OFFICE OF AUDIT REGION 4 ATLANTA, GA HUD’s Office of Community Planning and Development, Washington, DC Grant Risk Assessment Procedures 2013-AT-0002 AUGUST 26, 2013 Issue Date: August 26, 2013 Audit Report Number: 2013-AT-0002 TO: Frances Bush, Deputy Assistant Secretary for Operations, DO Yolanda Chavez, Deputy Assistant Secretary for Grant Programs, DG Ann Oliva, Deputy Assistant Secretary for Special Needs, DN FROM: Nikita N. Irons, Regional Inspector General for Audit, Atlanta Region, 4AGA SUBJECT: HUD’s Office of Community Planning and Development Had Established and Implemented a Risk Assessment Process Adequate for Evaluating Grants Administered or Carried Out by Subrecipients Attached are the U.S. Department of Housing and Urban Development (HUD), Office of Inspector General (OIG), final results of our review of HUD’s Office of Community Planning and Development’s grant risk assessment procedures. HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on recommended corrective actions. For each recommendation without a management decision, please respond and provide status reports in accordance with the HUD Handbook. Please furnish us copies of any correspondence or directives issued because of the audit. The Inspector General Act, Title 5 United States Code, section 8L, requires that OIG post its publicly available reports on the OIG Web site. Accordingly, this report will be posted at http://www.hudoig.gov. If you have any questions or comments about this report, please do not hesitate to call me at 404-331-3369. Date of Issuance: August 26, 2013 HUD’s Office of Community Planning and Development Had Established and Implemented a Risk Assessment Process Adequate for Evaluating Grants Administered or Carried Out by Subrecipients Highlights Audit Report 2013-AT-0002 What We Audited and Why What We Found We reviewed the U.S. Department of CPD had established and implemented an adequate Housing and Urban Development’s risk assessment process for developing monitoring (HUD) Office of Community Planning strategies for grants administered or carried out by and Development’s (CPD) risk subrecipients. From 2008 to 2012, HUD OIG issued assessment procedures as they relate to 44 CPD reports with subrecipient deficiencies showing subrecipient involvement in CPD $104 million in questioned costs or funds that could programs. We initiated the audit due to have been put to better use. During this period, CPD observations by HUD Office of had continuously reevaluated its overall risk Inspector General (OIG) auditors of assessment process. It had increased efforts to identify frequent subrecipient-related findings in subrecipient-related issues by revising the risk factors CPD external audits. Our objective was specific to subrecipient involvement in its grants. The to determine whether CPD’s risk actions that CPD took, as well as additional planned assessments were adequate for actions, should result in improved identification and evaluating grants administered or monitoring of the grants most susceptible to waste, carried out by subrecipients. fraud, abuse, and mismanagement. What We Recommend Our audit identified no reportable deficiencies; therefore, there are no recommendations. TABLE OF CONTENTS Background and Objective 3 Results of Audit CPD Had Established and Implemented an Adequate Risk Assessment Process for Grants With Subrecipient Involvement 4 Scope and Methodology 7 Internal Controls 8 Appendixes A. 2008-2012 HUD OIG Reports With Subrecipient Issues 9 B. Auditee Comments 13 2 BACKGROUND AND OBJECTIVE The U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development (CPD) periodically issues a notice providing a methodology for conducting risk analyses for formula and competitive grantees and establishes monitoring priorities within available resources. For fiscal years 2012 and 2013, CPD issued Notice 12-12 (Implementing Risk Analyses for Monitoring Community Planning and Development Grant Programs in FY 2012 and 2013). This risk analysis process was incorporated into CPD’s Grants Management Process system, a computer-based information system that is used to provide a documented record of conclusions and results. The notices are intended to augment the departmental policy contained in HUD Handbook 1840.1, REV-3, Departmental Management Control Program Handbook, which requires the development of risk-based rating systems for all programs and is incorporated into Handbook 6509.2, REV-6, Community Planning and Development Monitoring Handbook. The major steps for implementing risk-based monitoring include • Developing risk-based rating systems for program grantees, • Rating and selecting grantees for monitoring, • Identifying program risks and setting monitoring objectives, and • Documenting the process and recording the rationale for choosing grantees. Each CPD field office is responsible for developing monitoring strategies and an office work plan encompassing grantees and programs to be monitored during the fiscal year. Headquarters establishes the completion dates for risk analyses and work plans each fiscal year. The purpose of a monitoring strategy is to define the scope and focus of the monitoring efforts, including establishing a framework for determining the appropriate level of monitoring for CPD grantees consistent within available resources. The work plan documents the field office decisions regarding where to apply staff and travel resources for monitoring, training, and technical assistance. The risk analysis process is intended to provide the information needed for CPD to effectively target its resources to grantees that pose the greatest risk to the integrity of CPD programs, including identification of the grantees to be monitored onsite and remotely, the program areas to be covered, and the depth of the review. The selection process should result in identifying those grantees and activities that represent the greatest vulnerability to fraud, waste, and mismanagement. We initiated the audit due to observations by HUD Office of Inspector General (OIG) auditors of frequent subrecipient-related findings in CPD external audits. Our objective was to determine whether CPD’s risk assessments were adequate for evaluating grants administered or carried out by subrecipients. 3 RESULTS OF AUDIT CPD Had Established and Implemented an Adequate Risk Assessment Process for Grants With Subrecipient Involvement CPD had established and implemented an adequate risk assessment process for developing monitoring strategies for grants administered or carried out by subrecipients. From 2008 to 2012, HUD OIG issued 44 CPD reports with subrecipient deficiencies showing $104 million in questioned costs or funds that could have been put to better use. During this period, CPD had continuously reevaluated its overall risk assessment process. It had increased efforts to identify subrecipient-related issues by revising the risk factors specific to subrecipient involvement in its grants. The actions that CPD took, as well as additional planned actions, should result in improved identification and monitoring of the grants most susceptible to waste, fraud, abuse, and mismanagement. Previously Issued Reports With Subrecipient Deficiencies Were Reviewed In an effort to better understand the types of risks presented by subrecipient involvement in CPD’s grant programs, we reviewed previously issued HUD OIG audit reports with findings due to either subrecipient actions or inadequate subrecipient monitoring by grantees. We reviewed 44 audit reports issued from 2008 through 2012 and summarized the most frequently occurring findings. The reports included $104 million in questioned costs or funds that could have been put to better use. A list of the 44 reports is included in appendix A of this report. The most commonly occurring HUD OIG findings related to subrecipient actions were • Grantee or subrecipient failed to maintain adequate support documentation (39); • Grantee did not adequately monitor subrecipient or adequately document monitoring (38); • Subrecipient used program funds for ineligible costs or participants (22); • Subrecipient lacked controls to properly identify eligible program participants (9); • Program income was incorrectly identified, reported, or classified (6); • Grantee awarded funds to ineligible subrecipients, failed to enter into a subrecipient agreement, or had inadequate subrecipient agreement (5); • Grantee did not provide adequate training or guidance to subrecipient (4); • Grantee could not support that program met a national objective (3); and 4 • Grantee or subrecipients failed to follow procurement requirements (2). CPD Had Established an Adequate Risk Assessment Process CPD had long been aware of the increased risk inherent in grants with subrecipient involvement. During our review period, HUD OIG audit reports and the results of CPD’s own monitoring reviews caused both CPD’s headquarters and field staff to have increased concern with the additional risk posed when subrecipients administered or carried out grant programs. As a result, CPD continually reevaluated its process and increased scores for