Issue Date November 15, 2011 Audit Report Number 2012-FO-0003 TO: David Sidari, Acting Chief Financial Officer, F //s// FROM: Thomas R. McEnanly, Director, Financial Audits Division, GAF SUBJECT: Additional Details To Supplement Our Report on HUD’s Fiscal Years 2011 and 2010 Financial Statements HIGHLIGHTS What We Audited and Why We are required to annually audit the consolidated financial statements of the U.S. Department of Housing and Urban Development (HUD) in accordance with the Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal years 2011 and 2010 financial statements are included in HUD’s Fiscal Year 2011 Annual Financial Report. This report supplements our report on the results of our audit of HUD’s principal financial statements for the fiscal years ending September 30, 2011, and September 30, 2010. Also provided are assessments of HUD’s internal controls and our findings with respect to HUD’s compliance with applicable laws, regulations, and governmentwide policy requirements and provisions of contracts and grant agreements.1 In addition, we plan to issue a 1 Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included in this report but are included in the accounting firm of Clifton Gunderson LLP’s audit of FHA’s financial statements. That report has been published in our report, Audit of Federal Housing Administration Financial Statements for Fiscal Years 2011 and 2010 (2012-FO-0002, dated November 07, 2011). Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD component, are not included in this report but are included in the accounting firm of Clifton Gunderson LLP’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of Government National 1 letter to management on or before January 13, 2012, describing other issues of concern that came to our attention during the audit. What We Found In our opinion, HUD’s fiscal years 2011 and 2010 financial statements were fairly presented. Our opinion on HUD’s fiscal years 2011 and 2010 financial statements is reported in HUD’s Fiscal Year 2011 Agency Financial Report. The other auditors and our audit also disclosed the following ten significant deficiencies in internal controls related to the need to: Have financial management systems comply with Federal Financial Management System Requirements; Continue improvement in the processes for reviewing obligation balances; Ensure internal controls over Office of Community Planning and Development (CPD) grantees’ compliance with program requirements are operating effectively; Improve administrative control of funds; Continue improvements in the oversight and monitoring of subsidy calculations, intermediaries’ program performance, and use of Housing Choice Voucher program funds; Further strengthen controls over HUD’s computing environment; Improve personnel security practices for access to HUD’s critical financial systems; Improve compliance control to ensure the safety, completeness, and validity of collateral loan files; Strengthen internal control over risk-based issuer and document custodian reviews to improve the effectiveness of counterparty monitoring and oversight; and Effectively analyze and resolve identified information technology security control deficiencies. Our findings include the following five instances of noncompliance with applicable laws and regulations: HUD did not substantially comply with FFMIA regarding system requirements; HUD did not substantially comply with the Antideficiency Act; HUD did not substantially comply with laws and regulations governing claims of the United States Government; Mortgage Association Financial Statements for Fiscal Years 2011 and 2010 (2012-FO-0001), dated November 07, 2011) 2 FHA’s Mutual Mortgage Insurance Fund capitalization was not maintained at a minimum capital ratio of 2 percent, which is required under the Cranston-Gonzalez National Affordable Housing Act of 1990; and FHA did not substantially comply with the Federal Financial Management Improvement Act (FFMIA) regarding system limitations related to operational effectiveness and efficiency. In addition, our audit disclosed another matter, in which HUD did not obligate all of the funds appropriated for the Emergency Homeowners’ Loan Program. What We Recommend Most of the issues described in this report represent long-standing weaknesses. We understand that implementing sufficient change to mitigate these matters is a multiyear task due to the complexity of the issues, insufficient information, technology systems funding, and other impediments to change. In this and prior years’ audits of HUD’s financial statements, we have made recommendations to HUD’s management to address these issues. Our recommendations from the current audit, as well as those from prior years’ audits that remain open, are listed in appendix B of this report. The audit also identified $80.7 million in excess obligations recorded in HUD’s records. We are also recommending that HUD request a congressional recission of $471.8 million in funding originally appropriated for the Emergency Homeowners’ Loan Program but not obligated by the required obligation date. Lastly, we are recommending that HUD seek legislative authority to implement offsets of $820 million against public housing agencies’ (PHA) excess Section 8 funding held in net restricted assets accounts at the PHAs and $1 billion in the operating subsidy account. These amounts represent funds that HUD could put to better use. For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-4. Please furnish us copies of any correspondence or directives issued because of the audit. Auditee’s Response The complete text of the auditee’s response, along with our evaluation of that response, can be found in appendix E and F of this report. 3 TABLE OF CONTENTS Highlights 1 Internal Control 5 Compliance With Laws and Regulations 63 Other Matters 69 Appendixes A. Objectives, Scope, and Methodology 71 B. Recommendations 74 C. FFMIA Noncompliance, Responsible Program Offices, and Recommended 85 Remedial Actions D. Schedule of Funds To Be Put to Better Use 99 E. Agency Comments 100 F. OIG Evaluation of Agency Comments 103 4 INTERNAL CONTROL Significant Deficiency 1: HUD Financial Management Systems Did Not Fully Comply With Federal Financial Management System Requirements As reported in prior years, the U.S. Department of Housing and Urban Development’s (HUD) financial management systems did not fully comply with Federal financial management system requirements. HUD did not develop an adequate agencywide financial management systems plan. Additionally, HUD had not completed development of an adequate integrated financial management system. HUD’s financial systems, many of which were developed and implemented before the issue date of current standards, were not designed to perform or provide the range of financial and performance data currently required. The result is that HUD, on a departmentwide basis, did not have integrated financial management systems that complied with current Federal requirements or provided HUD the information needed to effectively manage its operations on a daily basis. This situation could negatively impact management’s ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency’s financial results, performance measures, and cost information. The Office of Community Planning and Development’s (CPD) grants management systems had weaknesses in internal control and were also noncompliant with Office of Management and Budget (OMB) A-127 Federal financial management systems requirements, Federal accounting standards, and application of the U.S. Standard General Ledger (USSGL) at the transactions level. This situation could negatively impact management’s ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency’s financial results, performance measures, and cost information. Agencywide Financial Management Systems Plan Did Not Meet Circular A-127 Requirements In fiscal year 2010, we performed an audit to assess HUD’s compliance with the requirements specified in OMB Circular A-127.2 We found that HUD did not comply with the requirements. The Office of Inspector General (OIG) reported in its fiscal year 2008 financial statement audit report that HUD had not performed the 2 Audit Report Number 2011-DP-0003, ―HUD Did Not Fully Comply With the Requirements of OMB Circular A- 127,‖ issued December 3, 2010 5 OMB Circular A-127-required reviews of its financial management systems for compliance with computer security and internal control guidelines. During our review in fiscal year 2010, we determined that HUD had not taken corrective action to address this weakness and ensure that A-127 compliance reviews were conducted. In October 2011, HUD’s Risk Management Division submitted a revised corrective action plan, which allowed the recommendation from the fiscal year 2008 financial statement audit to be closed. As part of our fiscal year 2011 audit, we determined that the agencywide financial management systems plan developed by the Chief Financial Officer (CFO) did not fully meet requirements of OMB Circular A-127. Although the plan developed for fiscal year 2011 contained headers or specific sections for each of the required pieces of information according to Circular A-127, the information included within the document was not sufficient. Specifically, the plan did not address (1) specific modifications or enhancements needed for each financial management system; (2) equipment acquisition information and details regarding system modifications, enhancements, etc., necessary to implement the targeted architecture for each financial management system; (3) cost estimation data related to each specific project; (4) information regarding each financial management system’s life cycle; (5) a projection of the reasonable useful life of each investment; (6) details regarding system upgrades required for each system; or (7) existing problems related to each of the financial management systems. As a result, the plan was not an effective management tool. Without future system enhancement and modification, resource allocation, budgeting, and funding information in its financial management system plans, HUD has no single document that can be used to ensure that agency spending and funding are in line with its business plan and goals. HUD Is Required To Implement a Compliant Financial Management System The Federal Financial Management Improvement Act of 1996 (FFMIA) requires, among other things, that HUD implement and maintain financial management systems that substantially comply with Federal financial management system requirements. The financial management system requirements include implementing information system security controls. The requirements are also included in OMB Circular A-127, ―Financial Management Systems.‖ Circular A- 127 defines a core financial system as an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events. It may be integrated through a common database or interfaced electronically to meet defined data and processing requirements. The core financial system is specifically used for collecting, processing, maintaining, 6 transmitting, and reporting data regarding financial events. Other uses include supporting financial planning, budgeting activities, and preparing financial statements. As in previous audits of HUD’s financial statements, in fiscal year 2011, there continued to be instances of noncompliance with Federal financial management system requirements. These instances of noncompliance have given rise to significant management challenges that have (1) impaired management’s ability to prepare financial statements and other financial information without extensive compensating procedures, (2) resulted in the lack of reliable, comprehensive managerial cost information on its activities and outputs, and (3) limited the availability of information to assist management in effectively managing operations on an ongoing basis. HUD's Financial Systems Were Not Adequate As reported in prior years, HUD did not have financial management systems that enabled it to generate and report the information needed to both prepare financial statements and manage operations on an ongoing basis accurately and in a timely manner. To prepare consolidated departmentwide financial statements, HUD required the Federal Housing Administration (FHA) and the Government National Mortgage Association (Ginnie Mae) to submit financial statement information on spreadsheet templates, which were loaded into a software application. In addition, all consolidating notes and supporting schedules had to be manually posted, verified, reconciled, and traced. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, HUD was compelled to rely on extensive compensating procedures that were costly, labor intensive, and not always efficient. Due to a lengthy HUD Integrated Financial Management Improvement Project (HIFMIP) procurement process and lack of funding for other financial application initiatives, there were no significant changes made in fiscal year 2011 to HUD’s financial management processes. As a result, the underlying system limitations identified in past years remained. Due to the functional limitations of the three applications (HUD Central Accounting Processing System (HUDCAPS), Line of Credit Control System (LOCCS), and Program Accounting System (PAS)) performing the core financial system function, HUD was dependent on its data mart and reporting tool to complete the accumulation and summarization of data needed for U.S. Department of the Treasury and OMB reporting. 7 HUD’s Financial Systems Did Not Provide Managerial Cost Data In fiscal year 2006, the U.S. Government Accountability Office (GAO) reported in GAO-06-1002R, Managerial Cost Accounting Practices, that HUD’s financial systems did not have the functionality to provide managerial cost accounting across its programs and activities. This lack of functionality resulted in the lack of reliable and comprehensive managerial cost information on its activities and outputs. HUD lacked an effective cost accounting system that was capable of tracking and reporting costs of HUD’s programs in a timely manner to assist in managing its daily operations. This condition rendered HUD unable to produce reliable cost-based performance information. HUD officials indicated that various cost allocation studies and resource management analyses were required to determine the cost of various activities needed for mandatory financial reporting. However, this information is widely distributed among a variety of information systems, which were not linked and, therefore, could not share data. This condition made the accumulation of cost information time consuming, labor intensive, untimely, and ultimately made that cost information not readily available. Budget, cost management, and performance measurement data were not integrated because HUD Did not interface its budget formulation system with its core financial system; Lacked the data and system feeds to automate a process to accumulate, allocate, and report costs of activities on a regular basis for financial reporting needs, as well as internal use in managing programs and activities; Did not have the capability to derive current full cost for use in the daily management of HUD operations; and Required an ongoing extensive quality initiative to ensure the accuracy of the cost aspects of its performance measures as they were derived from sources outside the core financial system. While HUD had modified its resource management application to enhance its cost and performance reporting for program offices and activities, the application did not use core financial system processed data as a source. Instead, HUD used a variety of applications, studies, and models to estimate the cost of its program management activities. One of these applications, TEAM/REAP, was designed for use in budget formulation and execution, strategic planning, organizational and management analyses, and ongoing management of staff resources. It was 8 enhanced to include an allocation module that added the capability to tie staff distribution to strategic objectives and HUD program offices’ management plans. Additionally, HUD had developed time codes and an associated activity for nearly all HUD program offices to allow automated cost allocation to the program office activity level. HUD indicated that the labor costs that would be allocated to these activities would be obtained from the HUD payroll service provider. However, because the cost information did not pass through the general ledger, current Federal financial management requirements were not met. Financial Systems Did Not Provide for Effective and Efficient Financial Management During fiscal year 2011, HUD’s financial information systems did not allow it to achieve its financial management goals in an effective and efficient manner in accordance with current Federal requirements. To perform core financial system functions, HUD depended on three major applications, in addition to a data warehouse and a report-writing tool. Two of the three applications that performed core financial system functions required significant management oversight and manual reconciliations to ensure accurate and complete information. HUD’s use of multiple applications to perform core financial system functions further complicated financial management and increased the cost and time expended. Extensive effort was required to manage and coordinate the processing of transactions to ensure the completeness and reliability of information. Additionally, the interface between the core financial system and HUD’s procurement system did not provide the required financial information. The procurement system interface with HUDCAPS did not contain data elements to support the payment and closeout processes. Also, the procurement system did not interface with LOCCS and PAS. Therefore, the processes of fund certification, obligation, deobligation, payment, and closeout of transactions that were paid out of the LOCCS system were all completed separately, within either PAS or LOCCS. This lack of compliance with Federal requirements impaired HUD’s ability to effectively monitor and manage its procurement actions. HUD’s Plans To Implement a Departmentwide Core Financial System Were Underway HUD’s plans to implement a commercial Federal certified core financial system and integrate the current core financial system into one departmentwide core financial system were underway. FHA and Ginnie Mae had implemented a 9 compatible and compliant system to support the transition to the enterprise core financial system. HUD originally planned to select a qualified shared service provider to host the enterprise system and integrate the three financial systems (HUD, FHA, and Ginnie Mae) into a single system by fiscal year 2015. Achieving integrated financial management for HUD would result in a reduction in the total number of systems maintained, provide online, real-time information for management decision making, enable HUD to participate in E-government initiatives, and align with HUD’s information technology modernization goals. HIFMIP, launched in fiscal year 2003, had been plagued by delays. HIFMIP was intended to modernize HUD’s financial management systems in accordance with a vision consistent with administration priorities, legislation, OMB directives, modern business practices, customer service, and technology. HUD believed that at some point, HIFMIP would encompass all of HUD’s financial systems, including those supporting FHA and Ginnie Mae. HUD had intended to begin the implementation in fiscal year 2006. Due to delays with the procurement process, however, the contract for HIFMIP was not awarded until September 2010. OMB reviewed HIFMIP and recommended that HUD give additional consideration to its (1) categorization of risk and mitigation strategies, (2) governance structure to ensure appropriate leadership is in place to support the project, and (3) funding strategy to give more time to assess whether the current approach is viable. As a result of OMB’s recommendations, HUD agreed to rescope HIFMIP to address only the department-level portion. Based on HUD’s agreement to rescope the project, OMB approved the 18-month base period. Additional approvals will be needed for the option periods associated with HIFMIP. The planned ―go live‖ date for the first phase of HIFMIP has been revised from March 2012 to May 2012. Until its core financial system is fully implemented, we believe the following weaknesses with HUD’s financial management systems will continue: HUD’s ability to prepare financial statements and other financial information will require extensive compensating procedures. HUD will have limited availability of information to assist management in effectively managing operations on an ongoing basis. CFO is Required to Ensure CPD Financial Management Systems Are Compliant with OMB A-127 With OMB A-127 The CFO is responsible for overseeing all financial management activities relating to the programs and operations of the agency and developing and maintaining an integrated agency accounting and financial management system, including financial reporting and internal controls, which complies with applicable 10 accounting principles, standards, and requirements, and internal control standards, as well as, any other requirements applicable to such standards. Additionally, the CFO is responsible for directing, managing and providing policy guidance and oversight of agency financial management personnel, activities, and operations, including the approval and management of agency financial management systems design or enhancement projects. A financial system is an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events.3 The core financial system is specifically used for collecting, processing, maintaining, transmitting, and reporting data regarding financial events. Any data transfers to the core financial system must be traceable to the transaction source, posted to the core financial system in accordance with applicable guidance from the Federal Accounting Standards Advisory Board (FASAB), and in the data format of the core financial system. A mixed system is an information system that can support both financial and nonfinancial functions. A financial management system includes the core financial systems and the financial portions of mixed systems necessary to support financial management, including automated and manual processes, procedures, and controls; data; hardware; software; and support personnel dedicated to the operation and maintenance of system functions. The following are examples of financial management systems: core financial systems, procurement systems, loan systems, grants systems, payroll systems, budget formulation systems, billing systems, and travel systems. The Integrated Disbursement Information System (IDIS) Online and the Disaster Recovery Grant Reporting (DRGR) systems are used by CPD to support both the financial and nonfinancial functions necessary for the management of CPD’s grant programs.4 The systems were developed to enable grantees to identify activities funded under their action plans, to include budgets; report accomplishments on the activities, which facilitate HUD’s reporting on performance goals; and report program income when applicable. To receive funding, these grantees must prepare a citizen participation plan, publish their proposed use of the funds, and submit an action plan to HUD. Once an action plan is submitted and approved, grantees can submit quarterly reports 3 A financial event is any activity having financial consequences to the Federal Government related to the receipt of appropriations or other financial resources; acquisition of goods or services; payments or collections; recognition of guarantees, benefits to be provided, or other potential liabilities; distribution of grants; or other reportable financial activities. 4 IDIS supports the four CPD formula grant programs: Community Development Block Grant (CDBG), HOME Investment Partnerships (HOME), Emergency Shelter Grants (ESG), and Housing Opportunities for Persons With AIDS (HOPWA) and the related American Recovery and Reinvestment Act programs: CDBG-Recovery, Tax Credit Assistance Payment (TCAP), and Homelessness Prevention and Rehabilitation Program (HPRP). DRGR supports the Disaster Recovery CDBG program and other special appropriations, such as the three rounds of funding of the Neighborhood Stabilization Program. 11 summarizing obligations, expenditures, drawdowns, and accomplishments for all of their CPD-funded activities. Annually, IDIS’s and DRGR’s compliance status, as determined by HUD, is reported in HUD’s Agency Financial Report. The financial portions of IDIS and DRGR, which store the transaction-level detail of the grant payments, are interfaced with HUD’s core financial systems.5 Additionally, IDIS and DRGR are the systems through which the grantees request funding from their grants and, thus, perform the payment management function for those grants. As a financial management system, CPD and CFO are responsible for ensuring IDIS and DRGR comply with the standards included within OMB A-127. Therefore, the transaction-level data, which are summarized, must be posted to the core financial statements using proper USSGL accounts and accounting standards, and the systems must comply with Federal financial management system requirements. Although the OIG has reported significant internal control deficiencies6 and has reported IDIS non-compliant with FFMIA, OMB A-127, and federal financial accounting standards in fiscal years 2009, 20107, and 2011, the system is still reported, by the CFO, as compliant in the Department’s Agency Financial Report. The system is reported as compliant by the Department without CFO’s review or research into OIG’s basis for determining IDIS as noncompliant. CPD’s Grants Management Systems Did Not Comply With Federal Financial System Requirements The Federal financial management system requirements consist of three parts: (1) computer security requirements, which are defined by the Federal Information Security Management Act (FISMA) and Circular A-130 or successor documents; (2) internal controls requirements, which are the internal control objectives of Circular A-123; and (3) core financial system requirements, which are defined by the Federal Systems Integration Office (FSIO). First, OIG has determined that CPD’s financial management systems did not meet the computer security requirements of A-127. As part of the fiscal year 2010 Federal Information System Controls Audit Manual (FISCAM) audit, OIG 5 The payment requests from the systems are interfaced with LOCCS, which feeds into HUD’s core financial systems and is used to disburse funds. LOCCS then passes the disbursement information to PAS and HUDCAPS, which are the accounting systems used to generate the financial statements. 6 Audit report number 2012-PH-0001, ―HUD Needed to Improve its Use of its Integrated Disbursement and Information System to Oversee its Community Development Block Grant Program,‖ issued October 31, 2011. 7 Audit Report number 2010-FO-0003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2009 and 2008 Financial Statements‖, issued November 16, 2009 and Audit Report number 2011-FO-0003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements‖, issued November 15, 2010. 12 determined that HUD did not ensure that adequate application controls for the IDIS Online system were properly put in place and operating effectively.8 OIG noted the following deficiencies within IDIS: (1) incompatible functions such as system administration and security administration were not adequately separated, and (2) there was no formal user recertification process to ensure that all users were properly recertified. These weaknesses existed because CPD designed IDIS with decentralized security without adequate controls in place to ensure that the overall security of the application remained within the control of HUD staff. By not separating incompatible system administration and security responsibilities and reviewing the continued appropriateness of access to the financial systems, HUD increased its risk that sensitive financial data could be modified, disclosed, or misused or that erroneous or fraudulent transactions would be processed. The recommendations for the findings identified remained unimplemented. In an audit of DRGR during fiscal year 2011,9 OIG determined that the DRGR program office’s application security management program had weaknesses. Specifically, the DRGR system security documentation had not been updated to reflect current information about the system and its environment, and although the DRGR system had been classified as a mission-critical system, it was not tested during the most recent annual disaster recovery test. These conditions occurred because DRGR program officials failed to communicate with the Office of the Chief Information Officer (OCIO) to ensure that security controls of their system were adequate and their system documentation was up to date. As a result, the necessary security controls may not have been implemented. In addition, since the contingency plan had not been adequately tested, the effectiveness of the plan or the system’s readiness to deal with a potential disaster could not be determined. Control activities include policies, procedures, and mechanisms in place to help ensure that agency objectives are met and ensure that resource use is consistent with laws, regulations, and policies; resources are safeguarded against waste, loss, and misuse; and reliable data are obtained, maintained, and disclosed in reports. Internal controls also need to be in place over information systems, both general and application control. General control applies to all information systems such as the mainframe, network, and end-user environments and includes agencywide security program planning, management, control over data center operations, system software acquisition, and maintenance. Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data are valid and complete. Controls should be established at an application’s interfaces to verify inputs and outputs, such as edit checks. General and application controls over information systems are interrelated; both are needed to ensure complete and accurate information 8 Audit report number 2011-DP-0004 –―Fiscal Year 2010 FISCAM Report,‖ issued January 14, 2011 9 Audit report number 2011-DP-0008 – ―The Disaster Recovery Grant Reporting System That Maintained Recovery Act Information Had Application Security Control Deficiencies,‖ issued July 28, 2011 13 processing. Due to the rapid changes in information technology, controls must also adjust to remain effective. Secondly, CPD management did not maintain effective internal controls over financial reporting within the information systems. Our review found that DRGR did not have a sufficient data modification process in place to protect financial transaction data and audit trails from being overwritten. In addition, CPD did not maintain proper internal controls or adequate audit trails in IDIS to ensure that transactions were properly authorized and processed accurately and that the data were valid and complete to ensure that agency objectives were met; resource use was consistent with laws, regulations, and policies; and resources were safeguarded against waste, loss, and misuse. In both systems, the transaction- level data detailing how grantees used funding provided by HUD were not transferred to HUD’s core financial applications. The detailed financial transaction data were only maintained within the mixed systems; therefore, IDIS and DRGR were the financial management systems of record for these data, since only summary information was transferred and maintained in the core financial systems. However, OIG found that grantees were able to modify the detailed financial transactions within the systems, ultimately altering and in some cases, eroding audit trails without approval by CPD. In addition, IDIS’s design and implementation of adequate budget controls was deficient. Specifically, CPD allowed DRGR grantee users to modify voucher transactions (financial events or transactions) to reflect changes to program cost allocation information between activities (the allocation of funds drawn for specific activities). As a result, reconciliation between DRGR and HUD’s core financial applications was cumbersome and time consuming. The situation was further aggravated because (1) DRGR did not maintain the full voucher number for payment transactions recorded in LOCCS, (2) CPD allowed revision of all or part of the original distribution, (3) CPD did not require grantees to record a reason or justification for making the change within DRGR, (4) CPD allowed voucher modifications to be made until the grant was closed out, and (5) CPD did not require grantee users to obtain approval from HUD for each modification transaction.10 In addition, CPD did not adequately use IDIS to provide oversight of activities under its CDBG program. As a result, HUD was unaware of how grantees used almost $67 million that were provided to grantees to fund more than 1,300 activities that grantees later cancelled in IDIS. In addition, HUD lacked adequate oversight of almost $3 billion used to fund more than 20,000 long-standing11 open activities that grantees had reportedly not completed for up to 11 years. Further, IDIS did not support internal control activities to help ensure that agency 10 Notification of Finding and Recommendation - FISCAM-07, ―DRGR Does Not Have A Sufficient Process In Place to Protect Detailed Financial Transaction Data From Being Overwritten‖, Issued October 17, 2011 11 For purposes of this review, OIG defined a long-standing program activity as an activity that remained open for at least 5 years after it was funded through a grantee’s annual consolidated plan. 14 objectives were met and ensure that resources used were safeguarded against waste, loss, and misuse. 7 OIG also noted during the fiscal year 2011 audit that the IDIS system only stored the last update to any given activity record, which would make it difficult for CPD to provide oversight of activities, as well as obtain an adequate audit trail to determine whether resources were spent to achieve expected results. Without reliable and timely financial information, government managers have limited assurance that resources were spent to achieve expected results. In addition, the ability to evaluate program effectiveness and detect waste and inefficiency is diminished when audit trails are cumbersome, detailed information regarding transactions is not maintained, and approvals for data modifications are not required. Budget controls are part financial reporting and part compliance controls and provide reasonable assurance that budgetary transactions, such as obligations and outlays, are properly recorded, processed, and summarized to permit the preparation of the financial statements; primarily the statement of budgetary resources, in accordance with U.S. generally accepted accounting principles (GAAP). Budget controls are generally compliance controls in that they provide reasonable assurance that transactions are executed in accordance with laws governing the use of budget authority. In fiscal year 2009, we found that the design and implementation of adequate budget controls in IDIS were deficient as a result of CPD’s decision to charge grant disbursement drawdowns from the oldest budget fiscal year (BFY) appropriation funding source available at the time of drawdown without regard for the original source of funding for the corresponding obligation recorded. CPD refers to this practice as FIFO (first-in, first-out). This process results in a mismatching of obligations and outlays. We found the monetary impact of using FIFO and incorrectly mismatching BFY fund sources to be significant, with almost $44 billion of CPD’s formula program grants citing the mismatched BFY appropriation as a source of funds for disbursement since fiscal year 2002.12 Our review of the payment transaction history in IDIS indicated that beginning with fiscal years 2002 through October 13, 2011, approximately 4.5 billion payments were completed for a total of $72.4 billion, of which 57 percent, or 2.6 million payments, and approximately 61 percent, or $44 billion, did not match the source and use of funds. Thus, the funds disbursed for activities set up13 under a given grant’s BFY appropriation were disbursed from grants awarded with BFY appropriations before that grant year 12 This is the first year that all CPD formula grants were appropriated under a fixed-year treasury symbol and no longer received no-year annual appropriations. 13 For purposes of the analysis, ―set up‖ refers to the process of specifically identifying an activity under a specific BFY appropriation grant award and allocating estimated amounts expected to complete an activity in IDIS. Activities are the manner in which grantees further identify the source and use of funds and reconcile to their annual budget of their grant awards. 15 due to the FIFO process. For fiscal year 2011 alone, there were almost 226,000 payments totaling almost $4.1 billion which were mismatched. In addition, $55.7 million of disbursements made from fiscal year 2004 obligations during fiscal year 2011, from fiscal year 2004 obligations, did not match the source of funds, due to FIFO. These payments should have been disbursed from a fiscal year subsequent to 2004. If FIFO was not used and the payments were properly matched to the source of funds, in accordance with the National Defense Authorization Act (NDAA) of 199114, the $55.7 million would have been returned to the U.S. Treasury at the end of fiscal year 2011. According to the grants’ funds control plans, the legal point of obligation is when an acceptable annual plan is submitted, establishing what should be the BFY projects and activities, and the assistance award or amendment is signed. The point of obligation using the BFY defines the source of funds and establishes the timeframes for suballocation, expenditures, and when the funds are returned to the U.S. Treasury if not expended. This process is in accordance with GAO’s Title 2,15 which recognizes that the accounting for a Federal assistance award begins with the execution of an agreement or the approval of an application in which the amount and purposes of the grant, the performance periods, the obligations of the parties to the award, and other terms are established. The execution of these obligation agreements initiates a financial transaction and requires CPD to record an obligation in its financial accounting records, and to identify a related BFY source of funding for the agreement in accordance with Federal budgetary accounting laws and GAAP. This source BFY, which is identified at the point of obligation and at the initiation of the financial transaction event, is required by budgetary internal controls to remain constant and be identified with each use of the funds by the grantee. This is especially necessary for recording related financial transactions and the event of the obligation established. The logic used by IDIS and CPD to select the source of funds, rather than properly identifying and matching the source and use of funds, demonstrates an internal control deficiency. CPD’s definition of ―source of funds‖ takes into account the source of funding being only that of either a State grantee or entitlement grantee and the type of money (program income versus entitlement grant funds, etc.). It disregards the Federal budgetary fiscal year source of funds. CPD describes how FIFO is applied in a procurement document in the following manner: 14 The National Defense Authorization Act of 1991 (Public Law 101-510, November 5, 1990) established rules governing the availability of appropriations for expenditure. This legislation mandates that on September 30th of the fifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall be closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and thereafter shall not be available for obligation or expenditure for any purpose. 15 Accounting Principles, Standards and Requirements; Title 2 Standards Not Superseded by FASAB Issuances, from GAO Policy and Procedures Manual for Guidance of Federal Agencies 16 The FIFO technique is applied to funds having the same grant program, source of funds, recipient of funds, and type of funds. The grant year is used to order the funds from oldest year to newest year. When a grantee commits funds to an activity (by funding an activity using the activity funding function), the funds are committed from the oldest funds having the same source of funds, recipient of funds, and type of funds. The grantee is unaware of the year from which the funds are committed. Similarly, when a grantee draws funds, the funds are drawn from the oldest funds having the same source of funds, recipient of funds, and type of funds. At issue is CPD’s and IDIS’s treatment of the source of grant funds. Based on our review and discussion with CPD staff, we found that CPD used a different meaning and application technique for source of funds depending on what action was taken. At the point of obligation, a BFY appropriation source year was used to obligate the funds to a State or entitlement grantee. When an activity was established and funded, CPD would match the State or entitlement grantee source and type of funding and may have used the oldest BFY appropriation source of funds to allocate funds for the estimated costs for the activity. At disbursement, CPD and IDIS would match the State or entitlement grantee source and type of funding and use the oldest BFY appropriation source of funds to disburse funding to pay for an activity. While a grantee’s program year may not line up with a Federal fiscal year due to when agreements are signed, the achievements, projects, and activity costs recorded in the IDIS Online system must be reconcilable with the BFY appropriation source year in which the funding was approved. Arbitrarily liquidating the funding from the oldest available BFY appropriation source for the fund type associated with the activity is not in line with budgetary internal controls requirements. As noted in CPD’s definition and application of FIFO, the BFY appropriation was not considered except as identification for the source of funds. CPD described the BFY as the grant year, and its only purpose was to order the funds from oldest to newest. CPD’s position of mingling all of the grant year (BFY appropriation) funds together and simply ordering them from oldest to newest and using FIFO is based on its belief that the purpose of block grants is to provide the grantees a great deal of flexibility in managing their projects. While this may have been the simplest way to manage grants at the start of the programs, which was before FASAB, budget controls, the NDAA, and other recently implemented Federal financial management acts, it ignores how FIFO affects these aspects of financial reporting and is also noncompliant with Federal financial reporting requirements. 17 During the fiscal year 2009 audit, OIG identified programmatic issues, which resulted in the accumulation of undisbursed funds for the HOME program16. However, during fiscal year 2010, CPD did not review the old Community Housing Development Organizations (CHDO) and subgrantee commitments to determine whether a use for the funding existed, and if not, whether de-obligation of funds was warranted, and CPD did not develop a policy to track CHDOs and subgrantees expenditures separately, as agreed. Instead, CPD decided to modify IDIS to implement ‖Financial Control Enhancements‖, which CPD believes will resolve the risk of HOME grantees losing project funds due to idiosyncratic accounting rules in IDIS Online. CPD stated the changes would alter the way the system currently operates under limited FIFO functionality for HOME, and results in the system drawing newer money before older funds, unintentionally leaving pockets of older funds that become subject to recapture – even if the funds are reserved to organizations or committed to projects. These modifications, also known as "true-FIFO" would no longer be challenged by the recipient of funds for CHDOs and subgrantees and will only be challenged by the source and type of funds in the HOME program by the participating jurisdiction. OIG has previously communicated that the modifications to IDIS are inappropriate and coupled with the internal control deficiencies previously cited, would further erode CPD’s ability to monitor actual performance by its participating jurisdictions and CHDOs. As the CFO is responsible for the approval and management of agency financial management systems design or enhancement projects, OIG recommended HUD to suspend work on this task immediately until a review of how appropriate compliant business processes can be integrated into IDIS’s programming was conducted. However, CPD has disregarded OIG’s position, and has committed $1 million of HUD’s Transformation Initiative toward implementing these changes, which are in direct contradiction to OIGs finding surrounding IDIS' non- compliance with the internal control objectives of federal financial management system requirements and federal accounting standards. Lastly, the applicable FSIO financial system requirements for the CPD financial systems are defined by the Grant Financial System Requirements, JFMIP-SR-00- 3 (June 2000). The Grant Financial System Requirements state that ―All grant financial systems must provide, as a minimum, the following qualities: Complete and accurate funds control; Complete, accurate, and prompt recording of obligations; Complete, accurate, and prompt payment of grantee payment requests; 16 OIG determined that these funds had accumulated due to poor performing Community Housing Development Organizations (CHDOs); subgrantees that were not expending funds timely; and the program’s cumulative accounting techniques. This is discussed further under Significant Deficiency 3: Office of Community Planning and Development's (CPD) Internal Controls over Monitoring Grantees’ Compliance with Program Requirements Were Not Operating Effectively. 18 Complete, accurate, and prompt generation and maintenance of grant financial records and transactions; Timely and efficient access to complete and accurate information, without extraneous material, to those internal and external to the agency who require the information; Timely and proper interaction of the grant financial system with core financial systems and other existing automated systems; and Adequate internal controls to ensure that the grant financial system is operating as intended. Payment requests require the following information in the request: Grantee name and identifier Amount requested Grantee official authorized to submit request Authorized grantee’s information Amount of funds authorized Amount approved Amount disallowed Program funding codes Appropriation code(s) In addition, the Financial Reporting Process Flow section of the Grant Financial System Requirements provides that ―sufficient and appropriate information must be maintained for reconciliation with the agency’s core financial system.‖ As noted above, IDIS did not maintain grant financial records and transactions, as grantees had the ability to change the details of financial records and transactions. The system maintained only a record of the last change and did not maintain an audit trail. In addition, during the payment request process in IDIS, the request did not include or require the appropriation code; hence, the system arbitrarily selected the oldest appropriation code (BFY) to use for the payment. CPD’s Grants Management Systems Did Not Comply With Federal Accounting Standards Agency financial management systems must maintain accounting data to permit reporting in accordance with Federal accounting standards and reporting requirements issued by the Director of OMB or the Secretary of the Treasury. Statement of Federal Financial Accounting Standards 4: Managerial Cost Accounting Standards states that cost assignments should be directly traceable to the original common data source. 19 Statement of Federal Financial Accounting Concepts 1: Objective of Federal Financial Reporting Standards states that financial reporting should assist in fulfilling the Government’s duty to be publicly accountable for funds raised through taxes and other means and for their expenditure in accordance with the appropriations laws that establish the Government’s budget for a particular fiscal year and related laws and regulations. Federal financial reporting should provide information that helps the reader to determine how information on the use of budgetary resources relates to information on the costs of program operations and whether information on the status of budgetary resources is consistent with other accounting information on assets and liabilities. As grantees can change the information used to provide the data used for performance reporting, the systems lack reliable and comprehensive managerial cost information on grantee activities and outputs. When grantees alter the detail of the accounting transactions and that information is in contrast to the information reported in the core financial systems and reported in the external financial reports, the information reported to external parties regarding the performance is not traceable to the common data source. This is especially true as the information has the ability to change across financial reporting periods without CPD’s knowledge. CPD lacked an effective cost accounting system that was capable of tracking and reporting costs of CPD’s programs in a timely manner to assist in managing its daily operations. This condition rendered HUD unable to produce reliable cost-based performance information. In addition, as the process of FIFO does not allow the costs of performing the grantee activities to be traceable to an original data source, the process of accumulating cost information was time consuming, labor intensive, untimely, and ultimately made that cost information not readily available. Without reliable and timely financial information, government managers have limited assurance that resources were spent to achieve expected results. In addition, the ability to evaluate program effectiveness and detect waste and inefficiency is diminished when audit trails are cumbersome, detailed information regarding transactions is not maintained, and approvals for data modifications are not required. HUD’s Uniform Administrative Requirements for Grants and Cooperative Agreements17 requires that grantee financial management systems provide for (1) accurate, current, and complete disclosure of the financial results of each federally sponsored project or program and (2) records that identify adequately the source and application of funds for federally sponsored activities. These records must contain information pertaining to Federal awards, authorizations, obligations, unobligated balances, assets, outlays, income and interest, and comparison of outlays with budget amounts for each award. Whenever appropriate, financial information should be related to performance and unit cost data and accounting records including cost accounting records that are supported by source documentation. Accordingly, grantees, to be in compliance with U.S. GAAP as well as OMB and HUD requirements, are required to account for these grants on a 17 24 Code of Federal Regulations (CFR), Title 24, Part 84 and 85 20 BFY appropriation and grant-year basis and must identify the source and use of funds for all financial transactions and support cost accounting. However, as CPD has implemented the use of FIFO to arbitrarily record performance of financial transactions and allow grantees to alter the data related to cost accounting, their financial management systems are not capable of functioning at the same level they require their grantee’s financial management systems. CPD’s Grants Management Systems Did Not Comply With the U.S. General Ledger at the Transaction Level Financial events shall be recorded applying the requirements of the USSGL. Application of the USSGL at the transaction level means that each time an approved transaction is recorded in the system, it will generate appropriate general ledger accounts for posting the transaction according to the rules defined in the USSGL guidance. OIG noted during our review of DRGR, that when grantees altered the voucher transactions in the system, as voucher transactions are approved financial transactions, it altered the supporting detail of the financial transaction and did not generate the appropriate general ledger accounts for posting the transaction in accordance with USSGL at the transaction level. In addition, as noted above, during the payment request process in IDIS, the request did not include or require the appropriation code; hence, the system arbitrarily selected the oldest appropriation code (BFY) to use for the payment. It did not generate the correct appropriate general ledger accounts for posting the transaction according to the rules in the USSGL guidance, which requires outlays of obligations to be recorded against the obligation. 21 Significant Deficiency 2: HUD’s Processes for Reviewing Its Obligations Had Improved, but Deficiencies Still Existed HUD had made progress over the past several years in improving its processes for reviewing its outstanding obligations and recapturing amounts no longer needed to fund them. However, deficiencies still existed that allowed invalid obligations to remain in HUD’s accounting records. This condition occurred because of a lack of resources and inadequate procedures. This has been a long-standing weakness. In fiscal year 2011, HUD’S CFO coordinated a review of unliquidated obligations to determine whether the obligations should be continued, reduced, or canceled. The review encompassed all of HUD’s unliquidated obligations except those for the Section 8 project-based and tenant-based moderate rehabilitation programs and Sections 235 and 236 interest reduction and rental assistance and rent supplement programs, which were subjected to separate reviews led by the program offices. We evaluated HUD’s internal controls for monitoring obligated balances and found that HUD had continued its progress in implementing improved procedures and information systems. However, additional improvements are needed. Our review of the fiscal year 2011 yearend obligation balances showed that timely reviews and recaptures of unexpended obligations for the CPD Supportive Housing Program, Section 202 and 811 programs, and HUD’s administrative and other program obligations were not always performed. As a result, $38.5 million in excess funds had not been recaptured, which, however, is a significant improvement from past years. Our review also identified $100.6 million in unsupported obligations for predevelopment and low-rent development grants that had not been closed out, of which $76.6 million was identified in the prior year financial statement audit and remained open in fiscal year 2011. Lastly, our review identified $18.3 million obligated for 154 expired Housing Choice Voucher contracts. Administrative and Other Program Obligations Annually, the CFO forwards requests for obligation reviews to HUD’s administrative and program offices. The focus of the review is on administrative and program obligations that exceed threshold amounts established by the CFO. The thresholds are calculated so that if all obligations above the thresholds are reviewed, approximately 95 percent of HUD’s total open obligations will have been reviewed. For this year’s review, the thresholds were set at $23,000 for administrative obligations and $243,000 for program obligations. HUD identified 1,758 obligations with remaining balances totaling $65.3 million for deobligation. We tested the 1,758 obligations HUD identified to determine whether the associated $65.3 million had been deobligated in HUD’s accounting systems. We found that, as of September 30, 2011, a total of 93 obligations with remaining balances totaling $1.7 million had not been deobligated. HUD had initiated the process of closing these contracts, and the associated funding should be recaptured in fiscal year 2012. 22 Supportive Housing Program Contracts Our review of the obligation balances for the Office of Special Needs Assistance Programs (SNAPs) as of September 30, 2011, showed approximately $57.8 million in undisbursed obligations recorded for expired contracts for Supportive Housing Program contracts. These contracts expired on or before June 30, 2011. CPD’s funds control plan allows a 90-day closeout period for expired contracts. HUD regulations also state that HUD may authorize an extension for a recipient to complete the closeout process and liquidate all obligations incurred under the award. Field offices were responsible for reviewing the status of contracts and recommending that funds that have been obligated but not disbursed before the expiration of the contract be deobligated and included in the next notification of funding availability to be awarded to eligible grantees if they are deobligated during the unexpired phase of the budget authority.18 During the fiscal year 2010 audit, OIG identified $97.8 million in unexpended balances on expired contracts which had not been closed out during the 90-day period. Additionally, OIG reported that SNAPs did not have an effective system of internal controls with published control activities that included specific policies, procedures, and mechanisms in place to help ensure that grants were closed out and remaining balances recaptured, including appropriate documentation of extensions granted and follow-up efforts with the grantees. During fiscal year 2011, SNAPs documented policies and procedures to review contracts approaching expiration to determine actions to take before the contracts expired, as well as review procedures after contract expiration. As of September 30, 2011, SNAPs had reviewed the status of the $97.8 million identified in fiscal year 2010 audit and taken action to deobligate $77 million in unexpended balances on expired contracts. However, contracts that expired between July 1, 2010 and June 30, 2011 were not closed out during the 90-day period leaving an additional $32 million19 in unexpended balances on expired contracts as of September 30, 2011. 18 Period of availability for making disbursements: Under a general law, funds annual budget authority and multiyear budget authority may disburse during the first two phases of the life cycle of the budget authority. During the unexpired phase, the budget authority is available for incurring ―new‖ obligations. You may make ―new‖ grants or sign ―new‖ contracts during this phase, and you may make disbursements to liquidate the obligations. This phase lasts for a set number of years. Annual budget authority lasts for up to 1 fiscal year. Multiyear authority lasts for longer periods, currently from more than 1 fiscal year up to 15 fiscal years, and no-year authority lasts indefinitely. 19 SNAPs made efforts to deobligate $77 million, disbursed $1.7 million, and extended $1.2 million for a total of $79.9 million, leaving $17.9 million. As of September 30, 2011, SNAPs had identified an additional $7.9 million for a total of $25.8 million in undisbursed balances on grants which expired before June 30, 2010. The $25.8 million and the $32 million which expired between July 1, 2010, and June 30, 2011 result in the $57.8 million in undisbursed balances as of September 30, 2011. 