HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

We recommend that the Chief Financial Officer enhance existing policies to establish a formal grant accrual risk management framework to help ensure consistent standards across HUD with regard to the development, review, and execution of the grant accrual and validation. This framework should include 1) identifying grant accrual estimation risk, assessing the magnitude of this risk, and managing the risks that arise when using certain quantitative estimation methods, 2) a governance structure that includes estimation ownership, oversight, and framework assessment, 3) the creation of a committee that is responsible for establishing a holistic approach to estimation risk management, including key stakeholders from OCFO and program offices, such as CPD, and 4) a requirement for documentation of committee meeting agendas, minutes, and key decisions and discussion points which impacts the various grant accrual methodologies across the Department.

Develop and fully implement a departmentwide policy for the monthly transaction review process that requires program office participation and timely completion of the review and certification.

Update OCFO’s travel card monitoring procedures to obtain, review, and monitor the IBA Use report on a regular basis to ensure compliance with purchases required to be made on the government travel card.

HUD’s Office of Administration, in coordination with OCIO, should update and communicate its PII minimization plan. The plan should include detailed procedures to regularly review and remove unnecessary PII collections in accordance with OMB Circular A-130 (IG FISMA metric 35).

HUD’s Office of the Chief Financial Officer (OCFO), in coordination with other appropriate program offices, should define and implement a risk-based process to assess and document IT risk management personnel resourcing needs and that those personnel are allocated effectively to support HUD’s risk management program (IG FISMA metric 7).

HUD OCFO, in coordination with other appropriate program offices, should define and implement a process to document and allocate non-personnel risk management resources in a risk-based manner, to include but not limited to funding, processes, and technology (IG FISMA metric 7).

Establish an improper payment council within HUD that consists of senior accountable officials from across the Department with a role in the effort that would work to identify risks and challenges to compliance and identify solutions as a collaborative group.

Develop and complete a detailed plan and timeline for completing compliant PIH-TBRA and PBRA program estimates and ensure that the improper payment council prioritizes completion of the plan in time for fiscal year 2023 reporting.

Develop a secure platform for the collection and storage of PIIA data that contain PII and formally assign a staff with adequate training and skillsets to administer the data and application (including maintaining and managing access controls of a chosen application that will be used to store the PIIA data with PII).

Reevaluate the methodology and reassess the weight assigned to each risk factor to ensure that appropriate weight is given to risks associated with non-Federal administrators or consider doing one risk assessment for HUD’s internal payment cycle and another risk assessment for the non-Federal entities that administer HUD’s program funds.

Until program-specific fraud risk assessments are completed, revise the PIIA fraud risk questionnaire process to compensate for the lack of program-specific fraud risk assessments.

Reassess the Homeless Assistance Grants program as part of the fiscal year 2023 risk assessment.

We recommend that the Chief Procurement Officer update HUD’s field service manager contract monitoring plan and FSM qualitative monitoring databases used to monitor contractor performance to align with the QASP and contractual requirements as noted in recommendation 1G below.

Develop and issue a departmental grant accrual validation policy or update the existing grant accrual policy to include the validation process. The policy should include 1) specific control activities over the grant accrual validation and outline all of the specific roles and responsibilities; 2) a periodic review of the grant accrual validation to evaluate and reassess its continued relevance and control effectiveness, and ensure any changes are designed and implemented appropriately; and 3) a clear communication plan that requires formal and documented communications between appropriate program offices and OCFO to ensure the validation results are used to update the grant accrual methodology and subsequent period’s estimate, as appropriate.

Develop and document internal procedures to ensure the OCFO’s responsibilities specified within the new or updated grant accrual validation policy are addressed.

Develop and implement procedures to ensure that planning for the CPD grant accrual validation is done early in the accounting cycle to allow for: • Sufficient resources to be available to perform the validation of the prior year grant accrual. • Validation efforts to start earlier to allow for follow-up on non-responsive grantees or grantees that provided incomplete information. • Materiality risk to be considered when planning and evaluating the CPD grant accrual validation.

Revise CPD Validation Review Instructions to specify documentation requirements similar to those provided to the grantee and specify verification of dates for when the costs were incurred.

As part of the validation process for CPD’s accrued grant liabilities, review CPD’s accrued grant liabilities estimation methodology to ensure that it is based on verifiable grantee supporting documentation and all assumptions and variables used for the grant accrual estimate were properly established, supported, and documented.

Establish a formal policy addressing HUD’s federal awarding agency responsibilities under 2 CFR § 200.513(c). The policy should identify those involved in the process and their roles in addressing this single audit oversight function. The policy should also address how it will be carried out and documented.