oversight

CPD's Risk Assessment and Monitoring Program Did Not Provide Effective Oversight of Federal Funds

Published by the Department of Housing and Urban Development, Office of Inspector General on 2018-06-26.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

      Office of Community Planning and
       Development, Washington, DC
   CPD’s Risk Assessment and Monitoring of Its Grantees




Office of Audit, Region 6     Audit Report Number: 2018-FW-0001
Fort Worth, TX                                      June 26, 2018
To:            Lori Michalski, Deputy Assistant Secretary for Operations, DO

               //signed//
From:          Kilah S. White, Regional Inspector General for Audit, 6AGA
Subject:       CPD’s Risk Assessment and Monitoring Program Did Not Provide Effective
               Oversight of Federal Funds


Attached is the U.S. Department of Housing and Urban Development (HUD), Office of Inspector
General’s (OIG) final results of our review of the Office of Community Planning and
Development’s (CPD) risk assessment and monitoring of its grantees.
HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on
recommended corrective actions. For each recommendation without a management decision,
please respond and provide status reports in accordance with the HUD Handbook. Please furnish
us copies of any correspondence or directives issued because of the audit.
The Inspector General Act, Title 5 United States Code, section 8M, requires that OIG post its
publicly available reports on the OIG website. Accordingly, this report will be posted at
http://www.hudoig.gov.
If you have any questions or comments about this report, please do not hesitate to call me at
817-978-9309.
                       Audit Report Number: 2018-FW-0001
                       Date: June 26, 2018

                       CPD’s Risk Assessment and Monitoring Program Did Not Provide Effective
                       Oversight of Federal Funds

Highlights
What We Audited and Why
We audited the U.S. Department of Housing and Urban Development (HUD), Office of
Community Planning and Development’s (CPD) risk assessment and monitoring of its grantees.
We initiated this assignment due to significant findings previously reported, which showed that
CPD did not have effective risk assessment or monitoring of the State Community Development
Block Grant program at either the field office or national level. 1 Accordingly, we examined
other CPD programs, reviewing grantee risk analysis and monitoring performed by field offices
across the Nation. Our objective was to determine whether CPD appropriately assessed
grantees’ risk to the integrity of CPD programs and adequately monitored its grantees.

What We Found
CPD’s risk assessment and monitoring did not provide effective oversight of programs and
grantees. Risk analyses, annual work plans, and monitoring of grantees did not conform to
requirements. These conditions occurred because CPD headquarters did not have effective
supervisory controls and structured the risk assessment and monitoring model so that CPD field
office directors would have substantial responsibility for ensuring the accuracy and effectiveness
of the model. CPD headquarters’ responsibility for the model was limited to the design and
general policy development, along with administrative matters. As a result, CPD did not have
assurance that it correctly assessed grantee risk, prepared accurate work plans, or monitored
grantees in compliance with requirements. Accordingly, CPD could not have confidence
regarding accuracy, validity, or conclusions drawn.

What We Recommend
We recommend that the Deputy Assistant Secretary for Operations require CPD headquarters’
substantive involvement and responsibility for risk assessment and monitoring, to include (1)
oversight of risk assessment, including ensuring all grantees are assessed; (2) review of annual
work plans; (3) evaluation of monitoring performance and findings; (4) institution of functional
supervisory controls; (5) enforcement of field office compliance with requirements; and (6)
establishment of a field office-based multiyear monitoring tracking system allowing assessment
of monitoring findings, resolution, and coverage.




1
    HUD’s Monitoring of State CDBG, 2017-FW-0001, July 10, 2017
Table of Contents
Background and Objective......................................................................................3

Results of Audit ........................................................................................................5
         Finding: CPD’s Risk Assessment and Monitoring Program Did Not Provide
         Effective Oversight of Federal Funds ............................................................................. 5

Scope and Methodology .........................................................................................21

Internal Controls ....................................................................................................23

Followup on Prior Audits ......................................................................................24

Appendixes ..............................................................................................................25
         A. Schedule of Funds To Be Put to Better Use ............................................................ 25

         B. Auditee Comments and OIG’s Evaluation ............................................................. 26




                                                             2
Background and Objective
The U.S. Department of Housing and Urban Development’s (HUD) Office of Community
Planning and Development (CPD) oversees more than 20 major programs with disbursement of
Federal funds to several thousand grantees annually. Annual allocations to CPD programs total
approximately $7 billion. CPD developed a risk analysis and monitoring program to rank
grantees by risk, develop the assessments into a work plan, and monitor the identified grantees.

For fiscal year 2016, CPD awarded one or more formula grants to 1,281 grantees totaling
approximately $4.7 billion. CPD also awarded more than $1.9 billion to approximately 2,524
grantees for fiscal year 2015 competitive grants. The more than $6.6 billion in grants awarded
did not include disaster-related funding, which was budgeted to be an additional $2.3 billion for
fiscal year 2016. See table 1 below.

Table 1: Fiscal year 2016 formula and fiscal year 2015 competitive grants awarded
                                                                  Amount
                                 Program                        (in millions)
              Community Development Block Grant                       $3,014
              HOME Investment Partnerships                                965
              Housing Opportunities for Persons With AIDS                 301
              Emergency Solutions Grant                                   270
              Housing Trust Fund                                          174
              Formula grants total                                      4,724
              Continuum of Care (competitive)                           1,939
              Formula and competitive grants total                      6,663

Under CPD’s risk assessment and monitoring model, grantees are subject to an annual risk
assessment to determine the grantees that will receive monitoring. Field offices use grantee risk
scores to develop annual work plans. 2 The Office of Field Management (OFM) sets field office
annual monitoring goals based on its number of CPD representatives. CPD field office directors
have discretion to monitor 100 percent of grantees in rank order or 70 percent in rank order and
30 percent at their discretion and determine the monitoring composition between formula and
competitive grantees.

During fiscal year 2017, CPD field offices with almost 300 CPD representatives assessed the risk
of approximately 4,300 combined formula and competitive grantees for preparation of annual
work plans and grantee monitoring. OFM established a monitoring goal for the 43 field offices
of 865 grantees for fiscal year 2017. After selecting a grantee for monitoring, CPD defines a
scope to monitor one or more of the grantee’s programs with a focus on certain aspects of the
program(s) under review.


