approved by the Government
using the operating receipts of the projects.

The operating subsidy is determined as the difference between formula expense
and formula income. If a PHA’s formula expense is greater than its formula
income, the PHA is eligible for an operating subsidy. Formula expense is an
estimate of a PHA’s operating expense and is determined using three components:
(1) project expense level (PEL), (2) utility expense level (UEL), and (3) other
formula expenses. Formula income is an estimate of a PHA’s non-operating
subsidy revenue.

During fiscal year 2011, we assessed HUD’s funding allocation process for the
Operating Subsidy program. Specifically, we wanted to determine whether HUD
prudently determined the operating subsidies funding allocations needed in a
reasonable manner. We found that HUD analyzed the PHAs’ financial statements
data to monitor the program funding utilization and funding reserves accumulated
over time. HUD records indicated that the total operating subsidy that HUD
provided to the PHAs in fiscal years 2009 and 2010 was $4.45 billion and $4.76
billion, respectively. Our analysis found that the total reserves held were
equivalent to an entire year’s worth of funding and appeared excessive. HUD’s
data showed that as of the last financial statement, the PHAs’ total operating
reserves held was $4.06 billion.

Increases in Operating Subsidy reserves were due to three factors: (1) there were
inaccuracies in the Information Management System (IMS)-PIC, which tracks
PHAs’ total number of units eligible and available for inclusion in funding
calculations; (2) the operating funding formula used multifamily housing project
cost data to estimate the PHA project level cost for PHAs, and this variable did
not consider synergies obtained from PHAs managing larger projects; and (3) the
formula funding process did not factor the actual cost and actual tenant income
reported by the PHAs in FASS-PH. Making these comparisons would have
helped determine the actual need for funding, rather than allocating and
disbursing the total amount appropriated by Congress, and reduced the
accumulation of reserves.

HUD was aware of the problem and was working to perform up to a $1 billion
nationwide offset if authorized by the fiscal year 2012 budget. However, the
planned budget offset only represents 25 percent of the total excess reserves.
PHAs have $4.06 billion in total reserves, of which $1.89 billion is in excess of
the recommended 6-month operating reserves PHAs should maintain. In addition
to the $1 billion that should be offset, there is a potential of an additional $890
million in PHAs’ accrued expenses and long term liabilities that constitute the
remaining excess reserves that HUD needs to evaluate. If not needed HUD
should also include these funds in the request for a funding offset.



                                49
Significant Deficiency 6: Controls Over HUD’s Computing
Environment Can Be Further Strengthened
HUD’s computing environment, data centers, networks, and servers provide critical support to
all facets of HUD’s programs, mortgage insurance, financial management, and administrative
operations. In prior years, we reported on various weaknesses with general system controls and
controls over certain applications, as well as weak security management. These deficiencies
increase risks associated with safeguarding funds, property, and assets from waste, loss,
unauthorized use, or misappropriation.

We evaluated selected information systems’ general controls of HUD’s computer systems on
which HUD’s financial systems reside. We also followed up on the status of previously reported
application control weaknesses. Our review found information systems control weaknesses that
could negatively affect HUD’s ability to accomplish its assigned mission, protect its data and
information technology assets, fulfill its legal responsibilities, and maintain its day-to-day
functions. Presented below is a summary of the control weaknesses found during the review.



 Security Management Program


              HUD had continued its progress in implementing a comprehensive, entitywide
              information system security program. Specifically, HUD had (1) created a new
              Cyber Security Awareness and Training Program that addresses specialized security
              roles and responsibilities, (2) issued a memorandum to the program offices
              requesting confirmation of separate accounts for administrative and
              nonadministrative duties, and (3) developed appropriate interconnectivity service
              agreements and memorandums for contractor systems. Additionally, HUD had
              provided corrective action plans that will address continuous monitoring, two-factor
              authentication, and the user management identity management program.

              Although HUD had made improvements, management attention is needed to ensure
              that all individuals are properly trained on their security responsibilities before
              allowing them continued access to information systems. Twenty six percent of
              HUD employees accessing information systems had not taken security awareness
              training during fiscal year 2011. Security awareness training is to be used by
              organizations to inform users of the common goal of protecting information and
              information technology-related resources of the agency.




                                               50
     Security Weaknesses in HUD’s
     Network Devices


                During fiscal year 2010, we audited security controls over HUD’s network devices33
                to determine whether the security configurations implemented on the devices
                provided adequate controls to prevent abuse or unauthorized access to HUD’s
                information resources. We evaluated security measures that protect HUD
                information by scanning identified network devices and identifying vulnerabilities
                and suspect configurations that place sensitive information at risk.

                Security configurations implemented on HUD’s network devices were weak.
                Specifically, HUD did not (1) maintain a complete inventory of network devices, (2)
                implement strong security configurations on network devices, and (3) implement
                security configurations that sufficiently protected network paths. If HUD cannot
                comprehensively identify devices within its network, it cannot determine when there
                is unauthorized access to its network. An attacker could potentially exploit the weak
                security configurations to obtain information on the network and gain access to
                HUD’s systems and sensitive information. Failure to securely configure network
                devices and analyze information flow within a network increases the chances of
                sensitive information disclosure occurring without detection.

                We followed up on the status of these weaknesses during fiscal year 2011 and
                determined that corrective actions had been implemented for most of these
                weaknesses. HUD planned to complete corrective actions for the remaining
                recommendation by December 2, 2011.

     Preventive Maintenance Not
     Performed for the IBM
     Mainframe Operating System
     and Database Software


                HUD’s information technology (IT) support contractor did not perform preventive
                maintenance on the IBM mainframe system software34 to keep products up to date
                and available for support and enhancements. Software patches were not always
                installed, and software versions were not always upgraded to the minimum level that
                is supported by IBM. At least one issue was identified due to software patches not
                being applied as part of preventive maintenance. Specifically, during September
                2009, the owner of the Tenant Rental Assistance Certification System requested
                installation of the DB235 Connect Enterprise software to allow connectivity to the

33
   Audit report number 2010-DP-0004, ―Security Weaknesses on HUD’s Network Devices,‖ issued September 30,
2010
34
   Audit report number 2011-DP-0001, ―HUD Did Not Properly Manage HITS Contracts and Contractors To Fully
Comply With Contract Requirements and Acquisition Regulations,‖ issued October 6, 2010
35
   DB2 is a database management system.

                                                    51
                  DB2 databases on the IBM mainframe from applications based on other platforms.
                  The request was approved, but the installation was delayed because software patches
                  for the DB2 version 7.1 running on the IBM mainframe had not been installed up to
                  the minimum supported level for processing with the new DB2 Connect Enterprise
                  version 9.5 software. Also, DB2 version 7.1 had reached its end of support life36 as
                  of June 30, 2008.

                  In addition to the DB2 software, we found two other system software products
                  that had reached or were close to reaching their end of support life. The CICS37
                  software, used to support the online transaction processing on the IBM
                  mainframe, was upgraded to CICS Transaction Server version 2.3 in June 2010,
                  but had reached its end of support life in September 2009. Also, the z/OS
                  mainframe operating system was upgraded in July 2010 from z/OS 1.7 to z/OS
                  1.9, which reached its end of support life in September 2010.

                  Preventive maintenance was not generated and distributed for products that had
                  reached end of support life; therefore, preventive maintenance could not be
                  performed to mitigate future potential problems as recommended by industry
                  standards best practices. The use of system software, which was not maintained at
                  the recommended level of service, could result in system outages, delays in service,
                  and the inability to implement changes required by new initiatives or legislation.

                  We followed up on the status of these weaknesses during fiscal year 2011 and
                  determined that HUD had made progress in remediating these weaknesses. The
                  z/OS operating system was upgraded, and CICS was scheduled for upgrade in
                  November 2011. Additionally, HUD’s IT support contractor included maintenance
                  upgrades in the latest version of the MVS Implementation and Maintenance guide.
                  HUD planned to complete corrective actions for these weaknesses by November 30,
                  2012.


      IBM Mainframe Libraries Not
      Properly Managed


                  In fiscal year 2010, we reported that HUD’s IBM Mainframe z/OS38 authorized
                  program facility (APF)39 libraries were not adequately controlled. We reviewed
                  the IBM mainframe authorized libraries and identified weaknesses that left
                  HUD’s IBM mainframe vulnerable to unauthorized access. Three libraries were



36
   End of support life is when the vendor stops providing basic support (e.g., problem resolution, providing software
patches, etc.) for a product.
37
   CICS is a transaction manager designed for rapid, high-volume online processing.
38
   z/OS is the computer operating system for IBM's z-Series 900 (z900) line of large (mainframe) servers.
39
   The authorized program facility is an IBM tool that limits the use of sensitive system services and resources to
authorized system and user programs.

                                                         52
                 not under CA Top Secret40 resource security protection.41 The resource level of
                 protection is the most secure level of protection because it prevents programmers
                 from linking into protected programs and files. Additionally, the APF list
                 included the names of libraries that did not exist, increasing the risk that
                 unauthorized programs could be inserted and executed in the IBM mainframe
                 z/OS environment. This type of weakness could seriously diminish the reliability
                 of information produced by all of the applications supported by the computer
                 system and increase the risk of fraud and sabotage.

                 We followed up on the status of this weakness during fiscal year 2011. We once
                 again identified APF libraries that were not under CA Top Secret resource
                 security protection. We determined that HUD’s IT support contractor did not
                 always follow the procedures in place for ensuring the APF libraries were
                 properly controlled. Further, the support contractor did not always follow
                 procedures for notifying ADP Security when adding libraries to the APF. Details
                 of these findings will be included in our report for our fiscal year 2011 review of
                 information systems controls in support of the financial statement audit to be
                 issued in January 2012.

     Disaster Recovery Grant
     Reporting System

                 In fiscal year 2009, we reported on selected controls within the Disaster Recovery
                 Grant Reporting System (DRGR)42 related to Neighborhood Stabilization
                 Program (NSP) funding. We found that (1) access control policies and
                 procedures for DRGR violated HUD policy, (2) the system authorization to
                 operate was outdated and based upon inaccurate and untested documentation, (3)
                 the Office of Community Planning and Development (CPD) did not adequately
                 separate the DRGR system and security administration functions, and (4) CPD
                 had not sufficiently tested interface transactions between DRGR and LOCCS. As
                 a result, CPD could not ensure that only authorized users had access to the
                 application, user access was limited to only the data that were necessary for them
                 to complete their jobs, and users who no longer required access to the data in the
                 system had their access removed. Further, the failure to sufficiently test interface
                 transactions between DRGR and LOCCS left HUD with limited assurance that
                 the $5.9 billion in NSP funding would be accurately processed.

                 During fiscal year 2011, HUD made additional progress toward resolving the
                 issues identified in fiscal year 2009. HUD completed actions to address the


40
   CA-Top Secret is the software used on the IBM mainframe to secure resources from unauthorized exposure .
41
   Resource security protection prevents unauthorized updates to programs within the libraries.
42
   Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting
System, issued September 30, 2009.


                                                      53
                weaknesses pertaining to system access controls, system documentation,
                inadequate separation of duties, and insufficient testing of controls with LOCCS.

                Additionally, we audited the DRGR system during fiscal year 201143 to determine
                whether adequate controls were in place to safeguard, accurately track, and report
                $1.93 billion in ARRA funds allocated to CPD’s NSP2. We found that the
                improvements CPD made to the DRGR system within the last year were
                beneficial to the overall assurance that the system’s data were properly
                maintained, safeguarded, and in compliance with Federal regulations. However,
                for HUD to address ARRA requirements for accurate data requirements,
                additional improvements should be made to the DRGR system. We
                recommended that CPD modify the DRGR system to improve its application
                controls. Also, the DRGR system owner needs to coordinate with OCIO to
                ensure that the (1) security documentation is updated, (2) contingency plan is
                adequately tested, and (3) DRGR system is included in the annual disaster
                recovery test as it is a mission-critical application.

 Integrated Disbursement and
 Information System

                During our fiscal year 2010 review of information system controls,44 we found
                that application controls for IDIS were not properly placed and operating
                effectively. We noted the following deficiencies: (1) incompatible functions such
                as system administration and security administration were not adequately
                separated, and (2) there was no formal user recertification process to ensure that
                all users were properly recertified.

                We found that (1) HUD field office personnel were granted access to the data for
                one grantee organization without oversight beyond the field office level, (2) field
                office personnel were granted headquarters level access45 as part of the continuity
                of operations plan without sufficient compensating controls, and (3) HUD users
                with administrative access within IDIS were granted access to production data
                within the application. These weaknesses existed because CPD designed IDIS
                with decentralized security without adequate controls in place to ensure that the
                overall security of the application remained within the control of HUD staff. By
                not separating incompatible system administration and security responsibilities
                and reviewing the continued appropriateness of access to the financial systems,
                HUD increased its risk that sensitive financial data could be modified, disclosed,
                or misused or that erroneous or fraudulent transactions would be processed.