applicable risk assessment factors. It more heavily weighted subrecipient involvement, thereby increasing the likelihood that the process would identify such grantees for monitoring. We reviewed risk assessment guidance CPD published for use in years 2008 to 2013 and identified specific risk factors for subrecipient involvement in CPD’s programs. CPD typically issued revised risk assessment guidance notices every 2 years. When a new risk notice was due, CPD staff reviewed existing guidance and made changes designed to improve the process. The changes documented in CPD’s risk assessment guidance from notice to notice supported a pattern of continual reevaluation of the risk factors and supported HUD’s increased focus on the risks presented by subrecipients. We found the latest individual risk factors to be adequate for evaluating the additional risk posed by subrecipient involvement in the grant programs. In addition to assessing the risk assessment guidance and individual risk factors, we reviewed actual risk assessments that CPD performed on a sample of nine grantees that we selected from nine separate field offices for compliance with applicable guidance. While we found minor instances in which staff had incorrectly assigned scores for specific risk factors, none of the instances would have affected the scores by a large enough margin to change the overall grantee risk rating. In addition to continuing its practice of reevaluating guidance and risk factors applicable to subrecipients, CPD planned to change its grant reporting system from a legacy-based platform to a new Web-based platform for fiscal year 2015. One goal of the new system was to further streamline and improve the risk assessment process. CPD planned to issue a new risk notice applicable for use with the new system and withdraw old program notices at that time. 5 Conclusion CPD had established and implemented an adequate risk assessment process for developing monitoring strategies for grants administered or carried out by subrecipients. It had continuously reevaluated the risk assessment process and increased its efforts to identify subrecipient-related issues by revising the risk factors specific to subrecipient involvement when necessary. While there are no formal recommendations included in this report, we encourage CPD to continue its focus on the risks of subrecipient involvement as it develops and designs its new grant reporting system and the accompanying risk notices applicable to the new system. Recommendations Our audit identified no reportable deficiencies; therefore, there are no recommendations. 6 SCOPE AND METHODOLOGY We performed our fieldwork between February 2013 and April 2013 at HUD headquarters and our offices in Knoxville, TN. Our audit generally covered the period January 2008 through December 2012. To accomplish our audit objective, we • Contacted CPD staff to obtain an understanding of the controls related to the audit objective and the controls significant to the audit objective. • Reviewed applicable criteria: HUD Handbooks 1840.1, REV-3, and 6509.2, REV-6, and HUD CPD’s policy and procedures for performing grant risk assessments, specifically CPD Notice CPD-07-07 and later notices. • Reviewed applicable risk assessment guidance from HUD for our audit period to identify risk factors in existence, evaluate whether they were adequate, and determine changes in HUD’s scoring or approach to subrecipient involvement in CPD grants between notices. • Identified and reviewed 44 previously issued HUD OIG audit reports (2008-2012) with findings due to subrecipient actions or the grantees’ inadequate monitoring of subrecipients. We summarized the information from these reports to identify common findings for inclusion in our report. • Selected 9 CPD grantees (each from a different region) from our 44 previously issued HUD OIG reports. For each grantee, we reviewed HUD’s risk assessment for compliance with applicable risk assessment guidance. • Reviewed the following reports related to CPD risk assessment procedures: o HUD OIG report 2010-BO-0002: HUD’s Office of Community Planning and Development Had Established and Implemented an Appropriate Risk Assessment Process, o HUD Office of Policy Development and Research: Risk Based Monitoring of CPD Formula Grants, and o The Cloudburst Group: CPD Monitoring NCR Project # NP8620101015. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 7 INTERNAL CONTROLS Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to • Effectiveness and efficiency of operations, • Reliability of financial reporting, and • Compliance with applicable laws and regulations. Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined that the following internal controls were relevant to our audit objective: • Policies and procedures that management has implemented to ensure that the risk attributable to subrecipient participation in CPD programs is adequately evaluated by CPD’s risk assessment process. We assessed the relevant controls identified above. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis. Significant Deficiencies We evaluated internal controls related to the audit objective in accordance with generally accepted government auditing standards. Our evaluation of internal controls was not designed to provide assurance regarding the effectiveness of the internal control structure as a whole. Accordingly, we do not express an opinion on the effectiveness of CPD’s internal control. 8 APPENDIXES Appendix A 2008-2012 HUD OIG REPORTS WITH SUBRECIPIENT ISSUES Item Audit report Report date Report title Grant program number 1 2011-AT-1019 9/28/2011 The Alabama Department of Economic and HPRP* - ARRA** Community Affairs, Montgomery, AL, Used Homelessness Prevention and Rapid Re-Housing Program Funds for Ineligible and Unsupported Purposes 2 2010-AT-1004 5/17/2010 Mobile Housing Board, Mobile, AL, Used HOME HOME*** Investment Partnerships Program Funds for Ineligible and Unsupported Costs for Its HOPE VI Redevelopment 3 2010-LA-1010 5/7/2010 Arizona Department of Housing’s Administration HPRP - ARRA of Its Recovery Act Grant: Homelessness Prevention and Rapid Re-Housing Program 4 2011-LA-1016 8/18/2011 The City of Compton Did Not Administer Its HOME HOME Program in Compliance With HOME Requirements 5 2011-LA-1010 5/17/2011 People Assisting the Homeless, Los Angeles, CA, HPRP - ARRA Did Not Always Ensure That Homelessness Prevention and Rapid Re-Housing Funds Were Used To Assist Eligible and Supported Participants 6 2011-LA-1009 4/6/2011 Special Services for Groups, Los Angeles, CA, HPRP - ARRA Approved Homelessness Prevention and Rapid Re-Housing Program Assistance for Unsupported and Ineligible Participants 7 2010-LA-1003 12/4/2009 City of Los Angeles’ Community Development CDBG**** Department, Los Angeles, California, Projects Did Not Comply with Community Development Block Grant Program Requirements 8 2010-LA-1001 10/28/2009 City of Los Angeles Housing Department, Los HOME Angeles, California, Did Not Ensure That the NoHo Commons Housing Development Met HOME Program Requirements 9 2009-LA-1011 7/1/2009 City of Los Angeles Housing Department, Los HOME Angeles, California, Did Not Ensure That the Buckingham Place Project Met HOME Program Requirements 10 2009-DE-1005 9/17/2009 Adams County, Colorado, Did Not Have Adequate CDBG 9 Item Audit report Report date Report title Grant program number Controls over Its Block Grant Funds 11 2009-DE-1001 2/11/2009 The Adams County, Colorado, Did Not Comply HOME with HOME Investment Partnerships Program Regulations 12 2008-DE-1003 9/23/2008 The State of Colorado Did Not Comply with CDBG Community Development Block Grant Program Requirements 13 2008-AT-1003 12/26/2007 The City of Jacksonville, FL Lacked Proper CDBG Support for Some Subrecipient Purchases and Expenditures 14 2008-CH-1004 4/7/2008 City of Muncie, Indiana Lacked Adequate HOME Controls over Its HOME Investment Partnerships Program 15 2010-AO-1002 1/4/2010 State of Louisiana, Baton Rouge, LA, Did Not CDBG - Disaster Always Ensure Compliance Under Its Recovery Recovery Workforce Training Program 16 2009-AO-1003 9/23/2009 Louisiana Land Trust, as the State of Louisiana’s CDBG - Disaster Subrecipient, Did Not Always Ensure That Recovery Properties Were Properly Maintained 17 2010-BO-1002 11/23/2009 The City of Holyoke, Massachusetts, Office of CDBG Community Development, Needs to Improve Its Administration of HOME- and CDBG-Funded Housing Programs 18 2011-CH-1001 10/13/2010 The City of Flint, MI, Lacked Adequate Controls HOME Over Its HOME Program Regarding Community Housing Development Organizations’ Home- Buyer Projects, Subrecipients’ Activities, and Reporting Accomplishments in HUD’s System 19 2012-PH-1006 3/14/2012 Gloucester Township, NJ, Did Not Always CDBG - ARRA Administer Its Community Development Block Grant Recovery Act Funds According to Applicable Requirements 20 2012-NY-1005 1/27/2012 The City of Newark, NJ, Had Weaknesses in the HPRP - ARRA Administration of Its Homelessness Prevention and Rapid Re-Housing Program 21 2011-NY-1015 9/20/2011 Weaknesses Existed in Essex County, NJ’s HPRP - ARRA Administration of Its