2
    The summary worksheets rate and rank formula and competitive grantees separately.



                                                       3
Monitoring is an integral management control technique and a U.S. Government Accountability
Office (GAO) standard. 3 It includes the activities that management establishes and operates to
assess the quality of performance over time and promptly resolve findings of audits and other
reviews. CPD uses monitoring as the principal means to ensure grantees carry out its programs
efficiently, effectively, and in compliance with applicable laws and regulations. 4 According to
HUD requirements, 5 monitoring is an ongoing process that is risk based and incorporated into the
field office annual work plan. CPD established its risk assessment and monitoring model to
address and correct findings in a 1999 GAO report 6 that placed HUD on the GAO high-risk list.
GAO removed HUD from the high-risk list in 2001 due to actions taken by HUD in relation to
GAO’s recommendations to improve management controls over its CPD programs. 7

Our audit objective was to determine whether CPD appropriately assessed program grantees’ risk
to the integrity of CPD programs and adequately monitored its grantees.




3
    HUD Monitoring Handbook 6509.2, REV-7, chapter 1
4
    Ibid.
5
    Ibid.
6
    GAO, Community Development: Weak Management Controls Compromise Integrity of Four HUD Grant
    Programs, GAO/RCED-99-08 (Washington, DC: April 27, 1999)
7
    GAO, High-Risk Series: An Update, GAO-01-263 (Washington, DC: January 2001)



                                                  4
Results of Audit

Finding: CPD’s Risk Assessment and Monitoring Program Did Not
Provide Effective Oversight of Federal Funds
CPD’s risk assessment and monitoring did not provide effective oversight of programs and
grantees. Risk analyses did not conform to requirements and contained errors and omissions
affecting individual risk factor assessments, resulting in incorrect risk scores. Field office errors
in preparation of annual work plans further compounded the effect of incorrect risk scores,
preventing assurance of correct identification of high-risk grantees. CPD’s monitoring of
grantees did not always support and document conclusions as required. These conditions
occurred because OFM did not have effective supervisory controls to identify and correct
deficiencies and it structured the risk assessment and monitoring model so that the CPD field
office directors would have the substantial responsibility for ensuring the accuracy and
effectiveness of the model. OFM’s responsibility for the model was limited to the design and
general policy development and administrative matters. As a result, CPD did not know whether
it correctly assessed grantee risk, prepared accurate work plans, or monitored in compliance with
requirements. 8

CPD Did Not Monitor Most of Its Grantees
Since 2014, CPD may not have monitored between 62 and 74 percent of its approximate 6,200
grantee programs. While CPD’s fiscal year 2017 risk assessment and monitoring process was
primarily based on fiscal year 2016 formula grant information and fiscal year 2015 competitive
grant information, CPD requirements 9 directed its personnel to complete a risk assessment for all
open grants. As an example, two of the formula grant programs have a 2- and 5-year
expenditure deadline, respectively. 10 Therefore, CPD’s oversight responsibility spanned multiple
fiscal years and was not limited to funding for a specific fiscal year. In addition, CPD’s risk
assessment universe for fiscal year 2017 did not include some grantees, resulting in those
grantees’ omission from the annual work plan. Further limiting the extent of monitoring, CPD
was not required to monitor every grantee program or complete all monitoring exhibits for an
individual program. Due to the extent of grantee programs, funding amounts, limited CPD
resources, and no requirement to monitor every grantee program or complete all monitoring
exhibits for an individual program, this resulted in greater importance on the accuracy of risk
analyses and the effectiveness of monitoring.




8
     For the four CPD field offices sampled, the risk assessment funding universe was $907 million.
9
     Notice CPD-14-04
10
     Emergency Solutions Grant at 24 CFR (Code of Federal Regulations) 576.203(b) and HOME Investment
     Partnerships program at 24 CFR 92.500(d)(1)(iii), respectively




                                                      5
CPD’s Grants Management Process system 11 identified 2,923 formula grantee programs that
could be considered for monitoring. Of those grantee programs, 1,110 had not been monitored
since 2014, and an additional 701 grantee programs did not have a monitoring date within the
data. Whether the blank date signified no monitoring or missing data, combining these totals
showed that CPD may have not monitored almost 62 percent of its formula grantee programs
since 2014. In addition, CPD’s system identified 3,292 competitive grantee programs available
for monitoring. CPD had not monitored 124 grantee programs since 2014, and 2,304 grantee
programs did not have a monitoring date in the system. As a result, CPD may not have
monitored almost 74 percent of its competitive grantee programs since 2014.

In addition to the lack of monitoring, the fiscal year 2017 risk analysis process did not include all
awarded grantee programs. 12 Moreover, one formula-based program 13 was not included in
CPD’s policy to be monitored. As a result, these grantee programs were not available for
potential monitoring. Further, summary and detail data regarding the number of grantees and
grantee programs did not reconcile. These limitations, along with the billions of dollars at risk
each year, increased the need to approriately and effectively assess grantee risk and monitor the
grantees selected. See table 2 below.

Table 2: Overall lack of monitoring since 2014
                                                                        Through             Total
                                                     Blank date          2014             programs
       Formula amounts                                       701             1,110              2,923
       Formula percentages                               23.98%            37.97%             61.96%
       Competitive amounts                                 2,304               124              3,292
       Competitive percentages                           69.99%             3.77%             73.75%

Field Offices Reviewed Had a Similar Lack of Monitoring of Grantees
The lack of monitoring for sampled field offices was similar to the overall percentages in the
above table. The sample included four CPD field offices: Buffalo, NY, Louisville, KY, Miami,
FL, and San Francisco, CA, with total grant awards of approximately $907 million. Table 3
describes the lack of monitoring since 2014 for the sampled field offices for formula and
competitive grants. For both types of grants, the selected CPD field offices may not have
monitored between approximately 45 and 75 percent of their grantees since 2014. See table 3
below.




11
     This system consisted of the Grants Management Process – Reengineered (GMP-R) and the Grants Management
     Process Monitoring Module (GMP-M). GMP-R contained information regarding risk analyses and work plans.
     GMP-M documented the monitoring exhibits.
12
     CPD did not prepare at least 15 risk analyses for formula-based programs (11 HOPWA, 3 ESG, and 1 CDBG).
     In addition, it was not possible to determine whether CPD prepared the correct amount of risk analyses for
     competitive-based programs due to the competitive nature of funding and missing data.
13
     Housing Trust Fund



                                                       6
Table 3: Sample selection of lack of monitoring since 2014
                                                       Through
     Field office       Grant type     Blank date                        Total programs
                                                         2014
                                                18              25                      62
                         Formula
                                           29.03%          40.32%                  69.35%
     Buffalo
                                               101               7                     147
                       Competitive
                                           68.71%           4.76%                  73.47%

                                                   6               5                    24
                           Formula
                                              25.00%          20.83%               45.83%
      Louisville
                                                   16               0                   35
                         Competitive
                                              45.71%            0.00%              45.71%

