We audited selected controls within the Disaster Recovery Grant Reporting system (DRGR) related to Neighborhood Stabilization Program (NSP) funding because of the emergency and the transparency nature of the Housing and Economic Recovery Act and the American Recovery and Reinvestment Act, respectively, and corresponding statutory timeframes. DRGR is an existing system that was modified to track close to $5.9 billion dollars of NSP funds, the majority of which must be obligated and expended within two years. NSP I funding totaled $3.9 billion. The American Recovery and Reinvestment Act of 2009 (ARRA) revised some of the program rules and appropriated an additional $2 billion for the program, to be competitively awarded. Following the initiation of our audit, the Office of Community Planning and Development (CPD) decided to use DRGR to track the $2 billion in funding allocated to NSP II, in addition to the $3.9 billion allocated to NSP I.
Our objective was to assess risk assessment updates and whether NSP funds were properly safeguarded by the access controls related to DRGR. While we did not find misappropriation or misuse of funds in our limited review, we did find weaknesses that require CPD actions to obtain reasonable assurance that NSP funds are properly safeguarded. We found that (1) access control policies and procedures for DRGR violated HUD policy, (2) the system authorization to operate was outdated and based upon inaccurate and untested documentation, (3) CPD did not adequately separate the DRGR system and security administration functions, and (4) CPD had not sufficiently tested interface transactions between DRGR and the Line of Credit Control System.
CPD had identified and initiated actions in an effort to address or mitigate many of the weaknesses identified. We commend CPD’s efforts to identify and remedy the weaknesses in the DRGR system. In addition, we acknowledge that CPD efforts to initiate and proceed with modifications to DRGR have been hampered due to a lack of funding and staff resources.