23 Due to the extensive backlog of expired contracts that expired before December 31, 2010, SNAPs’ efforts were focused on deobligating the old balances and did not concentrate effort and resources to the contracts that were expiring during fiscal year 2011. SNAPs acknowledged that it would have to refocus and ensure that it becomes current with the review process. Excess funding on the $32 million from expired contracts identified during this year’s audit can be included in the next Continuum of Care competition, as announced in the notice of funding availability, and redistributed to eligible grantees. The excess funds should be recaptured and used to further accomplish the objectives of the program, which are to reduce the incidence of homelessness in Continuum of Care communities by assisting homeless individuals and families in moving to self-sufficiency and permanent housing. Supportive Housing for the Elderly and Disabled - Sections 202 and 811 Programs HUD’s Sections 202 and 811 programs provide affordable housing and supportive services for elderly families and families with disabilities. These programs provide capital advances to private nonprofit organizations to finance the construction of new facilities or the acquisition or rehabilitation of existing facilities. The capital advance is interest free and does not have to be repaid if the housing remains available for very low-income elderly or disabled families for at least 40 years. After the facility has been constructed and occupied, HUD provides additional project rental assistance contract funds to owners to cover the difference between the HUD-approved operating cost for the project and the tenants’ contribution toward rents. Funds for the Section 202 and 811 programs are also used to provide service coordinator grants, technical assistance, and inspections. Generally, funds appropriated for Section 202 and 811 programs are available for 3 years. After 3 years, the funds expire and will not be available for obligation, thus necessitating the need to track funds obligated under the program. At the beginning of fiscal year 2011, the Sections 202 and 811 programs had unliquidated obligation balances of $3.1 billion and $838 million, respectively. We reviewed the PAS subsidiary ledger supporting the unliquidated obligations to determine whether unliquidated program obligations reported were valid and whether invalid obligations had been cancelled and recaptured in PAS. Our review identified 154 Section 202 and 811 projects with available obligation balances totaling $4.8 million that had either expired or were no longer needed. HUD had initiated the process of closing out these projects, and the associated funding should be recaptured during fiscal year 2012. Additionally, the Office of Housing Assistance and Grant Administration within HUD’s Office of Housing, is taking steps to improve the monitoring of the Section 202 and 811 unliquidated 24 obligations, including issuing instructions to the Hubs and Program Center Directors to perform reviews on a semiannual basis, providing them with copies of the updated funds control plans, and working with CFO Systems staff to ensure expiration dates are entered for all Section 202 and 811 projects. Public Housing Predevelopment Grant Programs HUD’s Office of Public Housing Investments, within the Office of Public and Indian Housing (PIH), administers the Public Housing Capital Fund and development grant programs which provides public housing agencies with funds for development, financing, modernization, and management improvements. As of April 2011, the Office of Public Housing Investments grants subsidiary ledger contained 8,160 unliquidated obligations with remaining balances totaling $3.9 billion. Our review of the Capital Funds unliquidated obligations focused on 170 grants funded with appropriations received before the enactment of the Quality Housing Work and Responsibility Act of 1998. The obligations for these grants were coded in HUD’s general ledger with fund codes that indicated the funds’ source year as fiscal year 1996 or earlier. Additionally, the obligations were recorded under program codes for predevelopment, development, and technical assistance activities in HUD’s grants management and disbursement system, LOCCS. Our fiscal year 2011 review identified 34 grants with remaining obligated balances totaling $24 million that should have been closed out. Of these, 16 with remaining balances totaling $12.8 million were predevelopment grants that had been left on the books after the grant activities had been completed. There were no cumulative disbursement records in LOCCS for these 16 predevelopment grants. These grants had been transferred from an older system to LOCCS, and there was no audit trail so the current balance could be verified. OIG Audit Report 97-SF-107-0001 reported similar problems with the transfer of low-rent development grants in 1996. We also followed up on the status of the $174 million in invalid obligations for 434 grants from PIH’s low rent program that were recommended for recapture in our report on HUD’s fiscal year 2010 financial statements. As of September 2011, there was $76.6 million obligated for 132 grants that had not been recaptured. HUD’s final action target date for the recapture of these funds is June 30, 2012. The invalid obligations for the predevelopment grants and the low rent program grant remained on HUD’s books because PIH did not have a program office or division responsible for administering them. There was also a lack of adequate 25 procedures for the review of the remaining balances obligated for these grants. This condition led to difficulties in closing out the 132 remaining grants from our fiscal year 2010 audit recommendation as the PIH field offices had not been able to provide the documentation necessary for the grant closeouts and recapture of remaining balances. Last year, we recommended that the CFO develop desk procedures and perform reconciliations to ensure that the unpaid obligations subsidiary records for program grants accurately supports the general ledger balances. We reviewed the CFO reconciliation of the unpaid obligations for appropriation 0304 as of September 30, 2011. We noted that one grant for $2.3 million was repeated in two portfolios and used twice to support the balance. Also, we noted a $2 million reconciling item labeled ―Non-PAS Program‖ that was unsupported at the end of audit field work. Lastly, the $76.6 million from the low rent program portfolio containing invalid public housing grants that we identified and reported last year was used to support the general ledger balance. HUD’s CFO relied on PIH to review and certify the validity of its program obligations; however, it had no procedures in place to monitor or verify the accuracy and completeness of PIH’s unpaid obligations review. This condition led to an overstatement of HUD’s obligation balance by $100.6 million. Section 8 Housing Choice Voucher Contract Renewals Obligations Starting January 1, 2005, Congress changed the basis of the tenant-based Section 8 Housing Choice Voucher program funding from a ―unit-based‖ process to a ―budget-based‖ process that limits the Federal funding to a fixed amount. Under this legislation, HUD distributes Federal funding using a formula based on the prior 12 months reported by housing agencies. HUD disbursed on a monthly basis 1/12 of the annual funding allocated to the PHA, leaving no balance of unpaid obligations after the 12-month period. As of March 2011, the program’s subsidiary ledger had a total of 7,740 unpaid obligation contracts totaling $3.1 billion, which supported the program general ledger unpaid obligation accounts that had accumulated since fiscal year 2005. The data showed 1,123 contracts totaling $52 million in unpaid obligations that were expired as far back as fiscal year 2005. We tested 40 obligation contracts totaling $31 million (60 percent) and found that all were expired according to the terms of their funding notification letters. At least 14 contracts amounting to $14 million related to Moving to Work Demonstration program (MTW) PHAs and 19 contracts amounting to $6 million related to regular Section 8 PHAs should be have been deobligated years ago. 26 PIH justifications for retaining MTW PHAs’ contracts obligated were not substantiated by the MTW program director, whom was unaware about the funds obligation status. This lack of communication among the PIH offices regarding the status of obligations in the Section 8 program affected HUD’s ability to maintain accurate accounting records. As of a result of our review, HUD’s Financial Management Center (FMC) proposed to process recaptures for the $14 million MTW PHA contracts and the $6 million for other remaining contracts but had not fully completed the process at yearend. As of September 2011, we noted 154 expired contracts (including MTW PHAs) totaling $18.3 million that should have been deobligated. In regard to regular Section 8 Housing Choice Voucher program expired contracts, we attribute this condition to PIH management’s terminating the reviewing of program obligations, believing that obligated contracts were fully disbursed, leaving no unpaid obligated balance after implementing the Section 8 budget-based funding methodology in 2005. Nevertheless, our review showed obligated contracts that had expired with outstanding balances that should be deobligated. 27 Significant Deficiency 3: Office of Community Planning and Development’s Internal Controls Over Monitoring Grantees’ Compliance With Program Requirements Were Not Operating Effectively CPD seeks to develop viable communities by promoting integrated approaches that provide decent housing and a suitable living environment and expand economic opportunities for low- and moderate-income persons. The primary means toward this end is the development of partnerships among all levels of government and the private sector, including for-profit and nonprofit organizations. To carry out its mission, CPD uses a mixture of competitive and formula-based grants. OMB Circular A-123, Management’s Responsibility for Internal Controls, requires that management, and ultimately HUD’s program offices implement an effective system of internal controls to ensure that grantees for which funds are provided meet their goals and objectives and carry out the program in accordance with program requirements. These responsibilities include developing and maintaining internal control activities that comply with standards to meet the three objectives of internal control: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. In carrying out its internal control responsibility of grantee oversight, management is responsible for assessing the risk of grantee noncompliance with program regulations and developing control activities which collect and distribute timely and relevant information to those charged with making informed decisions. Control procedures developed should be clearly communicated, be written, provide an audit trail, and be located where they can be obtained by those carrying out the activities. Proper design of control activities is important, as is the collection and dissemination of timely and relevant information. However, effective use and proper analysis of the information collected to facilitate timely follow-up on grantee deficiencies noted is equally important. Moreover, monitoring and evaluating the effectiveness of control procedures is critical to ensure correction of internal control deficiencies before they materially affect the achievement of the program’s and the organization’s objectives and goals. Based upon our review of CPD’s programs and internal controls implemented to monitor grantee compliance with program regulations, we noted control deficiencies regarding the programs’ timely action and follow-up with noncompliant grantees, as well as inadequate procedures to identify noncompliant grantees. The combination of the control deficiencies noted during our audit have adversely affected the organization’s ability to meet its internal control objectives, which are to not only determine grantee compliance with applicable laws and regulations, but to also identify deficiencies in a timely manner and design and implement corrective actions to improve or reinforce program participant performance. 28 Subgrantees and Community Housing Development Organizations for the HOME Program Did Not Always Expend Grantee Funds in a Timely Manner Our review of the HOME program found $16.3 million in unexpended grants funded with no-year expiration funds and dated from 1992 through 2001; $9.9 million of the $16.3 million was uncommitted as of September 30, 2011. These no-year funds had accumulated due to (1) poorly performing community housing development organizations (CHDO) and subgrantees of the participating jurisdictions that did not expend funds in a timely manner, (2) a cumulative accounting process which allowed poor performance to go undetected, and (3) a recapture policy for noncompliant participating jurisdictions that recaptured funds from a current funding source. The $16.3 million in HOME grant funds were not used to expand the supply of decent, safe, sanitary, and affordable housing for low- and very low-income families. In addition, our review showed $2.6 million in unexpended fiscal year 2004 HOME funds and $1.7 million in uncommitted funds. These funds, due to provisions of the NDAA, were cancelled and remitted to the U.S. Treasury by the Department on September 30, 2011. Table 1 Fiscal Year Available To Available To Commit Draw 1992 $40,324 $62,270 1993 357,438 655,751 1994 640,551 1,730,511 1995 911,566 1,340,591 1996 981,750 2,000,826 1997 578,613 945,841 1998 1,749,007 2,325,634 1999 1,557,579 1,882,625 2000 869,221 1,696,771 2001 2,288,614 3,707,930 Subtotal 9,974,663 16,348,750 2004 1,707,640 2,574,731 Grand Total $11,682,303 $18,923,481 Current HOME program regulations state that funds not expended in a timely manner can be reallocated in the next year’s formula allocation to further the 29 mission of the program. It is the field offices’ responsibility to ensure that funds from fiscal years 2001 and earlier that were not spent in a timely manner were recaptured and used in the next year’s formula allocation. HOME program regulations did not penalize or highlight poorly performing grantees, subgrantees, or CHDOs for two reasons. First, CHDO subgranted or reserved funds and other subgranted funds were held to the 5-year disbursement deadline, but it was the participating jurisdiction that was ultimately responsible for meeting the disbursement deadline. Therefore, compliance was monitored at the participating jurisdiction’s level. To that end, if a CHDO or subgrantee did not draw down funds or complete projects in a timely manner, it could be masked by other well-performing or over-performing CHDOs, subgrantees, or the participating jurisdiction itself. In addition, it appears that the large number of subgrantees and CHDOs per participating jurisdiction within the HOME program and lack of field office staff made it difficult for the field offices to sufficiently monitor the status of subgranted funds. Second, the commitment, reservation, and disbursement deadlines were determined on an aggregate or cumulative basis versus a grant-year basis. This condition created a situation in which older funds remained available for drawdown because compliance with the disbursement deadline was determined cumulatively. Therefore, if a grantee was not performing as it should or not spending funds to complete its projects, the cumulative program requirements allowed a grantee’s poor performance for 1 grant year to remain undetected. As noted above, $11.6 million in funds was uncommitted. The cumulative process allowed these funds to remain uncommitted for almost 20 years, while the participating jurisdiction remained compliant with the regulations during the compliance reviews. In addition, if participating jurisdictions were found to be noncompliant, the recapture process deobligated funds from current multiyear funding sources and not the older no-year expiration funds, which also remained as obligated balances. As part of the fiscal year 2011 audit, OIG recalculated Jacksonville – Duval County’s 2008 commitments based upon the commitments made only between the date of the 2008 grant award and its October 31, 2010, deadline date. OIG determined that, based upon only applying the commitments made toward the participating jurisdiction’s 2008 planned budget and actual commitments signed during that 2-year period, the participating jurisdiction did not commit 100 percent of its 2008 grant before the deadline and was short of the 100 percent requirement by $464,715. Additionally, OIG reviewed the De Kalb County participating jurisdiction and determined that it fell short of committing $391,298 before its June 30, 2011, deadline for its fiscal year 2009 grant. However, based upon HUD’s cumulative technique, which allows the inclusion of commitments 30 for grants awarded prior to and subsequent to the grant year, neither participating jurisdiction was considered to be non-compliant. During the fiscal year 2009 audit,20 OIG recommended that CPD ensure that field offices encourage participating jurisdictions to review the expiring funds report, as well as the performance of CHDOs and subgrantees, to determine whether the unused funds should be deobligated. We also recommended that CPD develop a policy that would track expenditure deadlines for funds reserved and committed to CHDOs and subgrantees separately. However, as part of the fiscal year 2010 audit, CPD informed OIG that to rectify this problem and in response to our recommendations, it contracted with an independent company to modify IDIS21 so that one CHDO’s or subgrantee’s funds under one participating jurisdiction could be used by another in the event of untimely use of funds by another CHDO or subgrantee. CPD calls this process ―true-FIFO.‖ CPD officials stated this process will keep unused funds from being ―held‖ to one CHDO. HUD estimated that the proposed change in IDIS would result in the drawdown of grant funds on a true-FIFO basis and would eliminate the fiscal years 1992-2001 HOME grant balances in less than 1 fiscal year. The project was expected to have been implemented by December 31, 2010. OIG communicated to CPD that the implementation of ―true-FIFO‖ modifications to IDIS were inappropriate and would further erode CPD’s ability to monitor actual performance by its participating jurisdictions and CHDOs and sufficiently manage its grant funds and recommended that CPD suspend work pending completion of a review of how appropriate compliant business processes could be integrated into IDIS’s programming. CPD has delayed implementing the system changes until further instruction from Management due to OIG's concerns. At the conclusion of the fiscal year 2011 audit, the recommendations from OIG from the 2009 and 2010 audit had not been implemented, and $18.9 million remained undisbursed. OIG maintains its position that the modifications prevent CPD from sufficiently managing its grant funds and, thus, should be suspended. 20 Audit Report number 2010-FO-003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements‖, issued November 15, 2010‖, Subgrantees and Community Housing Development Organizations for the HOME Program Do Not Always Expend Grant Funds in a Timely Manner, identified $24.7 million in undisbursed HOME funds on grants from 1992 through 2001. 21 As a nationwide database, IDIS provides HUD with current information regarding the program activities underway across the Nation, including funding data. HUD uses this information to report to Congress and to monitor grantees. IDIS is the drawdown and reporting system for the four CPD formula grant programs: CDBG, HOME, ESG, and HOPWA and Recovery Act programs: CDBG-R, TCAP, and HPRP. The system allows grantees to request their grant funding from HUD and report on what is accomplished with these funds. 31 Completed Projects for the HOME Program Were Not Always Closed Out in IDIS in a Timely Manner A review of the HOME program open activities report,22 dated September 30, 2011, showed 6,994 of 21,121 open activities (33 percent), in which the participating jurisdiction had made its final draw but the activity was still listed on the report. Thus, these projects were not closed in the system, although all funds had been drawn. HOME program regulations required participating jurisdictions to enter project completion information into IDIS within 120 days of making a final draw for a project. A similar finding was reported by OIG during the fiscal years 2009 and 2010 audits.23 The report also showed 307 activities which were funded between April 2000 and September 2010 that had a funded and remaining amount of $63.9 million, as no draws had been made against the activities since they were initially funded. The report further showed 190 activities funded between 1999 and 2009 wherein the percentage of amounts drawn on the activity was 50 percent or less. These activities had incurred no drawndowns on the funds since 2009 and had balances of $24 million still available for draw. Table 2 Number Funding Amount of year remaining activities 2000 $14,803 2 2004 40,000 1 2007 3,459,218 5 2008 2,084,863 8 2009 7,431,133 21 2010 50,932,456 270 Total $63,962,473 307 22 The open activities report is issued monthly and used by CPD field offices and participating jurisdictions within the HOME program to review open activities in IDIS. Open activities are those that have not been closed in the system. 23 Audit Report number 2010-FO-003, ―Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements‖, issued November 15, 2010‖, Completed Projects for the HOME Program Not Always Closed Out in IDIS in a Timely Manner, identified 5,972 of 29,216 projects (20 percent), in which the participating jurisdiction had made its final draw but the activity was still listed on the August 31, 2009, open activities report. 32 Table 3 Number Funding Amount Of Year Remaining Activities 1999 $3,614 1 2000 116,264 2 2001 1,011,025 6 2002 462,728 9 2003 563,849 6 2004 1,358,092 10 2005 729,547 13 2006 1,739,786 25 2007 6,976,759 35 2008 8,315,926 56 2009 2,764,160 27 Total $24,041,748 190 The open activities report also allows participating jurisdictions to view activities that have been open for several years with little or no HOME funds drawn. Field offices can use this report as a desk-monitoring tool to view each participating jurisdiction’s open activities in need of completion or possibly cancellation in IDIS. If the report indicates that funds have not been drawn for an extended period, the field office can use the report to follow up with the participating jurisdiction to determine the reason for the slow progress on the project and whether it should be cancelled. However, it appeared that the field offices were not using the open activities report to follow up with participating jurisdictions on slow-moving projects listed on the report. It also appeared that participating jurisdictions were not using the report as a reference to determine projects that should be cancelled or closed in IDIS. The report was created to alleviate the widespread problem of participating jurisdictions not entering project completion data into IDIS in a timely manner. A similar finding was reported by OIG concerning HUD’s needs to improve efforts to require participating jurisdictions to cancel HOME fund balances for open activities.24 As a response to the OIG findings, HOME published a new HOME FACTS policy (HOME FACTS - Vol. 3 No. 1, June, 2010). The HOME FACTS announces and explains the change in HUD’s treatment of HOME activities with commitments in the IDIS that are more than 12 months old with no funds disbursed being automatically cancelled within the system. Additionally, HUD reported that it would review the open activities report annually for stalled 24 Audit Report number 2009-AT-0001, ―HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of HOME Funds‖, issued September 28, 2009 33 activities and follow up on them until resolution. However, the HOME FACTS did not address participating jurisdictions entering completion data into IDIS in a timely manner, nor did it address a system of internal controls, wherein control activities would be established and implemented to ensure compliance and that instances of noncompliance would be communicated to management in a timely manner to effect change. During the fiscal year 2011 audit, OIG noted that effective January 1, 2011, activities were automatically cancelled by HUD. However, grantees were able to reinstate and open activities which were cancelled through HUD’s automated cancellation process; hence, the September 30, 2011, report showed 307 old activities funded before September 2010 which had not had any draws since they were funded with an open status. In addition, the annual review for stalled activities had not been implemented in a formal policy or completed. Projects which appeared to be stalled remained ―open‖. CPD also did not explain the cause for the stalled projects identified during fiscal year 2010 audit which remained stalled in fiscal year 2011. Participating jurisdictions that do not enter completion data in a timely manner are in violation of the HOME regulations. Failure to enter project completion data in IDIS negatively affects a participating jurisdiction’s score on several HOME performance SNAPSHOTS indicators, understating actual accomplishments and reducing the participating jurisdiction’s statewide and national overall rankings. The widespread failure of participating jurisdictions to enter completion and beneficiary data in a timely manner resulted nationally in underreporting of actual HOME program accomplishments to Congress and OMB and may negatively impact future funding for the program. Failure to cancel stalled or inactive activities in a timely manner leaves unused funds committed to activities and keeps them from being committed to new activities. Findings Cited During CPD’s Onsite Grantee Monitoring Were Not Followed Up and Closed in the Grants Management Process Information System in a Timely Manner A review of several key elements of the grantee monitoring process established under CPD’s Office of Field Management revealed that the CPD field offices, which are responsible for conducting monitoring reviews of CPD program grantees, did not always follow the CPD Monitoring Handbook or the annual risk assessment notice. The review also revealed that the Grants Management Process 34 (GMP) information system25 was not always updated to reflect the current status of the monitoring reviews. We reviewed the risk analyses performed in accordance with CPD Notice 09-04, Implementing Risk Analyses for Monitoring Community Planning and Development Grant Programs in FYs [fiscal years] 2010 and 2011, and the monitoring activities in accordance with the CPD Monitoring Handbook. For 20 of the 43 CPD field offices responsible for conducting the monitoring reviews, we reviewed a notification letter, a monitoring letter, and the field office’s annual work plan. We selected a sample of 24 individual grantees within each of the 20 field offices sampled and reviewed their individual work plans. Our review revealed that although the handbook requires it, (1) field offices did not always include an individual grantee monitoring strategy for a high-risk grantee or program, (2) one field office did not prepare an overall workplan for the fiscal year’s monitoring strategy, (3) one field office excluded a grantee from the risk analysis process, (4) field offices did not send a notification letter to the grantee more than 14 days before the monitoring, (5) monitoring report letters were sent to the grantee after the 60-day deadline, (6) required exhibits were not always used, and (7) a required finding was not issued. A similar finding was reported in the fiscal year 2010 audit management letter. As part of the fiscal year 2011 audit, we reviewed a sample of open findings identified during the fiscal years 2006 through 2010 onsite grantee monitoring reviews conducted by the CPD field offices. Our review revealed that although required by the handbook, (1) HUD reviewers in the field offices did not document follow-up with a program participant when it did not meet the established target date, (2) field offices did not always send an additional letter if the program participant was nonresponsive to the first reminder, and (3) field offices did not respond to the program participant within the 30-day requirement to communicate the status of their finding after review of the documentation submitted by the program participant to attempt to close the finding. We found that responses ranged between 22 and 883 days. The deadlines and responsibilities outlined in the CPD Monitoring Handbook provide an effective system of monitoring internal controls. They include providing timely and relevant information to those charged with making decisions as well as timely follow-up for deficiencies identified. However, all field offices had not implemented the internal controls outlined in the handbook, which led to properly designed controls being ineffective. Not following the handbook prohibits the field offices from indentifying instances of noncompliance and potential fraud, waste, and abuse by program participants and prohibits the grantees from rectifying deficiencies in a timely manner. 25 The GMP system is a computer-based information system that is used to provide a documented record of conclusions and results. 