Office of Community Planning and Development, Washington, DC CPD’s Risk Assessment and Monitoring of Its Grantees Office of Audit, Region 6 Audit Report Number: 2018-FW-0001 Fort Worth, TX June 26, 2018 To: Lori Michalski, Deputy Assistant Secretary for Operations, DO //signed// From: Kilah S. White, Regional Inspector General for Audit, 6AGA Subject: CPD’s Risk Assessment and Monitoring Program Did Not Provide Effective Oversight of Federal Funds Attached is the U.S. Department of Housing and Urban Development (HUD), Office of Inspector General’s (OIG) final results of our review of the Office of Community Planning and Development’s (CPD) risk assessment and monitoring of its grantees. HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on recommended corrective actions. For each recommendation without a management decision, please respond and provide status reports in accordance with the HUD Handbook. Please furnish us copies of any correspondence or directives issued because of the audit. The Inspector General Act, Title 5 United States Code, section 8M, requires that OIG post its publicly available reports on the OIG website. Accordingly, this report will be posted at http://www.hudoig.gov. If you have any questions or comments about this report, please do not hesitate to call me at 817-978-9309. Audit Report Number: 2018-FW-0001 Date: June 26, 2018 CPD’s Risk Assessment and Monitoring Program Did Not Provide Effective Oversight of Federal Funds Highlights What We Audited and Why We audited the U.S. Department of Housing and Urban Development (HUD), Office of Community Planning and Development’s (CPD) risk assessment and monitoring of its grantees. We initiated this assignment due to significant findings previously reported, which showed that CPD did not have effective risk assessment or monitoring of the State Community Development Block Grant program at either the field office or national level. 1 Accordingly, we examined other CPD programs, reviewing grantee risk analysis and monitoring performed by field offices across the Nation. Our objective was to determine whether CPD appropriately assessed grantees’ risk to the integrity of CPD programs and adequately monitored its grantees. What We Found CPD’s risk assessment and monitoring did not provide effective oversight of programs and grantees. Risk analyses, annual work plans, and monitoring of grantees did not conform to requirements. These conditions occurred because CPD headquarters did not have effective supervisory controls and structured the risk assessment and monitoring model so that CPD field office directors would have substantial responsibility for ensuring the accuracy and effectiveness of the model. CPD headquarters’ responsibility for the model was limited to the design and general policy development, along with administrative matters. As a result, CPD did not have assurance that it correctly assessed grantee risk, prepared accurate work plans, or monitored grantees in compliance with requirements. Accordingly, CPD could not have confidence regarding accuracy, validity, or conclusions drawn. What We Recommend We recommend that the Deputy Assistant Secretary for Operations require CPD headquarters’ substantive involvement and responsibility for risk assessment and monitoring, to include (1) oversight of risk assessment, including ensuring all grantees are assessed; (2) review of annual work plans; (3) evaluation of monitoring performance and findings; (4) institution of functional supervisory controls; (5) enforcement of field office compliance with requirements; and (6) establishment of a field office-based multiyear monitoring tracking system allowing assessment of monitoring findings, resolution, and coverage. 1 HUD’s Monitoring of State CDBG, 2017-FW-0001, July 10, 2017 Table of Contents Background and Objective......................................................................................3 Results of Audit ........................................................................................................5 Finding: CPD’s Risk Assessment and Monitoring Program Did Not Provide Effective Oversight of Federal Funds ............................................................................. 5 Scope and Methodology .........................................................................................21 Internal Controls ....................................................................................................23 Followup on Prior Audits ......................................................................................24 Appendixes ..............................................................................................................25 A. Schedule of Funds To Be Put to Better Use ............................................................ 25 B. Auditee Comments and OIG’s Evaluation ............................................................. 26 2 Background and Objective The U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development (CPD) oversees more than 20 major programs with disbursement of Federal funds to several thousand grantees annually. Annual allocations to CPD programs total approximately $7 billion. CPD developed a risk analysis and monitoring program to rank grantees by risk, develop the assessments into a work plan, and monitor the identified grantees. For fiscal year 2016, CPD awarded one or more formula grants to 1,281 grantees totaling approximately $4.7 billion. CPD also awarded more than $1.9 billion to approximately 2,524 grantees for fiscal year 2015 competitive grants. The more than $6.6 billion in grants awarded did not include disaster-related funding, which was budgeted to be an additional $2.3 billion for fiscal year 2016. See table 1 below. Table 1: Fiscal year 2016 formula and fiscal year 2015 competitive grants awarded Amount Program (in millions) Community Development Block Grant $3,014 HOME Investment Partnerships 965 Housing Opportunities for Persons With AIDS 301 Emergency Solutions Grant 270 Housing Trust Fund 174 Formula grants total 4,724 Continuum of Care (competitive) 1,939 Formula and competitive grants total 6,663 Under CPD’s risk assessment and monitoring model, grantees are subject to an annual risk assessment to determine the grantees that will receive monitoring. Field offices use grantee risk scores to develop annual work plans. 2 The Office of Field Management (OFM) sets field office annual monitoring goals based on its number of CPD representatives. CPD field office directors have discretion to monitor 100 percent of grantees in rank order or 70 percent in rank order and 30 percent at their discretion and determine the monitoring composition between formula and competitive grantees. During fiscal year 2017, CPD field offices with almost 300 CPD representatives assessed the risk of approximately 4,300 combined formula and competitive grantees for preparation of annual work plans and grantee monitoring. OFM established a monitoring goal for the 43 field offices of 865 grantees for fiscal year 2017. After selecting a grantee for monitoring, CPD defines a scope to monitor one or more of the grantee’s programs with a focus on certain aspects of the program(s) under review. 2 The summary worksheets rate and rank formula and competitive grantees separately. 3 Monitoring is an integral management control technique and a U.S. Government Accountability Office (GAO) standard. 