The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII).  HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data.  In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust…

The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst,…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

 The Geospatial Data of 2018 (the Act) governs the collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data of covered agencies, including the U.S. Department of Housing and Urban Development (HUD).  We audited the U.S. Department of Housing and Urban Development’s (HUD) efforts to meet the geospatial data requirements stated in the Act.  The Act requires the Inspector…

We audited HUD and its grantees’ monitoring of subrecipients and contractors in HUD’s Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG-CV) program to assess subrecipient monitoring in the program.  ESG and ESG-CV grantees often rely on subrecipients and contractors to carry out ESG-CV-funded activities on behalf of the grantees, and are required to monitor subrecipients to ensure that the…

We audited the City and County of Honolulu’s Department of Budget and Fiscal Services’ and Department of Community Services’ (City) fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program with the objective of assessing the maturity of the City’s fraud risk management framework that encompasses control activities to prevent, detect, and respond to…

We audited the California Department of Housing and Community Development (HCD) with the objective of evaluating HCD’s fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program and assessing the maturity of its efforts to prevent, detect, and respond to fraud.  Fraudulent activity in the ESG CARES Act program can lead to significant financial…

Servicers followed the COVID-19 pandemic foreclosure moratorium requirements.  However, they could have better communicated the moratorium requirements to delinquent borrowers who were subject to foreclosure proceedings.  This situation occurred because HUD did not require servicers to notify borrowers directly about the foreclosure moratorium and that occupancy would pause the foreclosure process.  Borrowers who were…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

We audited the U.S. Department of Housing and Urban Development (HUD), Office of Native American Programs’ (ONAP) coronavirus disease of 2019 (COVID-19) recovery programs.  We performed this audit to provide HUD with insight and a nationwide perspective on the challenges that grantees experienced with those programs.  Our audit objectives were to identify 1) the information, guidance, and training HUD provided to the grantees…

We conducted this evaluation to assess the maturity of HUD’s Robotic process automation (RPA) activities and determine whether HUD had implemented related controls to address technology and program management risks.  RPA is a software technology used to emulate human actions on a computer.  RPA software programs, referred to as “bots,” can complete repetitive tasks quickly and consistently, freeing up employees to work on…

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced…

We audited the U.S. Department of Housing and Urban Development (HUD), Office of Native American Programs’ (ONAP) Coronavirus Aid, Relief, and Economic Security (CARES) Act and American Rescue Plan (ARP) Act to identify drawdown levels for its block grant programs and assessed information ONAP made publicly available. As of October 4, 2022, grantees had drawn $231.6 million of the $300 million in CARES Act block grant funds and $135.8…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation…

We audited the U.S. Department of Housing and Urban Development’s (HUD) efforts to meet the Geospatial Data Act of 2018 (the Act). Our audit objective was to determine whether HUD met the 13 responsibilities stated in the Act with regard to its collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data.  The Act also generally requires covered agencies provide access to geospatial…

In coordination with the Pandemic Response Accountability Committee, we conducted an audit to identify potential fraud schemes that could affect HUD’s pandemic funds.  We reviewed the funds appropriated by the Coronavirus Aid, Relief, and Economic Security (CARES) Act and the American Rescue Plan (ARP) Act for the Tenant-Based Rental Assistance (TBRA), Project-Based Rental Assistance (PBRA), HOME Investment Partnerships, and…

We audited the U.S. Department of Housing and Urban Development’s (HUD) Community Development Block Grant Coronavirus Aid, Relief, and Economic Security (CARES) Act program. Our audit objective was to determine what challenges grantees faced in using program funds for activities that prepare for, prevent, or respond to the coronavirus and its impact.  We used a survey questionnaire to gather feedback and insight directly from 1,…

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) ability to effectively complete information technology (IT) acquisitions.  HUD’s IT systems and its modernization plans depend heavily on contractors, yet HUD has historically faced significant challenges with implementing effective acquisition processes. Therefore, HUD’s acquisition capacity represents a key potential risk within HUD’s IT environment. We…

In February 2021, the Office of the Chief Information Officer (OCIO) identified funding risks with the development contract under which HUD contracted for Federal Housing Administration (FHA) Catalyst’s development.  In response, HUD officials took steps to slow FHA Catalyst spending on the contract while awaiting approval for additional contract funds.  Despite efforts to slow project spending, it was not enough to prevent…

On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act made available $5 billion in supplemental CDBG funding for grants to prevent, prepare for, and respond to the coronavirus pandemic (CDBG-CV grants).  Because of similarities, we reviewed 132 CDBG-DR program audits and evaluations issued from May 2002 to March 2020 to summarize the common CDBG-DR program weaknesses and risks for CPD to consider to…