                                                   19              57                  112
                           Formula
                                              16.96%          50.89%               67.86%
      Miami
                                                   22               3                   35
                         Competitive
                                              62.86%            8.57%              71.43%

                                                   68             121                  255
                           Formula
                                              26.67%          47.45%               74.12%
      San Francisco
                                                  201               8                  274
                         Competitive
                                              73.36%            2.92%              76.28%

Risk Analyses, Annual Work Plans, and Monitoring Exhibits Were Deficient
Field office personnel prepared risk analyses and monitoring exhibits without appropriate
supporting documentation or adequate explanation for the sample of 20 grantees reviewed at 4
field offices, compromising the validity of overall risk scores for individual assessments. The
risk analyses were the basis for the annual work plans that determined which grantees field
offices would monitor. Improperly completed risk analyses negatively impacted the annual work
plans. Specifically, the incorrect or unreliable risk scores affected the ranking of grantees for
accurately developing the field office annual work plan and eliminated assurance of accurate
identification of grantees for monitoring. Unsupported and insufficiently explained conclusions
drawn in the monitoring exhibits left CPD without evidence needed to defend findings and
concerns reported to its grantees.




                                               7
CPD’s monitoring process began with requiring its field offices to complete a risk analysis for all
active grants. 14 HUD’s risk analyses had factors and sub-factors for assessment specific to each
program. CPD required 15 its representatives to review a specified timeframe 16 for most sub-
factors and include a description clearly understood by an independent reviewer for sub-factors
rated high risk. Based upon review of selected sample items, 17 CPD’s risk analyses had the
following deficiencies:

     •    the indicated basis of assessment was incorrect,
     •    no indication of procedures performed,
     •    unexplained or unsupported assessments,
     •    questionable risk assessments due to lack of monitoring during the assessment period,
     •    accuracy of the assessment not determinable from the available information,
     •    lack of or unreferenced supporting documentation, and
     •    neglecting to address all requirements of the assessed risk. 18
In addition to the above deficiencies, the San Francisco CPD field office point of contact placed
significant reliance upon its CPD representatives’ knowledge of the grantee instead of supporting
documentation as required. This office’s management knew CPD representatives did not always
review all required information but did not take corrective action. This field office also
estimated an overall review time of about 10 minutes for each risk analysis, meaning the
supervisory review or verification of sub-factors may or may not occur.
All 20 risk analyses reviewed had either incorrect or unsupported risk ratings. Figures 1 and 2
illustrate examples of unsupported risk ratings in which the CPD representative essentially used
the language from Notice CPD-14-04 to rate the grantee. Factor 1.B in figure 1 required the
Buffalo field office to determine grantee staff capacity for the previous 3 program years and
current program design. The field office rated the grantee as high risk without identifying
procedures performed or detailed information specific to the grantee. 19

Figure 1: City of Binghamton – CDBG risk analysis, factor 1.B




Figure 2 showed the Miami field office did not use grantee-specific information to support a
high-risk rating for factor 1.C. Based upon this answer, a supervisor or independent reviewer

14
     Notice CPD-14-04 defined an active grant as any grant within the field office’s portfolio not closed out at the
     start of the risk analysis review process.
15
     Notice CPD-14-04
16
     Typically 3 years
17
     See the Scope and Methodology section for sample selection details.
18
     The sample items had multiple deficiencies to various degrees.
19
     Further limiting the ability to review the risk analysis, the CPD representative did not maintain additional
     supporting documentation.



                                                           8
would not be able to draw the same conclusion with the given information for these risk
assessments.

Figure 2: Palm Beach County – HOME risk analysis, factor 1.C




Figure 3 showed the Louisville field office wrote a limited explanation to rate the timely
expenditure sub-factor as high risk. The criteria for this sub-factor required evaluation of the
grantee’s expenditures in relation to its grant agreement. 20 The CPD representative inserted the
comment, “Recaptures,” with no further explanation or supporting documentation.

Figure 3: St. Vincent DePaul – Continuum of Care risk anlaysis, factor 2.B




As shown in figure 4, the San Francisco field office also wrote a limited explanation to rate the
recipient reporting sub-factor as high risk. As presented, the risk analysis did not support the
high-risk designation given by the CPD representative and should have been identified by the
supervisor. 21
Figure 4: San Joaquin County – Emergency Solutions Grant risk analysis, factor 1.A




Each reviewed risk analysis had between 14 and 16 sub-factors to assess risk. Factors rated low
or medium risk did not always have comments or reference supporting documentation to
facilitate supervisory review. When interviewed about including supporting documentation for
risk analyses, one CPD representative stated that his supervisor could look up the supporting
documentation himself. Requiring reperformance of steps taken without adequate explanation or
references to supporting documentation defeats the purpose of a review of work performed.
Finally, an independent reviewer would not be able to draw the same conclusion without
documented efforts and explanations.



20
     Ibid.
21
     Ibid.



                                                 9
Annual Work Plans Evidenced Preparation Errors
CPD field offices did not always comply with the procedural requirements for the preparation of
annual work plans. While the Miami and San Francisco field offices generally prepared their
work plans in accordance with requirements, the Buffalo and Louisville offices had significant
deficiencies. Specifically, the work plans included the improper ranking of grantees, resulting in
exclusion from monitoring and non-selection of high-risk grantees without explanation, adding
to the inaccuracy of some work plans. These issues went unidentified due to lack of substantive
oversight. OFM’s lack of substantive oversight and control prevented identification and
correction of field office errors and omissions, allowing defective work plans and questionable
grantee selections for monitoring to remain uncorrected.

Buffalo
The Buffalo field office did not prepare its fiscal year 2017 annual work plan in accordance with
requirements. The work plan contained the following deficiencies:

     •   The competitive composite summary worksheet did not report average risk scores for five
         competitive grantees, which resulted in incorrect ranking with other grantees that had risk
         scores of zero. This error resulted in a high-risk grantee 22 that would have required a
         CPD field office review and another grantee with a risk score of 41 being ranked near the
         bottom with low-risk grantees. 23
     •   The field office omitted selection of a high-risk competitive grantee and program in rank
         order without explanation.
     •   While selecting three grantees ranked lower, the field office did not select one medium-
         risk competitive Continuum of Care grantee, which was among the top 20 risk-based
         grantees. It did not provide an explanation for the omission.
     •   The work plan listed a formula grant as selected for discretionary monitoring; however,
         the field office was required to monitor the grant program because it was rated high risk.