3 It includes the activities that management establishes and operates to assess the quality of performance over time and promptly resolve findings of audits and other reviews. CPD uses monitoring as the principal means to ensure grantees carry out its programs efficiently, effectively, and in compliance with applicable laws and regulations. 4 According to HUD requirements, 5 monitoring is an ongoing process that is risk based and incorporated into the field office annual work plan. CPD established its risk assessment and monitoring model to address and correct findings in a 1999 GAO report 6 that placed HUD on the GAO high-risk list. GAO removed HUD from the high-risk list in 2001 due to actions taken by HUD in relation to GAO’s recommendations to improve management controls over its CPD programs. 7 Our audit objective was to determine whether CPD appropriately assessed program grantees’ risk to the integrity of CPD programs and adequately monitored its grantees. 3 HUD Monitoring Handbook 6509.2, REV-7, chapter 1 4 Ibid. 5 Ibid. 6 GAO, Community Development: Weak Management Controls Compromise Integrity of Four HUD Grant Programs, GAO/RCED-99-08 (Washington, DC: April 27, 1999) 7 GAO, High-Risk Series: An Update, GAO-01-263 (Washington, DC: January 2001) 4 Results of Audit Finding: CPD’s Risk Assessment and Monitoring Program Did Not Provide Effective Oversight of Federal Funds CPD’s risk assessment and monitoring did not provide effective oversight of programs and grantees. Risk analyses did not conform to requirements and contained errors and omissions affecting individual risk factor assessments, resulting in incorrect risk scores. Field office errors in preparation of annual work plans further compounded the effect of incorrect risk scores, preventing assurance of correct identification of high-risk grantees. CPD’s monitoring of grantees did not always support and document conclusions as required. These conditions occurred because OFM did not have effective supervisory controls to identify and correct deficiencies and it structured the risk assessment and monitoring model so that the CPD field office directors would have the substantial responsibility for ensuring the accuracy and effectiveness of the model. OFM’s responsibility for the model was limited to the design and general policy development and administrative matters. As a result, CPD did not know whether it correctly assessed grantee risk, prepared accurate work plans, or monitored in compliance with requirements. 8 CPD Did Not Monitor Most of Its Grantees Since 2014, CPD may not have monitored between 62 and 74 percent of its approximate 6,200 grantee programs. While CPD’s fiscal year 2017 risk assessment and monitoring process was primarily based on fiscal year 2016 formula grant information and fiscal year 2015 competitive grant information, CPD requirements 9 directed its personnel to complete a risk assessment for all open grants. As an example, two of the formula grant programs have a 2- and 5-year expenditure deadline, respectively. 10 Therefore, CPD’s oversight responsibility spanned multiple fiscal years and was not limited to funding for a specific fiscal year. In addition, CPD’s risk assessment universe for fiscal year 2017 did not include some grantees, resulting in those grantees’ omission from the annual work plan. Further limiting the extent of monitoring, CPD was not required to monitor every grantee program or complete all monitoring exhibits for an individual program. Due to the extent of grantee programs, funding amounts, limited CPD resources, and no requirement to monitor every grantee program or complete all monitoring exhibits for an individual program, this resulted in greater importance on the accuracy of risk analyses and the effectiveness of monitoring. 8 For the four CPD field offices sampled, the risk assessment funding universe was $907 million. 9 Notice CPD-14-04 10 Emergency Solutions Grant at 24 CFR (Code of Federal Regulations) 576.203(b) and HOME Investment Partnerships program at 24 CFR 92.500(d)(1)(iii), respectively 5 CPD’s Grants Management Process system 11 identified 2,923 formula grantee programs that could be considered for monitoring. Of those grantee programs, 1,110 had not been monitored since 2014, and an additional 701 grantee programs did not have a monitoring date within the data. Whether the blank date signified no monitoring or missing data, combining these totals showed that CPD may have not monitored almost 62 percent of its formula grantee programs since 2014. In addition, CPD’s system identified 3,292 competitive grantee programs available for monitoring. CPD had not monitored 124 grantee programs since 2014, and 2,304 grantee programs did not have a monitoring date in the system. As a result, CPD may not have monitored almost 74 percent of its competitive grantee programs since 2014. In addition to the lack of monitoring, the fiscal year 2017 risk analysis process did not include all awarded grantee programs. 12 Moreover, one formula-based program 13 was not included in CPD’s policy to be monitored. As a result, these grantee programs were not available for potential monitoring. Further, summary and detail data regarding the number of grantees and grantee programs did not reconcile. These limitations, along with the billions of dollars at risk each year, increased the need to approriately and effectively assess grantee risk and monitor the grantees selected. See table 2 below. Table 2: Overall lack of monitoring since 2014 Through Total Blank date 2014 programs Formula amounts 701 1,110 2,923 Formula percentages 23.98% 37.97% 61.96% Competitive amounts 2,304 124 3,292 Competitive percentages 69.99% 3.77% 73.75% Field Offices Reviewed Had a Similar Lack of Monitoring of Grantees The lack of monitoring for sampled field offices was similar to the overall percentages in the above table. The sample included four CPD field offices: Buffalo, NY, Louisville, KY, Miami, FL, and San Francisco, CA, with total grant awards of approximately $907 million. Table 3 describes the lack of monitoring since 2014 for the sampled field offices for formula and competitive grants. For both types of grants, the selected CPD field offices may not have monitored between approximately 45 and 75 percent of their grantees since 2014. See table 3 below. 11 This system consisted of the Grants Management Process – Reengineered (GMP-R) and the Grants Management Process Monitoring Module (GMP-M). GMP-R contained information regarding risk analyses and work plans. GMP-M documented the monitoring exhibits. 12 CPD did not prepare at least 15 risk analyses for formula-based programs (11 HOPWA, 3 ESG, and 1 CDBG). In addition, it was not possible to determine whether CPD prepared the correct amount of risk analyses for competitive-based programs due to the competitive nature of funding and missing data. 13 Housing Trust Fund 6 Table 3: Sample selection of lack of monitoring since 2014 Through Field office Grant type Blank date Total programs 2014 18 25 62 Formula 29.03% 40.32% 69.35% Buffalo 101 7 147 Competitive 68.71% 4.76% 73.47% 6 5 24 Formula 25.00% 20.83% 45.83% Louisville 16 0 35 Competitive 45.71% 0.00% 45.71% 19 57 112 Formula 16.96% 50.89% 67.86% Miami 22 3 35 Competitive 62.86% 8.57% 71.43% 68 121 255 Formula 26.67% 47.45% 74.12% San Francisco 201 8 274 Competitive 73.36% 2.92% 76.28% Risk Analyses, Annual Work Plans, and Monitoring Exhibits Were Deficient Field office personnel prepared risk analyses and monitoring exhibits without appropriate supporting documentation or adequate explanation for the sample of 20 grantees reviewed at 4 field offices, compromising the validity of overall risk scores for individual assessments. The risk analyses were the basis for the annual work plans that determined which grantees field offices would monitor. Improperly completed risk analyses negatively impacted the annual work plans. Specifically, the incorrect or unreliable risk scores affected the ranking of grantees for accurately developing the field office annual work plan and eliminated assurance of accurate identification of grantees for monitoring. Unsupported and insufficiently explained conclusions drawn in the monitoring exhibits left CPD without evidence needed to defend findings and concerns reported to its grantees. 