Revise CPD Validation Review Instructions to specify documentation requirements similar to those provided to the grantee and specify verification of dates for when the costs were incurred.

As part of the validation process for CPD’s accrued grant liabilities, review CPD’s accrued grant liabilities estimation methodology to ensure that it is based on verifiable grantee supporting documentation and all assumptions and variables used for the grant accrual estimate were properly established, supported, and documented.

Establish a formal policy addressing HUD’s federal awarding agency responsibilities under 2 CFR § 200.513(c). The policy should identify those involved in the process and their roles in addressing this single audit oversight function. The policy should also address how it will be carried out and documented.

Perform a complete agency-wide fraud risk assessment (which incorporates the fraud risk assessments performed at the program level) and use the results to develop and implement an agency-wide plan to move HUD’s fraud risk management program out of the ad hoc phase.

Status

As of July 2025, HUD has cancelled its fraud risk management contracts and the Chief Risk Officer position was vacated under the Deferred Resignation Program. HUD is currently working to realign its business process and determining how it will address fraud risk management. While HUD had made progress in improving its fraud risk management program, as of July 2025, HUD has not provided an updated plan on how it will complete an agency-wide fraud risk assessment and undertake office-specific risk programs. The final action target date was September 30, 2024.

Analysis

To fully address this recommendation, HUD must provide evidence that it has performed an agency-wide fraud risk assessment performed at the program level, adopted and implemented its fraud risk assessment program departmental policy, and that each HUD program office has established office-specific risk programs.

Develop and implement a procedure to collect and analyze reported suspected instances of fraud, along with other relevant data points, that can be leveraged to develop more robust antifraud risk mitigation tools.

Communicate to HUD program staff the differences between HUD’s enterprise risk management, PIIA, and financial risk management risk assessment processes to ensure an understanding of their roles and responsibilities within HUD’s fraud risk management program.

Develop and implement activities to raise awareness of fraud, such as participating in organized antifraud conferences or a newsletter that includes instances of recent fraud in Federal programs.

Develop and implement a strategy for collecting and analyzing agency-wide data, to include subrecipient and beneficiary data, to identify trends and potential indicators of fraud across programs.

Collaborate with the Chief Risk Officer to conduct a workforce assessment to determine the level of dedicated full-time staff resources needed by the Chief Risk Officer to effectively (1) administer HUD’s enterprise and fraud risk management programs and (2) support program risk officers by increasing employee and stakeholder awareness of potential fraud schemes that could impact each program respectively.

If the workforce assessment determines that additional staff are needed, work with the Chief Risk Officer to staff the necessary positions.

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

HUD OCIO should ensure that system owners and information system security officers consistently test their ISCPs and upload the test results to CSAM in accordance with HUD’s defined ISCP testing policy (derived from metric 63).

In collaboration with all involved program offices, develop and implement a sampling methodology that allows for a sample size that reasonably allows for the testing of the complete payment cycle within the PIIA reporting timeframe.

Consult with OMB on the appropriate reporting for the untested portions of the payment cycle (such as reporting as unknown) and report accordingly.

Implement a procedure, which ensures that future improper and unknown payment testing that does not test the full payment cycle is reported in accordance with OMB’s guidance.

Coordinate with OMB to ensure that all of HUD’s data posted on OMB’s PaymentAccuracy.gov are accurate, including data before fiscal year 2021.

Update its procedures to include verifying all HUD data on PaymentAccuracy.gov immediately after the data are published on the public website to ensure that all data are accurate and if not, coordinate any corrections with OMB.