Louisville
The Louisville field office did not prepare its fiscal year 2017 annual work plan in accordance
with requirements. The field office selected nine grantees in rank order by average score.
However, one competitive grantee, Kentucky Housing Corporation, with an average risk score of
30, had one Continuum of Care program assessed as high risk (66), which required monitoring
under CPD guidance. 24 The Louisville field office did not provide an allowed exception for non-
selection of the grantee or program for review as the CPD notice required. 25




22
     A risk score greater than 50
23
     A risk score of less than 30
24
     Notice CPD-14-04
25
     Notice CPD-14-04, Section VI




                                                 10
Grantee Monitoring Was Not Conducted in Accordance with Requirements
CPD field offices reviewed did not perform their fiscal year 2017 monitoring in accordance with
requirements. 26 HUD uses its monitoring program as its primary means to ensure grantees carry
out their administration of Federal funds efficiently, effectively, and in accordance with
applicable laws.

Monitoring reviews did not provide confidence that field offices accurately evaluated grantee
performance. CPD policy required its staff to support, defend, and adequately document all
conclusions, positive and negative. 27 For instance,

     •   “Specific responses to the Exhibit questions are expected. Although this approach can
         take more time up-front, it yields higher quality reviews that provide a better picture of a
         program participant’s grant program for supervisory staff, future CPD representatives, for
         the program participant, and others who have a need to review the program participant’s
         performance or HUD’s monitoring efforts.” 28

     •   “Document! The responses to the questions in this Handbook Exhibits form the basis for
         monitoring conclusions and are supplemented by program participant records copied or
         reviewed during the monitoring. All Exhibit questions must be clearly answered (both
         the ‘Yes/No/N/A’ box and the ‘Basis for Conclusion’ text box). For example, an N/A
         response could indicate either that the question did not apply or the reviewer was unable
         to answer it (due to time constraints, unexpected problems in other areas, etc.). The
         “Basis for Conclusion” needs to succinctly but explicitly explain this.” 29

     •   “Keep in mind that people unfamiliar with the program participant, or the program/area
         being monitored, assess CPD monitoring efforts (e.g., staff from HUD’s OIG or GAO).
         Field Office changes may also result in reassignment of program participants to different
         CPD staff. Therefore, monitoring conclusions must be clear to persons unfamiliar with
         the participant, program or technical area.” 30

     •   “It is essential that each step of the monitoring process be adequately documented.
         Documenting preserves the valuable results, both positive and negative. All
         correspondence, documentation and working papers relating to the monitoring and
         conclusions are to be maintained in the official Field Office files. Where appropriate or
         required, information can be maintained in electronic form (e.g., GMP).” 31




26
     HUD Handbook 6509.2, REV-7
27
     HUD Handbook 6509.2, REV-7, chapter 2, section 2-8.A.
28
     HUD Handbook 6509.2, REV-7, chapter 2, section 2-7.C.1 second paragraph.
29
     HUD Handbook 6509.2, REV-7, chapter 2, section 2-7.C.3 first paragraph.
30
     HUD Handbook 6509.2, REV-7, chapter 2, section 2-7.C.3 second paragraph.
31
     HUD Handbook 6509.2, REV-7, chapter 2, section 2-14.A first paragraph.



                                                      11
CPD did not comply with its own standards. Numerous errors and omissions existed in all
monitoring engagements reviewed, including but not limited to neglecting to

          •    properly report a finding and, instead, reducing it to a concern;
          •    note whether and what procedures were performed;
          •    provide a basis for the conclusion;
          •    identify items examined, preventing reperformance or verification;
          •    document the procedures performed to verify interview representations;
          •    complete the correct exhibits for activities possibly subject to Federal administrative,
               cost, and audit requirements; 32
          •    address and document sampling methodology, sample size determination, and results
               of testing in applicable instances;
          •    document an exit conference, completion of an official monitoring letter within 60
               days following monitoring, or complete documentation relating to final resolution of
               identified deficiencies;
          •    meet the requirements for the in-depth monitoring approach specified in the
               individual monitoring strategy;
          •    require evidence of compliance before closing findings;
          •    obtain source documentation instead of summary documents;
          •    use the supplemental exhibits required for completion of the monitoring process;
          •    reconcile incompatible conclusions and bases for conclusions and improper forfeiture
               of right to access records; and
          •    require sufficient information to clarify the conclusion.

For all monitoring engagements reviewed, each exhibit evidenced a number of the above
deficiencies. Some examples are described below.

Buffalo
The grantee and program reviewed was the Town of Union, Union, NY, Community
Development Block Grant-Disaster Recovery (CDBG-DR) program. CPD did not use the
supplemental exhibit required for completion of the monitoring process.

The planned engagement procedures included Exhibit 6-8, Guide for Review of Procurement. 33
The monitoring letter issued after completion of the engagement noted no issues or concerns
regarding procurement. See figure 5 below.




32
     2 CFR Part 200
33
     Ibid., chapter 6



                                                    12
Figure 5: Excerpt from CPD monitoring letter




The CPD representative did not complete the required procedures to support the conclusion. The
exhibit 6-8 instructions directed use of either exhibit 3-20 or 34-2, as applicable, to supplement
the exhibit for entitlement communities that received CDBG-DR funding. The HUD system did
not contain evidence the CPD representative complied with the instructions. See figure 6 below.

Figure 6: Exhibit 6-8 instructions (emphasis highlighted):




Since the CPD representative did not use the required supplemental exhibit for procurement, it
was not correct for HUD to state that it reviewed the grantee’s procurement processes and had no
issues or concerns. The monitoring was not complete and included unsupported statements
regarding procurement.

Louisville
The grantee and program reviewed was the Louisville Jefferson County Metro Government,
Louisville, KY, HOME program. CPD did not document a basis for its conclusions.




                                               13
A component of the monitoring engagement included Exhibit 7-2, Guide for Review of Overall
Management Systems. The CPD representative neglected to describe the documents reviewed or
other procedures performed to support the conclusions reached. The exhibit consisted of 46
questions. For 43 of the 46 questions, the CPD representative described the basis for conclusion
as “Staff interviews and document reviews,” as shown in figure 7 below.

Figure 7: Exhibit 7-2, question 1




For two of the remaining questions (questions 13 and 39), the CPD representative used vague
descriptions and did not refer to the supporting documentation. See figure 8 below.

Figure 8: Exhibit 7-2, question 13




For question 46, the CPD representative did not describe the entire process to ensure information
entered into the Integrated Disbursement and Information System was accurate. See figure 9
below.