7 CPD’s monitoring process began with requiring its field offices to complete a risk analysis for all active grants. 14 HUD’s risk analyses had factors and sub-factors for assessment specific to each program. CPD required 15 its representatives to review a specified timeframe 16 for most sub- factors and include a description clearly understood by an independent reviewer for sub-factors rated high risk. Based upon review of selected sample items, 17 CPD’s risk analyses had the following deficiencies: • the indicated basis of assessment was incorrect, • no indication of procedures performed, • unexplained or unsupported assessments, • questionable risk assessments due to lack of monitoring during the assessment period, • accuracy of the assessment not determinable from the available information, • lack of or unreferenced supporting documentation, and • neglecting to address all requirements of the assessed risk. 18 In addition to the above deficiencies, the San Francisco CPD field office point of contact placed significant reliance upon its CPD representatives’ knowledge of the grantee instead of supporting documentation as required. This office’s management knew CPD representatives did not always review all required information but did not take corrective action. This field office also estimated an overall review time of about 10 minutes for each risk analysis, meaning the supervisory review or verification of sub-factors may or may not occur. All 20 risk analyses reviewed had either incorrect or unsupported risk ratings. Figures 1 and 2 illustrate examples of unsupported risk ratings in which the CPD representative essentially used the language from Notice CPD-14-04 to rate the grantee. Factor 1.B in figure 1 required the Buffalo field office to determine grantee staff capacity for the previous 3 program years and current program design. The field office rated the grantee as high risk without identifying procedures performed or detailed information specific to the grantee. 19 Figure 1: City of Binghamton – CDBG risk analysis, factor 1.B Figure 2 showed the Miami field office did not use grantee-specific information to support a high-risk rating for factor 1.C. Based upon this answer, a supervisor or independent reviewer 14 Notice CPD-14-04 defined an active grant as any grant within the field office’s portfolio not closed out at the start of the risk analysis review process. 15 Notice CPD-14-04 16 Typically 3 years 17 See the Scope and Methodology section for sample selection details. 18 The sample items had multiple deficiencies to various degrees. 19 Further limiting the ability to review the risk analysis, the CPD representative did not maintain additional supporting documentation. 8 would not be able to draw the same conclusion with the given information for these risk assessments. Figure 2: Palm Beach County – HOME risk analysis, factor 1.C Figure 3 showed the Louisville field office wrote a limited explanation to rate the timely expenditure sub-factor as high risk. The criteria for this sub-factor required evaluation of the grantee’s expenditures in relation to its grant agreement. 20 The CPD representative inserted the comment, “Recaptures,” with no further explanation or supporting documentation. Figure 3: St. Vincent DePaul – Continuum of Care risk anlaysis, factor 2.B As shown in figure 4, the San Francisco field office also wrote a limited explanation to rate the recipient reporting sub-factor as high risk. As presented, the risk analysis did not support the high-risk designation given by the CPD representative and should have been identified by the supervisor. 21 Figure 4: San Joaquin County – Emergency Solutions Grant risk analysis, factor 1.A Each reviewed risk analysis had between 14 and 16 sub-factors to assess risk. Factors rated low or medium risk did not always have comments or reference supporting documentation to facilitate supervisory review. When interviewed about including supporting documentation for risk analyses, one CPD representative stated that his supervisor could look up the supporting documentation himself. Requiring reperformance of steps taken without adequate explanation or references to supporting documentation defeats the purpose of a review of work performed. Finally, an independent reviewer would not be able to draw the same conclusion without documented efforts and explanations. 20 Ibid. 21 Ibid. 9 Annual Work Plans Evidenced Preparation Errors CPD field offices did not always comply with the procedural requirements for the preparation of annual work plans. While the Miami and San Francisco field offices generally prepared their work plans in accordance with requirements, the Buffalo and Louisville offices had significant deficiencies. Specifically, the work plans included the improper ranking of grantees, resulting in exclusion from monitoring and non-selection of high-risk grantees without explanation, adding to the inaccuracy of some work plans. These issues went unidentified due to lack of substantive oversight. OFM’s lack of substantive oversight and control prevented identification and correction of field office errors and omissions, allowing defective work plans and questionable grantee selections for monitoring to remain uncorrected. Buffalo The Buffalo field office did not prepare its fiscal year 2017 annual work plan in accordance with requirements. The work plan contained the following deficiencies: • The competitive composite summary worksheet did not report average risk scores for five competitive grantees, which resulted in incorrect ranking with other grantees that had risk scores of zero. This error resulted in a high-risk grantee 22 that would have required a CPD field office review and another grantee with a risk score of 41 being ranked near the bottom with low-risk grantees. 23 • The field office omitted selection of a high-risk competitive grantee and program in rank order without explanation. • While selecting three grantees ranked lower, the field office did not select one medium- risk competitive Continuum of Care grantee, which was among the top 20 risk-based grantees. It did not provide an explanation for the omission. • The work plan listed a formula grant as selected for discretionary monitoring; however, the field office was required to monitor the grant program because it was rated high risk. Louisville The Louisville field office did not prepare its fiscal year 2017 annual work plan in accordance with requirements. The field office selected nine grantees in rank order by average score. However, one competitive grantee, Kentucky Housing Corporation, with an average risk score of 30, had one Continuum of Care program assessed as high risk (66), which required monitoring under CPD guidance. 24 The Louisville field office did not provide an allowed exception for non- selection of the grantee or program for review as the CPD notice required. 