43
   Audit Report No. 2011-DP-0008: The Disaster Recovery Grant Reporting System That Maintained Recovery Act
Information Had Application Security Control Deficiencies, issued July 28, 2011
44
   Audit Report No. 2011-DP-0004: Audit Report on the Fiscal Year 2010 Review of Information Systems Controls
in Support of the Financial Statements Audit, issued January 14, 2011
45
   A user with headquarters administrative access has access to nationwide data within the application.

                                                     54
                   We also found that CPD did not require all users to sign and acknowledge the
                   specific rules of behavior form created for the IDIS application. In addition, CPD
                   did not implement a formal user recertification process for IDIS. Instead, CPD
                   implemented controls within IDIS that allowed ―administrators‖ from the grantee
                   organization the ability to edit the profiles for users with access to the data for that
                   grantee. These controls, however, shifted the responsibility of user access to the
                   grantee administrator. Proper access controls place the responsibility with HUD
                   staff. This condition occurred because management in the CPD Systems Division
                   was not aware that there was an IDIS-specific rules of behavior form. In addition,
                   IDIS was designed with decentralized security controls, which did not ensure that
                   overall security of the application remained within the control of HUD staff.
                   Instead, ―administrators‖ from grantee organizations were given the ability to
                   modify user access. By not implementing strong access controls, HUD cannot
                   ensure that users have access to only the data that are necessary for them to
                   complete their jobs. In addition, they are unable to ensure that only authorized
                   users have access to the system and that users who no longer require access to the
                   data in the system have had their access removed.


 HUD Procurement System


                   We audited HUD’s procurement systems in fiscal year 2006.46 Through actions
                   taken during fiscal years 2007 through 2010, the Office of the Chief Procurement
                   Officer (OCPO) had made progress toward resolving the issues identified during
                   the audit. However, two significant recommendations remained open during
                   fiscal year 2011. The procurement systems continued to be noncompliant with
                   Federal financial management requirements. In addition, OCPO had not yet
                   implemented functionality to ensure that there was sufficient information within
                   HUD’s current procurement systems to support the primary acquisition functions
                   of fund certification, obligation, deobligation, payment, and closeout. During
                   fiscal year 2011, OCPO worked to implement a replacement application for the
                   current procurement systems. The HUD Integrated Acquisition Management
                   System (HIAMS) will completely replace OCPO’s legacy procurement systems,
                   using a widely adopted acquisition management software system. Initial
                   deployment of the application began in October 2011 and is planned for
                   completion in January 2012.




46
     Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems, issued January 25, 2007

                                                      55
Configuration Management


                 During fiscal year 2010, we performed an audit of controls over selected
                 configuration management (CM) activities within HUD.47 Although HUD had
                 processes and procedures for managing the configurations of systems in HUD’s
                 computing environment, those procedures were not always followed. HUD’s help
                 desk application was not approved by the Configuration Change Management
                 Review Board48 (CCMB), although the application had been in use since 2007.
                 As a result of our audit, the CCMB did approve the application as a HUD
                 standard. Additionally, a software tool for use in the CM for source code and
                 other software development assets went through multiple pilot tests without prior
                 CCMB approval. Compounding the issue, OCIO’s Office of Enterprise
                 Architecture determined in November 2007 that the tool would not meet user
                 needs and would not be cost effective.

                 We also reviewed CM plans for the eTravel system and IDIS Online to determine
                 whether they were kept up to date. The CM plans for each system did not include
                 all required information or contained outdated information for the areas of system
                 overview, project references, roles and responsibilities, and supporting group
                 contact information. In addition, the eTravel CM plan did not include sections
                 such as baseline identification, measurements, configuration status accounting,
                 configuration management libraries, release management, and configuration
                 audits.

                 As part of our fiscal year 2011 audit, we reviewed the CM plan and selected
                 controls for the DRGR system. The DRGR CM plan also did not include required
                 information and contained outdated information. In addition, we identified
                 weaknesses related to the DRGR testing environment and required testing
                 documents. Details of these findings will be included in our report for our fiscal
                 year 2011 review of information systems controls in support of the financial
                 statement audit to be issued in January 2012.

Contingency Planning and
Physical Security

                 In fiscal year 2009, we found that disaster recovery exercises did not fully test
                 system functionality because critical applications were not verified through
                 transaction and batch processing and the exercises did not include recovery of all
                 applications that interface with the critical systems. By not having current

47
   Audit Report Number 2011-DP-0006, ―HUD’s Controls Over Selected Configuration Management Activities
Need Improvement‖, issued March 24, 2011
48
   The CCMB was established to ensure that all changes made to the HUD IT infrastructure and system development
platforms take place through a rational and orderly process.

                                                      56
          information in the disaster recovery plan and fully testing system functionality
          during disaster recovery exercises, HUD could not ensure that its systems and
          applications would function as intended in an actual emergency.

          We also determined that sensitive data stored on backup tapes, transported and
          stored offsite, were not adequately protected. HUD’s information IT support
          contractor is required to create backup tapes of HUD’s mission-critical data and
          store the backup tapes at an offsite storage facility. These backup tapes are
          created for use in contingency operations and disaster recovery events and
          exercises. However, during the 2009 disaster recovery exercises, we observed
          that backup tapes from the offsite storage facility were not in encrypted form.
          HUD planned to include requirements to fully test system functionality during
          disaster recovery exercises and encrypt backup tapes being transported to and
          from the offsite storage facility in the next IT support contract.

          For fiscal year 2011, we evaluated physical security controls at HUD’s data
          centers. We determined that weaknesses existed with regard to access to sensitive
          areas within the data center. Specifically, temporary access to the computer room
          for a special project was not removed upon completion, an obsolete job function
          (phased out in March 2011) was on the access list to the computer room, and
          reviews of the access list for individuals with physical access to sensitive areas
          within the data center were not performed regularly and results of reviews were
          not documented. Access to sensitive areas allows individuals to be in direct
          physical contact with data center equipment such as the hardware, network
          equipment, cables and power cords, and physical storage media containing large
          amounts of electronic information. Inadequate controls over access to sensitive
          areas within the data center facility could lead to equipment damage, data loss,
          equipment downtime, theft and sabotage of equipment, and unintentional
          wrongdoing by personnel. HUD provided explanations for the weaknesses
          identified, and plans to revise procedures to ensure that review of access to
          sensitive areas properly includes documenting the date and results of the reviews.

FHA Information Technology
Weaknesses


          In fiscal year 2011, FHA’s independent public auditor (IPA) reported as a significant
          deficiency that the information security control over FHA systems related to security
          and access controls, as well as in configuration management and contingency
          planning, were deficient. The report noted the following information security
          weaknesses by control area:

          Security Management

              HUD’s IT security policies and procedures had not been updated to
              comply with the National Institute of Standards and Technology (NIST)

                                           57
   Special Publication (SP) 800-53 Revision 3, Recommended Security
   Controls for Federal Information Systems and Organizations.

   The system security plans for FHA applications and general support
   systems were not being reviewed and updated in accordance with HUD
   policy or NIST standards.

   Vulnerability scanning practices did not agree with written HUD policy,
   and identified vulnerabilities were not being tracked for remediation.

   Specialized security training required by HUD policy and NIST
   standards was not being monitored and enforced.

   Agreements for external information systems and interface control
   documentation were not being maintained in accordance with HUD
   policy and NIST standards.

Access Control

   Management of user accounts was not being performed in accordance
   with HUD policy and NIST standards.

   Password and security parameter settings were not being consistently
   applied in accordance with HUD policy.

   Remote access authentication did not meet HUD policy and was not in
   compliance with NIST standards.

   Inactive user accounts were not always deactivated as required by HUD
   policy and in compliance with NIST standards.

Configuration Management

   Standard baseline configuration policies for FHA’s general support
   systems were not fully documented and implemented in accordance with
   HUD policy and NIST standards.

Contingency Planning

      Systems supporting critical operations were not consistently
      identified and tested in accordance with HUD policy and in
      compliance with NIST standards.

      Contingency plans for certain systems were incomplete or not
      updated in accordance with HUD policy and NIST standards.



                               58
Many of these weaknesses were observed and reported in prior FHA audits and
management letters. FHA tracks actions to improve controls using corrective action
plans and plans of action and milestones. While these plans often result in
improvements to the specific system weaknesses reported, the IPA found that the
weaknesses had not been remediated. Further, it found the same type of weaknesses
when it examined different systems. This finding indicated that the root causes of
the deficiencies were not being effectively addressed for all systems. The IPA’s
recommendations requested FHA to work with HUD OCIO to resolve these long-
standing issues.




                                59
Significant Deficiency 7: Weak Personnel Security Practices
Continued To Pose Risks of Unauthorized Access to HUD’s Critical
Financial Systems
For several years, we have reported that HUD’s personnel security practices regarding access to
its systems and applications were inadequate. Deficiencies in HUD’s IT personnel security
program were found, and recommendations were made to correct the problems. However, the
risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up
on previously reported IT personnel security weaknesses and deficiencies and found that
deficiencies still existed.



     HUD Did Not Have a Central
     Repository Listing of All Users
     With Access to HUD’s General
     Support and Application
     Systems


                 Since 2004, we have reported that HUD did not have a complete list of all users
                 with greater than read access at the application level. Those users with greater
                 than read access to sensitive application systems are required to have a
                 background investigation. Our review this year found that HUD still did not have
                 a central repository that listed all users with greater than read access to HUD’s
                 general support and application systems.

                 While HUD’s implementation in 2007 of the Centralized HUD Account
                 Management Process (CHAMP) was a step toward improving its user account
                 management practices, CHAMP remained incomplete and did not fully address
                 OIG’s concerns. Specifically, we noted that

                        CHAMP did not contain complete and accurate data. OCIO did not
                        electronically update CHAMP with data from the HUD Online User
                        Registration System. Instead, it chose to enter the legacy data manually.
                        However, this process had not been completed. In a January 2009 audit
                        report,49 we recommended that all offices within HUD provide the historical
                        information necessary to update CHAMP. OCIO agreed with our
                        recommendation, and corrective action was scheduled for completion in
                        December 2009. We followed up on this recommendation and found that as
                        of September 30, 2011, OCIO had not completed entering user access data
                        into CHAMP for all of HUD’s systems. Information provided by OCIO
                        showed that user data had been entered into CHAMP for only 112 systems.

49
  Audit report number 2009-DP-0003, ―Review of the Centralized HUD Account Management Process‖, issued
January 9, 2009

                                                   60
                        As of September 16, 2011, HUD’s inventory of automated systems
                        contained 208 active systems.

                        HUD did not conduct a security categorization and a risk assessment for
                        CHAMP as required by Federal Information Processing Standards
                        Publications 199 and 200. HUD’s OCIO chose not to do so because it
                        believed that these items were not required for CHAMP, which it considered
                        to be a process rather than a system. HUD also believed that since CHAMP
                        was exclusively owned by its IT contractor, it was not subject to these
                        requirements. Without a security categorization and risk assessment of
                        CHAMP, HUD cannot know the full extent of risks to which the CHAMP
                        process is vulnerable or whether adequate levels of security controls have
                        been put into place to protect data and applications impacted by CHAMP. In
                        the January 2009 audit report, OIG recommended that OCIO conduct a
                        security categorization and a risk assessment for CHAMP. OCIO agreed
                        and originally expected to complete this task by August 31, 2009, but did not
                        do so. We followed up on this recommendation and found that a contract
                        was awarded on August 2, 2011, to perform the certification and
                        accreditation for 30 systems, including CHAMP. However, due to the
                        contract delay, OCIO was expecting to complete it by December 31, 2011.

     Lack of Reconciliations To
     Identify Sensitive System Users
     Without Appropriate
     Background Investigations
     Remains a Concern

                 In prior audits, we found that HUD did not routinely identify users with greater
                 than read access to HUD sensitive systems that had not undergone appropriate
                 background checks. Granting people access to HUD’s information and resources
                 without appropriate background investigations increases the risk that unsuitable
                 individuals could gain access to sensitive information and inappropriately use,
                 modify, or delete it. HUD’s Personnel Security Division is required to reconcile
                 listings of users with above-read access to HUD’s sensitive systems to the
                 database containing background investigation information to ensure that each user
                 has had the appropriate background investigation. In our May 2010 audit report,50
                 we recommended that HUD develop and implement a plan to routinely perform
                 the quarterly reconciliation of users with above-read access to sensitive systems
                 and general support systems to identify those without appropriate background
                 investigations. However, no reconciliations were performed for fiscal year 2011.

                 We have reported since 2006 that the list of sensitive systems to be included in
                 the reconciliation was incomplete. In response to a recommendation in our fiscal

50
 Audit report number 2010-DP-0002, ―Audit Report on the Fiscal Year 2009 Review of Information Systems
Controls in Support of the Financial Statements Audit,‖ issued May 14, 2010

                                                    61
                year 2008 audit report,51 OCIO planned to update the sensitive system list by
                April 30, 2010. OCIO recently provided clarification that HUD had 15 systems
                that were considered sensitive because of the financial and personally identifiable
                information they contained. However, the original condition still existed; only
                one system was required to be included in the reconciliation.