35 The Office of Affordable Housing Did Not Adequately Monitor Grantees of the Tax Credit Assistance Program or Document Their Compliance with OMB Regulations The Office of Affordable Housing Programs (OAHP) did not have adequate internal controls in place to monitor Tax Credit Assistance Program (TCAP) grantees for compliance with the program regulations or to ensure onsite monitoring of the $2.082 billion disbursed of the $2.244 billion in grants awarded. OAHP lacked staff, expertise, and funding to perform onsite monitoring reviews. Compliance with program regulations, Federal requirements, and completion of program goals were not monitored. Although the TCAP grant agreements require grantees to monitor the grant- supported activities to assure compliance with applicable Federal requirements and that performance goals were achieved as a term of the grant agreement, OAHP did not monitor grantees to ensure that they complied with the terms of the grant agreement. Additionally, TCAP was explicitly excluded from CPD’s annual risk analysis for determining which grantees would be selected for onsite monitoring, and no monitoring exhibits were developed for TCAP for onsite monitoring reviews. OAHP indicated during the program’s front-end risk assessment that OAHP lacked staff expertise in the low-income housing tax credit program, so monitoring for compliance was not feasible. Additionally, OAHP lacked the staffing, and since no administrative funds were appropriated in the TCAP legislation funding to administer and manage onsite monitoring of TCAP grantees, OAHP did not have the funds necessary to conduct the onsite monitoring. Instead, OAHP indicated that it would rely on the controls in place at outside entities; however, it did not ensure that the controls on which it relied were operating effectively. It would also perform limited procedures remotely and perform reviews of the Federal Audit Clearinghouse (FAC) for TCAP grantees with findings and follow up on the findings indentified in the A-133 single audit reports. However, there were no written procedures or policies in place to ensure that the review of the Clearinghouse took place and proper follow-up measures were completed in accordance with OMB Memorandum 10-14, Updated Guidance on the American Recovery and Reinvestment Act. In addition, evidence of OAHP’s review of the FAC and follow-up procedures for findings identified was not maintained, and OAHP did not demonstrate its compliance with OMB Memorandum 10-14 regarding Federal agencies’ requirements for review and action on the A-133 single audit reports. 36 OIG reviewed the FAC for TCAP A-133 single audit reports, which identified findings during the audit and identified seven TCAP grantees. However, OAHP was not able to provide OIG with documentation demonstrating that in accordance with OMB Memorandum 10-14, it had expeditiously reviewed and resolved the audit findings for the seven grantees within 6 months after the date on which the FAC showed filing status as complete. OAHP’s internal control procedures for monitoring TCAP grantees to determine whether they have performed monitoring procedures in accordance with the terms of the grant agreements have not been adequately developed, documented or implemented. In addition, OAHP has not adequately developed, documented or implemented internal controls procedures for reviewing and resolving audit findings identified in the OMB A-133 Single Audit Reports reported in the FAC, as required by OMB Memorandum 10-14. 37 Significant Deficiency 4: HUD Needs To Improve Administrative Control of Funds HUD needs to improve its accounting and administrative controls of funds to ensure that (1) all programs that incurred obligations or disbursements have acceptable funds control plans and (2) the funds control plans are complete, accurate, updated and complied with by the program offices. During our review, we identified a number of program codes that did not have funds control plans. Additionally, we noticed that funds control plans were not always updated to reflect all program codes and did not always include the correct appropriations. We also noted that the Office of the Chief Financial Officer (OCFO) had not ensured the effective administrative control of funds process as required by HUD’s Policies Handbook 1830.2. Incomplete implementation of administrative control of funds has been a long-standing issue and has been previously reported since fiscal year 2005 in our audit reports and management letters. Certain HUD Programs Were Operating Without Funds Control Plans and Funds Control Plans Were Not Complete and Accurate The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 provides that ―internal accounting and administrative controls of each executive agency shall be established to ensure (1) obligations and costs are in compliance with applicable law; (2) funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (3) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.‖ HUD’s Policies Handbook 1830.2 set forth the authorities and responsibilities to administer control of HUD’s funds. The handbook states that Congress has vested overall responsibility for establishing an effective administrative control of funds process with the OCFO. It provides the internal guidance for the preparation of the funds control plans to comply with the provisions of the Antideficiency Act (ADA) and FMFIA as well as the overall process for reviewing and approving the funds control plans. It states that before the CFO can issue an advice of allotment to an allotment holder, he or she must provide (1) certification of knowledge and acceptance of responsibility to assure that he or she has established and will properly execute a funds control plan that provides reasonable assurance that obligations and expenditures will not exceed the authorized limits of the funds allotted to him or her and (2) submission of an acceptable funds control plan. It also states that OCFO will conduct periodic reviews of compliance with funds control plans to ensure that adequate funds control is being applied in actual practice. 38 HUD has established a program code to account for and record the use of HUD’s funds at the detail transaction level. Each program code must have an acceptable funds control plan before it can incur the obligations and disburse the funds. One funds control plan can cover more than one program code. During our fiscal year 2011 internal controls review phase, we reviewed 242 program codes excluding the program codes associated with salaries and expenses funds. We identified 151 program codes, with the fiscal year 2011 disbursement total of $1.8 billion, that did not have funds control plans or the funds control plans were not complete and accurate as follows: Table 4 Fiscal Year 2011 Number Of Fiscal Year 2011 Program Incurred Program Disbursement Office Obligation Codes Amount Amount CPD 26 $119,714,525.00 $104,017,458.09 FHEO* 2 10,915,354.54 2,483,583.43 HSNG** 70 896,693,039.53 1,406,572,994.93 LBPA*** 2 3,034,169.98 1,207,549.77 PDR**** 4 0.00 3,026,965.49 PIH 45 157,391,136.28 251,498,961.10 SHC***** 2 101,607,851.69 4,626,566.88 Total 151 $1,289,356,077.02 $1,773,434,079.69 * FHEO = Office of Fair Housing and Equal Opportunity ** HSNG = Office of Housing *** LBPA = Office of Lead-Based Paint Abatement **** PDR = Office of Policy Development and Research ***** SHC = Self-Help Center Note: The numbers include total incurred obligation and disbursement for the full fiscal year. As a result of the missing or incomplete funds control plans, HUD did not adequately document its controls over approximately 2.6 percent of fiscal year 2011 obligations and 3.2 percent of fiscal year 2011 disbursements. Without this documentation, HUD management does not have the assurance needed that the policy, procedures, and systems in place can support the preparation of accounts and reliable financial and statistical reports and to maintain accountability fir the assets and ensure compliance with ADA and FMFIA. During our reconciliation with OCFO in August 2011, OCFO confirmed that 11 of 151 program codes did not have funds control plans because either (1) the programs were old (7 program codes), (2) the funds control plans had been in the draft status since 2009 (3 program codes), or (3) the funds control plan had not 39 been received by OCFO (1 program codes). We could not find any statements in HUD’s Policies Handbook 1830.2 that allow HUD to not control the funds for programs that are old or inactive. OCFO stated that the rest, 140 of 151 program codes, did have funds control plans but they were not complete and accurate since they did not contain any pertinent information concerning the subject program codes including the appropriation amounts. We reviewed 140 program codes for which OCFO claimed to have funds control plans and found that funds control plans for 9 of 140 program codes had additional inaccuracies. HUD had disbursed funds for these nine program codes to different appropriations than those stated in the funds control plans. Lacking a funds control plan for a specific program can cause confusion in administering the controls of the specific funds and increase the risk for fraud and ADA violations. HUD Needs To Ensure Compliance With Funds Control Plans HUD’s Policies Handbook 1830.2 states that OCFO will conduct periodic reviews of compliance with funds control plans to ensure that adequate funds control is applied in actual practice. At the end of fiscal year 2011, HUD had a total of 167 approved funds control plans as follows: Table 5 Number Of Funds Office Control Plans CPD 65 FHEO 5 HSNG 33 LBPA 5 PDR 6 PIH 50 SHC 3 Total 167 During the fiscal year, OCFO perform funds control compliance assessments for four offices: Office of Sustainable Housing and Communities (appropriation 0162), Public Housing Operating Subsidy (appropriation 0163), Asset Management Technical Assistance (appropriation 0163), and Office of Housing 40 Transformation Initiative – Technical Assistance (appropriation 0402). OCFO did not performed funds control compliance assessments for one-third of the approved funds control plans in fiscal year 2011 as provided by its management decision in response to the prior-year findings. As a result, it had not ensured the effective administrative control of funds process as required by HUD’s Policies Handbook 1830.2. 41 Significant Deficiency 5: Continued Improvements Over the Oversight and Monitoring of Subsidy Calculations, Intermediaries’ Performance, and Utilization of Housing Choice Voucher and Operating Subsidy Program Funds Are Needed Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds through various grant and subsidy programs to multifamily project owners (both nonprofit and for profit) and housing agencies. These intermediaries, acting for HUD, provide housing assistance to benefit primarily low-income household and individuals (families) that live in public housing, Section 8 and Section 202-811 assisted housing, and Native American housing. HUD spent $32 billion and $33 billion in FY 2010 and FY 2011 respectively to provide rent and operating subsidies that could benefit an estimated 5.38 million households. Since 1996, we have reported on weaknesses with the monitoring of the housing assistance program’s delivery and the verification of subsidy payments. We focused on the impact these weaknesses had on HUD’s ability to (1) ensure that intermediaries correctly calculated housing subsidies and (2) verified tenant income and billings for subsidies. During the past several years, HUD has made progress in correcting this deficiency. From fiscal years 2002 to 2009, PIH used comprehensive consolidated reviews to address PHAs’ improper payments and other high-risk elements. In fiscal year 2010, PIH discontinued the comprehensive consolidated reviews and focused most of its resources on the review of American Recovery and Reinvestment Act (ARRA) grants and other high-priority goals. In fiscal year 2010, HUD began implementing plans to comply with the Improper Payments Elimination and Recovery Act of 2010 (IPERA) and Presidential Executive Order 13520, Reducing Improper Payments issued in 2009. Additionally, in consultation with OMB, HUD developed six supplemental measures for PIH and four supplemental measures for the Office of Multifamily Housing to track and report on intermediaries’ efforts for addressing improper payments. HUD demonstrated improvements in its internal control structure to address the significant risk that HUD’s intermediaries did not properly carry out their responsibility to administer assisted housing programs in accordance with HUD requirements. HUD’s increased and improved monitoring resulted in a significant decline in improper payment estimates over the last several years. However, HUD needs to continue to place emphasis on its onsite monitoring and technical assistance to ensure that acceptable levels of performance and compliance are achieved and periodically assess the accuracy of intermediaries’ rent determinations, tenant income verifications, and billings. Tenant income is the primary factor affecting eligibility for housing assistance, the amount of assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy payment makes up the difference between 30 percent of a household’s adjusted income and the housing unit’s market rent or, under the Section 8 voucher program, a payment standard. The admission of a household to these rental assistance programs and the size of the subsidy the household receives depend directly on the household’s self-reported income. However, significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent determinations and undetected, unreported, or underreported income. By overpaying rent 42 subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds that could have been used to subsidize other eligible families in need of assistance. HUD’s Gross Estimate of Erroneous Payments Slightly Increased in Fiscal Year 2010 The estimate of erroneous payments that HUD reports in its Agency Financial Report (AFR) relates to HUD’s inability to ensure or verify the accuracy of subsidy payments being determined and paid to assisted households. This year’s contracted study of HUD’s three major assisted housing programs estimated that the rent determination errors made by the intermediaries and intentional underreporting of income by the tenants resulted in substantial subsidy overpayments and underpayments. The study was based on analyses of a statistical sample of tenant files, tenant interviews, and income verification data for activity that occurred during fiscal year 2010. From the HUD study, we determined the total gross error of $95926 million, which represents 3.6427 percent of the rental housing assistance program expenditures tested. We found that HUD reported in the AFR a gross error rate of 2.9 percent using the $32 billion total housing assistance expenditures reported in the fiscal year 2010 financial statements. However, the $32 billion includes $6 billion in administrative fees and Moving to Work program subsidies. The $6 billion is the difference between the more than $32 billion that HUD reported in fiscal year 2010 financial statements and the $26 billion in disbursements that we found to be attributable to the quality control and income match studies. Our calculation differs from HUD’s because we excluded program expenditures for Moving to Work PHAs that were not included in the universe for testing (in HUD’s Quality Control Study and Income Match Study) and administrative fees. For fiscal year 2011, we are reporting the 2010 improper payments projections and error without comparing the results to the previous years. The result this year is not comparable to the projections in the prior years. HUD continues to report a substantial amount of gross dollar erroneous payments in the rental housing assistance program. In fiscal year 2011, HUD reported in its AFR a combined gross improper payment estimate of $853 million in fiscal year 2010. These estimated gross improper payments exclude the $106 million in billing errors. Furthermore, in its fiscal year 2010 AFR, HUD did not report the administrator error, income reporting error, or billing error for the Public Housing 26 The $959 million is the sum of $650 million in administrative error plus $203 million income matching errors from the 2010 QC study plus $106 million billing errors not tested in fiscal year 2010 QC study. 27 The 3.64 percent is calculated by dividing $959 million by $26 billion of total rental assistance program expenditures tested by 2010 HUD’s quality control study. 43 rental assistance program. Additionally, HUD did not report the billing error for the Section 8 Voucher program.28 The three elements of the payment error estimates reported by HUD in fiscal years 2010 and 2009 are provided in detail below. Administrator error29 - This error represents the program administrators’ failure to properly apply income exclusions and deductions and correctly determine income, rent, and subsidy levels. HUD reported a slight increase from $649 million in estimated gross erroneous payments due to administrator error in fiscal year 2010 to $650 million in fiscal year 2011. Income reporting error30 - This error represents the tenant beneficiary’s failure to properly disclose all income sources and amounts upon which subsidies are determined. HUD reported $203 million in estimated gross erroneous payments in income reporting error in fiscal year 2011. This is a 6.7 percent decrease compared to prior-year estimates of $218 million. Billing error31 - This error represents errors in the billing and payment of subsidies between HUD and third-party program administrators, housing providers, or both. HUD did not conduct a billing study for fiscal year 2010. However, in FY 2011 HUD reported $106 million gross erroneous payments using data for fiscal year 2004 for public housing and fiscal year 2009 data for housing. Initiatives To Mitigate Risks That Contribute to Improper Payments Should Be Continued Effective January 31, 2010, HUD required all public housing agencies and owners and management agents to use the Enterprise Income Verification (EIV) systems 28 In FY 2007, HUD made structural changes in the Public Housing rental assistance program so that the Public Housing Operating Fund would be distributed by formula. According to HUD, this change effectively eliminated improper payments due to administrator, income reporting, or billing errors for the Public Housing rental assistance program because the effect of these errors would be borne by the PHA and HUD’s subsidy payment would remain unchanged. Starting in 2010, the Public Housing Operating Fund was no longer frozen; thus, HUD is reporting administrator, income reporting, and billing error for the current year. For the Section 8 Voucher program, HUD implemented budget-based funding in FY 2005, which eliminated billing errors in the program. 29 The $649 million estimate for the 2009 study does not include $130 million in administrator error for the public housing rental assistance program. The $650 million estimate for the 2010 study does not include $141 million in administrative error as well. 30 The $203M reported estimates in FY 2011 include the $80, $45, and $35 million, while $218M estimates reported in FY 2010 does not include $45 and $85 million in income reporting error for the Public Housing rental assistance program. 31 The estimate of billing error only covers the Office of Housing’s Section 8 multifamily project-based Section 202 project rental assistance projects (PRAC), Section 811 PRAC, and Section 202 project assistance contracts. HUD does not include the public housing rental assistance program or the Section 8 Housing Choice Voucher program in the study used to determine the estimated erroneous payments due to billing error. 44 to verify the identity, employment, and income of program participants to improve the eligibility and accuracy of income and rent determinations in the Rental Housing Assistance Program (RHAP). PIH and the Office of Housing have separate EIV systems, but they have similar designs according to HUD’s Office of Housing staff. The EIV systems are Web-based systems, which compile tenant income information and make it available online to HUD business partners to assist in determining accurate tenant income as part of the process of setting the rental subsidy. EIV matches tenant data against Social Security Administration information, including Social Security benefits and Supplemental Security Income, and with the U.S. Department of Health and Human Services National Directory of New Hires database, which provides information such as wages, unemployment benefits, and Internal Revenue Service form W-4 (―new hires‖) data, on behalf of PIH and multifamily housing programs. The EIV systems are available to PHAs nationwide and to owner-administered project-based assistance programs, and they are required to use the EIV systems in their day-to-day operations pursuant to 24 CFR (Code of Federal Regulations) 5.233. In response to Presidential Executive Order 13520, PIH established six supplemental measures to manage the risk from improper payments: (1) Public and Indian Housing Information Center (PIC) reporting rate, (2) EIV system access rate, (3) EIV system usage rate, (4) failed identity verification rate, (5) deceased single-member households, and (6) income discrepancy rate. Because PIH’s EIV system relies on tenant data from PIC, the PIC reporting rate is an important supplemental measure. The other five supplemental measures are based on reports from the EIV system and are potential risk factors for improper payments. In our fiscal year 2011 review of HUD’s supplemental measures for improper payments, we found that HUD generally complied with the IPERA requirements. By August 2011, PIH completed the development of the strategy to identify the most critical PHA’s that showed the most income discrepancies and the largest number of overdue tenant recertifications. Additionally, PIH was in the process of implementing the electronic notification process for these PHAs. The majority of administrator errors identified in the fiscal year 2010 quality control report occurred in the Section 8 Housing Choice Voucher program, which is reported on by HUD as part of its estimate of gross erroneous payments. Two major sources of administrator error identified by the report were overdue tenant recertification and verification errors. However, PIH had developed corrective actions to reduce the incidence of these two sources of error. In response to the Executive Order 13520, the Office of Multifamily Housing (Housing) established four supplemental measures to manage the risk from improper payments: (1) EIV access rate, (2) EIV usage rate, (3) failed identity verification rate, and (4) deceased single-member households. Housing derived the EIV access rate and EIV usage rate through ad hoc reports. However, an EIV access report and an EIV usage report were being developed, and the reports were expected to be available by April 2012. Unlike PIH, Housing’s supplemental measures did not track or report on income discrepancies at the 100 percent 45 threshold, as the tenant-income reporting error was one of the three major sources of error for improper payments. A recent OIG audit32 highlighted problems with Housing’s oversight and monitoring of Performance Based Contract Administrators (PBCA) due to insufficient staff and travel funds. Housing relies on the Management and Occupancy Reviews (MOR) conducted by the PBCAs to detect all three sources of error for improper payments. Since the recommendations proposed by OIG are still open for this audit, we cannot be certain that the issues elevated regarding Housing's staffing and its oversight of PBCAs have been resolved. Housing has been working on the development of the Integrated Subsidy Error Reduction System (iSERS), which would collect data on specific errors in rental subsidy calculations detected during MORs, but iSERS will not be operational until fiscal year 2013 at the earliest. HUD made substantial progress in taking steps to reduce erroneous payments. We are encouraged by the ongoing actions to focus on improving controls regarding income verification. However, as noted above, there are several areas in which HUD needs to improve. In addition, PIH needs to continue addressing administrator error through increased electronic remote and onsite monitoring as needed and ensure that correct income and allowance amounts are used in rent calculations. In the Office of Housing, there are insufficient staff and travel funds to provide adequate oversight and monitoring of PBCAs, making reliance on the MORs to detect erroneous payments by owners and management agents a questionable strategy. Until these problems are resolved, Office of Housing staff needs to review the EIV reports and MORs, following up with owners and management agents. Monitoring Public Housing Agencies’ Utilization of Section 8 Housing Choice Voucher Program Funds Has Improved The Section 8 Housing Choice Voucher program is HUD’s largest housing assistance program, with an annual appropriation of $18 billion, and provides assistance to around 2.1 million families. The annual appropriation acts require HUD to distribute the full amount of funding appropriated using a formula based on the housing agencies’ self-reported prior-year costs reported in the Voucher Management System (VMS). HUD expects PHAs to retain and use the funds provided in their entirety for authorized program activities and expenses within the time allowed. Program guidance states that any budgetary authority provided to PHAs that exceeds actual program expenses for the same period must be accounted for and maintained as restricted cash and made available for housing 32 Audit report number 2009-SE-0003, ―HUD’s Monitoring of the Performance-Based Contract Administrators Was Inadequate‖, issued September 1, 2009 46 assistance. Although these funds are retained by the PHA, HUD relies on the PHAs to hold excess budgetary authority in reserve and make funds available for serving more families. According to HUD’s monitoring systems, as of June 30, 2011, PHAs’ net restricted assets (NRA) accounts showed an estimated balance of $1.39 billion in excess funding. HUD’s monitoring of PHAs’ budgetary authority utilization is an essential internal control to provide accountability of program resources and ensure that excess funds are safeguarded and only used for authorized program activities. Accurate VMS cost data are essential to (1) correctly calculate the $18 billion in annual PHA budget allocations, (2) determine overutilization and underutilization of funds and excess budget authority available for unanticipated cost increases and budget offsets, and (3) evaluate PHAs’ performance in ensuring that the maximum numbers of families are served. In prior years, we recommended that HUD increase its monitoring efforts regarding the excess budget authority, seek legislative authority to annually offset excessive funding reserves, reconcile PHAs’ accounting with HUD-estimated funds to ensure that funds exist, and improve its onsite monitoring by including the confirmation of excess budget authority as part of the VMS reviews. Since fiscal year 2009, HUD has addressed our audit recommendation to reconcile the PHAs’ NRA account balances reported in the Real Estate Assessment Center’s (REAC) Financial Assessment Subsystem-Public Housing (FASS-PH) against the HUD-estimated NRA balances based on VMS expenditure data. During fiscal year 2010, the responsibility for completing the NRA reconciliations shifted from the FMC to the REAC FASS Team. The NRA estimation process had been improved as a result of the reconciliation initiative, and the use of audited financial data in FASS-PH and program data from VMS to support the NRA values. The resulting changes led to an increase in the recognized value of the NRA held by PHAs. According to a report relying only on VMS data, the total NRA held by PHAs as of December 31, 2009, was approximately $838 million. As a result of the reconciliation, that value was corrected and increased to nearly $1.1 billion. Additionally, HUD developed a Web tool for PHAs to use in projecting their future funding utilization and reserves balances. In an attempt to control the excessive NRA accumulation, HUD included language in its fiscal year 2011 congressional budget justification seeking authority to reduce the budget allocation to those PHAs holding reserves exceeding 6 percent of their annual budget. This legislation was not approved during the 2011 budget process. If the legislation had been approved, HUD would have obtained permanent authority to perform budgetary offsets to those PHAs that are not maximizing the use of funds. 