As part of the validation process for CPD’s accrued grant liabilities, review CPD’s accrued grant liabilities estimation methodology to ensure that it is based on verifiable grantee supporting documentation and all assumptions and variables used for the grant accrual estimate were properly established, supported, and documented.

Research the survey responses that resulted in a positive cash on hand balance to determine whether a cash advance exists. If so, the Chief Financial Officer should coordinate with CPD to (1) determine whether the grantees have proper documentation and approvals allowing for cash advances and (2) develop and implement procedures to estimate and account for cash advances for financial reporting purposes.

Investigate other methods for validating CPD’s accrued grant liabilities estimate, including the use of other sampling units, which could provide additional relevant information that can be used to produce more reasonable results and reduce estimation uncertainty to a low level.

Work with the Director of the Office of Multifamily Asset Management and Portfolio Oversight to ensure that all debt owed to HUD is identified, accurately reported in HUD’s financial records, and properly monitored to ensure compliance with applicable laws and regulations.

Adequately notify homeowners that, due to COVID-19, all FHA refund applications and supporting documents should be sent electronically to avoid delay in processing. This process should include (1) developing and expediting implementation of correspondence sent to homeowners with the application, (2) a notice of operational changes on HUD’s FHA refunds websites, (3) ensuring that HUD’s Does HUD Owe You a Refund website is updated to the most recent FHA Homeowners Fact Sheet, (4) an updated voice message from the call center including an accurate email, and (5) developing an updated script for call center agents for the initial contact with the homeowner, follow up, and contact with homeowners who already submitted their application by mail.

Conduct a privacy impact assessment for accepting homeowner FHA refund applications and supporting documentation that contain PII electronically to identify potential risks and develop and implement plans to mitigate those risks.

Develop and implement written policies and procedures for SFIOD to quickly respond to emergency situations when staff cannot return to the office. Procedures should include steps to quickly notify homeowners of any changes made to the FHA refund process.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to create rules for allowing only authorized software to be used through HUD's endpoint security software. Final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and implement as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.