                In fiscal year 2007, we first reported that the general support systems on which
                HUD’s mission-critical and sensitive applications resided were not included in the
                reconciliations because they were not classified as mission critical.52 Granting
                people access to general support systems without appropriate background
                investigations increases the risk that unsuitable individuals could gain access to
                sensitive information and inappropriately use, modify, or delete it. We
                recommended that the Office of Security and Emergency Planning update its
                policies and procedures to include users of HUD’s general support systems in the
                user access reconciliation process. The Personnel Security and Suitability
                Handbook was updated in September 2009 but did not include language requiring
                general support systems to be included in the reconciliation process. Having
                access to general support systems typically includes access to system tools, which
                provide the means to modify data and network configurations. We previously
                identified IT personnel, such as database administrators and network engineers,
                who had access to these types of system tools but did not have appropriate
                background checks. These persons were not identified as part of the
                reconciliation process. This issue still existed during fiscal year 2011.




51
   Audit report number 2009-DP-0004, ―Fiscal Year 2008 Review of Information Systems Controls in Support of
the Financial Statements Audit,‖ issued May 29, 2009
52
   Audit report number 2008-DP-0003, ―Fiscal Year 2007 Review of Information Systems Controls in Support of
the Financial Statements Audit,‖ issued March 4, 2008

                                                     62
                    Compliance With Laws and Regulations

In fiscal year 2011 we found instances where HUD did not ensure transactions were executed in
accordance with laws governing the use of budget authority and with other laws and regulations
that could have a direct and material effect on the financial statements and any other laws,
regulations, and government wide policies identified in OMB audit guidance.



HUD Did Not Substantially Comply With the Federal Financial Management
Improvement Act

FFMIA requires auditors to report whether the agency’s financial management systems
substantially comply with the Federal financial management systems requirements and
applicable accounting standards and support the USSGL at the transaction level. We found that
HUD was not in substantial compliance with FFMIA because CPD’s IDIS grant information
system was not in compliance with Federal GAAP, FFMIA, and its internal controls over
financial reporting as well as HUD’s financial management systems’ noncompliance with
Federal financial management system requirements.

During fiscal year 2010, we found that CPD’s IDIS was determined to be noncompliant with
FFMIA due to deficiencies in internal controls over financial reporting and its ability to process
transactions that would follow Federal GAAP. These deficiencies were described in detail in
Significant Deficiency 1: HUD Financial Management Systems Did Not Comply With the
Federal Financial Management Improvement Act of 1996 (FFMIA) of the prior-year report.

HUD on an entitywide basis made limited progress as it attempted to address its financial
management deficiencies to bring the agency’s financial management systems into compliance
with FFMIA. Deficiencies remained as HUD’s financial management systems continued to not
meet current requirements and were not operated in an integrated fashion and linked
electronically to efficiently and effectively provide agencywide financial system support
necessary to carry out the agency’s mission and support the agency’s financial management
needs.

HUD was not in full compliance with OMB Circular A-127. The circular requires each agency
to perform reviews of its financial management systems. However, HUD did not complete any
OMB Circular A-127 reviews in fiscal year 2011. HUD is also required to maintain financial
management system plans for each of their financial management applications. We determined
that HUD’s financial management systems plan document for fiscal year 2011 did not meet the
requirements specified in the circular.




                                                63
     Federal Financial Management
     System Requirements


                In its Fiscal Year 2011 Agency Financial Report, HUD reported that 3 of its 41
                financial management systems did not comply with the requirements of FFMIA
                and OMB Circular A-127, Financial Management Systems. Although 38
                individual systems had been certified as compliant with Federal financial
                management systems requirements, HUD performed only one OMB Circular A-
                127 review (FHA-SL) in the last two years and relied upon the results of OMB
                Circular A-123 and FISMA annual internal control reviews for individual
                applications. For the past two years, HUD has reported the ongoing OMB
                Circular A-127 evaluation of one core system, Federal Housing Administration
                Subsidiary Ledger (FHA-SL). Since the final report for the A-127 evaluation
                performed is not expected to be completed until December 2011, HUD continues
                to be noncompliant.

                Additionally, in fiscal year 2010 OIG reported that IDIS was noncompliant with
                the requirements of OMB Circular A-12753. However, HUD continues to report
                IDIS as compliant54. Further, in fiscal year 2011, OIG determined that CPD’s
                financial management systems did not meet the computer system requirements of
                OMB A-127. Specifically, OIG determined that the DRGR program office’s
                application security management program had weaknesses. The weaknesses in
                DRGR are identified in Significant Deficiency 1: HUD Financial Management
                Systems Do Not Fully Comply With Federal Financial Management System
                Requirements. Therefore, collectively and in the aggregate, deficiencies
                continued to exist.

                We continue to report as a significant deficiency that HUD financial management
                systems need to comply with Federal financial management systems
                requirements. The significant deficiency addresses how HUD’s financial
                management systems remained substantially noncompliant with Federal financial
                management requirements.

                FHA’s auditor reported as a noncompliance that FHA’s financial management
                infrastructure was comprised of many aging information systems developed over
                the last 30 years that were connected to each other, customers, and the general
                ledger through hundreds of electronic interfaces. FHA’s auditor stated that this
                complex and outdated infrastructure was becoming increasingly difficult and

53
   Audit Report 2011-FO-0003, Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and
2009 Financial Statements, Significant Deficiency 1: HUD Financial Management Systems Do Not Comply with
the Federal Financial Management Improvement Act of 1996 (FFMIA).
54
   See Appendix C of this report

                                                    64
           costly to maintain. FHA’s auditor reported that these limitations impacted FHA’s
           ability to ―continue to operate in an effective and efficient manner‖ and to support
           its ―changing business practices‖ as required by OMB Circular No. A-127,
           Financial Management Systems. FHA had also implemented many expensive and
           manual compensating controls to ensure the reliability of its day-to-day financial
           reporting.

           We also continue to report as significant deficiencies that (1) controls over HUD’s
           computing environment can be further strengthened and (2) weak personnel
           security practices continue to pose risks of unauthorized access to HUD’s critical
           financial systems. These significant deficiencies discuss how weaknesses with
           general controls and certain application controls and weak security management
           increase risks associated with safeguarding funds, property, and assets from
           waste, loss, unauthorized use, or misappropriation.

           We have included the specific nature of noncompliance issues, responsible
           program offices, and recommended remedial actions in appendix C of this report.


HUD Did Not Substantially Comply With the Antideficiency Act

HUD Had Not Made Progress in
Reporting ADA Violations as
Required

           Our fiscal year 2011 audit found that HUD had not improved its process for
           conducting, completing, reporting, and closing the investigation of potential 31
           U.S.C. 1351.1517(b) ADA violations. Our review found that none of the six
           cases identified as a potential deficiency in fiscal year 2009 were reported to the
           President through OMB, Congress, or GAO as required or determined not to be a
           violation. Of the six cases in which OCFO was notified of a potential violation,
           two of the six case files were opened in fiscal year 2003, two cases were opened
           in fiscal year 2004, one case file was opened in fiscal year 2005, and the
           remaining case was opened in fiscal year 2008. In all six cases, OCFO had not
           completed its review to report the violations to the President through OMB,
           Congress, or GAO as required. Additionally, in four of the six cases, the
           Appropriations Law Division (ALD) had not completed its review as required.
           Therefore, we did not find any improvement in HUD’s conducting, completing,
           reporting, or closing potential ADA violation investigations.

           We have reported in prior-year reports that HUD continued to show no substantial
           improvement to its process for conducting, completing, reporting, and closing the
           investigation of potential ADA violations. Since fiscal year 2009, we have
           reported HUD’s failure to report six cases identified as a potential deficiency to


                                            65
            the President through OMB, Congress, or GAO as required or make a
            determination that no violation had occurred.

            OCFO is responsible for conducting investigations and reporting on violations of
            ADA. HUD’s continued delay in completing ADA investigations and reporting
            known violations results in ADA violators avoiding timely reprimands or
            punishments and prevents timely correction of violations. In all six of the cases,
            OCFO had not completed its review as required to report the violation to the
            President through OMB, Congress, or GAO as required.

            The lack of adequate oversight of the investigative process impeded the
            completion of the review process. The review process requires that in ADA cases
            for which the Funds Control Assurance Division has determined that an ADA
            violation has occurred, the case must be reviewed by the ALD before the report is
            reviewed by OCFO. However, in four of the six cases reported since fiscal year
            2009, ALD had not completed its review. Therefore, no progress had been made
            by OCFO in the 3 years since OIG first began reporting this finding.



HUD Did Not Comply With Laws and Regulations Governing Claims of the
United States Government

Inadequate Efforts To Collect on
Delinquent Direct Loans
Continued

            Regulations at 31 CFR Part 901, Standards for the Administrative Collection of
            Claims, holds HUD responsible for aggressively collecting all debts arising out of
            activities performed by the agency. These activities include notifying debtors of a
            delinquency and performing timely follow-up activities. As reported in the prior
            year, follow-up activities were not being substantially and promptly performed for
            Section 202 delinquent loans as required by HUD Handbook 1900.25, REV-3,
            and 31 CFR Part 901. Our review of the Section 202 delinquent loans determined
            that inadequate collection efforts continued. A sample of 13 projects with Section
            202 loans delinquent more than 90 days noted 7 (54 percent) projects which did
            not show evidence that the owner was notified of the delinquency or that efforts
            were attempted to cure the delinquency 30 days after the delinquency occurred.
            While project managers started to follow up with property owners on the
            delinquent loan at the beginning of fiscal year 2011, follow-up activities were not
            performed for two delinquent loans before our review. These seven loans had
            delinquent payments aged between 242 days and 7 years.

            In addition, our review of the Flexible Subsidy loan portfolio determined that
            follow-up activities were not performed in a timely manner for two of three
            delinquent loans that were more than 90 days delinquent as of March 31, 2011.

                                            66
            One of the two loans was delinquent before January 31, 2003, and the property
            owner submitted a proposal to address the delinquent payment on January 31,
            2003, but was not approved until March 2011 due to inadequate follow-up efforts
            by the project manager. The project manager of the second loan did not follow up
            on the delinquent payment until the loan was delinquent for 26 months.

            In response to our prior-year finding, the Office of Housing drafted guidance to
            address required collection procedures for Section 202 delinquent loans; however,
            the guidance had not been finalized and issued to project managers by the end of
            fiscal year 2011. In addition, the Office of Housing worked with OCFO to
            develop accurate delinquency reports to be provided to project managers and they
            were monitoring each hub’s progress in collecting delinquent loans. The Office
            of Housing was drafting guidance to address the collection procedures for
            Flexible Subsidy delinquent loans, which will be similar to the guidance drafted
            for the Section 202 loans. Inadequate efforts to collect on delinquent balances
            result in a higher risk of HUD’s assets becoming uncollectable. If insufficient
            follow-up continues, over time, more direct loans that fall into delinquent status
            will be at a higher risk of becoming uncollectable.

Nonreporting of Delinquent Loan
Information to Third Parties
Continued

            As reported in the prior year, OCFO did not report delinquent direct loans to
            third-party entities, such as credit bureaus and CAIVRS (Credit Alert Verification
            Reporting System) as required by 31 U.S.C. 3711. As a result, the delinquent
            status of debt due to HUD was not reported to other Federal credit agencies.
            Consequently, other agencies did not have all delinquent information available to
            perform prescreening procedures as required by 31 U.S.C. 3711 and OMB.
            HUD’s failure to report its delinquent debtors might have resulted in other
            agencies’ improperly qualifying ineligble debtors for a Federal loan. This
            reporting failure would prevent other agencies from effectively protecting the
            Government’s assets and curtailing the losses in relation to Government benefits
            provided.

            Ensuring that this information is reported to third parties became even more
            important after HUD implemented the Emergency Homeowners’ Loan Program
            in fiscal year 2011, obligating more than $209 million in new direct loans to
            homeowners. The loans issued under the program will eventually be maintained
            in the Nortridge Loan System, thereby increasing the significance of having this
            reporting requirement functional in the immediate future.

            During fiscal year 2011, HUD made significant efforts to configure the NLS to
            allow for the reporting of delinquent loan information to CAIVRS. OCFO was
            waiting for the Office of Housing to finalize its formal notice, which describes the

                                             67
criteria for reporting delinquent direct loan debts to credit bureaus and CAIVRS,
before initiating the reporting process. However, OCFO was still working on
determining how to report delinquent loan information to credit bureaus.




