The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Prepare a white paper regarding the accounting treatment for each type of funding disbursed under the HCVP, to include a comparison of the qualities the funding embodies against the qualities that are necessary for it to be considered a prepayment versus an expense according to generally accepted accounting principles. The Chief Financial Officer should work with PIH to gather the information necessary to complete this analysis and have PIH review it to ensure the accuracy of the program information used.

Develop and implement a policy that requires OCFO to review all new program notices, new regulations, and new types of funding and evaluate each against the accounting standards and current accounting treatment (as documented in white papers or other forms) to determine whether OCFO’s treatment complies with generally accepted accounting principles and if not, propose changes. The policy should include formal designation of roles and responsibilities as well as internal controls to ensure proper review and approval of conclusions.

Once additional data are available, and at least quarterly, reduce the CARES Act PIH prepayment by the amount actually spent by PHAs or an estimated amount with a low level of estimation uncertainty.

As part of the validation process for CPD’s accrued grant liabilities, review CPD’s accrued grant liabilities estimation methodology to ensure that it is based on verifiable grantee supporting documentation and all assumptions and variables used for the grant accrual estimate were properly established, supported, and documented.

Research the survey responses that resulted in a positive cash on hand balance to determine whether a cash advance exists. If so, the Chief Financial Officer should coordinate with CPD to (1) determine whether the grantees have proper documentation and approvals allowing for cash advances and (2) develop and implement procedures to estimate and account for cash advances for financial reporting purposes.

Investigate other methods for validating CPD’s accrued grant liabilities estimate, including the use of other sampling units, which could provide additional relevant information that can be used to produce more reasonable results and reduce estimation uncertainty to a low level.

Work with the Director of the Office of Multifamily Asset Management and Portfolio Oversight to ensure that all debt owed to HUD is identified, accurately reported in HUD’s financial records, and properly monitored to ensure compliance with applicable laws and regulations.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to creating rules for allowing only authorized software to be used through HUD's endpoint security software. The final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and it is implemented as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk-Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.