47 The total NRA account balances held by PHAs as of June 30, 2011, was $1.39 billion. Of that value we calculated that 1,891 PHAs held $1.01 billion in excess of six percent of their annual budgetary authority representing the amount of excess unused funds that could be recaptured (or offset) if the funds are still not used by year-end. PIH officials indicated that Congress was considering offsetting $350 to $750 million in unused reserves as part of the fiscal year 2012 appropriations bill. However, based on our analysis, we recommend increasing the budget offset request up to $820 million. Starting in fiscal year 2012, in a measure to safeguard and reduce the risk of funds being misused, PIH plans to continue allocating the entire amount appropriated by Congress but will scrutinize PHAs’ reserves quarterly and reduce or withhold disbursements to PHAs holding excessive reserves until funding reserves decrease to acceptable levels. However, depending on whether HUD obtains permanent authority to offset funding, HUD could end accumulating and accounting for the PHAs’ reserves withheld as unpaid obligations. As a consequence, HUD must ensure that unpaid obligations are accounted for and reported properly in HUD’s financial statements. HUD must review the unpaid obligations at least annually, deobligate any unneeded undisbursed reserves amount assigned to PHAs during the budget allocation, and present those unneeded reserves as unobligated balances in HUD’s financial statements. Lastly, because the NRAs are held in PHA accounts, it is our belief that there is a higher potential for waste, fraud, and mismanagement than if the funds were controlled by HUD. Further, we are concerned that the existence of the NRA account balance may affect the accuracy of HUD’s financial reporting if the funds allocated to PHAs are being treated as program costs, although the funds are not being disbursed for program purposes in the current fiscal year. Monitoring of Public Housing Agencies’ Utilization of Operating Subsidy Program Funds Had Weaknesses The Public Housing Operating Fund provides operating subsidies to 3,137 housing authorities to assist in funding the operating and maintenance expenses of their own dwellings in accordance with Section 9 of the U.S. Housing Act of 1937, as amended. The subsidies are required to help maintain services and provide minimum operating reserves. The operating subsidy is authorized under 42 U.S.C. (United States Code) 1437g and the regulations under 24 CFR Part 990. The regulations establish the eligibility requirements for a PHA to receive an operating subsidy, explain the components of the subsidy formula, and describe how the subsidy is disbursed to eligible recipients. In accordance with HUD Financial Management Handbook 7475.1, PHAs are allowed to establish reserves 48 for such purposes and in such reasonable amounts as may be required in the prudent operation of the projects and as may be approved by the Government using the operating receipts of the projects. The operating subsidy is determined as the difference between formula expense and formula income. If a PHA’s formula expense is greater than its formula income, the PHA is eligible for an operating subsidy. Formula expense is an estimate of a PHA’s operating expense and is determined using three components: (1) project expense level (PEL), (2) utility expense level (UEL), and (3) other formula expenses. Formula income is an estimate of a PHA’s non-operating subsidy revenue. During fiscal year 2011, we assessed HUD’s funding allocation process for the Operating Subsidy program. Specifically, we wanted to determine whether HUD prudently determined the operating subsidies funding allocations needed in a reasonable manner. We found that HUD analyzed the PHAs’ financial statements data to monitor the program funding utilization and funding reserves accumulated over time. HUD records indicated that the total operating subsidy that HUD provided to the PHAs in fiscal years 2009 and 2010 was $4.45 billion and $4.76 billion, respectively. Our analysis found that the total reserves held were equivalent to an entire year’s worth of funding and appeared excessive. HUD’s data showed that as of the last financial statement, the PHAs’ total operating reserves held was $4.06 billion. Increases in Operating Subsidy reserves were due to three factors: (1) there were inaccuracies in the Information Management System (IMS)-PIC, which tracks PHAs’ total number of units eligible and available for inclusion in funding calculations; (2) the operating funding formula used multifamily housing project cost data to estimate the PHA project level cost for PHAs, and this variable did not consider synergies obtained from PHAs managing larger projects; and (3) the formula funding process did not factor the actual cost and actual tenant income reported by the PHAs in FASS-PH. Making these comparisons would have helped determine the actual need for funding, rather than allocating and disbursing the total amount appropriated by Congress, and reduced the accumulation of reserves. HUD was aware of the problem and was working to perform up to a $1 billion nationwide offset if authorized by the fiscal year 2012 budget. However, the planned budget offset only represents 25 percent of the total excess reserves. PHAs have $4.06 billion in total reserves, of which $1.89 billion is in excess of the recommended 6-month operating reserves PHAs should maintain. In addition to the $1 billion that should be offset, there is a potential of an additional $890 million in PHAs’ accrued expenses and long term liabilities that constitute the remaining excess reserves that HUD needs to evaluate. If not needed HUD should also include these funds in the request for a funding offset. 49 Significant Deficiency 6: Controls Over HUD’s Computing Environment Can Be Further Strengthened HUD’s computing environment, data centers, networks, and servers provide critical support to all facets of HUD’s programs, mortgage insurance, financial management, and administrative operations. In prior years, we reported on various weaknesses with general system controls and controls over certain applications, as well as weak security management. These deficiencies increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation. We evaluated selected information systems’ general controls of HUD’s computer systems on which HUD’s financial systems reside. We also followed up on the status of previously reported application control weaknesses. Our review found information systems control weaknesses that could negatively affect HUD’s ability to accomplish its assigned mission, protect its data and information technology assets, fulfill its legal responsibilities, and maintain its day-to-day functions. Presented below is a summary of the control weaknesses found during the review. Security Management Program HUD had continued its progress in implementing a comprehensive, entitywide information system security program. Specifically, HUD had (1) created a new Cyber Security Awareness and Training Program that addresses specialized security roles and responsibilities, (2) issued a memorandum to the program offices requesting confirmation of separate accounts for administrative and nonadministrative duties, and (3) developed appropriate interconnectivity service agreements and memorandums for contractor systems. Additionally, HUD had provided corrective action plans that will address continuous monitoring, two-factor authentication, and the user management identity management program. Although HUD had made improvements, management attention is needed to ensure that all individuals are properly trained on their security responsibilities before allowing them continued access to information systems. Twenty six percent of HUD employees accessing information systems had not taken security awareness training during fiscal year 2011. Security awareness training is to be used by organizations to inform users of the common goal of protecting information and information technology-related resources of the agency. 50 Security Weaknesses in HUD’s Network Devices During fiscal year 2010, we audited security controls over HUD’s network devices33 to determine whether the security configurations implemented on the devices provided adequate controls to prevent abuse or unauthorized access to HUD’s information resources. We evaluated security measures that protect HUD information by scanning identified network devices and identifying vulnerabilities and suspect configurations that place sensitive information at risk. Security configurations implemented on HUD’s network devices were weak. Specifically, HUD did not (1) maintain a complete inventory of network devices, (2) implement strong security configurations on network devices, and (3) implement security configurations that sufficiently protected network paths. If HUD cannot comprehensively identify devices within its network, it cannot determine when there is unauthorized access to its network. An attacker could potentially exploit the weak security configurations to obtain information on the network and gain access to HUD’s systems and sensitive information. Failure to securely configure network devices and analyze information flow within a network increases the chances of sensitive information disclosure occurring without detection. We followed up on the status of these weaknesses during fiscal year 2011 and determined that corrective actions had been implemented for most of these weaknesses. HUD planned to complete corrective actions for the remaining recommendation by December 2, 2011. Preventive Maintenance Not Performed for the IBM Mainframe Operating System and Database Software HUD’s information technology (IT) support contractor did not perform preventive maintenance on the IBM mainframe system software34 to keep products up to date and available for support and enhancements. Software patches were not always installed, and software versions were not always upgraded to the minimum level that is supported by IBM. At least one issue was identified due to software patches not being applied as part of preventive maintenance. Specifically, during September 2009, the owner of the Tenant Rental Assistance Certification System requested installation of the DB235 Connect Enterprise software to allow connectivity to the 33 Audit report number 2010-DP-0004, ―Security Weaknesses on HUD’s Network Devices,‖ issued September 30, 2010 34 Audit report number 2011-DP-0001, ―HUD Did Not Properly Manage HITS Contracts and Contractors To Fully Comply With Contract Requirements and Acquisition Regulations,‖ issued October 6, 2010 35 DB2 is a database management system. 51 DB2 databases on the IBM mainframe from applications based on other platforms. The request was approved, but the installation was delayed because software patches for the DB2 version 7.1 running on the IBM mainframe had not been installed up to the minimum supported level for processing with the new DB2 Connect Enterprise version 9.5 software. Also, DB2 version 7.1 had reached its end of support life36 as of June 30, 2008. In addition to the DB2 software, we found two other system software products that had reached or were close to reaching their end of support life. The CICS37 software, used to support the online transaction processing on the IBM mainframe, was upgraded to CICS Transaction Server version 2.3 in June 2010, but had reached its end of support life in September 2009. Also, the z/OS mainframe operating system was upgraded in July 2010 from z/OS 1.7 to z/OS 1.9, which reached its end of support life in September 2010. Preventive maintenance was not generated and distributed for products that had reached end of support life; therefore, preventive maintenance could not be performed to mitigate future potential problems as recommended by industry standards best practices. The use of system software, which was not maintained at the recommended level of service, could result in system outages, delays in service, and the inability to implement changes required by new initiatives or legislation. We followed up on the status of these weaknesses during fiscal year 2011 and determined that HUD had made progress in remediating these weaknesses. The z/OS operating system was upgraded, and CICS was scheduled for upgrade in November 2011. Additionally, HUD’s IT support contractor included maintenance upgrades in the latest version of the MVS Implementation and Maintenance guide. HUD planned to complete corrective actions for these weaknesses by November 30, 2012. IBM Mainframe Libraries Not Properly Managed In fiscal year 2010, we reported that HUD’s IBM Mainframe z/OS38 authorized program facility (APF)39 libraries were not adequately controlled. We reviewed the IBM mainframe authorized libraries and identified weaknesses that left HUD’s IBM mainframe vulnerable to unauthorized access. Three libraries were 36 End of support life is when the vendor stops providing basic support (e.g., problem resolution, providing software patches, etc.) for a product. 37 CICS is a transaction manager designed for rapid, high-volume online processing. 38 z/OS is the computer operating system for IBM's z-Series 900 (z900) line of large (mainframe) servers. 39 The authorized program facility is an IBM tool that limits the use of sensitive system services and resources to authorized system and user programs. 52 not under CA Top Secret40 resource security protection.41 The resource level of protection is the most secure level of protection because it prevents programmers from linking into protected programs and files. Additionally, the APF list included the names of libraries that did not exist, increasing the risk that unauthorized programs could be inserted and executed in the IBM mainframe z/OS environment. This type of weakness could seriously diminish the reliability of information produced by all of the applications supported by the computer system and increase the risk of fraud and sabotage. We followed up on the status of this weakness during fiscal year 2011. We once again identified APF libraries that were not under CA Top Secret resource security protection. We determined that HUD’s IT support contractor did not always follow the procedures in place for ensuring the APF libraries were properly controlled. Further, the support contractor did not always follow procedures for notifying ADP Security when adding libraries to the APF. Details of these findings will be included in our report for our fiscal year 2011 review of information systems controls in support of the financial statement audit to be issued in January 2012. Disaster Recovery Grant Reporting System In fiscal year 2009, we reported on selected controls within the Disaster Recovery Grant Reporting System (DRGR)42 related to Neighborhood Stabilization Program (NSP) funding. We found that (1) access control policies and procedures for DRGR violated HUD policy, (2) the system authorization to operate was outdated and based upon inaccurate and untested documentation, (3) the Office of Community Planning and Development (CPD) did not adequately separate the DRGR system and security administration functions, and (4) CPD had not sufficiently tested interface transactions between DRGR and LOCCS. As a result, CPD could not ensure that only authorized users had access to the application, user access was limited to only the data that were necessary for them to complete their jobs, and users who no longer required access to the data in the system had their access removed. Further, the failure to sufficiently test interface transactions between DRGR and LOCCS left HUD with limited assurance that the $5.9 billion in NSP funding would be accurately processed. During fiscal year 2011, HUD made additional progress toward resolving the issues identified in fiscal year 2009. HUD completed actions to address the 40 CA-Top Secret is the software used on the IBM mainframe to secure resources from unauthorized exposure . 41 Resource security protection prevents unauthorized updates to programs within the libraries. 42 Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting System, issued September 30, 2009. 53 weaknesses pertaining to system access controls, system documentation, inadequate separation of duties, and insufficient testing of controls with LOCCS. Additionally, we audited the DRGR system during fiscal year 201143 to determine whether adequate controls were in place to safeguard, accurately track, and report $1.93 billion in ARRA funds allocated to CPD’s NSP2. We found that the improvements CPD made to the DRGR system within the last year were beneficial to the overall assurance that the system’s data were properly maintained, safeguarded, and in compliance with Federal regulations. However, for HUD to address ARRA requirements for accurate data requirements, additional improvements should be made to the DRGR system. We recommended that CPD modify the DRGR system to improve its application controls. Also, the DRGR system owner needs to coordinate with OCIO to ensure that the (1) security documentation is updated, (2) contingency plan is adequately tested, and (3) DRGR system is included in the annual disaster recovery test as it is a mission-critical application. Integrated Disbursement and Information System During our fiscal year 2010 review of information system controls,44 we found that application controls for IDIS were not properly placed and operating effectively. We noted the following deficiencies: (1) incompatible functions such as system administration and security administration were not adequately separated, and (2) there was no formal user recertification process to ensure that all users were properly recertified. We found that (1) HUD field office personnel were granted access to the data for one grantee organization without oversight beyond the field office level, (2) field office personnel were granted headquarters level access45 as part of the continuity of operations plan without sufficient compensating controls, and (3) HUD users with administrative access within IDIS were granted access to production data within the application. These weaknesses existed because CPD designed IDIS with decentralized security without adequate controls in place to ensure that the overall security of the application remained within the control of HUD staff. By not separating incompatible system administration and security responsibilities and reviewing the continued appropriateness of access to the financial systems, HUD increased its risk that sensitive financial data could be modified, disclosed, or misused or that erroneous or fraudulent transactions would be processed. 43 Audit Report No. 2011-DP-0008: The Disaster Recovery Grant Reporting System That Maintained Recovery Act Information Had Application Security Control Deficiencies, issued July 28, 2011 44 Audit Report No. 2011-DP-0004: Audit Report on the Fiscal Year 2010 Review of Information Systems Controls in Support of the Financial Statements Audit, issued January 14, 2011 45 A user with headquarters administrative access has access to nationwide data within the application. 54 We also found that CPD did not require all users to sign and acknowledge the specific rules of behavior form created for the IDIS application. In addition, CPD did not implement a formal user recertification process for IDIS. Instead, CPD implemented controls within IDIS that allowed ―administrators‖ from the grantee organization the ability to edit the profiles for users with access to the data for that grantee. These controls, however, shifted the responsibility of user access to the grantee administrator. Proper access controls place the responsibility with HUD staff. This condition occurred because management in the CPD Systems Division was not aware that there was an IDIS-specific rules of behavior form. In addition, IDIS was designed with decentralized security controls, which did not ensure that overall security of the application remained within the control of HUD staff. Instead, ―administrators‖ from grantee organizations were given the ability to modify user access. By not implementing strong access controls, HUD cannot ensure that users have access to only the data that are necessary for them to complete their jobs. In addition, they are unable to ensure that only authorized users have access to the system and that users who no longer require access to the data in the system have had their access removed. HUD Procurement System We audited HUD’s procurement systems in fiscal year 2006.46 Through actions taken during fiscal years 2007 through 2010, the Office of the Chief Procurement Officer (OCPO) had made progress toward resolving the issues identified during the audit. However, two significant recommendations remained open during fiscal year 2011. The procurement systems continued to be noncompliant with Federal financial management requirements. In addition, OCPO had not yet implemented functionality to ensure that there was sufficient information within HUD’s current procurement systems to support the primary acquisition functions of fund certification, obligation, deobligation, payment, and closeout. During fiscal year 2011, OCPO worked to implement a replacement application for the current procurement systems. The HUD Integrated Acquisition Management System (HIAMS) will completely replace OCPO’s legacy procurement systems, using a widely adopted acquisition management software system. Initial deployment of the application began in October 2011 and is planned for completion in January 2012. 46 Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems, issued January 25, 2007 55 Configuration Management During fiscal year 2010, we performed an audit of controls over selected configuration management (CM) activities within HUD.47 Although HUD had processes and procedures for managing the configurations of systems in HUD’s computing environment, those procedures were not always followed. HUD’s help desk application was not approved by the Configuration Change Management Review Board48 (CCMB), although the application had been in use since 2007. As a result of our audit, the CCMB did approve the application as a HUD standard. Additionally, a software tool for use in the CM for source code and other software development assets went through multiple pilot tests without prior CCMB approval. Compounding the issue, OCIO’s Office of Enterprise Architecture determined in November 2007 that the tool would not meet user needs and would not be cost effective. We also reviewed CM plans for the eTravel system and IDIS Online to determine whether they were kept up to date. The CM plans for each system did not include all required information or contained outdated information for the areas of system overview, project references, roles and responsibilities, and supporting group contact information. In addition, the eTravel CM plan did not include sections such as baseline identification, measurements, configuration status accounting, configuration management libraries, release management, and configuration audits. As part of our fiscal year 2011 audit, we reviewed the CM plan and selected controls for the DRGR system. The DRGR CM plan also did not include required information and contained outdated information. In addition, we identified weaknesses related to the DRGR testing environment and required testing documents. Details of these findings will be included in our report for our fiscal year 2011 review of information systems controls in support of the financial statement audit to be issued in January 2012. Contingency Planning and Physical Security In fiscal year 2009, we found that disaster recovery exercises did not fully test system functionality because critical applications were not verified through transaction and batch processing and the exercises did not include recovery of all applications that interface with the critical systems. By not having current 47 Audit Report Number 2011-DP-0006, ―HUD’s Controls Over Selected Configuration Management Activities Need Improvement‖, issued March 24, 2011 48 The CCMB was established to ensure that all changes made to the HUD IT infrastructure and system development platforms take place through a rational and orderly process. 56 information in the disaster recovery plan and fully testing system functionality during disaster recovery exercises, HUD could not ensure that its systems and applications would function as intended in an actual emergency. We also determined that sensitive data stored on backup tapes, transported and stored offsite, were not adequately protected. HUD’s information IT support contractor is required to create backup tapes of HUD’s mission-critical data and store the backup tapes at an offsite storage facility. These backup tapes are created for use in contingency operations and disaster recovery events and exercises. However, during the 2009 disaster recovery exercises, we observed that backup tapes from the offsite storage facility were not in encrypted form. HUD planned to include requirements to fully test system functionality during disaster recovery exercises and encrypt backup tapes being transported to and from the offsite storage facility in the next IT support contract. For fiscal year 2011, we evaluated physical security controls at HUD’s data centers. We determined that weaknesses existed with regard to access to sensitive areas within the data center. Specifically, temporary access to the computer room for a special project was not removed upon completion, an obsolete job function (phased out in March 2011) was on the access list to the computer room, and reviews of the access list for individuals with physical access to sensitive areas within the data center were not performed regularly and results of reviews were not documented. Access to sensitive areas allows individuals to be in direct physical contact with data center equipment such as the hardware, network equipment, cables and power cords, and physical storage media containing large amounts of electronic information. Inadequate controls over access to sensitive areas within the data center facility could lead to equipment damage, data loss, equipment downtime, theft and sabotage of equipment, and unintentional wrongdoing by personnel. HUD provided explanations for the weaknesses identified, and plans to revise procedures to ensure that review of access to sensitive areas properly includes documenting the date and results of the reviews. FHA Information Technology Weaknesses In fiscal year 2011, FHA’s independent public auditor (IPA) reported as a significant deficiency that the information security control over FHA systems related to security and access controls, as well as in configuration management and contingency planning, were deficient. The report noted the following information security weaknesses by control area: Security Management HUD’s IT security policies and procedures had not been updated to comply with the National Institute of Standards and Technology (NIST) 57 Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. The system security plans for FHA applications and general support systems were not being reviewed and updated in accordance with HUD policy or NIST standards. Vulnerability scanning practices did not agree with written HUD policy, and identified vulnerabilities were not being tracked for remediation. Specialized security training required by HUD policy and NIST standards was not being monitored and enforced. Agreements for external information systems and interface control documentation were not being maintained in accordance with HUD policy and NIST standards. Access Control Management of user accounts was not being performed in accordance with HUD policy and NIST standards. Password and security parameter settings were not being consistently applied in accordance with HUD policy. Remote access authentication did not meet HUD policy and was not in compliance with NIST standards. Inactive user accounts were not always deactivated as required by HUD policy and in compliance with NIST standards. Configuration Management Standard baseline configuration policies for FHA’s general support systems were not fully documented and implemented in accordance with HUD policy and NIST standards. Contingency Planning Systems supporting critical operations were not consistently identified and tested in accordance with HUD policy and in compliance with NIST standards. Contingency plans for certain systems were incomplete or not updated in accordance with HUD policy and NIST standards. 58 Many of these weaknesses were observed and reported in prior FHA audits and management letters. FHA tracks actions to improve controls using corrective action plans and plans of action and milestones. While these plans often result in improvements to the specific system weaknesses reported, the IPA found that the weaknesses had not been remediated. Further, it found the same type of weaknesses when it examined different systems. This finding indicated that the root causes of the deficiencies were not being effectively addressed for all systems. The IPA’s recommendations requested FHA to work with HUD OCIO to resolve these long- standing issues. 59 Significant Deficiency 7: Weak Personnel Security Practices Continued To Pose Risks of Unauthorized Access to HUD’s Critical Financial Systems For several years, we have reported that HUD’s personnel security practices regarding access to its systems and applications were inadequate. Deficiencies in HUD’s IT personnel security program were found, and recommendations were made to correct the problems. However, the risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up on previously reported IT personnel security weaknesses and deficiencies and found that deficiencies still existed. HUD Did Not Have a Central Repository Listing of All Users With Access to HUD’s General Support and Application Systems Since 2004, we have reported that HUD did not have a complete list of all users with greater than read access at the application level. Those users with greater than read access to sensitive application systems are required to have a background investigation. Our review this year found that HUD still did not have a central repository that listed all users with greater than read access to HUD’s general support and application systems. While HUD’s implementation in 2007 of the Centralized HUD Account Management Process (CHAMP) was a step toward improving its user account management practices, CHAMP remained incomplete and did not fully address OIG’s concerns. Specifically, we noted that CHAMP did not contain complete and accurate data. OCIO did not electronically update CHAMP with data from the HUD Online User Registration System. Instead, it chose to enter the legacy data manually. However, this process had not been completed. In a January 2009 audit report,49 we recommended that all offices within HUD provide the historical information necessary to update CHAMP. OCIO agreed with our recommendation, and corrective action was scheduled for completion in December 2009. We followed up on this recommendation and found that as of September 30, 2011, OCIO had not completed entering user access data into CHAMP for all of HUD’s systems. Information provided by OCIO showed that user data had been entered into CHAMP for only 112 systems. 