25 22 A risk score greater than 50 23 A risk score of less than 30 24 Notice CPD-14-04 25 Notice CPD-14-04, Section VI 10 Grantee Monitoring Was Not Conducted in Accordance with Requirements CPD field offices reviewed did not perform their fiscal year 2017 monitoring in accordance with requirements. 26 HUD uses its monitoring program as its primary means to ensure grantees carry out their administration of Federal funds efficiently, effectively, and in accordance with applicable laws. Monitoring reviews did not provide confidence that field offices accurately evaluated grantee performance. CPD policy required its staff to support, defend, and adequately document all conclusions, positive and negative. 27 For instance, • “Specific responses to the Exhibit questions are expected. Although this approach can take more time up-front, it yields higher quality reviews that provide a better picture of a program participant’s grant program for supervisory staff, future CPD representatives, for the program participant, and others who have a need to review the program participant’s performance or HUD’s monitoring efforts.” 28 • “Document! The responses to the questions in this Handbook Exhibits form the basis for monitoring conclusions and are supplemented by program participant records copied or reviewed during the monitoring. All Exhibit questions must be clearly answered (both the ‘Yes/No/N/A’ box and the ‘Basis for Conclusion’ text box). For example, an N/A response could indicate either that the question did not apply or the reviewer was unable to answer it (due to time constraints, unexpected problems in other areas, etc.). The “Basis for Conclusion” needs to succinctly but explicitly explain this.” 29 • “Keep in mind that people unfamiliar with the program participant, or the program/area being monitored, assess CPD monitoring efforts (e.g., staff from HUD’s OIG or GAO). Field Office changes may also result in reassignment of program participants to different CPD staff. Therefore, monitoring conclusions must be clear to persons unfamiliar with the participant, program or technical area.” 30 • “It is essential that each step of the monitoring process be adequately documented. Documenting preserves the valuable results, both positive and negative. All correspondence, documentation and working papers relating to the monitoring and conclusions are to be maintained in the official Field Office files. Where appropriate or required, information can be maintained in electronic form (e.g., GMP).” 31 26 HUD Handbook 6509.2, REV-7 27 HUD Handbook 6509.2, REV-7, chapter 2, section 2-8.A. 28 HUD Handbook 6509.2, REV-7, chapter 2, section 2-7.C.1 second paragraph. 29 HUD Handbook 6509.2, REV-7, chapter 2, section 2-7.C.3 first paragraph. 30 HUD Handbook 6509.2, REV-7, chapter 2, section 2-7.C.3 second paragraph. 31 HUD Handbook 6509.2, REV-7, chapter 2, section 2-14.A first paragraph. 11 CPD did not comply with its own standards. Numerous errors and omissions existed in all monitoring engagements reviewed, including but not limited to neglecting to • properly report a finding and, instead, reducing it to a concern; • note whether and what procedures were performed; • provide a basis for the conclusion; • identify items examined, preventing reperformance or verification; • document the procedures performed to verify interview representations; • complete the correct exhibits for activities possibly subject to Federal administrative, cost, and audit requirements; 32 • address and document sampling methodology, sample size determination, and results of testing in applicable instances; • document an exit conference, completion of an official monitoring letter within 60 days following monitoring, or complete documentation relating to final resolution of identified deficiencies; • meet the requirements for the in-depth monitoring approach specified in the individual monitoring strategy; • require evidence of compliance before closing findings; • obtain source documentation instead of summary documents; • use the supplemental exhibits required for completion of the monitoring process; • reconcile incompatible conclusions and bases for conclusions and improper forfeiture of right to access records; and • require sufficient information to clarify the conclusion. For all monitoring engagements reviewed, each exhibit evidenced a number of the above deficiencies. Some examples are described below. Buffalo The grantee and program reviewed was the Town of Union, Union, NY, Community Development Block Grant-Disaster Recovery (CDBG-DR) program. CPD did not use the supplemental exhibit required for completion of the monitoring process. The planned engagement procedures included Exhibit 6-8, Guide for Review of Procurement. 33 The monitoring letter issued after completion of the engagement noted no issues or concerns regarding procurement. See figure 5 below. 32 2 CFR Part 200 33 Ibid., chapter 6 12 Figure 5: Excerpt from CPD monitoring letter The CPD representative did not complete the required procedures to support the conclusion. The exhibit 6-8 instructions directed use of either exhibit 3-20 or 34-2, as applicable, to supplement the exhibit for entitlement communities that received CDBG-DR funding. The HUD system did not contain evidence the CPD representative complied with the instructions. See figure 6 below. Figure 6: Exhibit 6-8 instructions (emphasis highlighted): Since the CPD representative did not use the required supplemental exhibit for procurement, it was not correct for HUD to state that it reviewed the grantee’s procurement processes and had no issues or concerns. The monitoring was not complete and included unsupported statements regarding procurement. Louisville The grantee and program reviewed was the Louisville Jefferson County Metro Government, Louisville, KY, HOME program. CPD did not document a basis for its conclusions. 13 A component of the monitoring engagement included Exhibit 7-2, Guide for Review of Overall Management Systems. The CPD representative neglected to describe the documents reviewed or other procedures performed to support the conclusions reached. The exhibit consisted of 46 questions. For 43 of the 46 questions, the CPD representative described the basis for conclusion as “Staff interviews and document reviews,” as shown in figure 7 below. Figure 7: Exhibit 7-2, question 1 For two of the remaining questions (questions 13 and 39), the CPD representative used vague descriptions and did not refer to the supporting documentation. See figure 8 below. Figure 8: Exhibit 7-2, question 13 For question 46, the CPD representative did not describe the entire process to ensure information entered into the Integrated Disbursement and Information System was accurate. See figure 9 below. Figure 9: Exhibit 7-2, question 46 Based on a lack of supporting documentation and detailed procedures to support a review of documents, verification of interview representations, or any other procedures performed, none of the conclusions were supported, defensible, or adequately documented. 14 Miami The grantee and program reviewed was Fort Lauderdale, Fort Lauderdale, FL, Housing Opportunities for Persons with AIDS (HOPWA) program. CPD did not resolve conflicting information between the exhibit and monitoring letter. One component of the monitoring engagement included completion of Exhibit 10-4, Guide for Review of HOPWA Project Sponsor or Subrecipient Management. 