Figure 9: Exhibit 7-2, question 46




Based on a lack of supporting documentation and detailed procedures to support a review of
documents, verification of interview representations, or any other procedures performed, none of
the conclusions were supported, defensible, or adequately documented.




                                               14
Miami
The grantee and program reviewed was Fort Lauderdale, Fort Lauderdale, FL, Housing
Opportunities for Persons with AIDS (HOPWA) program. CPD did not resolve conflicting
information between the exhibit and monitoring letter.

One component of the monitoring engagement included completion of Exhibit 10-4, Guide for
Review of HOPWA Project Sponsor or Subrecipient Management. 34 The exhibit had three
questions numbered 34 because it had three different subgrantees.

Question 34, associated with Broward House, identified no unknown problems as shown in
figure 10. However, the monitoring report identified that Broward House had environmental
review deficiencies that the City had not detected.

Figure 10: Question 34, Broward House




Question 34, associated with Broward Regional Planning Council, identified a smoke alarm
deficiency as shown in figure 11, but CPD’s monitoring letter did not contain this environmental
finding.

Figure 11: Question 34, Broward Regional Health Planning Council




34
     Ibid., chapter 10



                                               15
Question 34, associated with Sun Server, basically had the same conclusion as Broward Regional
Health Planning Council as shown in figure 12. However, the monitoring report identified no
findings with Sun Server.

Figure 12: Question 34, Sun Server




The CPD representative stated the findings noted in the monitoring report were correct. To
avoid confusing a supervisor or another reviewer, the information in the exhibits needed to
support and be consistent with the information presented in the monitoring report. As a result of
the inconsistencies noted above, the conclusion presented in the exhibit was not supportable,
defensible, or adequately documented. Neither the reviewer nor the approver required further
information to clarify the discrepancies between the exhibit and the monitoring report and
resolve the issue.

San Francisco
The grantee and program reviewed was the Committee on the Shelterless Continuum of Care
program, Petaluma, CA. CPD did not address and document its sampling methodology, sample
size determination, or results of testing in applicable instances.

The field office monitoring of the Committee on the Shelterless Continuum of Care included
completion of Exhibit 29-1, Guide for Review of Homeless and At-Risk
Determination/Recordkeeping Requirements 35 as shown figure 13.




35
     Ibid., chapter 29



                                               16
Figure 13: Exhibit 29-1 instructions (emphasis highlighted):




The field office must use this exhibit. It also must do the following: (1) select a random sample
from both current and former program participants and (2) review these program participant files
to complete the questions in the exhibit, supplemented by recipient staff interviews. The exhibit
did not include the basis for sample selection and samples reviewed as required, with the result
that the field office did not support, defend, or adequately document the related conclusions. For
example, see figures 14, 15, and 16 below.

Figure 14: Question 5




                                               17
The CPD representative concluded “Yes” but left the basis for conclusion blank. There was no
description of the sample selection process, sample(s) reviewed, or other supporting
documentation as required:

Figure 15: Question 6




The conclusion was “Yes” and the basis for conclusion noted, “All client files reviewed
contained third-party documentation, but the HMIS database does meet these requirements.”
However, there was no description of the sample selection process and samples reviewed as
required. 36

Figure 16: Questions 9-24 (note: only one question in sequence 9-24 shown as an example)




As with all questions in the indicated sequence, the basis for conclusion states, “Not applicable
to clients reviewed.” However, these descriptions did not include the sample selection process,


36
     Ibid.



                                                18
list client files reviewed, or refer to other supporting documentation that would have that
information.

All 20 monitoring reviews had multiple deficiencies, and the monitoring exhibits generally
contained insufficient supporting documentation and inadequate explanation of conclusions
drawn. Neither OFM nor the CPD field offices reviewed provided evidence to show that the
deficiencies identified were isolated instances or that the deficiencies were limited to these four
field offices. Further, the lack of OFM substantive oversight prevented it from noting field
office errors and required correction of noncompliance with requirements. As a result, CPD did
not have effective monitoring, identification of deficiencies, development of appropriate
corrective action, and resolution to ensure proper administration of Federal funds by grantees.

OFM Lacked Oversight and Policy Implementation
To compound the conflicting data issues and lack of monitoring cited above, OFM’s oversight of
the risk analyses and monitoring processes was solely administrative. While CPD field office
directors and program managers were tasked with review of risk analyses and monitoring
exhibits, OFM did not have substantive oversight procedures to ensure field staff had properly
and consistently implemented established policies concerning completion and review of the
monitoring process. Therefore, OFM could not know the extent of the deficiences with the
implementation of the risk analysis and monitoring process. Based on the issues identified in the
previous audit 37 and in this audit, it is imperative headquarters develop appropriate, substantive
oversight procedures to ensure the overall monitoring process has credibility. Without credible
implementation of the monitoring process, CPD did not have assurance grantees effectively
administered Federal funds.

Conclusion

CPD did not appropriately assess program grantees’ risk to the integrity of CPD programs or
adequately monitor its grantees, resulting in no assurance of effective oversight or control of
billions in Federal funds.

CPD had not monitored most of its grantees over the last 3 years, placing greater importance on
CPD’s correctly assessing risk and monitoring. Risk analyses did not conform to requirements
and contained errors and omissions affecting individual risk factor assessments, resulting in
incorrect risk scores. Field office errors in preparing annual work plans further compounded the
effect of incorrect risk scores, preventing correct identification of high-risk grantees. CPD’s
monitoring of grantees did not always support and document conclusions as required.
Supervisory controls did not function at any level. CPD program managers and directors did not
note and require correction of instances of CPD representative noncompliance with
requirements. OFM limited its role to administrative matters and was unable to identify field
office noncompliance. This condition occurred because OFM structured the risk assessment and
monitoring model so that the CPD directors would have the substantial responsibility for
ensuring the accuracy and effectiveness of the model. OFM could not readily produce correct


37
     HUD’s Monitoring of State CDBG, 2017-FW-0001, July 10, 2017



                                                    19
grant and grantee data. As a result, CPD had no assurance that it correctly assessed grantee risk,
prepared annual work plans accurately, or conducted monitoring in accordance with
requirements for billions in funding. 38

Recommendations
We recommend that the Deputy Assistant Secretary for Operations

             1A.   Develop and implement policies to require CPD headquarters’ substantive
                   involvement and responsibility in the risk assessment and monitoring function,
                   including (1) oversight of risk assessment, including ensuring that all required
                   grantees have a risk assessment performed; (2) review of annual work plans; (3)
                   evaluation of monitoring performance and findings; (4) institution of functional
                   supervisory controls; and (5) enforcement of field office compliance with risk
                   analysis and monitoring requirements. If OFM does this, a minimum of $907
                   million in Federal funds could be put to better use by more consistently and
                   accurately assessing risk and monitoring grantees.