49 Audit report number 2009-DP-0003, ―Review of the Centralized HUD Account Management Process‖, issued January 9, 2009 60 As of September 16, 2011, HUD’s inventory of automated systems contained 208 active systems. HUD did not conduct a security categorization and a risk assessment for CHAMP as required by Federal Information Processing Standards Publications 199 and 200. HUD’s OCIO chose not to do so because it believed that these items were not required for CHAMP, which it considered to be a process rather than a system. HUD also believed that since CHAMP was exclusively owned by its IT contractor, it was not subject to these requirements. Without a security categorization and risk assessment of CHAMP, HUD cannot know the full extent of risks to which the CHAMP process is vulnerable or whether adequate levels of security controls have been put into place to protect data and applications impacted by CHAMP. In the January 2009 audit report, OIG recommended that OCIO conduct a security categorization and a risk assessment for CHAMP. OCIO agreed and originally expected to complete this task by August 31, 2009, but did not do so. We followed up on this recommendation and found that a contract was awarded on August 2, 2011, to perform the certification and accreditation for 30 systems, including CHAMP. However, due to the contract delay, OCIO was expecting to complete it by December 31, 2011. Lack of Reconciliations To Identify Sensitive System Users Without Appropriate Background Investigations Remains a Concern In prior audits, we found that HUD did not routinely identify users with greater than read access to HUD sensitive systems that had not undergone appropriate background checks. Granting people access to HUD’s information and resources without appropriate background investigations increases the risk that unsuitable individuals could gain access to sensitive information and inappropriately use, modify, or delete it. HUD’s Personnel Security Division is required to reconcile listings of users with above-read access to HUD’s sensitive systems to the database containing background investigation information to ensure that each user has had the appropriate background investigation. In our May 2010 audit report,50 we recommended that HUD develop and implement a plan to routinely perform the quarterly reconciliation of users with above-read access to sensitive systems and general support systems to identify those without appropriate background investigations. However, no reconciliations were performed for fiscal year 2011. We have reported since 2006 that the list of sensitive systems to be included in the reconciliation was incomplete. In response to a recommendation in our fiscal 50 Audit report number 2010-DP-0002, ―Audit Report on the Fiscal Year 2009 Review of Information Systems Controls in Support of the Financial Statements Audit,‖ issued May 14, 2010 61 year 2008 audit report,51 OCIO planned to update the sensitive system list by April 30, 2010. OCIO recently provided clarification that HUD had 15 systems that were considered sensitive because of the financial and personally identifiable information they contained. However, the original condition still existed; only one system was required to be included in the reconciliation. In fiscal year 2007, we first reported that the general support systems on which HUD’s mission-critical and sensitive applications resided were not included in the reconciliations because they were not classified as mission critical.52 Granting people access to general support systems without appropriate background investigations increases the risk that unsuitable individuals could gain access to sensitive information and inappropriately use, modify, or delete it. We recommended that the Office of Security and Emergency Planning update its policies and procedures to include users of HUD’s general support systems in the user access reconciliation process. The Personnel Security and Suitability Handbook was updated in September 2009 but did not include language requiring general support systems to be included in the reconciliation process. Having access to general support systems typically includes access to system tools, which provide the means to modify data and network configurations. We previously identified IT personnel, such as database administrators and network engineers, who had access to these types of system tools but did not have appropriate background checks. These persons were not identified as part of the reconciliation process. This issue still existed during fiscal year 2011. 51 Audit report number 2009-DP-0004, ―Fiscal Year 2008 Review of Information Systems Controls in Support of the Financial Statements Audit,‖ issued May 29, 2009 52 Audit report number 2008-DP-0003, ―Fiscal Year 2007 Review of Information Systems Controls in Support of the Financial Statements Audit,‖ issued March 4, 2008 62 Compliance With Laws and Regulations In fiscal year 2011 we found instances where HUD did not ensure transactions were executed in accordance with laws governing the use of budget authority and with other laws and regulations that could have a direct and material effect on the financial statements and any other laws, regulations, and government wide policies identified in OMB audit guidance. HUD Did Not Substantially Comply With the Federal Financial Management Improvement Act FFMIA requires auditors to report whether the agency’s financial management systems substantially comply with the Federal financial management systems requirements and applicable accounting standards and support the USSGL at the transaction level. We found that HUD was not in substantial compliance with FFMIA because CPD’s IDIS grant information system was not in compliance with Federal GAAP, FFMIA, and its internal controls over financial reporting as well as HUD’s financial management systems’ noncompliance with Federal financial management system requirements. During fiscal year 2010, we found that CPD’s IDIS was determined to be noncompliant with FFMIA due to deficiencies in internal controls over financial reporting and its ability to process transactions that would follow Federal GAAP. These deficiencies were described in detail in Significant Deficiency 1: HUD Financial Management Systems Did Not Comply With the Federal Financial Management Improvement Act of 1996 (FFMIA) of the prior-year report. HUD on an entitywide basis made limited progress as it attempted to address its financial management deficiencies to bring the agency’s financial management systems into compliance with FFMIA. Deficiencies remained as HUD’s financial management systems continued to not meet current requirements and were not operated in an integrated fashion and linked electronically to efficiently and effectively provide agencywide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs. HUD was not in full compliance with OMB Circular A-127. The circular requires each agency to perform reviews of its financial management systems. However, HUD did not complete any OMB Circular A-127 reviews in fiscal year 2011. HUD is also required to maintain financial management system plans for each of their financial management applications. We determined that HUD’s financial management systems plan document for fiscal year 2011 did not meet the requirements specified in the circular. 63 Federal Financial Management System Requirements In its Fiscal Year 2011 Agency Financial Report, HUD reported that 3 of its 41 financial management systems did not comply with the requirements of FFMIA and OMB Circular A-127, Financial Management Systems. Although 38 individual systems had been certified as compliant with Federal financial management systems requirements, HUD performed only one OMB Circular A- 127 review (FHA-SL) in the last two years and relied upon the results of OMB Circular A-123 and FISMA annual internal control reviews for individual applications. For the past two years, HUD has reported the ongoing OMB Circular A-127 evaluation of one core system, Federal Housing Administration Subsidiary Ledger (FHA-SL). Since the final report for the A-127 evaluation performed is not expected to be completed until December 2011, HUD continues to be noncompliant. Additionally, in fiscal year 2010 OIG reported that IDIS was noncompliant with the requirements of OMB Circular A-12753. However, HUD continues to report IDIS as compliant54. Further, in fiscal year 2011, OIG determined that CPD’s financial management systems did not meet the computer system requirements of OMB A-127. Specifically, OIG determined that the DRGR program office’s application security management program had weaknesses. The weaknesses in DRGR are identified in Significant Deficiency 1: HUD Financial Management Systems Do Not Fully Comply With Federal Financial Management System Requirements. Therefore, collectively and in the aggregate, deficiencies continued to exist. We continue to report as a significant deficiency that HUD financial management systems need to comply with Federal financial management systems requirements. The significant deficiency addresses how HUD’s financial management systems remained substantially noncompliant with Federal financial management requirements. FHA’s auditor reported as a noncompliance that FHA’s financial management infrastructure was comprised of many aging information systems developed over the last 30 years that were connected to each other, customers, and the general ledger through hundreds of electronic interfaces. FHA’s auditor stated that this complex and outdated infrastructure was becoming increasingly difficult and 53 Audit Report 2011-FO-0003, Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements, Significant Deficiency 1: HUD Financial Management Systems Do Not Comply with the Federal Financial Management Improvement Act of 1996 (FFMIA). 54 See Appendix C of this report 64 costly to maintain. FHA’s auditor reported that these limitations impacted FHA’s ability to ―continue to operate in an effective and efficient manner‖ and to support its ―changing business practices‖ as required by OMB Circular No. A-127, Financial Management Systems. FHA had also implemented many expensive and manual compensating controls to ensure the reliability of its day-to-day financial reporting. We also continue to report as significant deficiencies that (1) controls over HUD’s computing environment can be further strengthened and (2) weak personnel security practices continue to pose risks of unauthorized access to HUD’s critical financial systems. These significant deficiencies discuss how weaknesses with general controls and certain application controls and weak security management increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation. We have included the specific nature of noncompliance issues, responsible program offices, and recommended remedial actions in appendix C of this report. HUD Did Not Substantially Comply With the Antideficiency Act HUD Had Not Made Progress in Reporting ADA Violations as Required Our fiscal year 2011 audit found that HUD had not improved its process for conducting, completing, reporting, and closing the investigation of potential 31 U.S.C. 1351.1517(b) ADA violations. Our review found that none of the six cases identified as a potential deficiency in fiscal year 2009 were reported to the President through OMB, Congress, or GAO as required or determined not to be a violation. Of the six cases in which OCFO was notified of a potential violation, two of the six case files were opened in fiscal year 2003, two cases were opened in fiscal year 2004, one case file was opened in fiscal year 2005, and the remaining case was opened in fiscal year 2008. In all six cases, OCFO had not completed its review to report the violations to the President through OMB, Congress, or GAO as required. Additionally, in four of the six cases, the Appropriations Law Division (ALD) had not completed its review as required. Therefore, we did not find any improvement in HUD’s conducting, completing, reporting, or closing potential ADA violation investigations. We have reported in prior-year reports that HUD continued to show no substantial improvement to its process for conducting, completing, reporting, and closing the investigation of potential ADA violations. Since fiscal year 2009, we have reported HUD’s failure to report six cases identified as a potential deficiency to 65 the President through OMB, Congress, or GAO as required or make a determination that no violation had occurred. OCFO is responsible for conducting investigations and reporting on violations of ADA. HUD’s continued delay in completing ADA investigations and reporting known violations results in ADA violators avoiding timely reprimands or punishments and prevents timely correction of violations. In all six of the cases, OCFO had not completed its review as required to report the violation to the President through OMB, Congress, or GAO as required. The lack of adequate oversight of the investigative process impeded the completion of the review process. The review process requires that in ADA cases for which the Funds Control Assurance Division has determined that an ADA violation has occurred, the case must be reviewed by the ALD before the report is reviewed by OCFO. However, in four of the six cases reported since fiscal year 2009, ALD had not completed its review. Therefore, no progress had been made by OCFO in the 3 years since OIG first began reporting this finding. HUD Did Not Comply With Laws and Regulations Governing Claims of the United States Government Inadequate Efforts To Collect on Delinquent Direct Loans Continued Regulations at 31 CFR Part 901, Standards for the Administrative Collection of Claims, holds HUD responsible for aggressively collecting all debts arising out of activities performed by the agency. These activities include notifying debtors of a delinquency and performing timely follow-up activities. As reported in the prior year, follow-up activities were not being substantially and promptly performed for Section 202 delinquent loans as required by HUD Handbook 1900.25, REV-3, and 31 CFR Part 901. Our review of the Section 202 delinquent loans determined that inadequate collection efforts continued. A sample of 13 projects with Section 202 loans delinquent more than 90 days noted 7 (54 percent) projects which did not show evidence that the owner was notified of the delinquency or that efforts were attempted to cure the delinquency 30 days after the delinquency occurred. While project managers started to follow up with property owners on the delinquent loan at the beginning of fiscal year 2011, follow-up activities were not performed for two delinquent loans before our review. These seven loans had delinquent payments aged between 242 days and 7 years. In addition, our review of the Flexible Subsidy loan portfolio determined that follow-up activities were not performed in a timely manner for two of three delinquent loans that were more than 90 days delinquent as of March 31, 2011. 66 One of the two loans was delinquent before January 31, 2003, and the property owner submitted a proposal to address the delinquent payment on January 31, 2003, but was not approved until March 2011 due to inadequate follow-up efforts by the project manager. The project manager of the second loan did not follow up on the delinquent payment until the loan was delinquent for 26 months. In response to our prior-year finding, the Office of Housing drafted guidance to address required collection procedures for Section 202 delinquent loans; however, the guidance had not been finalized and issued to project managers by the end of fiscal year 2011. In addition, the Office of Housing worked with OCFO to develop accurate delinquency reports to be provided to project managers and they were monitoring each hub’s progress in collecting delinquent loans. The Office of Housing was drafting guidance to address the collection procedures for Flexible Subsidy delinquent loans, which will be similar to the guidance drafted for the Section 202 loans. Inadequate efforts to collect on delinquent balances result in a higher risk of HUD’s assets becoming uncollectable. If insufficient follow-up continues, over time, more direct loans that fall into delinquent status will be at a higher risk of becoming uncollectable. Nonreporting of Delinquent Loan Information to Third Parties Continued As reported in the prior year, OCFO did not report delinquent direct loans to third-party entities, such as credit bureaus and CAIVRS (Credit Alert Verification Reporting System) as required by 31 U.S.C. 3711. As a result, the delinquent status of debt due to HUD was not reported to other Federal credit agencies. Consequently, other agencies did not have all delinquent information available to perform prescreening procedures as required by 31 U.S.C. 3711 and OMB. HUD’s failure to report its delinquent debtors might have resulted in other agencies’ improperly qualifying ineligble debtors for a Federal loan. This reporting failure would prevent other agencies from effectively protecting the Government’s assets and curtailing the losses in relation to Government benefits provided. Ensuring that this information is reported to third parties became even more important after HUD implemented the Emergency Homeowners’ Loan Program in fiscal year 2011, obligating more than $209 million in new direct loans to homeowners. The loans issued under the program will eventually be maintained in the Nortridge Loan System, thereby increasing the significance of having this reporting requirement functional in the immediate future. During fiscal year 2011, HUD made significant efforts to configure the NLS to allow for the reporting of delinquent loan information to CAIVRS. OCFO was waiting for the Office of Housing to finalize its formal notice, which describes the 67 criteria for reporting delinquent direct loan debts to credit bureaus and CAIVRS, before initiating the reporting process. However, OCFO was still working on determining how to report delinquent loan information to credit bureaus. 68 OTHER MATTERS HUD Did Not Obligate All of the Funds Appropriated for the Emergency Homeowners’ Loan Program The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203 (Dodd-Frank Act), enacted July 21, 2010, provided $1 billion in assistance through the Emergency Homeowners’ Relief Fund. HUD administered these funds under the Emergency Homeowners’ Loan Program (EHLP). Through EHLP, homeowners may receive a maximum of $50,000 in assistance in the form of a declining balance, nonrecourse, zero-interest, subordinate secured loan with a term of up to 7 years. No payment is due from homeowners during the term of the loan provided they remain current in their monthly homeowner contribution payments. If the homeowner meets this requirement, the balance due will decline by a HUD-designated percentage until the loan is fully satisfied. Due to delays in establishing EHLP, HUD only obligated $528.2 million of the $1 billion appropriated for EHLP. The $528.2 million in obligations included $46.8 million for a cooperative agreement with NeighborWorks America to facilitate outreach and application processing, $25.5 million for a fiscal agent agreement with Bank of New York Mellon to review application packages and service the loans issued by HUD, $246.6 million in grants to five States to operate programs deemed substantially similar to the EHLP, and $205.2 million for the credit subsidy portion of the direct loans issued by HUD. The Dodd-Frank Act specified a period, October 1, 2010, to September 30, 2011, when emergency mortgage relief payments could be obligated. As a result of the difficulties HUD encountered establishing the program, $471.8 million in funds not obligated by September 30, 2011, are not available for additional loans. The delays HUD experienced in setting up EHLP were due to the uniqueness of the program, outsourced application intake and evaluation, lack of a permanent management structure, and the aggressive timeframe for obligating the funds. While EHLP was originally authorized by the Emergency Homeowners’ Relief Act of 1975, the program was never used, and it was removed from the Code of Federal Regulations in 1995. Additionally, HUD did not have any similar programs in operation or the in-house expertise to manage such a program. Further, HUD did not enter into agreements with NeighborWorks and Bank of New York Mellon until May 2011 and did not begin accepting applications from distressed homeowners until June 20, 2011, 10 and 11 months, respectively, after the passage of the Dodd-Frank Act. NeighborWorks and its network of housing counseling agencies identified and contacted 43,000 applicants having a ―good chance‖ of meeting the eligibility requirements of EHLP. However, a higher number of applicants were disqualified than HUD had anticipated, which led HUD to reopen the application window. The high disqualification rate, combined with the lengthy application process, led to HUD’s approving and obligating 69 funds for 5,823 loans, as opposed to the approximated 19,000 HUD expected. While the loans were obligated by September 30, HUD had not completed the application evaluation for more than 5,000 loans. When the loan application evaluation is complete, there are likely to be fewer loans than obligated. While the funds for this program were ―no year‖ money, HUD had no authority to make new loans and had already obligated the funds needed to administer the outsourced portions of this program. As result, the unobligated balance of $471.8 million should be returned to the U.S. Treasury, less amounts needed for upward adjustments for current loan obligations and expected administrative expenses for the current program. 70 Appendix A Objectives, Scope, and Methodology Management is responsible for * Preparing the financial statements in conformity with accounting principles generally accepted in the United States of America; * Establishing, maintaining, and evaluating internal controls and systems to provide reasonable assurance that the broad objectives of FMFIA are met; and * Complying with applicable laws and regulations. In auditing HUD’s principal financial statements, we were required by Government Auditing Standards to obtain reasonable assurance about whether HUD’s principal financial statements were presented fairly, in accordance with generally accepted accounting principles, in all material respects. We believe that our audit provides a reasonable basis for our opinion. In planning our audit of HUD’s principal financial statements, we considered internal controls over financial reporting by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed into operation, assessed control risk, and performed tests of controls to determine our auditing procedures for the purpose of expressing our opinion on the principal financial statements. We are not providing assurance on the internal control over financial reporting. Consequently, we do not provide an opinion on internal controls. We also tested compliance with selected provisions of applicable laws, regulations, and government policies that may materially affect the consolidated principal financial statements. Providing an opinion on compliance with selected provisions of laws, regulations, and government policies was not an objective, and, accordingly, we do not express such an opinion. We considered HUD’s internal control over required supplementary stewardship information reported in HUD’s Fiscal Year 2011 Agency Financial Report by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed into operation, assessed control risk, and performed limited testing procedures as required by AU Section 558, Required Supplementary Information. The tests performed were not to provide assurance on these internal controls, and, accordingly, we do not provide assurance on such controls. With respect to internal controls related to performance measures to be reported in the Management’s Discussion and Analysis and HUD’s Fiscal Year 2011 Agency Financial Report, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions as described in section 230.5 of OMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed limited testing procedures as required by AU Section 558, Required Supplementary Information, and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended. Our procedures were not 71 designed to provide assurance on internal control over reported performance measures, and, accordingly, we do not provide an opinion on such controls. To fulfill these responsibilities, we * Examined, on a test basis, evidence supporting the amounts and disclosures in the consolidated principal financial statements; * Assessed the accounting principles used and the significant estimates made by management; * Evaluated the overall presentation of the consolidated principal financial statements; * Obtained an understanding of internal controls over financial reporting (including safeguarding assets) and compliance with laws and regulations (including execution of transactions in accordance with budget authority); * Tested and evaluated the design and operating effectiveness of relevant internal controls over significant cycles, classes of transactions, and account balances; * Tested HUD’s compliance with certain provisions of laws and regulations; governmentwide policies, noncompliance with which could have a direct and material effect on the determination of financial statement amounts; and certain other laws and regulations specified in OMB Bulletin 07-04, as amended, including the requirements referred to in FMFIA; * Considered compliance with the process required by FMFIA for evaluating and reporting on internal control and accounting systems; and * Performed other procedures we considered necessary in the circumstances. We did not evaluate the internal controls relevant to operating objectives as broadly defined by FMFIA. We limited our internal control testing to those controls that are material in relation to HUD’s financial statements. Because of inherent limitations in any internal control structure, misstatements may, nevertheless, occur and not be detected. We also caution that projection of any evaluation of the structure to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate. Our consideration of the internal controls over financial reporting would not necessarily disclose all matters in the internal controls over financial reporting that might be significant deficiencies. We noted certain matters in the internal control structure and its operation that we consider significant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the American Institute of Certified Public Accountants, a significant deficiency is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency or combination of deficiencies in internal controls, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis. 72 Our work was performed in accordance with generally accepted government auditing standards and OMB Bulletin 07-04, as amended. This report is intended solely for the use of HUD management, OMB, and Congress. However, this report is a matter of public record, and its distribution is not limited. 73 Appendix B Recommendations To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking System (ARCATS), this appendix lists the newly developed recommendations resulting from our report on HUD’s fiscal year 2011 financial statements. Also listed are recommendations from prior years’ reports that have not been fully implemented. This appendix does not include recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial statement audit reports of that entity. Recommendations From the Current Report With respect to the significant deficiency that HUD’s financial management systems need to comply with Federal financial management system requirements, we recommend that the CFO: 1.a. In coordination with the OIG, CFO Systems, CFO Accounting, CFO Financial Management, CPD Management, and CPD Systems, review the methodology used by CPD for assigning and disbursing budget fiscal year funding sources to activities within IDIS. 1.b. Based upon the understanding obtained of the methodology used by CPD, develop and execute procedures to determine whether the methodology used by CPD for assigning and disbursing budget fiscal year funding sources to activities within IDIS is in accordance with federal financial accounting standards and whether the budgetary and internal controls over financial reporting are adequately designed provide reasonable assurance that misstatements, losses, or noncompliance material in relation to the financial statements would be prevented or detected on a timely basis. 1.c. In coordination with CPD, develop modifications, to IDIS and DRGR to correct the unacceptable errors or discontinue the use of these systems for any financial and budgetary information. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the appropriate program offices: 2.a. Recapture the $1.7 million for the 93 administrative and program unliquidated obligations that were marked for deobligation during the fiscal year 2011 open obligations review. 74 With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that CPD: 2.b. Review the status of each of its homeless assistance contracts that make up the $32 million OIG identified as excess funding and recapture excess funds for expired contracts, which have not been granted extension. 2.c. Fully implement the internal control procedures and control activities that were drafted as a result of the fiscal year 2010 audit finding, that include specific policies, procedures and mechanisms, including appropriate documentation of extensions granted and follow-up efforts with the grantees to obtain the close-out documents, to ensure that grants are closed out within the 90-day period after the contract expiration or after the extension period, so that remaining balances are recaptured on a periodic basis. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Office of Housing, in coordination with the CFO: 2.d. Recapture the $3.8 million tied to the 78 inactive or expired obligations for the Section 202 and 811 programs. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Office of the Chief Procurement Officer, in coordination with the Office of Housing: 2.e. Review and if necessary close-out the 76 obligations with remaining balances totaling $991 thousand that were forwarded by the Office of Housing Assistance and Grants Administration. With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with PIH: 2.f. For the Office of Public Housing Investment grants, i) Close out the 34 predevelopment grants and recapture $24 million in unpaid obligations in LOCCS; and ii) Perform a review of the 170 grants coded PDEV, LBAC, and COMP and any other grants not subject to or obligated before the Quality Housing Work and Responsibility Act of 1998 to ensure that the grants were obligated properly and not transferred to LOCCS, correct any inaccuracies, and ensure that the accounting records are complete. 2.g. For the Office of the Chief Financial Officer (in regards to Office of Public Housing Investment grants), i) Perform a $2 million downward and withdrawal adjustment for the unliquidated obligations that are unsupported in the Non PAS Program ledger or provide evidence of the grants for the unpaid obligations; and 75 ii) Perform a $2.3 million downward and withdrawal adjustment for the duplicated grants. 2.h. For the Office of Public Housing Investment grants, i) Improve the PIH and CFO internal control environment to ensure that all grants in appropriation 0304 have a program office responsible for their administration and oversight and periodically conduct reviews of all predevelopment grants; ii) For those low-rent grants without supporting documentation, obtain a statement from the field office directors certifying that no documentation is available to support the obligations as evidence to process the grants’ closeout and recapture; and iii) Improve the open obligation review process by including all PIH programs in the open obligation review and include quality control testing in the obligation reviews performed by the program offices. 2.i. For the Section 8 Housing Choice Voucher tenant-based program, i) Develop formal written procedures to review the program obligations; ii) Deobligate $18.3 million in expired contracts; and iii) Include the Section 8 tenant-based program obligations in the departmental open obligation review process. With respect to the significant deficiency that CPD needs to improve its oversight of grantees, we recommend that CPD: 3.a. Consult with OCFO to determine whether the implementation of "true-FIFO" complies with the Federal financial accounting standards and adequate budgetary and internal control requirements over financial reporting. 3.b. Implement a policy to require grantees to include the reason for reopening activities cancelled on the HUD-initiated activity cancellation reports. 3.c. Implement a policy to require CPD field offices to review the HUD-initiated activity cancellation reports for activities that have been cancelled and reopened to follow up and verify the validity of the activity. 3.d. Ensure that field offices have developed and implemented control activities, which are documented and can be periodically tested and monitored by the Office of Field Management, to ensure that the field offices have a system to ensure compliance with the requirements within the biennial risk analysis process Notices for Implementing Risk Analyses (CPD Notice 09-04) for Monitoring Community Planning and Development Grant Programs and the CPD Monitoring Handbook. 3.e. Review information within the GMP system for consistency and completeness and follow up with field offices when information is incomplete or inconsistent among the risk analysis, work plans, and completed monitoring efforts. 76 3.f. Ensure that all required information has been updated and entered into GMP after the due dates for submissions have passed and follow up with field offices that have not entered their information. 3.g. Follow up on information in GMP to ensure that findings which had questioned costs have been repaid and noncompliance and internal control deficiencies have been addressed. 3.h. Develop, document, and implement internal control procedures for OAHP’s review to ensure that grantees comply with the terms of the grant agreement, which require the grantees to perform monitoring procedures. 3.i. Develop, document, and implement internal control procedures for the review and resolution of audit findings identified in the A-133 single audit reports as reported in the FAC, including measures to ensure that all grantees have reported to the FAC. 3.j. Maintain documentation readily available to support OAHP’s compliance with the requirements of OMB Memorandum M-10-14. With respect to the significant deficiency that HUD needs to improve its administrative control of funds, we recommend that OCFO: 4.a Establish and implement procedures to ensure that all program codes that disburse HUD’s funds have complete and approved funds control plans before the funds can be disbursed. 4.b Establish and implement procedures to ensure that the funds control plans are updated to include the new program codes and new appropriation requirements. 4.c Develop and implement a 3-year cycle of funds control compliance reviews for all approved funds control plans by completing the assessments of 1/3 of approved funds control plans each fiscal year. With respect to the significant deficiency that HUD needs to continue improving its oversight and monitoring of subsidy calculations, intermediaries’ performance, and use of Housing Choice Voucher and operating subsidy program funds, we recommend that PIH: 5.a. Conduct remote monitoring and onsite monitoring as necessary to ensure that PHAs have a review process in place to prevent consistency and transcription errors and to ensure that income and allowance amounts used in the rent calculation are correct. 5.b. The Office of Housing report on income discrepancies at the 100 percent threshold level as a supplemental measure; assign staff to review the deceased single-member household and income discrepancy reports at least quarterly and follow up with owners and management agents (O-A) listed on these reports; and include in the contract between HUD and O-As a provision for improper payments that requires O- 77 and resolve in a timely manner income discrepancies, failed identity verifications, and cases of deceased single-member households. 5.c. Request Congress provide an NRA offset amount for program reserves in excess of 6 percent of the PHAs’ annual Budgetary Authority up to the estimated $820 million and provide HUD with legislative authority to annually perform offsets of NRA balances in excess of 6 percent of the PHAs’ Budgetary Authority. 5.d. For the Operating Subsidy, PIH request congressional approval to perform a $1 billion offset or offset the held reserve exceeding 6 months of operating reserves. 5.e. For the Operating Subsidy, PIH should evaluate and document the nature of the remaining $890 million of PHA operating subsidies reserve and request congressional approval for an offset if it is determined these funds are excess. With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in coordination with the appropriate program offices: 6.a Amend the current ADA case processing timelines policy to establish a timeframe for completion of review of the preliminary assessment report by the CFO and Deputy CFO. With respect to HUD’s substantial noncompliance with the laws and regulations governing claims of the U.S. Government, we recommend that the Office of Housing: 7.a. Draft and issue guidance regarding collection procedures for delinquent Flexible Subsidy loans and ensure the policy is communicated to each applicable project manager and implemented after issuance. With respect to ―Other Matters‖ that HUD did not obligate all of the funds appropriated for the Emergency Homeowners’ Loan Program, we recommend that the CFO: 8.a Determine the amount of funds needed to cover future administrative costs and possible upward adjustments of obligations to current EHLP beneficiaries. 8.b Seek the authority from Congress to return to the U.S. Treasury up to $471.8 million in funds not needed for potential upward adjustments to current loan obligations and future administrative costs for the existing program. 78 Unimplemented Recommendations From Prior Years’ Reports Not included in the recommendations listed above are recommendations from prior years’ reports on HUD’s financial statements that have not been fully implemented based on the status reported in ARCATS. HUD should continue to track these under the prior years’ report numbers in accordance with departmental procedures. Each of these open recommendations and its status is shown below. Where appropriate, we have updated the prior recommendations to reflect changes in emphasis resulting from recent work or management decisions. OIG Report Number 2011-FO-0003 (Fiscal Year 2010 Financial Statements) With respect to the significant deficiency that HUD’s Financial Management Systems Need to Comply with Federal Financial Management System Requirements, we recommend CPD: 1.a. Cease the changes being made to IDIS for the HOME program related to the FIFO rules until the cumulative effect of using FIFO can be quantified on the financial statements. (Final action target date is June 21, 2012; reported in ARCATS as recommendation 1A.) 1.b. Change IDIS so that the budget fiscal year source is identified and attached to each activity from the point of obligation to disbursement. (Final action target date is June 21, 2012; reported in ARCATS as recommendation 1B.) 1.c. Cease the use of FIFO to allocate funds (fund activities) within IDIS and disburse grant payments. Match outlays for activity disbursements to the obligation and budget fiscal source year in which the obligation was incurred and in addition, match the allocation of funds (activity funding) to the budget fiscal year source of the obligation. (Final action target date is June 21, 2012; reported in ARCATS as recommendation 1C.) 1.d. Include as part of the annual CAPER [consolidated annual performance and evaluation report] a reconciliation of HUD’s grant management system, IDIS, to grantee financial accounting records on an individual annual grant basis, not cumulatively, for each annual grant awarded to the grantee. (Final action target date is June 21, 2012; reported in ARCATS as recommendation 1D.) With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the appropriate program offices: 79 2.a. Deobligate the $3.2 million in administrative and program unliquidated obligations that were marked for deobligation. (Final action target date is October 31, 2011; reported in ARCATS as recommendation 2A. 55) 2.b. Promptly perform contract closeout reviews and recapture of invalid obligations. (Final action target date is October 31, 2011; reported in ARCATS as recommendation 2B. 55) 2.c. Review the 510 obligations which were not distributed to the program offices during the open obligations review and deobligate amounts tied to closed or inactive projects, including the $27.5 million we identified during our review as expired or inactive. (Final action target date is October 31, 2011; reported in ARCATS as recommendation 2C. 55) With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that CPD: 2.d. Investigate, through reviewing each individual obligating document and contacting the grantee, the $1.62 billion in obligations, which were originally obligated in 2005 and prior, to obtain the intended use for open obligation amount (commitments, etc.). For those which do not have a specific intended use, CPD should recapture the open obligation amount. Where applicable for non-fixed-year funds, CPD should include the deobligated amounts in next year’s formula allocation. (Final action target date is October 14, 2011; reported in ARCATS as recommendation 2E. 55) 2.e. For grantees which do not comply with program regulations, deobligate the funds related to the noncompliance from the older applicable grant award and not the current available for obligation awards. (Final action target date is June 21, 2012; reported in ARCATS as recommendation 2F.) 2.f. In coordination with the CFO, develop and publish written guidance and policies to establish a benchmark for field directors to use to determine the validity of the open obligation. The guidance should include specific procedures for open obligation amounts, wherein the obligation was made before a specified amount of time, as well as disbursement inactivity beyond a specified amount of time. (Final action target date is October 31, 2011; reported in ARCATS as recommendation 2G. 55) 2.g. In coordination with the CFO, develop procedures to periodically evaluate HUD’s program financial activities and operations to ensure that current accounting policies are sufficient and appropriate and to ensure that they are implemented and operated by program and accounting staff as intended. (Final action target date is October 31, 2011; reported in ARCATS as recommendation 2H. 55) 55 As of the date of this report, this unimplemented recommendation had a corrective action plan that is overdue for completion. OIG has performed audit follow-up activities to determine the status of the corrective action plan and is working with the Department to ensure it is completed and the recommendation is addressed. 80 With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Office of Housing, in coordination with the CFO, 2.h. Implement a long-term financial management strategy and improvement plan to address data and system weaknesses to ensure that information for the Office of Housing’s obligations is kept up to date and accurate. (Final action target date is May 8, 2012; reported in ARCATS as recommendation 2K.) With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with PIH: 2.i. Coordinate a review and close out each of the 434 PIH low-rent grants in PAS subsidiary and determine the status of any other grants included in the OIG audit report SF-1997-107-0001 that remain open. (Final action target date is June 30, 2012; reported in ARCATS as recommendation 2L.) 2.j. After reviewing and closing out these 434 PIH low-rent grants, determine whether there are any overpayments that need to be recovered from any housing authority grants that were overpaid. (Final action target date is June 30, 2012; reported in ARCATS as recommendation 2M.) 2.k. Recapture the full amount of obligations from these 434 PIH low-rent grants totaling $174 million and return to the U.S. Treasury the total balance of budgetary resources from invalid grants. (Final action target date is June 30, 2012; reported in ARCATS as recommendation 2N.) 2.l. Update its funds control plans, adding procedures to ensure that any unexpended obligation portfolios are excluded from the open obligation review and for accurately documenting the entire accounting process and responsibilities. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 2O.) 2.m. Develop procedures to periodically evaluate HUD’s program financial activities and operations to ensure that current accounting policies are sufficient and appropriate and to ensure that they are properly carried out by the program and accounting staff. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 2Q.) With respect to the significant deficiency that CPD needs to improve its oversight of grantees, we recommend that CPD: 3.a. Review the status of each of its homeless assistance contracts that make up the $97.8 million OIG identified as excess funding and recapture excess funds for expired 81 contracts, which have not been granted extensions. (Final action target date is February 2, 2012; reported in ARCATS as recommendation 4A.) 3.b. Implement the guidance as instructed in the new HOME FACTS regarding activities that are over 12 months old with no funds disbursed; these activities will be automatically cancelled by HUD and the funds uncommitted. (Final action target date is May 31, 2011; reported in ARCATS as recommendation 4D. 55) 3.c. Establish internal control procedures or internal regulations that require field offices to perform follow-up measures for participating jurisdictions (PJ) with slow-moving projects on an annual basis, including contacting the PJs and requiring the PJs to respond with an action plan for disbursing the unused funds on slow-moving projects. (Final action target date is February 29, 2012; reported in ARCATS as recommendation 4E.) 3.d. Investigate the progress of the 350 stalled activities with funding dates 2005 and prior wherein the percentage of amounts drawn on the activity was 50 percent or less with a remaining undrawn amount $27.5 million and recapture those amounts in which the activity can be cancelled. (Final action target date is October 14, 2011; reported in ARCATS as recommendation 4F. 55) With respect to the significant deficiency that HUD needs to improve its administrative control of funds, we recommend that OCFO: 4.a Enhance the low-rent funds control plans to verify that the legislation changes are incorporated; ensure that the accounting treatment and policies employed are appropriate; and include the OCFO accounting and reporting staff in the review of the classification, disclosure, and presentation of programmatic accounting information. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 5A.) 4.b Establish and implement procedures to ensure accuracy and completeness of ARRA funds control plans. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 5B.) 4.c Conduct periodic reviews of the program offices’ compliance with requirements of the funds control plans. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 5D.) With respect to the significant deficiency that HUD needs to improve its administrative control of funds, we recommend that OCFO, in coordination with the appropriate program offices: 4.d Develop and implement funds control plans for any program found to be without an up-to-date funds control plan. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 5J.) 82 With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in coordination with the appropriate program offices: 5.a Complete required steps on the six known potential ADA issues and report those determined to be violations immediately to the President, Congress, and GAO as required by 31 U.S.C., and OMB Circular A-11. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 6A.) 5.b Investigate the potential ADA violation and other interagency agreements that were similarly executed. If the investigation determines that an ADA violation occurred, immediately report it to the President, Congress, and GAO as required by 31 U.S.C., and OMB Circular A-11. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 6B.) 5.c Develop or. where appropriate. modify and implement measures to prevent future potential ADA violations resulting from contracts funded over multiple fiscal years. (Final action target date is December 30, 2011; reported in ARCATS as recommendation 6C.) With respect to HUD’s noncompliance with the laws and regulations governing claims of the U.S. Government, we recommend that the Office of Housing: 6.a Finalize and issue the draft notice regarding collection procedures for delinquent Section 202 loans. (Final action target date is September 25, 2011; reported in ARCATS as recommendation 7A. 55) 6.b After issuance of the notice, ensure that the policy is effectively communicated to each applicable project manager and hub director nationwide. (Final action target date is September 25, 2011; reported in ARCATS as recommendation 7B.55) 6.c Ensure adherence to the notice by establishing internal controls to record activities to collect on delinquent loans. (Final action target date is October 14, 2011; reported in ARCATS as recommendation 7C. 55) With respect to HUD’s noncompliance with the laws and regulations governing claims of the U.S. Government, we recommend that the CFO: 6.d Activate the delinquent debt reporting functionality to enable NLS to report HUD’s delinquent debt to credit bureaus and CAIVRS. (Final action target date is March 15, 2012; reported in ARCATS as recommendation 7D.) 6.e Establish criteria to determine what delinquent debt should be subject to reporting. (Final action target date is March 15, 2012; reported in ARCATS as recommendation 7E.) 6.f Based on the criteria established, identify delinquent debts and report those to credit 83 bureaus and CAIVRS as required. (Final section target date is March 15, 2012; reported in ARCATS as recommendation 7F.) OIG Report Number 2010-FO-0003 (Fiscal Year 2009 Financial Statements) With respect to the significant deficiency that the CPD needs to improve its oversight of grantees, we recommend that CPD: 7.a Determine whether the $24.7 million in unexpended funds for the HOME program from fiscal years 2001 and earlier that are not spent in a timely manner should be recaptured and reallocated in next year’s formula allocation. (Final action target date is April 1, 2011; reported in ARCATS as recommendation 1E. 55) 7.b Develop a policy for the HOME program that would track expenditure deadlines for funds reserved and committed to community housing development organizations and subgrantees separately. (Final action target date is September 30, 2011; reported in ARCATS as recommendation 1F. 55) With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the appropriate program offices: 8.a Deobligate the $8.8 million in administrative and program unliquidated obligations that were marked for deobligation. (Final action target date is March 11, 2011; reported in ARCATS as recommendation 3A. 55) 8.b Promptly perform contract closeout reviews and recapture of invalid obligations. (Final action target date is March 11, 2011; reported in ARCATS as recommendation 3B. 55) With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in coordination with the appropriate program offices: 9.a Complete the investigations and determine whether ADA violations have occurred and if an ADA violation has occurred, immediately report to the President, Congress, and GAO. (Final action target date is March 11, 2011; reported in ARCATS as recommendation 5A. 55) 9.b Report the six ADA violations immediately to the President, Congress, and GAO as required by 31 U.S.C. and OMB Circular A-11, upon receiving OCFO legal staff concurrence with the investigation results. (Final action target date is March 16, 2011; reported in ARCATS as recommendation 5B. 55) 84 Appendix C Federal Financial Management Improvement Act Noncompliance, Responsible Program Offices, and Recommended Remedial Actions This appendix provides details required under FFMIA reporting requirements. To meet those requirements, we performed tests of compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially comply with requirements. The details for our basis of reporting substantial noncompliance, responsible parties, primary causes, and HUD’s intended remedial actions are included in the following sections. Federal Financial Management Systems Requirements 1. HUD’s annual assurance statement, issued pursuant to Section 4 of the Financial Manager’s Integrity Act, will report three nonconforming systems.56 The organizations responsible for systems that were found not to comply with the requirements of OMB Circular A-127 based on HUD’s assessments are as follows: Responsible office Number of systems Nonconforming systems Office of Housing 18 0 Office of the Chief Financial Officer 14 0 Office of Chief Human Capital Officer 1 1 Office of the Chief Procurement Officer 0 2 Office of Community Planning and Development 3 0 Office of Public and Indian Housing 1 0 Government National Mortgage Association 1 0 Totals 38 3 In fiscal year 2010 OIG reported that C04 – Integrated Disbursement & Information System (IDIS) was noncompliant with the requirements of OMB Circular A-12757. Additionally, OIG has determined that CPD’s financial management systems did not meet the computer system requirements of OMB A-12758. 56 The three nonconforming systems are (1) A35-HUD Procurement System, (2) P035-Small Purchase System, and (3) D67A-Facilities Integrated Resources Management System, 57 2011-FO-0003, Additional Details to Supplement Our Report on HUD’s fiscal years 2010 and 2009 Financial Statements, Significant Deficiency 1: HUD Financial Management Systems Do Not Comply with the Federal Financial Management Improvement Act (FFMIA) of 1996. 58 Significant Deficiency1: HUD Financial Management Systems Do Not Fully Comply With Federal Financial Management System Requirements – ―CPD’s Grants Management Systems are Not Compliant with Federal Financial System Requirements‖. 85 The following section outlines HUD’s plan to correct noncompliance with OMB Circular A-127 as submitted to us as of September 30, 2011, and unedited by us. 86 OFFICE OF THE CHIEF PROCURMENT OFFICER REMEDIATION PLAN AS of 08/05/2011 A35 HUD Procurement Systems (HPS) P035 Small Purchase System (SPS) Noncompliance Issue(s) Tasks/Steps Target Actual (including Milestones) Completion Completion Dates Dates INTERNAL CONTROLS Intermediate Resolution Plan 1. HUD’s Procurement 1A Review transactions of the four contracting officers Systems Do Not Have who input records in excess of their contract Adequate Controls for authority and take actions as appropriate. Monitoring the OCPO researched the transactions in question to 12/23/2006 12/14/2006 Procurement Process determine if the obligations were appropriate or not. OCPO determined that the transactions were 3/31/2007 12/14/2006 properly executed by contracting officers acting within their authority. No further action is necessary. 1B Implement system controls to ensure that contracting officers are not able to exceed their procurement authority. The OCPO will implement procurement authority 3/31/2007 4/25/07 control procedures. The OCPO will include validation of contracting 1/08/2007 1/08/2007 officer authority as part of each Procurement On-Going Management Review. 1C Implement controls to ensure that contracting officers are required to either input or approve all transactions that record funds through the HUDCAPS interfaces. 4/30/2007 4/25/2007 The OCPO will implement procedural controls to require contracting officers to validate transactions in HPS. 1D Modify the systems to make the contracting officer field mandatory. 4/30/2007 6/20/2008 The OCPO will implement procedures for Revised— electronic records, which are recorded in HPS, are 11/30/2008 reviewed to ensure that a Contracting Officer is identified for each record. The OCPO will implement validation of the 1/8/2007 1/08/2007 contracting officer identification as part of each On-Going Procurement Management Review. (See 1B bullet 2 above. Validation of contracting authority is the same as implementation of task) 2. HUD Procurement 2A Ensure that system administration and security 87 Noncompliance Issue(s) Tasks/Steps Target Actual (including Milestones) Completion Completion Dates Dates Systems’ Separation of Duties administration functions are separate Controls Were Bypassed The OCPO will formally appoint separate 4/16/2007 05/01/2007 individuals to act as security administrator and system administrator for each OCPO system and that the individuals will not be performing conflicting duties. 2B Ensure that staff are not assigned conflicting duties, that separate functions are performed by separate individuals, and that the concept of least privilege is applied. OCPO will determine if multiple system profiles are actually a valid requirement on an individual basis in HPS. The goal is to eliminate all unnecessary and redundant profiles in HPS and that the individuals will not be performing conflicting duties. o The OCPO will Identify users with 2/15/2007 12/21/2006 multiple HPS profiles o The OCPO will deactivate 07/31/2007 07/19/2007 unnecessary/redundant profiles NOTE: While we can separate the duties procedurally, the separation cannot be enforced in HPS or SPS without reprogramming. 2C Implement formal policies and procedures to recertify the access granted to users at least annually. The OCPO will develop and implement formal procedures for granting access by using the concept of least privilege to OCPO systems, as well as annual user access reviews by: o Revise system access request forms 1/31/2007 12/31/2006 o Revise process in which user requests 2/28/2007 1/31/2007 system access o Revise procedure in which system 3/31/2007 1/31/2007 access is granted o Develop formal procedure to enforce 06/30/2007 07/18/2007 annual user access review 2D Create and implement routing functionality within the Small Purchase System to allow users to be granted access to more than one office or region. OCPO recommends implementing the following tasks to alleviate the routing issue. OCPO will determine if multiple SPS system profiles are actually a valid requirement on an individual basis. The goal is to eliminate all unnecessary and redundant profiles in SPS. 88 Noncompliance Issue(s) Tasks/Steps Target Actual (including Milestones) Completion Completion Dates Dates o The OCPO will identify users with 2/15/2007 12/21/2006 multiple SPS profiles o The OCPO will restructure the issuing 11/30/2007 12/14/2007 office hierarchy to alleviate the necessity of multiple profiles for a given user. 3. HUD’s Procurement 3A Perform a cost benefit analysis to determine whether Systems Do Not Contain it is more advantageous to modify or replace the Sufficient Financial Data to procurement systems to ensure compliance with Allow It to Effectively Joint Federal Management Improvement Program Manage and Monitor Requirements. Procurement Transactions The OCPO will perform a cost benefit analysis to 05/31/2008 2/12/2008 replace the OCPO systems. 