34 The exhibit had three questions numbered 34 because it had three different subgrantees. Question 34, associated with Broward House, identified no unknown problems as shown in figure 10. However, the monitoring report identified that Broward House had environmental review deficiencies that the City had not detected. Figure 10: Question 34, Broward House Question 34, associated with Broward Regional Planning Council, identified a smoke alarm deficiency as shown in figure 11, but CPD’s monitoring letter did not contain this environmental finding. Figure 11: Question 34, Broward Regional Health Planning Council 34 Ibid., chapter 10 15 Question 34, associated with Sun Server, basically had the same conclusion as Broward Regional Health Planning Council as shown in figure 12. However, the monitoring report identified no findings with Sun Server. Figure 12: Question 34, Sun Server The CPD representative stated the findings noted in the monitoring report were correct. To avoid confusing a supervisor or another reviewer, the information in the exhibits needed to support and be consistent with the information presented in the monitoring report. As a result of the inconsistencies noted above, the conclusion presented in the exhibit was not supportable, defensible, or adequately documented. Neither the reviewer nor the approver required further information to clarify the discrepancies between the exhibit and the monitoring report and resolve the issue. San Francisco The grantee and program reviewed was the Committee on the Shelterless Continuum of Care program, Petaluma, CA. CPD did not address and document its sampling methodology, sample size determination, or results of testing in applicable instances. The field office monitoring of the Committee on the Shelterless Continuum of Care included completion of Exhibit 29-1, Guide for Review of Homeless and At-Risk Determination/Recordkeeping Requirements 35 as shown figure 13. 35 Ibid., chapter 29 16 Figure 13: Exhibit 29-1 instructions (emphasis highlighted): The field office must use this exhibit. It also must do the following: (1) select a random sample from both current and former program participants and (2) review these program participant files to complete the questions in the exhibit, supplemented by recipient staff interviews. The exhibit did not include the basis for sample selection and samples reviewed as required, with the result that the field office did not support, defend, or adequately document the related conclusions. For example, see figures 14, 15, and 16 below. Figure 14: Question 5 17 The CPD representative concluded “Yes” but left the basis for conclusion blank. There was no description of the sample selection process, sample(s) reviewed, or other supporting documentation as required: Figure 15: Question 6 The conclusion was “Yes” and the basis for conclusion noted, “All client files reviewed contained third-party documentation, but the HMIS database does meet these requirements.” However, there was no description of the sample selection process and samples reviewed as required. 36 Figure 16: Questions 9-24 (note: only one question in sequence 9-24 shown as an example) As with all questions in the indicated sequence, the basis for conclusion states, “Not applicable to clients reviewed.” However, these descriptions did not include the sample selection process, 36 Ibid. 18 list client files reviewed, or refer to other supporting documentation that would have that information. All 20 monitoring reviews had multiple deficiencies, and the monitoring exhibits generally contained insufficient supporting documentation and inadequate explanation of conclusions drawn. Neither OFM nor the CPD field offices reviewed provided evidence to show that the deficiencies identified were isolated instances or that the deficiencies were limited to these four field offices. Further, the lack of OFM substantive oversight prevented it from noting field office errors and required correction of noncompliance with requirements. As a result, CPD did not have effective monitoring, identification of deficiencies, development of appropriate corrective action, and resolution to ensure proper administration of Federal funds by grantees. OFM Lacked Oversight and Policy Implementation To compound the conflicting data issues and lack of monitoring cited above, OFM’s oversight of the risk analyses and monitoring processes was solely administrative. While CPD field office directors and program managers were tasked with review of risk analyses and monitoring exhibits, OFM did not have substantive oversight procedures to ensure field staff had properly and consistently implemented established policies concerning completion and review of the monitoring process. Therefore, OFM could not know the extent of the deficiences with the implementation of the risk analysis and monitoring process. Based on the issues identified in the previous audit 37 and in this audit, it is imperative headquarters develop appropriate, substantive oversight procedures to ensure the overall monitoring process has credibility. Without credible implementation of the monitoring process, CPD did not have assurance grantees effectively administered Federal funds. Conclusion CPD did not appropriately assess program grantees’ risk to the integrity of CPD programs or adequately monitor its grantees, resulting in no assurance of effective oversight or control of billions in Federal funds. CPD had not monitored most of its grantees over the last 3 years, placing greater importance on CPD’s correctly assessing risk and monitoring. Risk analyses did not conform to requirements and contained errors and omissions affecting individual risk factor assessments, resulting in incorrect risk scores. Field office errors in preparing annual work plans further compounded the effect of incorrect risk scores, preventing correct identification of high-risk grantees. CPD’s monitoring of grantees did not always support and document conclusions as required. Supervisory controls did not function at any level. CPD program managers and directors did not note and require correction of instances of CPD representative noncompliance with requirements. OFM limited its role to administrative matters and was unable to identify field office noncompliance. This condition occurred because OFM structured the risk assessment and monitoring model so that the CPD directors would have the substantial responsibility for ensuring the accuracy and effectiveness of the model. OFM could not readily produce correct 37 HUD’s Monitoring of State CDBG, 2017-FW-0001, July 10, 2017 19 grant and grantee data. As a result, CPD had no assurance that it correctly assessed grantee risk, prepared annual work plans accurately, or conducted monitoring in accordance with requirements for billions in funding. 38 Recommendations We recommend that the Deputy Assistant Secretary for Operations 1A. Develop and implement policies to require CPD headquarters’ substantive involvement and responsibility in the risk assessment and monitoring function, including (1) oversight of risk assessment, including ensuring that all required grantees have a risk assessment performed; (2) review of annual work plans; (3) evaluation of monitoring performance and findings; (4) institution of functional supervisory controls; and (5) enforcement of field office compliance with risk analysis and monitoring requirements. If OFM does this, a minimum of $907 million in Federal funds could be put to better use by more consistently and accurately assessing risk and monitoring grantees. 