                                68
                               OTHER MATTERS

HUD Did Not Obligate All of the Funds Appropriated for the
Emergency Homeowners’ Loan Program
          The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203
          (Dodd-Frank Act), enacted July 21, 2010, provided $1 billion in assistance
          through the Emergency Homeowners’ Relief Fund. HUD administered these
          funds under the Emergency Homeowners’ Loan Program (EHLP). Through
          EHLP, homeowners may receive a maximum of $50,000 in assistance in the form
          of a declining balance, nonrecourse, zero-interest, subordinate secured loan with a
          term of up to 7 years. No payment is due from homeowners during the term of
          the loan provided they remain current in their monthly homeowner contribution
          payments. If the homeowner meets this requirement, the balance due will decline
          by a HUD-designated percentage until the loan is fully satisfied.

          Due to delays in establishing EHLP, HUD only obligated $528.2 million of the $1
          billion appropriated for EHLP. The $528.2 million in obligations included $46.8
          million for a cooperative agreement with NeighborWorks America to facilitate
          outreach and application processing, $25.5 million for a fiscal agent agreement
          with Bank of New York Mellon to review application packages and service the
          loans issued by HUD, $246.6 million in grants to five States to operate programs
          deemed substantially similar to the EHLP, and $205.2 million for the credit
          subsidy portion of the direct loans issued by HUD. The Dodd-Frank Act
          specified a period, October 1, 2010, to September 30, 2011, when emergency
          mortgage relief payments could be obligated. As a result of the difficulties HUD
          encountered establishing the program, $471.8 million in funds not obligated by
          September 30, 2011, are not available for additional loans.

          The delays HUD experienced in setting up EHLP were due to the uniqueness of
          the program, outsourced application intake and evaluation, lack of a permanent
          management structure, and the aggressive timeframe for obligating the funds.
          While EHLP was originally authorized by the Emergency Homeowners’ Relief
          Act of 1975, the program was never used, and it was removed from the Code of
          Federal Regulations in 1995. Additionally, HUD did not have any similar
          programs in operation or the in-house expertise to manage such a program.
          Further, HUD did not enter into agreements with NeighborWorks and Bank of
          New York Mellon until May 2011 and did not begin accepting applications from
          distressed homeowners until June 20, 2011, 10 and 11 months, respectively, after
          the passage of the Dodd-Frank Act. NeighborWorks and its network of housing
          counseling agencies identified and contacted 43,000 applicants having a ―good
          chance‖ of meeting the eligibility requirements of EHLP. However, a higher
          number of applicants were disqualified than HUD had anticipated, which led
          HUD to reopen the application window. The high disqualification rate, combined
          with the lengthy application process, led to HUD’s approving and obligating

                                          69
funds for 5,823 loans, as opposed to the approximated 19,000 HUD expected.
While the loans were obligated by September 30, HUD had not completed the
application evaluation for more than 5,000 loans. When the loan application
evaluation is complete, there are likely to be fewer loans than obligated. While
the funds for this program were ―no year‖ money, HUD had no authority to make
new loans and had already obligated the funds needed to administer the
outsourced portions of this program. As result, the unobligated balance of $471.8
million should be returned to the U.S. Treasury, less amounts needed for upward
adjustments for current loan obligations and expected administrative expenses for
the current program.




                                70
Appendix A

                       Objectives, Scope, and Methodology

Management is responsible for

*      Preparing the financial statements in conformity with accounting principles generally
       accepted in the United States of America;
*      Establishing, maintaining, and evaluating internal controls and systems to provide
       reasonable assurance that the broad objectives of FMFIA are met; and
*      Complying with applicable laws and regulations.

In auditing HUD’s principal financial statements, we were required by Government Auditing
Standards to obtain reasonable assurance about whether HUD’s principal financial statements
were presented fairly, in accordance with generally accepted accounting principles, in all
material respects. We believe that our audit provides a reasonable basis for our opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls
over financial reporting by obtaining an understanding of the design of HUD’s internal controls,
determined whether these internal controls had been placed into operation, assessed control risk,
and performed tests of controls to determine our auditing procedures for the purpose of
expressing our opinion on the principal financial statements. We are not providing assurance on
the internal control over financial reporting. Consequently, we do not provide an opinion on
internal controls. We also tested compliance with selected provisions of applicable laws,
regulations, and government policies that may materially affect the consolidated principal
financial statements. Providing an opinion on compliance with selected provisions of laws,
regulations, and government policies was not an objective, and, accordingly, we do not express
such an opinion.

We considered HUD’s internal control over required supplementary stewardship information
reported in HUD’s Fiscal Year 2011 Agency Financial Report by obtaining an understanding of
the design of HUD’s internal controls, determined whether these internal controls had been
placed into operation, assessed control risk, and performed limited testing procedures as required
by AU Section 558, Required Supplementary Information. The tests performed were not to
provide assurance on these internal controls, and, accordingly, we do not provide assurance on
such controls.

With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2011 Agency Financial Report,
we obtained an understanding of the design of significant internal controls relating to the
existence and completeness assertions as described in section 230.5 of OMB Circular A-11,
Preparation, Submission and Execution of the Budget. We performed limited testing procedures
as required by AU Section 558, Required Supplementary Information, and OMB Bulletin 07-04,
Audit Requirements for Federal Financial Statements, as amended. Our procedures were not

                                               71
designed to provide assurance on internal control over reported performance measures, and,
accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we

*      Examined, on a test basis, evidence supporting the amounts and disclosures in the
       consolidated principal financial statements;
*      Assessed the accounting principles used and the significant estimates made by
       management;
*      Evaluated the overall presentation of the consolidated principal financial statements;
*      Obtained an understanding of internal controls over financial reporting (including
       safeguarding assets) and compliance with laws and regulations (including execution of
       transactions in accordance with budget authority);
*      Tested and evaluated the design and operating effectiveness of relevant internal controls
       over significant cycles, classes of transactions, and account balances;
*      Tested HUD’s compliance with certain provisions of laws and regulations;
       governmentwide policies, noncompliance with which could have a direct and material
       effect on the determination of financial statement amounts; and certain other laws and
       regulations specified in OMB Bulletin 07-04, as amended, including the requirements
       referred to in FMFIA;
*      Considered compliance with the process required by FMFIA for evaluating and reporting
       on internal control and accounting systems; and
*      Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by
FMFIA. We limited our internal control testing to those controls that are material in relation to
HUD’s financial statements. Because of inherent limitations in any internal control structure,
misstatements may, nevertheless, occur and not be detected. We also caution that projection of
any evaluation of the structure to future periods is subject to the risk that controls may become
inadequate because of changes in conditions or that the effectiveness of the design and operation
of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04, as amended.

Under standards issued by the American Institute of Certified Public Accountants, a significant
deficiency is a deficiency or a combination of deficiencies in internal control that is less severe
than a material weakness yet important enough to merit attention by those charged with
governance.

A material weakness is a deficiency or combination of deficiencies in internal controls, such that
there is a reasonable possibility that a material misstatement of the financial statements will not
be prevented or detected and corrected on a timely basis.



                                                 72
Our work was performed in accordance with generally accepted government auditing standards
and OMB Bulletin 07-04, as amended.

This report is intended solely for the use of HUD management, OMB, and Congress. However,
this report is a matter of public record, and its distribution is not limited.




                                            73
Appendix B

                                  Recommendations

To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System (ARCATS), this appendix lists the newly developed recommendations resulting from our
report on HUD’s fiscal year 2011 financial statements. Also listed are recommendations from
prior years’ reports that have not been fully implemented. This appendix does not include
recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under
separate financial statement audit reports of that entity.

                    Recommendations From the Current Report
With respect to the significant deficiency that HUD’s financial management systems need to
comply with Federal financial management system requirements, we recommend that the CFO:

     1.a. In coordination with the OIG, CFO Systems, CFO Accounting, CFO Financial
          Management, CPD Management, and CPD Systems, review the methodology used by
          CPD for assigning and disbursing budget fiscal year funding sources to activities
          within IDIS.

     1.b. Based upon the understanding obtained of the methodology used by CPD, develop
          and execute procedures to determine whether the methodology used by CPD for
          assigning and disbursing budget fiscal year funding sources to activities within IDIS
          is in accordance with federal financial accounting standards and whether the
          budgetary and internal controls over financial reporting are adequately designed
          provide reasonable assurance that misstatements, losses, or noncompliance material
          in relation to the financial statements would be prevented or detected on a timely
          basis.

     1.c. In coordination with CPD, develop modifications, to IDIS and DRGR to correct the
          unacceptable errors or discontinue the use of these systems for any financial and
          budgetary information.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with the appropriate program
offices:

     2.a. Recapture the $1.7 million for the 93 administrative and program unliquidated
          obligations that were marked for deobligation during the fiscal year 2011 open
          obligations review.




                                              74
With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that CPD:

     2.b. Review the status of each of its homeless assistance contracts that make up the $32
          million OIG identified as excess funding and recapture excess funds for expired
          contracts, which have not been granted extension.

     2.c. Fully implement the internal control procedures and control activities that were
          drafted as a result of the fiscal year 2010 audit finding, that include specific policies,
          procedures and mechanisms, including appropriate documentation of extensions
          granted and follow-up efforts with the grantees to obtain the close-out documents, to
          ensure that grants are closed out within the 90-day period after the contract expiration
          or after the extension period, so that remaining balances are recaptured on a periodic
          basis.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Office of Housing, in coordination with the CFO:

     2.d. Recapture the $3.8 million tied to the 78 inactive or expired obligations for the
          Section 202 and 811 programs.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Office of the Chief Procurement Officer, in
coordination with the Office of Housing:

     2.e. Review and if necessary close-out the 76 obligations with remaining balances totaling
          $991 thousand that were forwarded by the Office of Housing Assistance and Grants
          Administration.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with PIH:

     2.f. For the Office of Public Housing Investment grants,
             i) Close out the 34 predevelopment grants and recapture $24 million in unpaid
                  obligations in LOCCS; and
             ii) Perform a review of the 170 grants coded PDEV, LBAC, and COMP and any
                  other grants not subject to or obligated before the Quality Housing Work and
                  Responsibility Act of 1998 to ensure that the grants were obligated properly
                  and not transferred to LOCCS, correct any inaccuracies, and ensure that the
                  accounting records are complete.

     2.g. For the Office of the Chief Financial Officer (in regards to Office of Public Housing
          Investment grants),
             i) Perform a $2 million downward and withdrawal adjustment for the
                  unliquidated obligations that are unsupported in the Non PAS Program ledger
                  or provide evidence of the grants for the unpaid obligations; and

                                                75
               ii) Perform a $2.3 million downward and withdrawal adjustment for the
                   duplicated grants.

     2.h. For the Office of Public Housing Investment grants,
             i) Improve the PIH and CFO internal control environment to ensure that all
                  grants in appropriation 0304 have a program office responsible for their
                  administration and oversight and periodically conduct reviews of all
                  predevelopment grants;
             ii) For those low-rent grants without supporting documentation, obtain a
                  statement from the field office directors certifying that no documentation is
                  available to support the obligations as evidence to process the grants’ closeout
                  and recapture; and
             iii) Improve the open obligation review process by including all PIH programs in
                  the open obligation review and include quality control testing in the obligation
                  reviews performed by the program offices.

     2.i. For the Section 8 Housing Choice Voucher tenant-based program,
             i) Develop formal written procedures to review the program obligations;
             ii) Deobligate $18.3 million in expired contracts; and
             iii) Include the Section 8 tenant-based program obligations in the departmental
                  open obligation review process.

With respect to the significant deficiency that CPD needs to improve its oversight of grantees,
we recommend that CPD:

     3.a. Consult with OCFO to determine whether the implementation of "true-FIFO"
          complies with the Federal financial accounting standards and adequate budgetary and
          internal control requirements over financial reporting.

     3.b. Implement a policy to require grantees to include the reason for reopening activities
          cancelled on the HUD-initiated activity cancellation reports.

     3.c. Implement a policy to require CPD field offices to review the HUD-initiated activity
          cancellation reports for activities that have been cancelled and reopened to follow up
          and verify the validity of the activity.

     3.d. Ensure that field offices have developed and implemented control activities, which
          are documented and can be periodically tested and monitored by the Office of Field
          Management, to ensure that the field offices have a system to ensure compliance with
          the requirements within the biennial risk analysis process Notices for Implementing
          Risk Analyses (CPD Notice 09-04) for Monitoring Community Planning and
          Development Grant Programs and the CPD Monitoring Handbook.

     3.e. Review information within the GMP system for consistency and completeness and
          follow up with field offices when information is incomplete or inconsistent among the
          risk analysis, work plans, and completed monitoring efforts.


                                                76
     3.f. Ensure that all required information has been updated and entered into GMP after the
          due dates for submissions have passed and follow up with field offices that have not
          entered their information.

     3.g. Follow up on information in GMP to ensure that findings which had questioned costs
          have been repaid and noncompliance and internal control deficiencies have been
          addressed.

     3.h. Develop, document, and implement internal control procedures for OAHP’s review to
          ensure that grantees comply with the terms of the grant agreement, which require the
          grantees to perform monitoring procedures.