             1B.   Establish a monitoring tracking system, organized on a CPD field office basis, to
                   incorporate and track internal and external data and provide an immediate,
                   multiyear quantification of grantees, grants, and dollar value for both monitored
                   and not monitored grantees, allowing immediate assessment of monitoring
                   findings, resolutions, and coverage individually and in total.




38
     Ibid.



                                                   20
Scope and Methodology
We performed our audit work from July 2017 through March 2018 at HUD headquarters in
Washington, DC, and on site in the Buffalo, Louisville, Miami, and San Francisco field offices.
Our review period was from October 2016 through September 2017.

To accomplish our audit objective, we
   • Reviewed relevant Federal laws and regulations.
   • Assessed the CPD requirements issued to all field offices for conducting risk
       assessments, annual work plan development, and the monitoring of CPD grantees and
       programs.
   • Interviewed headquarters personnel.
   • Obtained grant and grantee data from headquarters and performed analytics of detail and
       summary information by competitive and formula grants by region and field office,
       workload per CPD representative for risk analysis and monitoring, and historical
       monitoring coverage.
   • Performed site visits to four field offices and
           o Interviewed staff to (1) determine their level of training and experience, timing of
              the yearly risk analysis and monitoring cycle, procedures conducted, filing and
              record retention policies and systems, knowledge and understanding of sampling,
              sampling methods, and documentation; (2) obtain insight into their perceived
              shortcomings and deficiencies in the risk analysis and monitoring process; and (3)
              solicit their recommendations for improvement.
           o Evaluated risk assessments for compliance with requirements, including analysis
              of sub-factor procedures performed relative to requirements, conclusions reached,
              and supporting documentation examined and retained.
           o Reviewed the field office compilations of summary composite worksheets,
              determined the monitoring method selected, and examined preparation of the
              annual work plans for compliance with requirements.
           o Examined monitoring engagement procedures for conformance to requirements,
              to include but not limited to the individual monitoring strategies designed for
              conduct of the engagement, communications to and from grantees, selection of
              monitoring exhibits, completion of exhibits, support for conclusions reached,
              workpaper and document retention, and proper identification and handling and
              resolution of findings and concerns.

Sample Selection
During the audit period, CPD had approximately 4,300 combined formula and competitive
grantees for which more than 6,200 grantee worksheets were prepared. From the population of
43 field offices, 5 grantees and programs each from 4 field offices were selected for testing and
review of the related risk assessment and monitoring.




                                                21
We based our sample selection on interviews with OFM staff; analysis of summary grant and
grantee data in total and by field office; and review of field office staffing levels, field office
annual monitoring goals, and monitoring coverage percentages. We excluded the seven field
offices sampled under our State CDBG audit. 39 Using the available information, we selected a
cross section of field offices based upon size and geographical location.

Table 4: Field offices selected for site visits 40
     Field               Formula                        Competitive             Total
     office       grants      funding              grants   funding      grants  funding
 Buffalo               65    $ 74,701,611              503  $ 51,843,478    568 $126,545,089
 Louisville            26      60,049,777              207    18,635,431    233    78,685,208
 Miami               114       86,554,313              387    48,461,626    501   135,015,939
 San Francisco       245      356,484,010              664   211,252,628    909   567,736,638
 Total               450      577,789,711            1,761   330,193,163  2,211   907,982,874

As our sample was not statistical, our sample results could not be projected to the population.
However, because of the decentralized system, lack of supervisory review, and extent and
consistency of the deficiencies, the selections provided sufficient evidence to conclude whether
CPD followed its requirements and that the requirements were adequate to ensure that if
followed, CPD could accurately assess risk, develop a work plan based on accurately rated and
ranked grantees, and execute credible monitoring of grantees to ensure the proper administration
of Federal funds.

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.




39
     HUD’s Monitoring of State CDBG, 2017-FW-0001, July 10, 2017
40
     The total funding represents the minimum cost savings that CPD could recognize by establishing controls to
     ensure consistent compliance with its guidance for risk assessment and monitoring of grantees and therefore,
     providing supportable assurance that grantees are properly administering Federal funds or instances of
     noncompliance are identified and corrected.



                                                          22
Internal Controls
Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

•   effectiveness and efficiency of operations,
•   reliability of financial reporting, and
•   compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.
Relevant Internal Controls
We determined that the following internal controls were relevant to our audit objective:

•   Program operations – Policies and procedures that management has implemented to ensure
    that a program meets its objectives.
•   Validity and reliability of data – Policies and procedures that management has implemented
    to ensure that valid and reliable data are obtained, maintained, and fairly disclosed.
•   Compliance with laws and regulations – Policies and procedures that management has
    implemented to ensure that resource use is consistent with laws and regulations.

We assessed the relevant controls identified above.

A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, the
reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or
efficiency of operations, (2) misstatements in financial or performance information, or (3)
violations of laws and regulations on a timely basis.

Significant Deficiencies
Based on our review, we believe that the following items are significant deficiencies:

•   OFM did not have adequate controls to exercise oversight or control of risk assessment or the
    monitoring of CPD grantees.
•   Field offices did not implement adequate controls to accurately assess risk, develop work
    plans, or execute monitoring in accordance with requirements.




                                                23
Followup on Prior Audits
HUD’s Monitoring of State CDBG, 2017-FW-0001
All of the report recommendations, 1A through 1F, were open as of March 14, 2018. The
recommendations included the General Deputy Assistant Secretary for Community Planning and
Development to (1) develop and implement a review process at the headquarters level to ensure
compliance with established policy for risk analysis and monitoring, (2) require referenced
supporting documentation be uploaded into its system and implement guidance for field offices
to maintain supporting documentation in their official files, (3) develop and implement a policy
that requires field offices to rate grantees of at least medium risk that have not been monitored
within the last 3 years, and (4) update monitoring exhibits to guide staff to document procedures
performed and provide sufficient explanation to verify procedures performed and conclusions
drawn. The full report can be found at the following link:
https://www.hudoig.gov/reports-publications/audit-reports/hud%E2%80%99s-monitoring-of-
state-cdbg
Recommendations 1B, 1C, and 1F were open without a final action target date. The final action
target date for completing corrective action for recommendations 1A and 1E is July 10, 2018,
and recommendation 1D is September 30, 2018.
The State of Oklahoma Did Not Obligate and Spend Its Community Development Block
Grant Disaster Recovery Funds in Accordance With Requirements, 2016-FW-1010
All of the report recommendations, 1A through 1F, were open as of March 14, 2018. The
recommendations included the Acting Deputy Assistant Secretary for Grant Programs require the
State to (1) develop and implement policies and procedures to document and perform detailed
review and testing to establish eligibility, existence, disaster event qualifications, reasonableness
of cost estimates, prioritization, and fund allocation, both retroactively and prospectively, which
would put $81.9 million to better use; (2) support or properly obligate more than $11.7 million in
unsupported obligations; and (3) support or repay more than $4.3 million in unsupported
expenditures. The full report can be found at the following link:

https://www.hudoig.gov/reports-publications/audit-reports/state-of-oklahoma-did-not-obligate-
and-spend-its-community

The final action target date for completing corrective action was November 29, 2017. CPD and
the State of Oklahoma were still in consideration of corrective action, if any, as of the date of this
report.