1B. Establish a monitoring tracking system, organized on a CPD field office basis, to incorporate and track internal and external data and provide an immediate, multiyear quantification of grantees, grants, and dollar value for both monitored and not monitored grantees, allowing immediate assessment of monitoring findings, resolutions, and coverage individually and in total. 38 Ibid. 20 Scope and Methodology We performed our audit work from July 2017 through March 2018 at HUD headquarters in Washington, DC, and on site in the Buffalo, Louisville, Miami, and San Francisco field offices. Our review period was from October 2016 through September 2017. To accomplish our audit objective, we • Reviewed relevant Federal laws and regulations. • Assessed the CPD requirements issued to all field offices for conducting risk assessments, annual work plan development, and the monitoring of CPD grantees and programs. • Interviewed headquarters personnel. • Obtained grant and grantee data from headquarters and performed analytics of detail and summary information by competitive and formula grants by region and field office, workload per CPD representative for risk analysis and monitoring, and historical monitoring coverage. • Performed site visits to four field offices and o Interviewed staff to (1) determine their level of training and experience, timing of the yearly risk analysis and monitoring cycle, procedures conducted, filing and record retention policies and systems, knowledge and understanding of sampling, sampling methods, and documentation; (2) obtain insight into their perceived shortcomings and deficiencies in the risk analysis and monitoring process; and (3) solicit their recommendations for improvement. o Evaluated risk assessments for compliance with requirements, including analysis of sub-factor procedures performed relative to requirements, conclusions reached, and supporting documentation examined and retained. o Reviewed the field office compilations of summary composite worksheets, determined the monitoring method selected, and examined preparation of the annual work plans for compliance with requirements. o Examined monitoring engagement procedures for conformance to requirements, to include but not limited to the individual monitoring strategies designed for conduct of the engagement, communications to and from grantees, selection of monitoring exhibits, completion of exhibits, support for conclusions reached, workpaper and document retention, and proper identification and handling and resolution of findings and concerns. Sample Selection During the audit period, CPD had approximately 4,300 combined formula and competitive grantees for which more than 6,200 grantee worksheets were prepared. From the population of 43 field offices, 5 grantees and programs each from 4 field offices were selected for testing and review of the related risk assessment and monitoring. 21 We based our sample selection on interviews with OFM staff; analysis of summary grant and grantee data in total and by field office; and review of field office staffing levels, field office annual monitoring goals, and monitoring coverage percentages. We excluded the seven field offices sampled under our State CDBG audit. 39 Using the available information, we selected a cross section of field offices based upon size and geographical location. Table 4: Field offices selected for site visits 40 Field Formula Competitive Total office grants funding grants funding grants funding Buffalo 65 $ 74,701,611 503 $ 51,843,478 568 $126,545,089 Louisville 26 60,049,777 207 18,635,431 233 78,685,208 Miami 114 86,554,313 387 48,461,626 501 135,015,939 San Francisco 245 356,484,010 664 211,252,628 909 567,736,638 Total 450 577,789,711 1,761 330,193,163 2,211 907,982,874 As our sample was not statistical, our sample results could not be projected to the population. However, because of the decentralized system, lack of supervisory review, and extent and consistency of the deficiencies, the selections provided sufficient evidence to conclude whether CPD followed its requirements and that the requirements were adequate to ensure that if followed, CPD could accurately assess risk, develop a work plan based on accurately rated and ranked grantees, and execute credible monitoring of grantees to ensure the proper administration of Federal funds. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 39 HUD’s Monitoring of State CDBG, 2017-FW-0001, July 10, 2017 40 The total funding represents the minimum cost savings that CPD could recognize by establishing controls to ensure consistent compliance with its guidance for risk assessment and monitoring of grantees and therefore, providing supportable assurance that grantees are properly administering Federal funds or instances of noncompliance are identified and corrected. 22 Internal Controls Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to • effectiveness and efficiency of operations, • reliability of financial reporting, and • compliance with applicable laws and regulations. Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined that the following internal controls were relevant to our audit objective: • Program operations – Policies and procedures that management has implemented to ensure that a program meets its objectives. • Validity and reliability of data – Policies and procedures that management has implemented to ensure that valid and reliable data are obtained, maintained, and fairly disclosed. • Compliance with laws and regulations – Policies and procedures that management has implemented to ensure that resource use is consistent with laws and regulations. We assessed the relevant controls identified above. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis. Significant Deficiencies Based on our review, we believe that the following items are significant deficiencies: • OFM did not have adequate controls to exercise oversight or control of risk assessment or the monitoring of CPD grantees. • Field offices did not implement adequate controls to accurately assess risk, develop work plans, or execute monitoring in accordance with requirements. 23 Followup on Prior Audits HUD’s Monitoring of State CDBG, 2017-FW-0001 All of the report recommendations, 1A through 1F, were open as of March 14, 2018. The recommendations included the General Deputy Assistant Secretary for Community Planning and Development to (1) develop and implement a review process at the headquarters level to ensure compliance with established policy for risk analysis and monitoring, (2) require referenced supporting documentation be uploaded into its system and implement guidance for field offices to maintain supporting documentation in their official files, (3) develop and implement a policy that requires field offices to rate grantees of at least medium risk that have not been monitored within the last 3 years, and (4) update monitoring exhibits to guide staff to document procedures performed and provide sufficient explanation to verify procedures performed and conclusions drawn. The full report can be found at the following link: https://www.hudoig.gov/reports-publications/audit-reports/hud%E2%80%99s-monitoring-of- state-cdbg Recommendations 1B, 1C, and 1F were open without a final action target date. The final action target date for completing corrective action for recommendations 1A and 1E is July 10, 2018, and recommendation 1D is September 30, 2018. The State of Oklahoma Did Not Obligate and Spend Its Community Development Block Grant Disaster Recovery Funds in Accordance With Requirements, 2016-FW-1010 All of the report recommendations, 1A through 1F, were open as of March 14, 2018. The recommendations included the Acting Deputy Assistant Secretary for Grant Programs require the State to (1) develop and implement policies and procedures to document and perform detailed review and testing to establish eligibility, existence, disaster event qualifications, reasonableness of cost estimates, prioritization, and fund allocation, both retroactively and prospectively, which would put $81.9 million to better use; (2) support or properly obligate more than $11.7 million in unsupported obligations; and (3) support or repay more than $4.3 million in unsupported expenditures. The full report can be found at the following link: https://www.hudoig.gov/reports-publications/audit-reports/state-of-oklahoma-did-not-obligate- and-spend-its-community The final action target date for completing corrective action was November 29, 2017. CPD and the State of Oklahoma were still in consideration of corrective action, if any, as of the date of this report. 