     3.i. Develop, document, and implement internal control procedures for the review and
          resolution of audit findings identified in the A-133 single audit reports as reported in
          the FAC, including measures to ensure that all grantees have reported to the FAC.

     3.j.    Maintain documentation readily available to support OAHP’s compliance with the
            requirements of OMB Memorandum M-10-14.

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that OCFO:

     4.a    Establish and implement procedures to ensure that all program codes that disburse
            HUD’s funds have complete and approved funds control plans before the funds can
            be disbursed.

     4.b Establish and implement procedures to ensure that the funds control plans are updated
         to include the new program codes and new appropriation requirements.

     4.c    Develop and implement a 3-year cycle of funds control compliance reviews for all
            approved funds control plans by completing the assessments of 1/3 of approved funds
            control plans each fiscal year.

With respect to the significant deficiency that HUD needs to continue improving its oversight
and monitoring of subsidy calculations, intermediaries’ performance, and use of Housing Choice
Voucher and operating subsidy program funds, we recommend that PIH:

     5.a. Conduct remote monitoring and onsite monitoring as necessary to ensure that PHAs
          have a review process in place to prevent consistency and transcription errors and to
          ensure that income and allowance amounts used in the rent calculation are correct.

     5.b. The Office of Housing report on income discrepancies at the 100 percent threshold
          level as a supplemental measure; assign staff to review the deceased single-member
          household and income discrepancy reports at least quarterly and follow up with
          owners and management agents (O-A) listed on these reports; and include in the
          contract between HUD and O-As a provision for improper payments that requires O-


                                                77
           and resolve in a timely manner income discrepancies, failed identity verifications, and
           cases of deceased single-member households.

     5.c. Request Congress provide an NRA offset amount for program reserves in excess of 6
          percent of the PHAs’ annual Budgetary Authority up to the estimated $820 million
          and provide HUD with legislative authority to annually perform offsets of NRA
          balances in excess of 6 percent of the PHAs’ Budgetary Authority.

     5.d. For the Operating Subsidy, PIH request congressional approval to perform a $1
          billion offset or offset the held reserve exceeding 6 months of operating reserves.

     5.e. For the Operating Subsidy, PIH should evaluate and document the nature of the
          remaining $890 million of PHA operating subsidies reserve and request congressional
          approval for an offset if it is determined these funds are excess.

With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in
coordination with the appropriate program offices:

     6.a   Amend the current ADA case processing timelines policy to establish a timeframe for
           completion of review of the preliminary assessment report by the CFO and Deputy
           CFO.

With respect to HUD’s substantial noncompliance with the laws and regulations governing
claims of the U.S. Government, we recommend that the Office of Housing:

     7.a. Draft and issue guidance regarding collection procedures for delinquent Flexible
          Subsidy loans and ensure the policy is communicated to each applicable project
          manager and implemented after issuance.

With respect to ―Other Matters‖ that HUD did not obligate all of the funds appropriated for the
Emergency Homeowners’ Loan Program, we recommend that the CFO:

     8.a Determine the amount of funds needed to cover future administrative costs and
         possible upward adjustments of obligations to current EHLP beneficiaries.

     8.b   Seek the authority from Congress to return to the U.S. Treasury up to $471.8 million
           in funds not needed for potential upward adjustments to current loan obligations and
           future administrative costs for the existing program.




                                               78
         Unimplemented Recommendations From Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’
reports on HUD’s financial statements that have not been fully implemented based on the status
reported in ARCATS. HUD should continue to track these under the prior years’ report numbers
in accordance with departmental procedures. Each of these open recommendations and its status
is shown below. Where appropriate, we have updated the prior recommendations to reflect
changes in emphasis resulting from recent work or management decisions.


OIG Report Number 2011-FO-0003 (Fiscal Year 2010 Financial Statements)

With respect to the significant deficiency that HUD’s Financial Management Systems Need to
Comply with Federal Financial Management System Requirements, we recommend CPD:

     1.a. Cease the changes being made to IDIS for the HOME program related to the FIFO
          rules until the cumulative effect of using FIFO can be quantified on the financial
          statements. (Final action target date is June 21, 2012; reported in ARCATS as
          recommendation 1A.)

     1.b. Change IDIS so that the budget fiscal year source is identified and attached to each
          activity from the point of obligation to disbursement. (Final action target date is June
          21, 2012; reported in ARCATS as recommendation 1B.)

     1.c. Cease the use of FIFO to allocate funds (fund activities) within IDIS and disburse
          grant payments. Match outlays for activity disbursements to the obligation and
          budget fiscal source year in which the obligation was incurred and in addition, match
          the allocation of funds (activity funding) to the budget fiscal year source of the
          obligation. (Final action target date is June 21, 2012; reported in ARCATS as
          recommendation 1C.)

     1.d. Include as part of the annual CAPER [consolidated annual performance and
          evaluation report] a reconciliation of HUD’s grant management system, IDIS, to
          grantee financial accounting records on an individual annual grant basis, not
          cumulatively, for each annual grant awarded to the grantee. (Final action target date
          is June 21, 2012; reported in ARCATS as recommendation 1D.)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with the appropriate program
offices:




                                               79
      2.a. Deobligate the $3.2 million in administrative and program unliquidated obligations
           that were marked for deobligation. (Final action target date is October 31, 2011;
           reported in ARCATS as recommendation 2A. 55)

      2.b. Promptly perform contract closeout reviews and recapture of invalid obligations.
           (Final action target date is October 31, 2011; reported in ARCATS as
           recommendation 2B. 55)

      2.c. Review the 510 obligations which were not distributed to the program offices during
           the open obligations review and deobligate amounts tied to closed or inactive
           projects, including the $27.5 million we identified during our review as expired or
           inactive. (Final action target date is October 31, 2011; reported in ARCATS as
           recommendation 2C. 55)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that CPD:

       2.d. Investigate, through reviewing each individual obligating document and contacting
            the grantee, the $1.62 billion in obligations, which were originally obligated in 2005
            and prior, to obtain the intended use for open obligation amount (commitments, etc.).
            For those which do not have a specific intended use, CPD should recapture the open
            obligation amount. Where applicable for non-fixed-year funds, CPD should include
            the deobligated amounts in next year’s formula allocation. (Final action target date
            is October 14, 2011; reported in ARCATS as recommendation 2E. 55)

       2.e. For grantees which do not comply with program regulations, deobligate the funds
            related to the noncompliance from the older applicable grant award and not the
            current available for obligation awards. (Final action target date is June 21, 2012;
            reported in ARCATS as recommendation 2F.)

        2.f. In coordination with the CFO, develop and publish written guidance and policies to
             establish a benchmark for field directors to use to determine the validity of the open
             obligation. The guidance should include specific procedures for open obligation
             amounts, wherein the obligation was made before a specified amount of time, as
             well as disbursement inactivity beyond a specified amount of time. (Final action
             target date is October 31, 2011; reported in ARCATS as recommendation 2G. 55)

       2.g. In coordination with the CFO, develop procedures to periodically evaluate HUD’s
            program financial activities and operations to ensure that current accounting policies
            are sufficient and appropriate and to ensure that they are implemented and operated
            by program and accounting staff as intended. (Final action target date is October 31,
            2011; reported in ARCATS as recommendation 2H. 55)


55
  As of the date of this report, this unimplemented recommendation had a corrective action plan that is overdue for
completion. OIG has performed audit follow-up activities to determine the status of the corrective action plan and is
working with the Department to ensure it is completed and the recommendation is addressed.

                                                         80
With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Office of Housing, in coordination with the CFO,

      2.h. Implement a long-term financial management strategy and improvement plan to
           address data and system weaknesses to ensure that information for the Office of
           Housing’s obligations is kept up to date and accurate. (Final action target date is
           May 8, 2012; reported in ARCATS as recommendation 2K.)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with PIH:

      2.i. Coordinate a review and close out each of the 434 PIH low-rent grants in PAS
           subsidiary and determine the status of any other grants included in the OIG audit
           report SF-1997-107-0001 that remain open. (Final action target date is June 30,
           2012; reported in ARCATS as recommendation 2L.)

      2.j. After reviewing and closing out these 434 PIH low-rent grants, determine whether
           there are any overpayments that need to be recovered from any housing authority
           grants that were overpaid. (Final action target date is June 30, 2012; reported in
           ARCATS as recommendation 2M.)

      2.k. Recapture the full amount of obligations from these 434 PIH low-rent grants totaling
           $174 million and return to the U.S. Treasury the total balance of budgetary resources
           from invalid grants. (Final action target date is June 30, 2012; reported in ARCATS
           as recommendation 2N.)

      2.l. Update its funds control plans, adding procedures to ensure that any unexpended
           obligation portfolios are excluded from the open obligation review and for
           accurately documenting the entire accounting process and responsibilities. (Final
           action target date is December 30, 2011; reported in ARCATS as recommendation
           2O.)


      2.m. Develop procedures to periodically evaluate HUD’s program financial activities and
           operations to ensure that current accounting policies are sufficient and appropriate
           and to ensure that they are properly carried out by the program and accounting staff.
           (Final action target date is December 30, 2011; reported in ARCATS as
           recommendation 2Q.)

With respect to the significant deficiency that CPD needs to improve its oversight of grantees,
we recommend that CPD:

     3.a. Review the status of each of its homeless assistance contracts that make up the $97.8
          million OIG identified as excess funding and recapture excess funds for expired

                                               81
           contracts, which have not been granted extensions. (Final action target date is
           February 2, 2012; reported in ARCATS as recommendation 4A.)

     3.b. Implement the guidance as instructed in the new HOME FACTS regarding activities
          that are over 12 months old with no funds disbursed; these activities will be
          automatically cancelled by HUD and the funds uncommitted. (Final action target
          date is May 31, 2011; reported in ARCATS as recommendation 4D. 55)

     3.c. Establish internal control procedures or internal regulations that require field offices
          to perform follow-up measures for participating jurisdictions (PJ) with slow-moving
          projects on an annual basis, including contacting the PJs and requiring the PJs to
          respond with an action plan for disbursing the unused funds on slow-moving projects.
          (Final action target date is February 29, 2012; reported in ARCATS as
          recommendation 4E.)

     3.d. Investigate the progress of the 350 stalled activities with funding dates 2005 and prior
          wherein the percentage of amounts drawn on the activity was 50 percent or less with
          a remaining undrawn amount $27.5 million and recapture those amounts in which the
          activity can be cancelled. (Final action target date is October 14, 2011; reported in
          ARCATS as recommendation 4F. 55)

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that OCFO:

     4.a   Enhance the low-rent funds control plans to verify that the legislation changes are
           incorporated; ensure that the accounting treatment and policies employed are
           appropriate; and include the OCFO accounting and reporting staff in the review of the
           classification, disclosure, and presentation of programmatic accounting information.
           (Final action target date is December 30, 2011; reported in ARCATS as
           recommendation 5A.)

     4.b Establish and implement procedures to ensure accuracy and completeness of ARRA
         funds control plans. (Final action target date is December 30, 2011; reported in
         ARCATS as recommendation 5B.)

     4.c   Conduct periodic reviews of the program offices’ compliance with requirements of
           the funds control plans. (Final action target date is December 30, 2011; reported in
           ARCATS as recommendation 5D.)

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that OCFO, in coordination with the appropriate program offices:

     4.d Develop and implement funds control plans for any program found to be without an
         up-to-date funds control plan. (Final action target date is December 30, 2011;
         reported in ARCATS as recommendation 5J.)



                                               82
With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in
coordination with the appropriate program offices:

     5.a   Complete required steps on the six known potential ADA issues and report those
           determined to be violations immediately to the President, Congress, and GAO as
           required by 31 U.S.C., and OMB Circular A-11. (Final action target date is
           December 30, 2011; reported in ARCATS as recommendation 6A.)

     5.b Investigate the potential ADA violation and other interagency agreements that were
         similarly executed. If the investigation determines that an ADA violation occurred,
         immediately report it to the President, Congress, and GAO as required by 31 U.S.C.,
         and OMB Circular A-11. (Final action target date is December 30, 2011; reported in
         ARCATS as recommendation 6B.)

     5.c   Develop or. where appropriate. modify and implement measures to prevent future
           potential ADA violations resulting from contracts funded over multiple fiscal years.
           (Final action target date is December 30, 2011; reported in ARCATS as
           recommendation 6C.)