Homelessness Prevention and Rapid Re-Housing Program 22 2011-NY-1002 11/12/2010 The City of Bayonne, NJ, Did Not Adequately CDBG Administer Its Economic Development Program 10 Item Audit report Report date Report title Grant program number 23 2009-NY-1005 12/16/2008 The Township of South Orange Village, New CDBG Jersey, Did Not Always Disburse Community Development Block Grant Funds As Per HUD Requirements 24 2009-NY-1004 12/8/2008 The Economic Development Corporation Did Not CDBG Administer Its Community Development Block Grant Program in Accordance with HUD Requirements 25 2008-NY-1007 5/29/2008 The County of Essex, Verona, NJ, Did Not CDBG Always Administer Its Community Development Block Grant Program in Accordance with HUD Requirements 26 2009-NY-1006 1/26/2009 The City of Rome, New York, Did Not Always CDBG Administer Its Community Development Block Grant Program in Accordance with HUD Requirements 27 2011-NY-1010 4/15/2011 The City of Buffalo Did Not Always Administer CDBG Its Community Development Block Grant Program in Accordance With HUD Requirements 28 2011-NY-1016 9/22/2011 The City of Buffalo, NY, Did Not Always HPRP - ARRA Disburse Homelessness Prevention and Rapid Re- Housing Program Funds in Accordance With Regulations 29 2012-NY-1002 10/18/2011 The City of New York, NY, Charged Questionable HPRP - ARRA Expenditures to Its Homelessness Prevention and Rapid Re-Housing Program 30 2008-FW-1012 8/4/2008 The City of Tulsa, Oklahoma Allowed Its Largest CDBG Subrecipient to Expend $1.5 Million in Unsupported CDBG Funding 31 2011-PH-1006 1/31/2011 The City of Pittsburgh, PA, Can Improve Its CDBG - ARRA Administration of Its Community Development Block Grant Recovery Act Funds 32 2011-PH-1002 11/8/2010 The City of Scranton, PA, Did Not Administer Its CDBG Community Development Block Grant Program in Accordance With HUD Requirements 33 2010-PH-1001 10/2/2009 The City of Altoona, Pennsylvania, Made CDBG Unsupported Community Development Block Grant Payments 34 2011-FW-1013 6/30/2011 The City of Beaumont, TX, Should Strengthen Its HPRP - ARRA Controls Over Its Homelessness Prevention and Rapid Re-Housing Program 11 Item Audit report Report date Report title Grant program number 35 2011-FW-1009 6/2/2011 The City of Houston, TX, Did Not Ensure That Its HPRP - ARRA Homelessness Prevention and Rapid Re-Housing Program Complied With Recovery Act Requirements 36 2009-PH-1007 3/20/2009 The City of Norfolk, Virginia, Did Not Ensure HOME That Program Income Was Returned to Its HOME Program as Required 37 2010-SE-1001 8/31/2010 Washington State Did Not Disburse Its HPRP - ARRA Homelessness Prevention and Rapid Re-Housing Funds in Accordance With Program Requirements 38 2011-AT-1004 1/21/2011 Mecklenburg County, NC, Mismanaged Its Shelter Shelter Plus Care Plus Care Program 39 2011-LA-1001 10/25/2010 The City of Los Angeles Housing Department, HPRP - ARRA Los Angeles, CA, Did Not Always Effectively Administer Its Homelessness Prevention and Rapid Re-Housing Program 40 2009-AT-1005 4/1/2009 The City of Augusta, Georgia, Did Not Comply HOME with HOME Monitoring Requirements 41 2010-AO-1005 8/4/2010 The State of Louisiana’s, Baton Rouge, LA, CDBG - Disaster Subrecipient Did Not Always Meet Agreement Recovery Requirements When Administering Projects Under the Orleans Parish Long Term Community Recovery Program 42 2010-AO-1001 6/22/2010 Mississippi Development Authority, Jackson, CDBG - Disaster Mississippi, Did Not Always Ensure Compliance Recovery under its Public Housing Program 43 2008-AT-1011 08/07/2008 The City of Durham, North Carolina Did Not HOME Comply with HOME Investment Partnerships Requirements 44 2008-NY-1004 3/31/2008 Lower Manhattan Development Corporation, New CDBG - Disaster York, New York, Community Development Block Recovery Grant Disaster Recovery Assistance Funds * Homelessness Prevention and Rapid Re-Housing Program ** American Recovery and Reinvestment Act of 2009 *** HOME Investment Partnerships Program **** Community Development Block Grant 12 Appendix B AUDITEE COMMENTS The Director of the Office of Field Management informed us by telephone that HUD agreed with the draft report and had no written comments to include in the final report. 13
HUD's Office of Community Planning and Development Had Established and Implemented a Risk Assessment Process Adequate for Evaluating Grants Administered or Carried Out by Subrecipients
Published by the Department of Housing and Urban Development, Office of Inspector General on 2013-08-26.
Below is a raw (and likely hideous) rendition of the original report. (PDF)