24 Appendixes Appendix A Schedule of Funds To Be Put to Better Use Recommendation Funds to be put number to better use 1/ 1A $907,982,874 Total 907,982,874 1/ Recommendations that funds be put to better use are estimates of amounts that could be used more efficiently if an Office of Inspector General (OIG) recommendation is implemented. These amounts include reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in preaward reviews, and any other savings that are specifically identified. In this instance, funds to be put to better use represents the fiscal year 2016 formula grants and fiscal year 2015 competitive grants for the four field offices selected for site visit examination. As discussed in the Scope and Methodology section, the deficiencies identified during the audit were systemic and not limited to the sample items tested. Of the sample items reviewed, 100 percent of risk analyses and monitoring engagements examined evidenced many and varied instances of noncompliance with requirements. This result was attributable to field office noncompliance with requirements and OFM’s decentralized system, lack of supervisory review, and lack of support for conclusions reached. CPD could recognize cost savings of more than $907 million by establishing controls to ensure consistent compliance with its guidance for risk assessment and monitoring of grantees and therefore, providing supportable assurance that grantees are properly administering Federal funds or instances of noncompliance are identified and corrected. 25 Appendix B Auditee Comments and OIG’s Evaluation Ref to OIG Evaluation Auditee Comments Comment 1 Comment 2 Comment 3 26 Ref to OIG Evaluation Auditee Comments Comment 4 Comment 5 Comment 1 27 Ref to OIG Auditee Comments Evaluation Comment 6 Comment 7 Comment 8 Comment 9 28 Ref to OIG Auditee Comments Evaluation Comment 10 Comment 11 Comment 12 Comment 12 Comment 13 Comment 14 Comment 15 29 OIG Evaluation of Auditee Comments Comment 1 CPD unequivocally stated that the audit report’s conclusion that CPD has no assurance of effective oversight or control of billions in Federal funds is invalid and unfounded. CPD misinterpreted the audit report’s evidence and conclusions. CPD did not have a system of control to provide the assurances that its policies and procedures were implemented by the field offices and operating as designed. The audit noted significant and consistent mistakes and omissions at the four sites reviewed that affected all other field offices since they had the same oversight controls. In addition, OFM developed a monitoring review training program in March 2016 after a review of more than 2,000 monitoring exhibits. The deficiencies OFM identified and incorporated in this training were similar to the issues reported in this report. As stated in the report, neither the field office directors nor OFM noted and corrected instances of noncompliance. Without controls to determine if the policies were implemented and operating as designed, CPD cannot have assurances. We maintain our position. Comment 2 CPD did not believe that the sample was sufficient or that the audit considered the Single Audits performed on grantees. CPD also stated that the report did not cite any instances of CPD violating a law or regulation. The sample included 10 percent of CPD field offices. As stated in Comment 1, CPD did not have controls in place to determine that policies were adequately and consistently operating throughout the 43 field offices. Furthermore, OFM’s own review showed similar mistakes and omissions. CPD did not provide any specifics on how it would address the significant deficiency. In addition, we have reported significant findings with CPD grantees’ compliance with requirements in other HUD OIG reports. While CPD’s grantees that expend more than $750,000 annually are required to have audits, these audits focus on the grantee’s financial statements and major Federal programs. Grantees may receive multiple Federal grants from different Federal agencies. Based on the independent auditor’s assessment, HUD funding may or may not be included for review during this type of audit. CPD’s risk analyses required a determination of the Single Audit’s timeliness and whether the audit included findings or recommendations; however, CPD’s response did not state how it used the audits in its overall monitoring processes. Lastly, GAO’s 30 Standards for Internal Controls in the Federal Government specifically states that these audits are not part of HUD’s internal controls. 41 Comment 3 CPD stated our report displayed a misconception of risk assessment and did not clearly communicate the intended point. The report described the importance of risk assessment as part of the condition of the finding since HUD was not required to monitor all grantees. Unsupported, incomplete, and inaccurate risk scores could lead to not identifying the grantees that pose the highest risk. As stated in Comment 2, the external audits did not have an effect on CPD following its policy on risk analysis or monitoring. Other than including that HUD was not required to monitor all grantees, which was previously in a footnote, in the body of the finding, we did not delete or revise the sections. Comment 4 CPD stated that we were applying “auditing standards” to CPD in evaluating the effectiveness of its risk assessment and monitoring. 42 CPD also requested clarification of what “verification of interview representations” meant. As discussed throughout the audit, this audit examined CPD compliance with CPD policies and procedures. 43 CPD internally developed, published, and distributed these policies to CPD field offices for performance of risk assessment and monitoring. We have included additional CPD policies in the body of the report to help clarify the reported deficiencies. “Verification of interview representations” meant CPD representatives must obtain support for statements made during the interview. We maintain our position. Comment 5 CPD stated that we did not understand its organizational structure and had blurred the lines “between overseeing a process and enforcing program requirements…” and stated “it is inappropriate and contrary to program delegations of authority to shift program management and oversight responsibility to OFM.” CPD’s response did not refute • CPD representatives did not comply with requirements; • CPD directors approved deficient risk analyses and monitoring exhibits without noting noncompliance with requirements and requiring corrective action; and • OFM separated itself from the process and did not oversee or “manage” the implementation and operations of its risk analysis and monitoring policy. 