                                                 24
Appendixes

Appendix A


                        Schedule of Funds To Be Put to Better Use
                          Recommendation Funds to be put
                              number          to better use 1/

                          1A                       $907,982,874
                          Total                     907,982,874


1/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an Office of Inspector General (OIG) recommendation is
     implemented. These amounts include reductions in outlays, deobligation of funds,
     withdrawal of interest, costs not incurred by implementing recommended improvements,
     avoidance of unnecessary expenditures noted in preaward reviews, and any other savings
     that are specifically identified. In this instance, funds to be put to better use represents
     the fiscal year 2016 formula grants and fiscal year 2015 competitive grants for the four
     field offices selected for site visit examination. As discussed in the Scope and
     Methodology section, the deficiencies identified during the audit were systemic and not
     limited to the sample items tested. Of the sample items reviewed, 100 percent of risk
     analyses and monitoring engagements examined evidenced many and varied instances of
     noncompliance with requirements. This result was attributable to field office
     noncompliance with requirements and OFM’s decentralized system, lack of supervisory
     review, and lack of support for conclusions reached. CPD could recognize cost savings
     of more than $907 million by establishing controls to ensure consistent compliance with
     its guidance for risk assessment and monitoring of grantees and therefore, providing
     supportable assurance that grantees are properly administering Federal funds or instances
     of noncompliance are identified and corrected.




                                              25
Appendix B
             Auditee Comments and OIG’s Evaluation



Ref to OIG
Evaluation                     Auditee Comments




Comment 1
Comment 2




Comment 3




                              26
Ref to OIG
Evaluation        Auditee Comments




 Comment 4




 Comment 5
 Comment 1




             27
Ref to OIG        Auditee Comments
Evaluation




 Comment 6




 Comment 7




 Comment 8




 Comment 9




             28
Ref to OIG         Auditee Comments
Evaluation




 Comment 10
 Comment 11


 Comment 12


 Comment 12


 Comment 13
 Comment 14
 Comment 15




              29
                         OIG Evaluation of Auditee Comments


Comment 1   CPD unequivocally stated that the audit report’s conclusion that CPD has no
            assurance of effective oversight or control of billions in Federal funds is invalid
            and unfounded.

            CPD misinterpreted the audit report’s evidence and conclusions. CPD did not
            have a system of control to provide the assurances that its policies and procedures
            were implemented by the field offices and operating as designed. The audit noted
            significant and consistent mistakes and omissions at the four sites reviewed that
            affected all other field offices since they had the same oversight controls. In
            addition, OFM developed a monitoring review training program in March 2016
            after a review of more than 2,000 monitoring exhibits. The deficiencies OFM
            identified and incorporated in this training were similar to the issues reported in
            this report.
            As stated in the report, neither the field office directors nor OFM noted and
            corrected instances of noncompliance. Without controls to determine if the
            policies were implemented and operating as designed, CPD cannot have
            assurances. We maintain our position.

Comment 2   CPD did not believe that the sample was sufficient or that the audit considered the
            Single Audits performed on grantees. CPD also stated that the report did not cite
            any instances of CPD violating a law or regulation.
            The sample included 10 percent of CPD field offices. As stated in Comment 1,
            CPD did not have controls in place to determine that policies were adequately and
            consistently operating throughout the 43 field offices. Furthermore, OFM’s own
            review showed similar mistakes and omissions. CPD did not provide any
            specifics on how it would address the significant deficiency. In addition, we have
            reported significant findings with CPD grantees’ compliance with requirements in
            other HUD OIG reports.
            While CPD’s grantees that expend more than $750,000 annually are required to
            have audits, these audits focus on the grantee’s financial statements and major
            Federal programs. Grantees may receive multiple Federal grants from different
            Federal agencies. Based on the independent auditor’s assessment, HUD funding
            may or may not be included for review during this type of audit. CPD’s risk
            analyses required a determination of the Single Audit’s timeliness and whether
            the audit included findings or recommendations; however, CPD’s response did
            not state how it used the audits in its overall monitoring processes. Lastly, GAO’s




                                             30
                 Standards for Internal Controls in the Federal Government specifically states that
                 these audits are not part of HUD’s internal controls. 41
Comment 3        CPD stated our report displayed a misconception of risk assessment and did not
                 clearly communicate the intended point.
                 The report described the importance of risk assessment as part of the condition of
                 the finding since HUD was not required to monitor all grantees. Unsupported,
                 incomplete, and inaccurate risk scores could lead to not identifying the grantees
                 that pose the highest risk. As stated in Comment 2, the external audits did not
                 have an effect on CPD following its policy on risk analysis or monitoring. Other
                 than including that HUD was not required to monitor all grantees, which was
                 previously in a footnote, in the body of the finding, we did not delete or revise the
                 sections.
Comment 4        CPD stated that we were applying “auditing standards” to CPD in evaluating the
                 effectiveness of its risk assessment and monitoring. 42 CPD also requested
                 clarification of what “verification of interview representations” meant.
                 As discussed throughout the audit, this audit examined CPD compliance with
                 CPD policies and procedures. 43 CPD internally developed, published, and
                 distributed these policies to CPD field offices for performance of risk assessment
                 and monitoring. We have included additional CPD policies in the body of the
                 report to help clarify the reported deficiencies. “Verification of interview
                 representations” meant CPD representatives must obtain support for statements
                 made during the interview. We maintain our position.

Comment 5        CPD stated that we did not understand its organizational structure and had blurred
                 the lines “between overseeing a process and enforcing program requirements…”
                 and stated “it is inappropriate and contrary to program delegations of authority to
                 shift program management and oversight responsibility to OFM.”