With respect to HUD’s noncompliance with the laws and regulations governing claims of the
U.S. Government, we recommend that the Office of Housing:

     6.a   Finalize and issue the draft notice regarding collection procedures for delinquent
           Section 202 loans. (Final action target date is September 25, 2011; reported in
           ARCATS as recommendation 7A. 55)

     6.b After issuance of the notice, ensure that the policy is effectively communicated to
         each applicable project manager and hub director nationwide. (Final action target
         date is September 25, 2011; reported in ARCATS as recommendation 7B.55)

     6.c   Ensure adherence to the notice by establishing internal controls to record activities to
           collect on delinquent loans. (Final action target date is October 14, 2011; reported in
           ARCATS as recommendation 7C. 55)

With respect to HUD’s noncompliance with the laws and regulations governing claims of the
U.S. Government, we recommend that the CFO:

     6.d Activate the delinquent debt reporting functionality to enable NLS to report HUD’s
         delinquent debt to credit bureaus and CAIVRS. (Final action target date is March 15,
         2012; reported in ARCATS as recommendation 7D.)

     6.e   Establish criteria to determine what delinquent debt should be subject to reporting.
           (Final action target date is March 15, 2012; reported in ARCATS as recommendation
           7E.)

     6.f   Based on the criteria established, identify delinquent debts and report those to credit

                                                83
           bureaus and CAIVRS as required. (Final section target date is March 15, 2012;
           reported in ARCATS as recommendation 7F.)

OIG Report Number 2010-FO-0003 (Fiscal Year 2009 Financial Statements)

With respect to the significant deficiency that the CPD needs to improve its oversight of
grantees, we recommend that CPD:

     7.a   Determine whether the $24.7 million in unexpended funds for the HOME program
           from fiscal years 2001 and earlier that are not spent in a timely manner should be
           recaptured and reallocated in next year’s formula allocation. (Final action target date
           is April 1, 2011; reported in ARCATS as recommendation 1E. 55)

     7.b Develop a policy for the HOME program that would track expenditure deadlines for
         funds reserved and committed to community housing development organizations and
         subgrantees separately. (Final action target date is September 30, 2011; reported in
         ARCATS as recommendation 1F. 55)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with the appropriate program
offices:

     8.a   Deobligate the $8.8 million in administrative and program unliquidated obligations
           that were marked for deobligation. (Final action target date is March 11, 2011;
           reported in ARCATS as recommendation 3A. 55)

     8.b Promptly perform contract closeout reviews and recapture of invalid obligations.
         (Final action target date is March 11, 2011; reported in ARCATS as recommendation
         3B. 55)

With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in
coordination with the appropriate program offices:

     9.a   Complete the investigations and determine whether ADA violations have occurred
           and if an ADA violation has occurred, immediately report to the President, Congress,
           and GAO. (Final action target date is March 11, 2011; reported in ARCATS as
           recommendation 5A. 55)

     9.b Report the six ADA violations immediately to the President, Congress, and GAO as
         required by 31 U.S.C. and OMB Circular A-11, upon receiving OCFO legal staff
         concurrence with the investigation results. (Final action target date is March 16,
         2011; reported in ARCATS as recommendation 5B. 55)




                                               84
Appendix C

Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions


This appendix provides details required under FFMIA reporting requirements. To meet those
requirements, we performed tests of compliance using the implementation guidance for FFMIA
issued by OMB and GAO’s Financial Audit Manual. The results of our tests disclosed that
HUD’s systems did not substantially comply with requirements. The details for our basis of
reporting substantial noncompliance, responsible parties, primary causes, and HUD’s intended
remedial actions are included in the following sections.

Federal Financial Management Systems Requirements
1. HUD’s annual assurance statement, issued pursuant to Section 4 of the Financial Manager’s
Integrity Act, will report three nonconforming systems.56

         The organizations responsible for systems that were found not to comply with the
         requirements of OMB Circular A-127 based on HUD’s assessments are as follows:

     Responsible office                                Number of systems     Nonconforming systems
     Office of Housing                                        18                        0
     Office of the Chief Financial Officer                    14                        0
     Office of Chief Human Capital Officer                     1                        1
     Office of the Chief Procurement Officer                   0                        2
     Office of Community Planning and Development              3                        0
     Office of Public and Indian Housing                       1                        0
     Government National Mortgage Association                  1                        0
     Totals                                                   38                        3



In fiscal year 2010 OIG reported that C04 – Integrated Disbursement & Information System
(IDIS) was noncompliant with the requirements of OMB Circular A-12757. Additionally, OIG
has determined that CPD’s financial management systems did not meet the computer system
requirements of OMB A-12758.



56
   The three nonconforming systems are (1) A35-HUD Procurement System, (2) P035-Small Purchase System, and
(3) D67A-Facilities Integrated Resources Management System,
57
   2011-FO-0003, Additional Details to Supplement Our Report on HUD’s fiscal years 2010 and 2009 Financial
Statements, Significant Deficiency 1: HUD Financial Management Systems Do Not Comply with the Federal
Financial Management Improvement Act (FFMIA) of 1996.
58
   Significant Deficiency1: HUD Financial Management Systems Do Not Fully Comply With Federal Financial
Management System Requirements – ―CPD’s Grants Management Systems are Not Compliant with Federal
Financial System Requirements‖.

                                                    85
The following section outlines HUD’s plan to correct noncompliance with OMB Circular A-127
as submitted to us as of September 30, 2011, and unedited by us.




                                            86
                     OFFICE OF THE CHIEF PROCURMENT OFFICER
                           REMEDIATION PLAN AS of 08/05/2011


                              A35 HUD Procurement Systems (HPS)
                                P035 Small Purchase System (SPS)
     Noncompliance Issue(s)                         Tasks/Steps                              Target       Actual
                                              (including Milestones)                       Completion   Completion
                                                                                             Dates        Dates
INTERNAL CONTROLS
                              Intermediate Resolution Plan

1. HUD’s Procurement          1A   Review transactions of the four contracting officers
   Systems Do Not Have             who input records in excess of their contract
   Adequate Controls for           authority and take actions as appropriate.
   Monitoring the                    OCPO researched the transactions in question to       12/23/2006   12/14/2006
   Procurement Process               determine if the obligations were appropriate or
                                     not.
                                     OCPO determined that the transactions were            3/31/2007    12/14/2006
                                     properly executed by contracting officers acting
                                     within their authority. No further action is
                                     necessary.
                              1B   Implement system controls to ensure that
                                   contracting officers are not able to exceed their
                                   procurement authority.
                                     The OCPO will implement procurement authority         3/31/2007    4/25/07
                                     control procedures.
                                     The OCPO will include validation of contracting       1/08/2007    1/08/2007
                                     officer authority as part of each Procurement                      On-Going
                                     Management Review.

                              1C   Implement controls to ensure that contracting
                                   officers are required to either input or approve all
                                   transactions that record funds through the
                                   HUDCAPS interfaces.                                     4/30/2007    4/25/2007
                                      The OCPO will implement procedural controls to
                                      require contracting officers to validate
                                      transactions in HPS.

                              1D   Modify the systems to make the contracting officer
                                   field mandatory.                                        4/30/2007    6/20/2008
                                      The OCPO will implement procedures for               Revised—
                                      electronic records, which are recorded in HPS, are   11/30/2008
                                      reviewed to ensure that a Contracting Officer is
                                      identified for each record.
                                      The OCPO will implement validation of the            1/8/2007     1/08/2007
                                      contracting officer identification as part of each                On-Going
                                      Procurement Management Review.
                                      (See 1B bullet 2 above. Validation of contracting
                                      authority is the same as implementation of task)

2.    HUD Procurement         2A      Ensure that system administration and security


                                                        87
  Noncompliance Issue(s)                                Tasks/Steps                               Target       Actual
                                                  (including Milestones)                        Completion   Completion
                                                                                                  Dates        Dates
Systems’ Separation of Duties             administration functions are separate
Controls Were Bypassed                       The OCPO will formally appoint separate            4/16/2007    05/01/2007
                                             individuals to act as security administrator
                                             and system administrator for each OCPO
                                             system and that the individuals will not be
                                             performing conflicting duties.

                                2B       Ensure that staff are not assigned conflicting
                                         duties, that separate functions are performed by
                                         separate individuals, and that the concept of least
                                         privilege is applied.
                                              OCPO will determine if multiple system
                                              profiles are actually a valid requirement on
                                              an individual basis in HPS. The goal is to
                                              eliminate all unnecessary and redundant
                                              profiles in HPS and that the individuals will
                                              not be performing conflicting duties.
                                              o The OCPO will Identify users with               2/15/2007    12/21/2006
                                                   multiple HPS profiles
                                              o The OCPO will deactivate                        07/31/2007   07/19/2007
                                                   unnecessary/redundant profiles
                                NOTE: While we can separate the duties procedurally, the
                                separation cannot be enforced in HPS or SPS without
                                reprogramming.

                                2C        Implement formal policies and procedures to
                                          recertify the access granted to users at least
                                          annually.
                                             The OCPO will develop and implement
                                             formal procedures for granting access by
                                             using the concept of least privilege to OCPO
                                             systems, as well as annual user access
                                             reviews by:
                                             o Revise system access request forms               1/31/2007    12/31/2006
                                             o Revise process in which user requests            2/28/2007    1/31/2007
                                                   system access
                                             o Revise procedure in which system                 3/31/2007    1/31/2007
                                                   access is granted
                                             o Develop formal procedure to enforce              06/30/2007   07/18/2007
                                                   annual user access review

                                2D        Create and implement routing functionality
                                          within the Small Purchase System to allow users
                                          to be granted access to more than one office or
                                          region.
                                              OCPO recommends implementing the
                                              following tasks to alleviate the routing issue.
                                              OCPO will determine if multiple SPS system
                                              profiles are actually a valid requirement on
                                              an individual basis. The goal is to eliminate
                                              all unnecessary and redundant profiles in
                                              SPS.


                                                            88
  Noncompliance Issue(s)                                Tasks/Steps                                  Target        Actual
                                                  (including Milestones)                           Completion   Completion
                                                                                                      Dates        Dates
                                              o     The OCPO will identify users with             2/15/2007     12/21/2006
                                                    multiple SPS profiles
                                               o The OCPO will restructure the issuing            11/30/2007    12/14/2007
                                                    office hierarchy to alleviate the necessity
                                                    of multiple profiles for a given user.
3. HUD’s Procurement              3A   Perform a cost benefit analysis to determine whether
   Systems Do Not Contain              it is more advantageous to modify or replace the
   Sufficient Financial Data to        procurement systems to ensure compliance with
   Allow It to Effectively             Joint Federal Management Improvement Program
   Manage and Monitor                  Requirements.
   Procurement Transactions               The OCPO will perform a cost benefit analysis to        05/31/2008    2/12/2008
                                          replace the OCPO systems.
                                  3B   Implement functionality to ensure that there is
                                       sufficient information within HUD’s procurement
                                       systems to support the primary acquisition functions
                                       of fund certification, obligation, deobligation,
                                       payment, and closeout.
                                              Based on the availability of funds, OCPO
                                              will replace its systems with COTS software
                                              to ensure identified issues with security
                                              controls are addressed.
                                              Milestones – Not later than
                                                   Develop Independent Government
                                                   Estimate                                       5/4/2007      05/03/2007
                                                   Conduct Market Research
                                                   Source Selection                               04/6/2007     04/06/2007
                                                                                                  7/31/2010     09/30/2010
                                                   Roll-out pilot of production system
                                                                                                  10/15/2011    TBD
SECURITY CONTROLS
4. The Office of the Chief        4A   Obtain the training and or resources necessary to
   Procurement Officer Did             develop or perform compliant (1) information
   Not Design or Implement             system categorization analyses; (2) risk
   Required Information                assessments; (3) security plans; (4) contingency
   Security Controls                   plans and tests; (5) monitoring processes, which
                                       include applicable Federal Information Processing
                                       Standards Publication 200 managerial, operational,
                                       and technical information security controls; and (6)
                                       evaluations of the managerial, operational, and
                                       technical security controls.
                                           OCPO will ensure that training or other
                                           resources are obtained to develop or perform
                                           required managerial, operational, and technical
                                           security controls.
                                              Update Risk Assessments                             12/31/2008    08/31/2007
                                              Update Security Plans                               12/31/2008    08/31/2007
                                                                                                  12/31/2008    12/13/2007
                                              Update Annual Contingency Plans and Tests
                                                                                                                On Going
                                              Monitoring processes, which includes                09/01/2008    08/29/2008
                                              applicable Federal Information Processing                         On Going
                                              Standards (FIPS) Publication 200 managerial,
                                              operational, and technical information

                                                             89
Noncompliance Issue(s)                         Tasks/Steps                             Target         Actual
                                         (including Milestones)                      Completion     Completion
                                                                                       Dates          Dates
                                    security controls; and

                                    The OCPO continues to work the OCIO to
                                    monitor the above mentioned areas on an
                                    annual basis through updates to the
                                    Contingency plans, Security Plans, and BIA.


                                    Evaluations of the managerial, operational,      09/01/2008     08/29/2008
                                    and technical security controls.                                On Going
                                    The OCPO continues to work the OCIO to
                                    evaluate the above mentioned areas on an
                                    annual basis.

