Design and implement a data-driven methodology to determine the appropriate mix of origination and servicing monitoring and desk reviews.

We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to develop and implement procedures, including financial controls, to enhance its tracking of payments made with CDBG-DR funds and payments made with FEMA funds to ensure that payments are not made for the same invoices, match requirements are not exceeded before closeout, and a thorough review is conducted for award increases and cost…

We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to enforce its subrecipient agreement requirement to submit monthly status reports.

We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to develop and implement procedures to ensure that all Match Program activities are monitored, and guidance is provided to its Match Program recipients.

We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to develop and implement detailed policies and procedures to guide staff in reporting performance outcomes in the QPR and on its disaster recovery website.

We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to revise its policies and procedures to include requirements to document its basis for activities’ meeting the national objective, including the rationale for the service area used and a list of acceptable documents to support that the area was primarily residential for the low- and moderate- income area benefit national objective.

We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to conduct training for Authority staff on the newly developed or revised policies and procedures

We recommend that the Deputy Assistant Secretary work with the Authority to assess the risk of potential improper payment for projects PW273 and PW100 and vouchers 576322, 583423, and 578761.

We recommend that the Deputy Assistant Secretary require HUD program staff to provide technical assistance to the Authority to address deficiencies noted throughout the audit report.

We recommend that the Deputy Assistant Secretary instruct the Authority to develop and implement monitoring policies and detailed procedures to guide the Authority’s CMU staff in assessing activity performance to meet the subrecipient monitoring requirements and establish written performance metrics to progressively achieve the performance outcome for those activities the Authority administers.

We recommend that the Deputy Assistant Secretary instruct the Authority to revise subrecipient agreements to include performance metrics and milestones tailored to the activity in sufficient detail to enable the Authority to collect information to effectively assess the activity’s performance.

We recommend that the Deputy Assistant Secretary instruct the Authority to revise the monthly status report template to allow the subrecipient to report its current progress against the established performance metrics.

We recommend that the Deputy Assistant Secretary instruct the Authority to develop a tracking process to ensure that the Authority issues monitoring reports and receives responses to these reports within the timeframe required by its policy. This process should also include a referral to management when the timeframe requirements are not met.

HUD OCIO should consistently implement personnel accountability procedures to ensure that assigned cybersecurity risk management roles are being performed in an effective manner (IG FISMA metric 7).

HUD’s Office of the Chief Financial Officer (OCFO), in coordination with other appropriate program offices, should define and implement a risk-based process to assess and document IT risk management personnel resourcing needs and that those personnel are allocated effectively to support HUD’s risk management program (IG FISMA metric 7).

HUD OCFO, in coordination with other appropriate program offices, should define and implement a process to document and allocate non-personnel risk management resources in a risk-based manner, to include but not limited to funding, processes, and technology (IG FISMA metric 7).

HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD’s defined configuration management requirements (IG FISMA metric 19).

HUD OCIO should define and implement metrics to monitor the effectiveness of ICAM program activities and assist in identifying areas for improvement (IG FISMA metric 26).

HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.

HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).