The U.S. Department of Housing and Urban Development (HUD) Office of Inspector General (OIG) conducted an evaluation of the operational effectiveness of information technology (IT) security controls for the HUDUSER system, which is operated by HUD’s Office of Policy Development and Research (PD&R).  The OIG identified four significant weaknesses involving website security, underscoring the need to strengthen technical security…

In August 2024, we issued an audit report on the California Department of Housing and Community Development’s (HCD) fraud risk management practices, finding that HCD was not adequately prepared to prevent, detect, and respond to fraud due to the lack of focus it placed on fraud risks and establishing a robust fraud risk management framework for the Coronavirus Aid, Relief, and Economic Security Act (CARES) Act funding for the Emergency…

We recently issued an audit report on the City and County of Honolulu’s (City) fraud risk management practices, which determined the grantee did not adequately develop a fraud risk management framework for the Coronavirus Aid, Relief, and Economic Security (CARES) Act funding provided for the Emergency Solutions Grant (ESG) program to prevent, detect, and respond to fraud (Audit Report No. 2024-LA-1002, issued August 6, 2024). This…

We have reviewed the U.S. Department of Housing and Urban Development’s (HUD’s) Detailed Accounting Report and the related management assertions for National Drug Control Program activities for the fiscal year ended September 30, 2025. We also reviewed the Budget Formulation Compliance Report, which includes budget formulation information for fiscal year 2027, and the related management assertions for National Drug Control Program…

We audited New York City (NYC) Department of Social Services (DSS) with the objective of evaluating DSS’ fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) funded activities and assessed the maturity of its efforts to prevent, detect, and respond to fraud.  Fraud within activities funded by the ESG CARES Act can lead to significant financial losses…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII).  HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data.  In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust…

The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst,…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

 The Geospatial Data of 2018 (the Act) governs the collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data of covered agencies, including the U.S. Department of Housing and Urban Development (HUD).  We audited the U.S. Department of Housing and Urban Development’s (HUD) efforts to meet the geospatial data requirements stated in the Act.  The Act requires the Inspector…

We audited HUD and its grantees’ monitoring of subrecipients and contractors in HUD’s Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG-CV) program to assess subrecipient monitoring in the program.  ESG and ESG-CV grantees often rely on subrecipients and contractors to carry out ESG-CV-funded activities on behalf of the grantees, and are required to monitor subrecipients to ensure that the…

We audited the City and County of Honolulu’s Department of Budget and Fiscal Services’ and Department of Community Services’ (City) fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program with the objective of assessing the maturity of the City’s fraud risk management framework that encompasses control activities to prevent, detect, and respond to…

We audited the California Department of Housing and Community Development (HCD) with the objective of evaluating HCD’s fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program and assessing the maturity of its efforts to prevent, detect, and respond to fraud.  Fraudulent activity in the ESG CARES Act program can lead to significant financial…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

We conducted this evaluation to assess the maturity of HUD’s Robotic process automation (RPA) activities and determine whether HUD had implemented related controls to address technology and program management risks.  RPA is a software technology used to emulate human actions on a computer.  RPA software programs, referred to as “bots,” can complete repetitive tasks quickly and consistently, freeing up employees to work on…

We conducted an attestation review of the U.S. Department of Housing and Urban Development’s drug control accounting for the fiscal year ended September 30, 2022.  We performed this review pursuant to section 705(d) of Public Law 105-277, which requires National Drug Control Program agencies to submit to the Director of ONDCP a detailed accounting of all funds spent by the agencies for National Drug Control Program activities…

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation…

We audited the U.S. Department of Housing and Urban Development’s (HUD) efforts to meet the Geospatial Data Act of 2018 (the Act).Our audit objective was to determine whether HUD met the 13 responsibilities stated in the Act with regard to its collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data.  The Act also generally requires covered agencies provide access to geospatial data…

We audited the U.S. Department of Housing and Urban Development’s (HUD) Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (ESG-CV) program. Our audit objective was to determine what challenges ESG-CV grant recipients faced in implementing the program and using grant funds. We used a survey questionnaire to gather feedback and insight directly from the 362 recipients of ESG-CV grants. At the time…