The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Establish an improper payment council within HUD that consists of senior accountable officials from across the Department with a role in the effort that would work to identify risks and challenges to compliance and identify solutions as a collaborative group.

Develop and complete a detailed plan and timeline for completing compliant PIH-TBRA and PBRA program estimates and ensure that the improper payment council prioritizes completion of the plan in time for fiscal year 2023 reporting.

Develop a secure platform for the collection and storage of PIIA data that contain PII and formally assign a staff with adequate training and skillsets to administer the data and application (including maintaining and managing access controls of a chosen application that will be used to store the PIIA data with PII).

Reevaluate the methodology and reassess the weight assigned to each risk factor to ensure that appropriate weight is given to risks associated with non-Federal administrators or consider doing one risk assessment for HUD’s internal payment cycle and another risk assessment for the non-Federal entities that administer HUD’s program funds.

Until program-specific fraud risk assessments are completed, revise the PIIA fraud risk questionnaire process to compensate for the lack of program-specific fraud risk assessments.

Reassess the Homeless Assistance Grants program as part of the fiscal year 2023 risk assessment.

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.

Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.

Research, evaluate, and implement technical or alternative solutions to deploy essential computer software updates using appropriate secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations

Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.

Assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. This measure includes but is not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.

Develop and issue a departmental grant accrual validation policy or update the existing grant accrual policy to include the validation process. The policy should include 1) specific control activities over the grant accrual validation and outline all of the specific roles and responsibilities; 2) a periodic review of the grant accrual validation to evaluate and reassess its continued relevance and control effectiveness, and ensure any changes are designed and implemented appropriately; and 3) a clear communication plan that requires formal and documented communications between appropriate program offices and OCFO to ensure the validation results are used to update the grant accrual methodology and subsequent period’s estimate, as appropriate.

Develop and document internal procedures to ensure the OCFO’s responsibilities specified within the new or updated grant accrual validation policy are addressed.

Develop and implement procedures to ensure that planning for the CPD grant accrual validation is done early in the accounting cycle to allow for: • Sufficient resources to be available to perform the validation of the prior year grant accrual. • Validation efforts to start earlier to allow for follow-up on non-responsive grantees or grantees that provided incomplete information. • Materiality risk to be considered when planning and evaluating the CPD grant accrual validation.