41 GAO-14-704G, Standards for Internal Control in the Federal Government, OV2.15 42 See also, HUD’s Monitoring of State CDBG, 2017-FW-2001, OIG Evaluation of Auditee Comments. 43 HUD Monitoring Handbook 6509.2, REV-7 and Notice CPD-14-04 31 OFM stated that it was not responsible for the oversight of the risk analysis and monitoring processes with the exception of limited administrative tasks, and further stated that the deficiencies identified in the draft report were the responsibility of the Office of Block Grant Assistance due to the program knowledge its employees had and OFM lacked. Although OFM consistently cited lack of program knowledge as justification for not exercising substantive oversight, the indications of noncompliance with requirements noted during this audit did not require program expertise to identify (e.g., nonperformance of procedures, no indication of specific procedures performed, lack of supporting documents and workpapers, lack of completeness, etc.). Identification of monitoring deficiencies by OFM in development of its training program demonstrated OFM’s ability to identify noncompliance with requirements. We maintain our position. Comment 6 CPD disagreed with our statement regarding its inability to readily produce detail grant and grantee data upon request, noting the report did not provide sufficient evidence as to data missing, the nature of the problem, or explain if the remark emanated from our perception that the system needed to do something it was not designed to do. CPD’s inability to produce detail data was a problem identified and communicated to CPD during the initial stages of the audit in July 2017. CPD provided summary grant and grantee data, but was unable to provide the supporting details that agreed to, or reconciled with and supported the summary totals. We worked with CPD through multiple iterations of detail data before receiving, in September 2017, a detail for the formula and competitive grants summary information received in July 2017. CPD did not furnish the requested detail for formula and competitive grantees. We maintain our position. Comment 7 CPD stated Recommendation 1B, to establish a monitoring tracking system, constituted our “taking on a management role in designing internal controls and requiring the actual control CPD should use” and, as such, was an “inappropriate overreach and contrary to generally accepted government auditing standards.” Making a recommendation to establish a tracking system did not constitute “taking on management’s role.” According to GAO, 44 we recommend “actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions.” Further, we make recommendations that we believe would address 44 Government Auditing Standards, chapter 7, Reporting Standards for Performance Audits. 32 the findings and conclusions, are directed at resolving the cause of the identified deficiencies and findings, and clearly state the actions recommended. We maintain our position. Comment 8 CPD stated the report did not have sufficient evidence to support the assertion that supervisory controls did not function at any level. The Scope and Methodology section of the report describes our testing procedures. The body of the report identifies the results of those procedures for the overall audit, including conclusions reached regarding supervisory controls. Furthermore, as stated in the finding, CPD did not establish or implement supervisory or quality controls outside of the field office reviews. As noted throughout the report, CPD directors approved risk analyses and monitorings without identification and correction of instances of noncompliance indicating nonfunctioning supervisory controls at the field office level. In addition, OFM’s administrative review did not include evaluation to ensure its field offices were implementing the risk analysis and monitoring review policies. Lastly, CPD’s response did not provide support that it had adequate or effective oversight controls. We maintain our position. Comment 9 CPD wrote that the report incorrectly characterized GAO’s removal of HUD from its high-risk list. We modified the report to reflect the language in the GAO report. Comment 10 CPD wanted clarification of all awarded grantee programs and specifics regarding footnote 13 (now footnote 12). All awarded grantee programs refers to the CPD funds awarded to entitlement and competitive grantees for which field offices were required to perform risk analysis. We added specific numbers to the footnote. Comment 11 CPD stated the example regarding Figure 11 of our report was confusing and noted the monitoring letter addressed the smoke detector problem for Broward Regional Health Planning Council. Figures 10, 11, and 12 illustrated the conflicting information between the exhibits and the monitoring letter. The monitoring letter addressed the smoke detector, which is a housing quality standards issue that was not identified in Figure 10. The monitoring letter did not address the environmental finding and was inconsistent with what was presented in the exhibit. We did not revise the finding. Comment 12 CPD stated that the report contained auditing terminology and clarification of such terminology would be helpful to ensure a common understanding. CPD also described what it considered to be an acceptable explanation to support monitoring reviews. 33 We used common sampling terminology similar to what CPD uses in its own policy. For instance, HUD’s HOPWA exhibit 10-5 instructions state, “Use the grantee’s listing of applicable cost items supported with HOPWA funds during the operating year under review as a basis for the sample selection.” We agree with CPD on what it considered an acceptable description to support its determination. However, as stated throughout the finding, this description was missing from the documentation provided during our review. Therefore, the responses (including N/A) were not supportable or adequately documented. Comment 13 CPD requested the recommendations for improvement that we solicited from field offices. During our site visits, we solicited comments and recommendations from the CPD personnel interviewed. We considered and evaluated their comments and recommendations for improvement during the performance of fieldwork and in development of the report. Comment 14 CPD stated the audit followup section inaccurately reflected the status of the previous audit due to the lack of discussing CPD’s substantive disagreements. The purpose of this section was to describe significant recommendations that remain unresolved and disclose the status of recommendations that could affect the current audit objectives. We did not revise the report section. Comment 15 CPD was puzzled by the inclusion of the State of Oklahoma audit report since it was outside OFM’s purview. We agree that OFM was not responsible for the State of Oklahoma audit recommendations. The Oklahoma City CPD field office did not perform accurate risk assessments and, did not monitor the State for at least five years. This audit led to the current audit on the CPD monitoring of all grantees. In addition, the material findings and recommendations in the State of Oklahoma report affect the current audit objectives for this latest report. 34
CPD's Risk Assessment and Monitoring Program Did Not Provide Effective Oversight of Federal Funds
Published by the Department of Housing and Urban Development, Office of Inspector General on 2018-06-26.
Below is a raw (and likely hideous) rendition of the original report. (PDF)