                 CPD’s response did not refute
                       • CPD representatives did not comply with requirements;
                       • CPD directors approved deficient risk analyses and monitoring
                           exhibits without noting noncompliance with requirements and
                           requiring corrective action; and
                       • OFM separated itself from the process and did not oversee or
                           “manage” the implementation and operations of its risk analysis and
                           monitoring policy.




41
     GAO-14-704G, Standards for Internal Control in the Federal Government, OV2.15
42
     See also, HUD’s Monitoring of State CDBG, 2017-FW-2001, OIG Evaluation of Auditee Comments.
43
     HUD Monitoring Handbook 6509.2, REV-7 and Notice CPD-14-04



                                                    31
                  OFM stated that it was not responsible for the oversight of the risk analysis and
                  monitoring processes with the exception of limited administrative tasks, and
                  further stated that the deficiencies identified in the draft report were the
                  responsibility of the Office of Block Grant Assistance due to the program
                  knowledge its employees had and OFM lacked.

                  Although OFM consistently cited lack of program knowledge as justification for
                  not exercising substantive oversight, the indications of noncompliance with
                  requirements noted during this audit did not require program expertise to identify
                  (e.g., nonperformance of procedures, no indication of specific procedures
                  performed, lack of supporting documents and workpapers, lack of completeness,
                  etc.).

                  Identification of monitoring deficiencies by OFM in development of its training
                  program demonstrated OFM’s ability to identify noncompliance with
                  requirements. We maintain our position.
Comment 6         CPD disagreed with our statement regarding its inability to readily produce detail
                  grant and grantee data upon request, noting the report did not provide sufficient
                  evidence as to data missing, the nature of the problem, or explain if the remark
                  emanated from our perception that the system needed to do something it was not
                  designed to do.

                  CPD’s inability to produce detail data was a problem identified and
                  communicated to CPD during the initial stages of the audit in July 2017. CPD
                  provided summary grant and grantee data, but was unable to provide the
                  supporting details that agreed to, or reconciled with and supported the summary
                  totals. We worked with CPD through multiple iterations of detail data before
                  receiving, in September 2017, a detail for the formula and competitive grants
                  summary information received in July 2017. CPD did not furnish the requested
                  detail for formula and competitive grantees. We maintain our position.

Comment 7         CPD stated Recommendation 1B, to establish a monitoring tracking system,
                  constituted our “taking on a management role in designing internal controls and
                  requiring the actual control CPD should use” and, as such, was an “inappropriate
                  overreach and contrary to generally accepted government auditing standards.”

                  Making a recommendation to establish a tracking system did not constitute
                  “taking on management’s role.” According to GAO, 44 we recommend “actions to
                  correct deficiencies and other findings identified during the audit and to improve
                  programs and operations when the potential for improvement in programs,
                  operations, and performance is substantiated by the reported findings and
                  conclusions.” Further, we make recommendations that we believe would address


44
     Government Auditing Standards, chapter 7, Reporting Standards for Performance Audits.



                                                       32
              the findings and conclusions, are directed at resolving the cause of the identified
              deficiencies and findings, and clearly state the actions recommended. We
              maintain our position.

Comment 8     CPD stated the report did not have sufficient evidence to support the assertion that
              supervisory controls did not function at any level.

              The Scope and Methodology section of the report describes our testing
              procedures. The body of the report identifies the results of those procedures for
              the overall audit, including conclusions reached regarding supervisory controls.
              Furthermore, as stated in the finding, CPD did not establish or implement
              supervisory or quality controls outside of the field office reviews. As noted
              throughout the report, CPD directors approved risk analyses and monitorings
              without identification and correction of instances of noncompliance indicating
              nonfunctioning supervisory controls at the field office level. In addition, OFM’s
              administrative review did not include evaluation to ensure its field offices were
              implementing the risk analysis and monitoring review policies. Lastly, CPD’s
              response did not provide support that it had adequate or effective oversight
              controls. We maintain our position.

Comment 9     CPD wrote that the report incorrectly characterized GAO’s removal of HUD from
              its high-risk list.
              We modified the report to reflect the language in the GAO report.
Comment 10 CPD wanted clarification of all awarded grantee programs and specifics regarding
           footnote 13 (now footnote 12).
              All awarded grantee programs refers to the CPD funds awarded to entitlement and
              competitive grantees for which field offices were required to perform risk
              analysis. We added specific numbers to the footnote.
Comment 11 CPD stated the example regarding Figure 11 of our report was confusing and
           noted the monitoring letter addressed the smoke detector problem for Broward
           Regional Health Planning Council.
              Figures 10, 11, and 12 illustrated the conflicting information between the exhibits
              and the monitoring letter. The monitoring letter addressed the smoke detector,
              which is a housing quality standards issue that was not identified in Figure 10.
              The monitoring letter did not address the environmental finding and was
              inconsistent with what was presented in the exhibit. We did not revise the
              finding.
Comment 12 CPD stated that the report contained auditing terminology and clarification of
           such terminology would be helpful to ensure a common understanding. CPD also
           described what it considered to be an acceptable explanation to support
           monitoring reviews.


                                               33
              We used common sampling terminology similar to what CPD uses in its own
              policy. For instance, HUD’s HOPWA exhibit 10-5 instructions state, “Use the
              grantee’s listing of applicable cost items supported with HOPWA funds during
              the operating year under review as a basis for the sample selection.” We agree
              with CPD on what it considered an acceptable description to support its
              determination. However, as stated throughout the finding, this description was
              missing from the documentation provided during our review. Therefore, the
              responses (including N/A) were not supportable or adequately documented.
Comment 13 CPD requested the recommendations for improvement that we solicited from field
           offices.
              During our site visits, we solicited comments and recommendations from the CPD
              personnel interviewed. We considered and evaluated their comments and
              recommendations for improvement during the performance of fieldwork and in
              development of the report.
Comment 14 CPD stated the audit followup section inaccurately reflected the status of the
           previous audit due to the lack of discussing CPD’s substantive disagreements.
              The purpose of this section was to describe significant recommendations that
              remain unresolved and disclose the status of recommendations that could affect
              the current audit objectives. We did not revise the report section.
Comment 15 CPD was puzzled by the inclusion of the State of Oklahoma audit report since it
           was outside OFM’s purview.
              We agree that OFM was not responsible for the State of Oklahoma audit
              recommendations. The Oklahoma City CPD field office did not perform accurate
              risk assessments and, did not monitor the State for at least five years. This audit
              led to the current audit on the CPD monitoring of all grantees. In addition, the
              material findings and recommendations in the State of Oklahoma report affect the
              current audit objectives for this latest report.




                                              34