                         4B   Complete the corrective actions for the known open
                              information security vulnerabilities or develop
                              mitigation strategies if new system development is
                              underway.
                                   OCPO will ensure it develops mitigation
                                   strategies for the known open information
                                   security vulnerabilities.
                                      Review vulnerabilities
                                                                                     11/30/2008
                                      NOTE: Vulnerability scans were requested
                                                                                     Requested an
                                      by OCPO 06/09/2010 through OIT and
                                                                                     Extension—
                                      security office – estimated scan date by
                                                                                     12/31/2009
                                      06/14/2010 – Received the scans on
                                                                                     7/31/2010      09/13/2010
                                      09/13/2010. Working with OITS to analyze
                                      the results


                                    Develop mitigation strategy
                                    NOTE: Upon completion of the scans,              09/13/2010     09/13/2010
                                    mitigating strategies will be developed for      See Note       On Going
                                    known vulnerabilities. Completion time is
                                    dependent on the number of vulnerability
                                    discovered



                         4C   Designate a manager to assume responsibility for
                              ensuring the Office of the Chief Procurement
                              Officer’s compliance with federal certification and
                              accreditation process requirements and to provide
                              ―continuous monitoring‖ of the office’s information
                              systems security.
                                   OCPO will designate a manager responsible for     1/15/2007      03/13/2007
                                   ensuring compliance with information systems
                                   security and federal certification and
                                   accreditation process.
                                   OCPO will work with OCIO to define roles and
                                   responsibilities and to ensure that appropriate   2/1/2007       2/1/2007


                                                  90
Noncompliance Issue(s)                        Tasks/Steps                             Target       Actual
                                        (including Milestones)                      Completion   Completion
                                                                                      Dates        Dates
                                  resources are provided to perform required
                                  monitoring and certification and accreditation.


                         4D   Reevaluate the HUD Procurement System and
                              Small Purchase System application systems’
                              security categorization in light of Office of
                              Management and Budget guidance on personally
                              identifiable information.
                                  OCPO will reevaluate the HUD Procurement          8/31/2007    8/31/2007
                                  System and Small Purchase System application
                                  systems’ security categorization in light of
                                  Office of Management and Budget guidance on
                                  personal identifiable information.

                         4E   Perform a business impact analysis for the
                              procurement systems. Based on the results of the
                              impact analysis, determine what actions HUD can
                              take to limit the amount of time needed to recover
                              from the various levels of contingencies that can
                              occur and include the determined actions in the
                              contingency plans for the systems.
                                   OCPO will develop a business impact analysis
                                   for the procurement systems and revise the
                                   contingency plan based on the BIA.
                                        Develop business impact analyses            4/30/2007    06/06/2007
                                        Incorporate BIA into contingency plans      9/30/2007    12/13/2007
                         5A   Implement the HUD Integrated Acquisition
                              Management System (HIAMS)
                                   Complete Requirements Document                   06/26/2009   07/15/2009
                                   Complete Statement of Work                       06/26/2009   07/15/2009
                                   Re-Issue RFI to receive comments on SOW and      12/18/2009   12/18/2009
                                   requirements
                                   Review comments from RFI and update SOW          01/31/2010   01/31/2010
                                   and requirements
                                   Issue solicitation                               02/01/2010
                                                                                    05/31/2010   06/02/2010
                                  Purchase software                                 07/31/2010
                                                                                    09/30/2010   09/27/2010
                                  Configuration of software                         12/31/2010   07/29/2011
                                    Configuration of the software has begun.        07/08/2011
                                    The complete configuration will be
                                    completed by October 2011 (FY 2012)
                                  Testing/Training/Implementation                   10/28/2011




                                                  91
                 OFFICE OF THE CHIEF HUMAN CAPITAL OFFICER
                        REMEDIATION PLAN AS of 09/30/2011

           D67A Facilities Integrated Resources Management System (FIRMS)
  Noncompliance Issue(s)                             Tasks/Steps                             Target         Actual
                                               (including Milestones)                      Completion     Completion
                                                                                             Dates          Dates
INTERNAL CONTROLS
OIG Audit Report #: 2010-     1A. Work with the Office of the Chief Information Officer    1/31/2011      Completed
F0-0004                       to develop and implement a system that would allow                          1/31/2011
Review of HUD's Property      OFMS to identify when equipment is purchased.
and Equipment, issued 8-17-            The Office of the Chief Information Officer had
10                                     developed and implemented the Automated
                                       Bankcard System for tracking government credit
Finding:                               card purchases. This system allows the Property
                                       Management Branch (PMB) to view purchases to
1. HUD lacked control over             determine accountability status. OCFS currently
   the acquisition of
                                       uses ANSWERS and provides a monthly report
   accountable equipment
                                       to PMB of all government credit card purchases
      .
                                       that are determined accountable.
                                                                                           October 2011
                              1B. Update and reissue the standard operating procedures
                              and HUD handbooks for reporting the purchases and lease
                              (when applicable) of equipment and implement a set of
                              standard operating procedures for users of purchase cards,
                              including procedures for but not limited to notifying
                              OFMS of the purchase and delivery/receipt of accountable
                              and sensitive equipment, so that the items can be recorded
                              and bar coded by OFMS.
                                       The SOPs have been updated and distributed to
                                       OCPO, OCIO, OCHCO Support Services, and
                                       OCFS. As of 3/21/2011 OCPO and OCIO have
                                       concurred with the revisions in the SOP and will
                                       begin implementation. Comments are
                                       forthcoming from OCHCO Support Services and
                                       OCFS for review and possible implementation.
OIG Audit Report #: 2010-     2A. Coordinate with the Office of the Chief Financial        TBD
F0-0004                       Officer, Office of the Chief Information Officer, and
Review of HUD's Property      Office of the Chief Procurement Officer to develop and
and Equipment, issued 8-17-   implement system interfaces, including but not limited to
10                            interfaces between FIRMS and the core financial system
                              and the acquisition system.
Finding:
                              2B. Develop and implement a process that can distinguish
2. HUD’s Property             between capitalized and expensed equipment in the            May 2010       Completed
   Management System Had                                                                                  May 2010
                              property management system.
   Weaknesses




                                                         92
  OFFICE OF THE COMMUNITY PLANNING AND DEVELOPMENT
              REMEDIATION PLAN AS of 10/25/2011


                  Integrated Disbursement and Information System (IDIS)
                     Disaster Recovery and Grant Reporting System (DRGR)
                                                  Tasks/Steps                          Target        Actual
Non-Compliance Issue(s)                     (including Milestones)                   Completion     Completio
                                                                                       Dates         n Dates
INTERNAL CONTROLS
OIG Audit Report #2011-FO-0003, Issued 11/15/2010

OIG Recommendations          Intermediate Resolution Plan
1A.Cease the changes being   For OIG Recommendations 1A, 1B, 1C, 1D, 2F
  made to IDIS for the       OIG is seeking a formal legal opinion from GAO
  HOME program related       regarding the use of FIFO. Upon CPD’s receipt of
  to the FIFO rules until    GAO’s legal opinion, CPD will begin preparing
  the cumulative effect of   appropriate revised management decisions for the
  using FIFO can be          recommendations and provide these revised proposed
  quantified on the          management decisions to OIG within 60 days of the
  financial statements.      receipt of the opinion. These proposals will include
                             new final action target dates (FATD) to complete any
1B. Change IDIS so that the actions in accordance with the legal opinion or a
  budget fiscal year source request for concurrent closure, should the
  is identified and attached Department’s position prevail.
  to each activity from the
  point of obligation to     CPD will begin preparing appropriate revised
  disbursement.              management decisions for recommendation 1A-D
                             and provide these revised proposed management
1C. Cease the use of FIFO    decisions to OIG within 60 days of the receipt of the
  to allocate funds (fund    opinion.
  activities) within IDIS
  and disburse grant         Planned Timetable:
  payments. Match outlays OIG submitted their formal request for legal opinion       5/17/11
  for activity               regarding the use of FIFO - 5/17/11;
  disbursements to the
  obligation and budget      GAO provides their legal opinion - 7/31/11- Date not    7/31/11
  fiscal source year in      met;                                                    OIG HAS
  which the obligation was                                                           not received
  incurred, and in addition,                                                         a response
  match the allocation of                                                            from GAO.
  funds (activity funding)
  to the budget fiscal year  CPD provides revised management decisions based         6/21/2012
  source of the obligation. on their interpretation of the legal opinion -
                             6/21/2012.
1D. Include as part of the
  annual CAPER, a
  reconciliation of HUD's
  grant management


                                                 93
                                                    Tasks/Steps                           Target        Actual
Non-Compliance Issue(s)                       (including Milestones)                    Completion     Completio
                                                                                          Dates         n Dates
  system, IDIS, to grantee
  financial accounting
  records on an individual
  annual grant basis, not
  cumulatively, for each
  annual grant awarded to
  the grantee.
OIG Audit Report #2011-FO-0003, Issued 11/15/2010
OIG Recommendations            For OIG Recommendation 2F
2F. For grantees which do      CPD will revisit the issue after GAO issues its
  not comply with              opinion to determine what impact if any that it has on
  program regulations, de-     Grant Reductions. OIG is seeking a formal legal
  obligate the funds related   opinion from GAO regarding the use of FIFO. Upon
  to the non-compliance        CPD’s receipt of GAO’s legal opinion, CPD will
  from the older applicable    begin preparing appropriate revised management
  grant award and not the      decisions for recommendations 1A, 1B, 1C, 1D and
  current available for        2F and provide these revised proposed management
  obligation awards.           decisions to OIG within 60 days of the receipt of the
                               opinion. These proposals will include new final
                               action target dates (FATD) to complete any actions
                               in accordance with the legal opinion or a request for
                               concurrent closure, should the Department’s position
                               prevail.

                               CPD will begin preparing appropriate revised
                               management decisions for recommendation 1A-D
                               and provide these revised proposed management
                               decisions to OIG within 60 days of the receipt of the
                               opinion.
                                                                                                       .
                               Planned Timetable:
                               OIG submits their formal request for legal opinion       5/17/11
                               regarding the use of FIFO - 5/17/11;
                               GAO provides their legal opinion - 7/31/11- Date not     7/31/11
                               met;                                                     OIG HAS
                                                                                        not received
                                                                                        a response
                                                                                        from GAO

                            CPD provides revised management decisions based             6/21/2012
                            on their interpretation of the legal opinion -
                            6/21/2012.
OIG Audit Report # 2009-DP-0007, Issued 9-30-2009
OIG Recommendations         Recommendation 1A                                           3/26/2010      3/26/2010
1A. Complete                Completed establishment of policies and procedures
  establishment of policies requiring that all access-related requests for HUD
  and procedures requiring employees be processed through CHAMP.

                                                   94
                                                    Tasks/Steps                           Target      Actual
Non-Compliance Issue(s)                       (including Milestones)                    Completion   Completio
                                                                                          Dates       n Dates
  that all access-related
  requests for HUD
  employees be processed
  through CHAMP
1B. Provide a listing of all   Recommendation 1B                                        3/26/2010    3/26/2010
  HUD employees with           Provided a listing of all HUD employees with access
  access to the DRGR           to the DRGR application and their access level to the
  application and their        Office of the Chief Information Officer, Office of
  access level to the Office   Information Technology Support Services, for
  of the Chief Information     recording in CHAMP.
  Officer, Office of
  Information Technology
  Support Services, for
  recording in CHAMP
1C. Establish rules of         Recommendation 1C                                        3/26/2010    8/1/2010
  behavior for each type of    Electronic acceptance of Rules of Behavior (ROB)
  DRGR user. Implement         in DRGR were included in Release 7.0 deployed
  policies and procedures      September 2, 2010. HUD has implemented a
  requiring users to           standard CIO and/or CPD rules of behavior forms
  complete and sign the        for DRGR as part of this release along with a time
  rules of behavior form       stamp for electronic signature of the ROB.
  when access is granted       Standard rules can be modified by user role, as
  and annually at              needed. Copies of the standard ROB are attached.
  recertification.
1D.Establish a formal          Recommendation 1D Established Prior to Release           3/26/2010    3/26/2010
  process for grantee users    7.0, DRGR had a formal process in place that
  requesting access to the     incorporates verifications of each grantee user both
  application. This            by HUD field staff and by the grantee’s own system
  process should include a     administrator by email. DRGR already required
  requirement that an          grantees to submit email requests to CPD field
  official from the            offices for verification and approval. DRGR also
  applicant’s organization     required that grantee system administrators
  authorize the request and    authorize each user’s access to each grant. Under
  the type of access           Release 7.0 deployed Sept. 2, 2010, DRGR now
  required.                    requires additional certifications within DRGR based
                               on user roles for new accounts. HUD headquarters
                               DRGR system administrators in CPD will certify CPD
                               field managers. CPD field managers will certify their
                               CPD field staff accounts in DRGR. CPD field staff will
                               certify grantee contacts and grantee system
                               administrators by email and within DRGR. Grantee
                               DRGR administrators will in turn certify other
                               grantee users. Copies of these screens are shown in
                               the attached summary of new functions under
                               Release 7.0.
1E. Implement a formal         Recommendation 1E Under Release 7.0                      3/26/2010    8/1/2010
user recertification process   deployed September 2, 2010, DRGR now requires
for all DRGR users.            additional semi-annual re-certifications within