3B Implement functionality to ensure that there is sufficient information within HUD’s procurement systems to support the primary acquisition functions of fund certification, obligation, deobligation, payment, and closeout. Based on the availability of funds, OCPO will replace its systems with COTS software to ensure identified issues with security controls are addressed. Milestones – Not later than Develop Independent Government Estimate 5/4/2007 05/03/2007 Conduct Market Research Source Selection 04/6/2007 04/06/2007 7/31/2010 09/30/2010 Roll-out pilot of production system 10/15/2011 TBD SECURITY CONTROLS 4. The Office of the Chief 4A Obtain the training and or resources necessary to Procurement Officer Did develop or perform compliant (1) information Not Design or Implement system categorization analyses; (2) risk Required Information assessments; (3) security plans; (4) contingency Security Controls plans and tests; (5) monitoring processes, which include applicable Federal Information Processing Standards Publication 200 managerial, operational, and technical information security controls; and (6) evaluations of the managerial, operational, and technical security controls. OCPO will ensure that training or other resources are obtained to develop or perform required managerial, operational, and technical security controls. Update Risk Assessments 12/31/2008 08/31/2007 Update Security Plans 12/31/2008 08/31/2007 12/31/2008 12/13/2007 Update Annual Contingency Plans and Tests On Going Monitoring processes, which includes 09/01/2008 08/29/2008 applicable Federal Information Processing On Going Standards (FIPS) Publication 200 managerial, operational, and technical information 89 Noncompliance Issue(s) Tasks/Steps Target Actual (including Milestones) Completion Completion Dates Dates security controls; and The OCPO continues to work the OCIO to monitor the above mentioned areas on an annual basis through updates to the Contingency plans, Security Plans, and BIA. Evaluations of the managerial, operational, 09/01/2008 08/29/2008 and technical security controls. On Going The OCPO continues to work the OCIO to evaluate the above mentioned areas on an annual basis. 4B Complete the corrective actions for the known open information security vulnerabilities or develop mitigation strategies if new system development is underway. OCPO will ensure it develops mitigation strategies for the known open information security vulnerabilities. Review vulnerabilities 11/30/2008 NOTE: Vulnerability scans were requested Requested an by OCPO 06/09/2010 through OIT and Extension— security office – estimated scan date by 12/31/2009 06/14/2010 – Received the scans on 7/31/2010 09/13/2010 09/13/2010. Working with OITS to analyze the results Develop mitigation strategy NOTE: Upon completion of the scans, 09/13/2010 09/13/2010 mitigating strategies will be developed for See Note On Going known vulnerabilities. Completion time is dependent on the number of vulnerability discovered 4C Designate a manager to assume responsibility for ensuring the Office of the Chief Procurement Officer’s compliance with federal certification and accreditation process requirements and to provide ―continuous monitoring‖ of the office’s information systems security. OCPO will designate a manager responsible for 1/15/2007 03/13/2007 ensuring compliance with information systems security and federal certification and accreditation process. OCPO will work with OCIO to define roles and responsibilities and to ensure that appropriate 2/1/2007 2/1/2007 90 Noncompliance Issue(s) Tasks/Steps Target Actual (including Milestones) Completion Completion Dates Dates resources are provided to perform required monitoring and certification and accreditation. 4D Reevaluate the HUD Procurement System and Small Purchase System application systems’ security categorization in light of Office of Management and Budget guidance on personally identifiable information. OCPO will reevaluate the HUD Procurement 8/31/2007 8/31/2007 System and Small Purchase System application systems’ security categorization in light of Office of Management and Budget guidance on personal identifiable information. 4E Perform a business impact analysis for the procurement systems. Based on the results of the impact analysis, determine what actions HUD can take to limit the amount of time needed to recover from the various levels of contingencies that can occur and include the determined actions in the contingency plans for the systems. OCPO will develop a business impact analysis for the procurement systems and revise the contingency plan based on the BIA. Develop business impact analyses 4/30/2007 06/06/2007 Incorporate BIA into contingency plans 9/30/2007 12/13/2007 5A Implement the HUD Integrated Acquisition Management System (HIAMS) Complete Requirements Document 06/26/2009 07/15/2009 Complete Statement of Work 06/26/2009 07/15/2009 Re-Issue RFI to receive comments on SOW and 12/18/2009 12/18/2009 requirements Review comments from RFI and update SOW 01/31/2010 01/31/2010 and requirements Issue solicitation 02/01/2010 05/31/2010 06/02/2010 Purchase software 07/31/2010 09/30/2010 09/27/2010 Configuration of software 12/31/2010 07/29/2011 Configuration of the software has begun. 07/08/2011 The complete configuration will be completed by October 2011 (FY 2012) Testing/Training/Implementation 10/28/2011 91 OFFICE OF THE CHIEF HUMAN CAPITAL OFFICER REMEDIATION PLAN AS of 09/30/2011 D67A Facilities Integrated Resources Management System (FIRMS) Noncompliance Issue(s) Tasks/Steps Target Actual (including Milestones) Completion Completion Dates Dates INTERNAL CONTROLS OIG Audit Report #: 2010- 1A. Work with the Office of the Chief Information Officer 1/31/2011 Completed F0-0004 to develop and implement a system that would allow 1/31/2011 Review of HUD's Property OFMS to identify when equipment is purchased. and Equipment, issued 8-17- The Office of the Chief Information Officer had 10 developed and implemented the Automated Bankcard System for tracking government credit Finding: card purchases. This system allows the Property Management Branch (PMB) to view purchases to 1. HUD lacked control over determine accountability status. OCFS currently the acquisition of uses ANSWERS and provides a monthly report accountable equipment to PMB of all government credit card purchases . that are determined accountable. October 2011 1B. Update and reissue the standard operating procedures and HUD handbooks for reporting the purchases and lease (when applicable) of equipment and implement a set of standard operating procedures for users of purchase cards, including procedures for but not limited to notifying OFMS of the purchase and delivery/receipt of accountable and sensitive equipment, so that the items can be recorded and bar coded by OFMS. The SOPs have been updated and distributed to OCPO, OCIO, OCHCO Support Services, and OCFS. As of 3/21/2011 OCPO and OCIO have concurred with the revisions in the SOP and will begin implementation. Comments are forthcoming from OCHCO Support Services and OCFS for review and possible implementation. OIG Audit Report #: 2010- 2A. Coordinate with the Office of the Chief Financial TBD F0-0004 Officer, Office of the Chief Information Officer, and Review of HUD's Property Office of the Chief Procurement Officer to develop and and Equipment, issued 8-17- implement system interfaces, including but not limited to 10 interfaces between FIRMS and the core financial system and the acquisition system. Finding: 2B. Develop and implement a process that can distinguish 2. HUD’s Property between capitalized and expensed equipment in the May 2010 Completed Management System Had May 2010 property management system. Weaknesses 92 OFFICE OF THE COMMUNITY PLANNING AND DEVELOPMENT REMEDIATION PLAN AS of 10/25/2011 Integrated Disbursement and Information System (IDIS) Disaster Recovery and Grant Reporting System (DRGR) Tasks/Steps Target Actual Non-Compliance Issue(s) (including Milestones) Completion Completio Dates n Dates INTERNAL CONTROLS OIG Audit Report #2011-FO-0003, Issued 11/15/2010 OIG Recommendations Intermediate Resolution Plan 1A.Cease the changes being For OIG Recommendations 1A, 1B, 1C, 1D, 2F made to IDIS for the OIG is seeking a formal legal opinion from GAO HOME program related regarding the use of FIFO. Upon CPD’s receipt of to the FIFO rules until GAO’s legal opinion, CPD will begin preparing the cumulative effect of appropriate revised management decisions for the using FIFO can be recommendations and provide these revised proposed quantified on the management decisions to OIG within 60 days of the financial statements. receipt of the opinion. These proposals will include new final action target dates (FATD) to complete any 1B. Change IDIS so that the actions in accordance with the legal opinion or a budget fiscal year source request for concurrent closure, should the is identified and attached Department’s position prevail. to each activity from the point of obligation to CPD will begin preparing appropriate revised disbursement. management decisions for recommendation 1A-D and provide these revised proposed management 1C. Cease the use of FIFO decisions to OIG within 60 days of the receipt of the to allocate funds (fund opinion. activities) within IDIS and disburse grant Planned Timetable: payments. Match outlays OIG submitted their formal request for legal opinion 5/17/11 for activity regarding the use of FIFO - 5/17/11; disbursements to the obligation and budget GAO provides their legal opinion - 7/31/11- Date not 7/31/11 fiscal source year in met; OIG HAS which the obligation was not received incurred, and in addition, a response match the allocation of from GAO. funds (activity funding) to the budget fiscal year CPD provides revised management decisions based 6/21/2012 source of the obligation. on their interpretation of the legal opinion - 6/21/2012. 1D. Include as part of the annual CAPER, a reconciliation of HUD's grant management 93 Tasks/Steps Target Actual Non-Compliance Issue(s) (including Milestones) Completion Completio Dates n Dates system, IDIS, to grantee financial accounting records on an individual annual grant basis, not cumulatively, for each annual grant awarded to the grantee. OIG Audit Report #2011-FO-0003, Issued 11/15/2010 OIG Recommendations For OIG Recommendation 2F 2F. For grantees which do CPD will revisit the issue after GAO issues its not comply with opinion to determine what impact if any that it has on program regulations, de- Grant Reductions. OIG is seeking a formal legal obligate the funds related opinion from GAO regarding the use of FIFO. Upon to the non-compliance CPD’s receipt of GAO’s legal opinion, CPD will from the older applicable begin preparing appropriate revised management grant award and not the decisions for recommendations 1A, 1B, 1C, 1D and current available for 2F and provide these revised proposed management obligation awards. decisions to OIG within 60 days of the receipt of the opinion. These proposals will include new final action target dates (FATD) to complete any actions in accordance with the legal opinion or a request for concurrent closure, should the Department’s position prevail. CPD will begin preparing appropriate revised management decisions for recommendation 1A-D and provide these revised proposed management decisions to OIG within 60 days of the receipt of the opinion. . Planned Timetable: OIG submits their formal request for legal opinion 5/17/11 regarding the use of FIFO - 5/17/11; GAO provides their legal opinion - 7/31/11- Date not 7/31/11 met; OIG HAS not received a response from GAO CPD provides revised management decisions based 6/21/2012 on their interpretation of the legal opinion - 6/21/2012. OIG Audit Report # 2009-DP-0007, Issued 9-30-2009 OIG Recommendations Recommendation 1A 3/26/2010 3/26/2010 1A. Complete Completed establishment of policies and procedures establishment of policies requiring that all access-related requests for HUD and procedures requiring employees be processed through CHAMP. 94 Tasks/Steps Target Actual Non-Compliance Issue(s) (including Milestones) Completion Completio Dates n Dates that all access-related requests for HUD employees be processed through CHAMP 1B. Provide a listing of all Recommendation 1B 3/26/2010 3/26/2010 HUD employees with Provided a listing of all HUD employees with access access to the DRGR to the DRGR application and their access level to the application and their Office of the Chief Information Officer, Office of access level to the Office Information Technology Support Services, for of the Chief Information recording in CHAMP. Officer, Office of Information Technology Support Services, for recording in CHAMP 1C. Establish rules of Recommendation 1C 3/26/2010 8/1/2010 behavior for each type of Electronic acceptance of Rules of Behavior (ROB) DRGR user. Implement in DRGR were included in Release 7.0 deployed policies and procedures September 2, 2010. HUD has implemented a requiring users to standard CIO and/or CPD rules of behavior forms complete and sign the for DRGR as part of this release along with a time rules of behavior form stamp for electronic signature of the ROB. when access is granted Standard rules can be modified by user role, as and annually at needed. Copies of the standard ROB are attached. recertification. 1D.Establish a formal Recommendation 1D Established Prior to Release 3/26/2010 3/26/2010 process for grantee users 7.0, DRGR had a formal process in place that requesting access to the incorporates verifications of each grantee user both application. This by HUD field staff and by the grantee’s own system process should include a administrator by email. DRGR already required requirement that an grantees to submit email requests to CPD field official from the offices for verification and approval. DRGR also applicant’s organization required that grantee system administrators authorize the request and authorize each user’s access to each grant. Under the type of access Release 7.0 deployed Sept. 2, 2010, DRGR now required. requires additional certifications within DRGR based on user roles for new accounts. HUD headquarters DRGR system administrators in CPD will certify CPD field managers. CPD field managers will certify their CPD field staff accounts in DRGR. CPD field staff will certify grantee contacts and grantee system administrators by email and within DRGR. Grantee DRGR administrators will in turn certify other grantee users. Copies of these screens are shown in the attached summary of new functions under Release 7.0. 1E. Implement a formal Recommendation 1E Under Release 7.0 3/26/2010 8/1/2010 user recertification process deployed September 2, 2010, DRGR now requires for all DRGR users. additional semi-annual re-certifications within 95 Tasks/Steps Target Actual Non-Compliance Issue(s) (including Milestones) Completion Completio Dates n Dates DRGR based on user roles for new accounts. HUD headquarters DRGR system administrators in CPD will recertify CPD field managers. CPD field managers will recertify their CPD field staff accounts in DRGR. CPD field staff will recertify grantee contacts and grantee system administrators by email and within DRGR. Grantee DRGR administrators will in turn recertify other grantee users. Each user authorized to certify other users may also decertify users at any time, as needed. Copies of these screens are shown in the attached summary of new functions under Release 7.0. 2A. Work with its Recommendation 2A 3/26/2010 8/1/2010 contractors to update CPD and CIO have been working on updated configuration management configuration and contingency plans as part of its and contingency plans. ongoing system development and management efforts. These plans are done by HUD staff rather than contractors. This effort is targeted to be complete as part of a summer 2010 release in production. All updated plans from Release 6.5.3 are attached. 2B. Work with its Recommendation 2B Work with its contractors 3/26/2010 3/26/2010 contractors to create system to create system and user manuals for the and user manuals for the application. application. 2C. Initiate testing of the Recommendation 2C 3/26/2010 3/26/2010 application contingency CPD and CIO have been working on updated plan, once updated, and configuration and contingency plans as part of its procedures to ensure that ongoing system development efforts. Updated annual testing is completed. documents from Release 6.5.3 are attached. CPD’s System Development and Evaluation Division (SDED) submitted a request in September of 2010 that DRGR be tested as a major system, but no test has been scheduled yet. 2D. Review and revise the Recommendation 2D CPD and CIO have been 3/26/2010 8/1/2010 risk assessment to include working on updated configuration and only controls that are active contingency plans as part of its ongoing system and in place. development efforts. Update of Risk Assessment is scheduled for next release as part of Work Request 2009-003a. Updated documents related to Risk Assessments from Release 6.5.3 are attached. 2E. Review and revise all Recommendation 2EFunctional requirements 3/26/2010 8/1/2010 system documentation to documents discussed during the audit are design ensure that the information documents intended to guide development for is accurate and that only system programmers. HUD will continue to work valid information are 96 Tasks/Steps Target Actual Non-Compliance Issue(s) (including Milestones) Completion Completio Dates n Dates maintained within the with contractors to ensure that official document. documentation for the DRGR system includes only accurate and valid information. CPD and OCIO will continue to require contractors to update functional requirements and other required system documentation as changes are made to the system. CPD and OCIO will continue to review these documents with each new set of enhancements. Updated functional requirement documents from Release 6.5.3 are attached. 2F. Submit the revised Recommendation 2F CPD and CIO have been 3/26/2010 3/26/2010 documentation to the working on updated configuration and authorizing official for use contingency plans as part of its ongoing system in the certification and development efforts. All revised documentation accreditation process. for use in the C & A process was approved by CPD in June of 2010. Updated materials related to Release 6.5.3 are attached. OIG Recommendations Recommendation 3A CPD separated the duties 3/26/2010 3/26/2010 3A. Separate the duties of of security administration and system security administration and administration for the DRGR application. system administration for the DRGR application. 3B. Remove the ability to Recommendation 3B CPD will continue to 3/26/2010 9/15/2010 modify grantee data from restrict HUD accounts that allow edits to grantee HUD staff members that do reporting data using the grantee simulator role. not require it. CPD has enforced DRGR controls that will not permit any HUD super-users to alter any drawdown data under DRGR Release 6.3 deployed in January of 2009. Financial data of this nature can only be directly altered by DRGR grantee users that have been authorized by the grantee and HUD field staff familiar with grantee operations. The ability to edit grantee reporting data on their behalf will remain restricted to a very small number of HUD HQ users in order to provide technical assistance for DRGR data entry problems, as needed. HUD will continue to document any such requests by email and will issue a contractor work request to support the creation of DRGR reports which track all data edits performed using the grantee simulator. A work request, including this item was approved by GSA in August of 2010. Copies are attached. 3C. Take steps to fund the Recommendation 3C CPD Took steps to fund the 3/26/2010 3/26/2010 use of the CPD contractor use of the CPD contractor to perform the help to perform the help desk desk function for the DRGR application. 97 Tasks/Steps Target Actual Non-Compliance Issue(s) (including Milestones) Completion Completio Dates n Dates function for the DRGR application. OIG Recommendations Recommendation 4A CPD and OCIO will work 3/26/2010 8/1/2010 4A. Work with its with contractor (CACI) to ensure computer contractors to ensure that processes, both internal and external to the computer processes, both system, are documented and tested in accordance internal and external to the with NIST 800-53. Updated functional system, are documented requirement documents from Release 6.5.3 are and tested in accordance attached. with NIST SP 800-53, which is incorporated in HUD policy (HUD Handbook 2400.25, REV- 2). 4B. Work with its Recommendation 4B CPD and CIO will continue to 3/26/2010 8/1/2010 contractors to ensure that work with contractors to ensure that official tests of drawdown controls documentation for the DRGR system includes only and transaction processing accurate and valid information. Updated reports are performed as functional requirement documents from Release stated in the functional 6.5.3 are attached. requirements documentation or if other controls are used, removes stated controls not in use from system documentation. 98 Appendix D SCHEDULE OF FUNDS TO BE PUT TO BETTER USE Recommendation Funds to be put number to better use 1/ 2.a. $1.7M 2.b. $32M 2.d. $3.8M 2.e. $0.9M 2.f. $24M 2.i. $18.3M 5.c. $820M 5.d. $1B 7.b. $471.8M 1/ Recommendations that funds be put to better use are estimates of amounts that could be used more efficiently if an OIG recommendation is implemented. These amounts include reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in preaward reviews, and any other savings that are specifically identified. 99 Appendix E AUDITEE COMMENTS 100 101 102 Appendix F OIG Evaluation of Agency Comments HUD’s management generally disagrees with our presentation of the findings in this report. While management only provided formal comments on 3 of the 7 Significant Deficiencies, they non concurred on the significant deficiencies related to the noncompliance of financial management systems with FFMIA; oversight and monitoring of subsidy calculations and the use of HCVP and Operating Subsidy program funds; the need to improve administrative control of funds. HUD was in general agreement with our presentation of the findings related to the need to improve information security. In regards to HUD management’s formal comments: Emergency Home Loan Program HUD disagreement with our reporting of the Emergency Home Loan Program relates to the return of $472 million of unobligated funds. Due to delays in establishing the EHLP, HUD only obligated $528 million of the $1 billion appropriated for the EHLP. The Dodd-Frank Act specified a time period, October 1, 2010 to September 30, 2011 when emergency mortgage relief payments could be obligated. Under current law, no additional loans can be made and additional obligations can only be made for increases to existing loan amounts and administrative costs. Therefore, HUD has no legal basis for retaining the remaining unobligated funds beyond the stated needs We are recommending that HUD seek the authority from Congress to return to the U.S. Treasury up to $472 million in funds not needed for potential upward adjustments to current loan obligations and future administrative costs for the existing program. Federal Financial Management Improvement Act of 1996 HUD’s disagreement on its non compliance with FFMIA has two components, HUD’s entity wide integrated financial management system and CPD formula grant accounting. First, HUD continues to hold their long stated position, that while acknowledging deficiencies, its entity wide integrated financial management system is compliant with FFMIA. HUD agrees that their systems processes can be more efficiently integrated to eliminate the need for existing compensating controls, nevertheless management feels the existing environment is substantially compliant and not at material risk of misreporting. The deficiencies noted in HUD’s financial management systems are due to the current financial system being developed prior to the issuance of current requirements. The system is also technically obsolete, has inefficient multiple batch processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies, HUD’s management systems are unable to routinely produce reliable, useful, and timely financial information. This weakness manifests itself by limiting HUD’s capacity to manage with timely and objective data, and thereby hampers its ability to effectively manage and oversee its major programs. In addition, the Department has not met the minimum set of automated information resource controls relating to Entity-wide Security Program Planning and Management as required by FISMA and OMB Circular A-130 Appendix III. 103 Second, HUD still believes that the CPD’s formula grant programs are compliant and that our FFMIA noncompliance conclusion due to CPD grant accounting departures from U.S.GAAP and weaknesses in internal controls over financial reporting do not fully take into account the nature of block grants. We disagree with their assessment and believe that CPD formula grants need to comply with budgetary controls and Federal financial management requirements related to the matching of outlays to source of funds by appropriation year. We will continue to work with HUD so that they can understand and correct the control deficiencies in their grant management systems as well as remedy the accounting and financial reporting non compliance issues related to CPD formula grants. Erroneous Payments In their response to this report, HUD takes exception to our methodology in calculating this percentage. Our calculation differs from HUD’s because we excluded program expenditures for Moving to Work PHAs not included in the universe for testing (in HUD’s Quality Control (QC) Study and Income Match Study) and administrative fees. We found that HUD calculated the projected gross error using the $32 billion total housing assistance expenditures reported in the fiscal year 2010 financial statements. However, the $32 billion includes $6.2 billion in administrative fees and Moving to Work program subsidies. The $6 billion is approximately the difference between the $32 billion that HUD reported in fiscal year 2010 financial statements and the $26 billion in disbursements that we found to be attributable to the quality control and income match studies. The MTW PHAs transactions were removed from the population before the sample was selected, and they were not part of the population when the error was projected. HUD was aware of their removal from the population. Therefore, their inclusion in the total program payments to calculate the improper payments errors can mislead the readers of HUD’s financial statements. For the administrative expenses, a HUD official justified that these expenses paid to the ―program administrators are an integral part of the program payments.‖ However, the fiscal year 2010 QC study only tested the rental subsidies paid to the tenants; the administrative expenses were not tested for improper payments. The fiscal year 2010 QC study population included ―all projects and tenants.‖ Hence, the population consisted only of units occupied by the tenants. It was the tenant files, selected by the contractor. that were reviewed, and tenants that were interviewed not the administrators of the PHAs and/or owners of administered homes. As a result, because the administrative money paid to the PHA administrators and/or owner administered homes were not tested; the expenses should be excluded from the total program payments. As a result for fiscal year 2011, we are reporting the fiscal year 2010 improper payments projections and errors without comparing the results to the previous years as this year’s result is not comparable to the projections in the prior years. We believe our method and calculations to be valid and accurate. We will continue to work with HUD on this issue. 104 Administrative Control of Funds HUD also did not agree with the categorization of our observation that HUD Needs to Improve Administrative Control of Funds as a significant deficiency. We take exception to HUD’s position that the requirement for documenting controls over funds administration ends at the point of obligation when compliance with the provisions of the Anti Deficiency Act is ensured. Defects in HUD’s design and implementation of the administrative control of funds have been identified and discussed with HUD since fiscal year 2005. Our justification for reporting this issue as a significant deficiency this year was that (1) not all programs that incurred obligations or disbursements had acceptable funds control plans and (2) the funds control plans were not complete, accurate, updated and complied with by the program offices. Additionally, we noticed that funds control plans were not always updated to reflect all program codes and did not always include the correct appropriations. We also noted that the Office of the Chief Financial Officer (OCFO) had not ensured the effective administrative control of funds process as required by HUD’s Policies Handbook 1830.2. Incomplete implementation of administrative control of funds has been a long-standing issue and has been previously reported since fiscal year 2005 in our audit reports and management letters. 105
Additional Details To Supplement Our Report on HUD's Fiscal Years 2011 and 2010 Financial Statements
Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-11-15.
Below is a raw (and likely hideous) rendition of the original report. (PDF)