To determine whether all the unexpended obligations of HUD are valid and meet funding guidelines, the Office of the Chief Financial Officer (OCFO) coordinates annually an Open Obligation Review (OOR) of all program and administrative funds. This review determines which funds are still needed and certifies to Treasury that the funds remaining in its obligation balance at the end of the fiscal year represent future obligations for the department.…

The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst, are largely…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the…

HUD did not comply with PIIA because it did not report improper and unknown payment estimates for the Office of Public and Indian Housing’s Tenant-Based Rental Assistance (PIH-TBRA) program and the Office of Multifamily Housing Programs’ Project-Based Rental Assistance (PBRA) program, HUD’s largest rental assistance programs.  This noncompliance is significant because this is the seventh consecutive year in which HUD has been unable to…

As required by the Charge Card Abuse Prevention Act of 2012, Public Law 112-194, we performed risk assessments of the U.S. Department of Housing and Urban Development’s (HUD) purchase and travel card programs.  In our risk assessments, we analyzed and identified the risks of illegal, improper, or erroneous purchases.  Using information provided by HUD, we assessed risk for eight different risk factors and ranked each risk factor as low…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the…

We audited the U.S. Department of Housing and Urban Development’s (HUD) fiscal year 2022 compliance with the Payment Integrity Information Act of 2019 (PIIA) and implementation of Office of Management and Budget (OMB) guidance. PIIA was enacted to prevent and reduce improper payments and require each agency’s inspector general to perform an annual review of the agency’s compliance with PIIA. Our objectives were to assess (1) whether HUD had met…

We conducted this evaluation to assess the maturity of HUD’s Robotic process automation (RPA) activities and determine whether HUD had implemented related controls to address technology and program management risks.  RPA is a software technology used to emulate human actions on a computer.  RPA software programs, referred to as “bots,” can complete repetitive tasks quickly and consistently, freeing up employees to work on other, higher…

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced is key to…

The Federal Information Security Modernization Act of 2014 (FISMA) requires all Federal agencies to conduct independent penetration tests and vulnerability assessments on a sampling of information systems annually.  In conjunction with our fiscal year 2022 FISMA evaluation (2022-OE-0001), we conducted a targeted penetration test and vulnerability assessment of sample systems that resulted in a Topic Brief.  The objective of this…

We contracted with the independent public accounting firm of CliftonLarsonAllen LLP (CLA) to audit the financial statements of HUD as of and for the fiscal years ended September 30, 2022 and 2021, and to provide reports on HUD’s 1) internal control over financial reporting; and 2) compliance with laws, regulations, contracts, and grant agreements and other matters, including whether financial management systems complied substantially with the…

We audited the U.S. Department of Housing and Urban Development’s (HUD) fraud risk management program at the enterprise and program-office levels and assessed its overall maturity.  Our objective was to determine HUD’s progress in implementing a fraud risk management framework at the enterprise and program-office levels that encompasses control activities to prevent, detect, and respond to fraud. The Antifraud Playbook established by the…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess…

We completed a corrective action verification (CAV) of recommendations from prior Office of Inspector General (OIG) audit reports on the U.S. Department of Housing and Urban Development’s (HUD) government purchase cards and government travel cards, both issued January 31, 2020. During our CAV, we followed up on all 10 recommendations from OIG audit report 2020-KC-0001 and all 13 recommendations from OIG audit report 2020-KC-0002. Our CAV…

We audited the U.S. Department of Housing and Urban Development’s (HUD) fiscal year 2021 compliance with the Payment Integrity Information Act of 2019 (PIIA) and implementation of Office of Management and Budget (OMB) guidance.  PIIA was enacted to prevent and reduce improper payments and require each agency’s inspector general to perform an annual review of the agency’s compliance with PIIA.  Our objectives were to assess (1) whether…

We audited the U.S. Department of Housing and Urban Development’s (HUD) grant closeout processes and compliance with the Grants Oversight and New Efficiency (GONE) Act.  The GONE Act required that we conduct a risk assessment to determine whether an audit of HUD’s grant closeout process was warranted.  We initiated this review based on the results of our risk assessment conducted in fiscal year 2018, which found that an audit was…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess…

The Federal Information Security Modernization Act of 2014 (FISMA) requires all federal agencies to conduct independent security technical verification testing on a sampling of information systems annually.  In conjunction with our fiscal year 2021 FISMA evaluation (2021-OE-0001), we conducted a targeted security testing assessment of sample systems that resulted in a Topic Brief.  The objective of this application vulnerability…

We contracted with the independent public accounting firm of CliftonLarsonAllen LLP (CLA) to audit the financial statements of HUD as of and for the fiscal years ended September 30, 2021 and 2020,1 and to provide reports on HUD’s 1) internal control over financial reporting; and 2) compliance with laws, regulations, contracts, and grant agreements and other matters, including whether financial management systems complied substantially with the…

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) ability to effectively complete information technology (IT) acquisitions.  HUD’s IT systems and its modernization plans depend heavily on contractors, yet HUD has historically faced significant challenges with implementing effective acquisition processes. Therefore, HUD’s acquisition capacity represents a key potential risk within HUD’s IT environment. We found that a…