                                                   95
                                                    Tasks/Steps                         Target      Actual
Non-Compliance Issue(s)                       (including Milestones)                  Completion   Completio
                                                                                        Dates       n Dates
                                DRGR based on user roles for new accounts. HUD
                                headquarters DRGR system administrators in CPD
                                will recertify CPD field managers. CPD field
                                managers will recertify their CPD field staff
                                accounts in DRGR. CPD field staff will recertify
                                grantee contacts and grantee system
                                administrators by email and within DRGR.
                                Grantee DRGR administrators will in turn
                                recertify other grantee users. Each user
                                authorized to certify other users may also
                                decertify users at any time, as needed. Copies of
                                these screens are shown in the attached summary
                                of new functions under Release 7.0.
2A. Work with its               Recommendation 2A                                      3/26/2010   8/1/2010
contractors to update           CPD and CIO have been working on updated
configuration management        configuration and contingency plans as part of its
and contingency plans.          ongoing system development and management efforts.
                                These plans are done by HUD staff rather than
                                contractors. This effort is targeted to be complete as
                                part of a summer 2010 release in production. All
                                updated plans from Release 6.5.3 are attached.
2B. Work with its               Recommendation 2B Work with its contractors            3/26/2010   3/26/2010
contractors to create system    to create system and user manuals for the
and user manuals for the        application.
application.
2C. Initiate testing of the     Recommendation 2C                                     3/26/2010    3/26/2010
application contingency         CPD and CIO have been working on updated
plan, once updated, and         configuration and contingency plans as part of its
procedures to ensure that       ongoing system development efforts. Updated
annual testing is completed.    documents from Release 6.5.3 are attached. CPD’s
                                System Development and Evaluation Division
                                (SDED) submitted a request in September of 2010
                                that DRGR be tested as a major system, but no test
                                has been scheduled yet.
2D. Review and revise the       Recommendation 2D CPD and CIO have been               3/26/2010    8/1/2010
risk assessment to include      working on updated configuration and
only controls that are active   contingency plans as part of its ongoing system
and in place.                   development efforts. Update of Risk Assessment
                                is scheduled for next release as part of Work
                                Request 2009-003a. Updated documents related
                                to Risk Assessments from Release 6.5.3 are
                                attached.
2E. Review and revise all       Recommendation 2EFunctional requirements              3/26/2010    8/1/2010
system documentation to         documents discussed during the audit are design
ensure that the information     documents intended to guide development for
is accurate and that only       system programmers. HUD will continue to work
valid information are

                                                   96
                                                  Tasks/Steps                        Target      Actual
Non-Compliance Issue(s)                     (including Milestones)                 Completion   Completio
                                                                                     Dates       n Dates
maintained within the          with contractors to ensure that official
document.                      documentation for the DRGR system includes only
                               accurate and valid information. CPD and OCIO
                               will continue to require contractors to update
                               functional requirements and other required
                               system documentation as changes are made to the
                               system. CPD and OCIO will continue to review
                               these documents with each new set of
                               enhancements. Updated functional requirement
                               documents from Release 6.5.3 are attached.
2F. Submit the revised         Recommendation 2F CPD and CIO have been             3/26/2010    3/26/2010
documentation to the           working on updated configuration and
authorizing official for use   contingency plans as part of its ongoing system
in the certification and       development efforts. All revised documentation
accreditation process.         for use in the C & A process was approved by CPD
                               in June of 2010. Updated materials related to
                               Release 6.5.3 are attached.
OIG Recommendations            Recommendation 3A CPD separated the duties          3/26/2010    3/26/2010
3A. Separate the duties of     of security administration and system
security administration and    administration for the DRGR application.
system administration for
the DRGR application.
3B. Remove the ability to      Recommendation 3B CPD will continue to              3/26/2010    9/15/2010
modify grantee data from       restrict HUD accounts that allow edits to grantee
HUD staff members that do      reporting data using the grantee simulator role.
not require it.                CPD has enforced DRGR controls that will not
                               permit any HUD super-users to alter any
                               drawdown data under DRGR Release 6.3 deployed
                               in January of 2009. Financial data of this nature
                               can only be directly altered by DRGR grantee
                               users that have been authorized by the grantee
                               and HUD field staff familiar with grantee
                               operations. The ability to edit grantee reporting
                               data on their behalf will remain restricted to a
                               very small number of HUD HQ users in order to
                               provide technical assistance for DRGR data entry
                               problems, as needed. HUD will continue to
                               document any such requests by email and will
                               issue a contractor work request to support the
                               creation of DRGR reports which track all data
                               edits performed using the grantee simulator. A
                               work request, including this item was approved
                               by GSA in August of 2010. Copies are attached.
3C. Take steps to fund the     Recommendation 3C CPD Took steps to fund the        3/26/2010    3/26/2010
use of the CPD contractor      use of the CPD contractor to perform the help
to perform the help desk       desk function for the DRGR application.


                                                 97
                                                  Tasks/Steps                      Target      Actual
Non-Compliance Issue(s)                     (including Milestones)               Completion   Completio
                                                                                   Dates       n Dates
function for the DRGR
application.
OIG Recommendations            Recommendation 4A CPD and OCIO will work          3/26/2010    8/1/2010
4A. Work with its              with contractor (CACI) to ensure computer
contractors to ensure that     processes, both internal and external to the
computer processes, both       system, are documented and tested in accordance
internal and external to the   with NIST 800-53. Updated functional
system, are documented         requirement documents from Release 6.5.3 are
and tested in accordance       attached.
with NIST SP 800-53,
which is incorporated in
HUD policy (HUD
Handbook 2400.25, REV-
2).
4B. Work with its              Recommendation 4B CPD and CIO will continue to    3/26/2010    8/1/2010
contractors to ensure that     work with contractors to ensure that official
tests of drawdown controls     documentation for the DRGR system includes only
and transaction processing     accurate and valid information. Updated
reports are performed as       functional requirement documents from Release
stated in the functional       6.5.3 are attached.
requirements
documentation or if other
controls are used, removes
stated controls not in use
from system
documentation.




                                                98
Appendix D


     SCHEDULE OF FUNDS TO BE PUT TO BETTER USE

                           Recommendation         Funds to be put
                               number             to better use 1/
                                   2.a.                $1.7M
                                   2.b.                $32M
                                   2.d.                $3.8M
                                   2.e.                $0.9M
                                   2.f.                $24M
                                   2.i.               $18.3M
                                   5.c.               $820M
                                   5.d.                 $1B
                                   7.b.              $471.8M



1/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an OIG recommendation is implemented. These amounts include
     reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by
     implementing recommended improvements, avoidance of unnecessary expenditures
     noted in preaward reviews, and any other savings that are specifically identified.




                                             99
Appendix E

             AUDITEE COMMENTS




                    100
101
102
Appendix F

                      OIG Evaluation of Agency Comments

HUD’s management generally disagrees with our presentation of the findings in this report.
While management only provided formal comments on 3 of the 7 Significant Deficiencies, they
non concurred on the significant deficiencies related to the noncompliance of financial
management systems with FFMIA; oversight and monitoring of subsidy calculations and the use
of HCVP and Operating Subsidy program funds; the need to improve administrative control of
funds. HUD was in general agreement with our presentation of the findings related to the need
to improve information security.

In regards to HUD management’s formal comments:

Emergency Home Loan Program
HUD disagreement with our reporting of the Emergency Home Loan Program relates to the
return of $472 million of unobligated funds. Due to delays in establishing the EHLP, HUD only
obligated $528 million of the $1 billion appropriated for the EHLP. The Dodd-Frank Act
specified a time period, October 1, 2010 to September 30, 2011 when emergency mortgage relief
payments could be obligated. Under current law, no additional loans can be made and additional
obligations can only be made for increases to existing loan amounts and administrative costs.
Therefore, HUD has no legal basis for retaining the remaining unobligated funds beyond the
stated needs We are recommending that HUD seek the authority from Congress to return to the
U.S. Treasury up to $472 million in funds not needed for potential upward adjustments to current
loan obligations and future administrative costs for the existing program.

Federal Financial Management Improvement Act of 1996
HUD’s disagreement on its non compliance with FFMIA has two components, HUD’s entity
wide integrated financial management system and CPD formula grant accounting.

 First, HUD continues to hold their long stated position, that while acknowledging deficiencies,
its entity wide integrated financial management system is compliant with FFMIA. HUD agrees
that their systems processes can be more efficiently integrated to eliminate the need for existing
compensating controls, nevertheless management feels the existing environment is substantially
compliant and not at material risk of misreporting. The deficiencies noted in HUD’s financial
management systems are due to the current financial system being developed prior to the
issuance of current requirements. The system is also technically obsolete, has inefficient multiple
batch processes, and requires labor-intensive manual reconciliations. Because of these
inefficiencies, HUD’s management systems are unable to routinely produce reliable, useful, and
timely financial information. This weakness manifests itself by limiting HUD’s capacity to
manage with timely and objective data, and thereby hampers its ability to effectively manage and
oversee its major programs. In addition, the Department has not met the minimum set of
automated information resource controls relating to Entity-wide Security Program Planning and
Management as required by FISMA and OMB Circular A-130 Appendix III.

                                               103
Second, HUD still believes that the CPD’s formula grant programs are compliant and that our
FFMIA noncompliance conclusion due to CPD grant accounting departures from U.S.GAAP and
weaknesses in internal controls over financial reporting do not fully take into account the nature
of block grants. We disagree with their assessment and believe that CPD formula grants need to
comply with budgetary controls and Federal financial management requirements related to the
matching of outlays to source of funds by appropriation year.

We will continue to work with HUD so that they can understand and correct the control
deficiencies in their grant management systems as well as remedy the accounting and financial
reporting non compliance issues related to CPD formula grants.

Erroneous Payments
In their response to this report, HUD takes exception to our methodology in calculating this
percentage. Our calculation differs from HUD’s because we excluded program expenditures for
Moving to Work PHAs not included in the universe for testing (in HUD’s Quality Control (QC)
Study and Income Match Study) and administrative fees.

We found that HUD calculated the projected gross error using the $32 billion total housing
assistance expenditures reported in the fiscal year 2010 financial statements. However, the $32
billion includes $6.2 billion in administrative fees and Moving to Work program subsidies. The
$6 billion is approximately the difference between the $32 billion that HUD reported in fiscal
year 2010 financial statements and the $26 billion in disbursements that we found to be
attributable to the quality control and income match studies.

The MTW PHAs transactions were removed from the population before the sample was selected,
and they were not part of the population when the error was projected. HUD was aware of their
removal from the population. Therefore, their inclusion in the total program payments to
calculate the improper payments errors can mislead the readers of HUD’s financial statements.

For the administrative expenses, a HUD official justified that these expenses paid to the
―program administrators are an integral part of the program payments.‖ However, the fiscal year
2010 QC study only tested the rental subsidies paid to the tenants; the administrative expenses
were not tested for improper payments. The fiscal year 2010 QC study population included ―all
projects and tenants.‖ Hence, the population consisted only of units occupied by the tenants. It
was the tenant files, selected by the contractor. that were reviewed, and tenants that were
interviewed not the administrators of the PHAs and/or owners of administered homes. As a
result, because the administrative money paid to the PHA administrators and/or owner
administered homes were not tested; the expenses should be excluded from the total program
payments.

As a result for fiscal year 2011, we are reporting the fiscal year 2010 improper payments
projections and errors without comparing the results to the previous years as this year’s result is
not comparable to the projections in the prior years.

We believe our method and calculations to be valid and accurate. We will continue to work with
HUD on this issue.
                                                104
Administrative Control of Funds
HUD also did not agree with the categorization of our observation that HUD Needs to Improve
Administrative Control of Funds as a significant deficiency. We take exception to HUD’s
position that the requirement for documenting controls over funds administration ends at the
point of obligation when compliance with the provisions of the Anti Deficiency Act is ensured.
Defects in HUD’s design and implementation of the administrative control of funds have been
identified and discussed with HUD since fiscal year 2005. Our justification for reporting this
issue as a significant deficiency this year was that (1) not all programs that incurred obligations
or disbursements had acceptable funds control plans and (2) the funds control plans were not
complete, accurate, updated and complied with by the program offices. Additionally, we noticed
that funds control plans were not always updated to reflect all program codes and did not always
include the correct appropriations. We also noted that the Office of the Chief Financial Officer
(OCFO) had not ensured the effective administrative control of funds process as required by
HUD’s Policies Handbook 1830.2. Incomplete implementation of administrative control of
funds has been a long-standing issue and has been previously reported since fiscal year 2005 in
our audit reports and management letters.




                                               105