Audit Review of NFMC Action on Significant Compliance Issues

Transcription

1 Internal Audit Department NeighborWorks America Audit Review of NFMC Action on Significant Compliance Issues Project Number: NFMC.0212

2 Audit Review of the NFMC Action on Significant Compliance Issues Internal Audit Department Project # NFMC.0212 Table of Contents Project Completion Letter... 2 Function Responsibility and Internal Control Assessment... 3 Executive Summary of Observations, Recommendations and Management Responses... 4 BACKGROUND... 5 OBJECTIVE... 5 SCOPE... 5 METHODOLOGY... 6 OBSERVATIONS AND RECOMENDATIONS... 6 CONCLUSION... 6 Appendix A

3 May 4, 2012 To: NeighborWorks America Audit Committee Subject: Audit Review of the Action on Significant Compliance Issues Internal Audit Department Project: NFMC.0212 The Internal Audit Department conducted a review of NFMC s Action on Significant Compliance Issues activity as part of the 2012 Audit Plan. Enclosed is a copy of the recently concluded review of the overall processes in place to identify, escalate, resolve, and close significant compliance issues. Please review and let me know if you have any comments or questions. Frederick Udochi Director of Internal Audit Attachment cc: E. Fitzgerald M. Forster P. Kealey J. Bryson J. Fekade-Sellassie T. Sims S. LeGrand 2

4 Function Responsibility and Internal Control Assessment Audit Review of the Action on Significant Compliance Issues Business Function Responsibility Report Date Period Covered National Foreclosure Mitigation Program (NFMC) May 4, 2012 January 1, 2009 to July 31, 2011 Assessment of Internal Control Structure Effectiveness and Efficiency of Operations Generally Effective 1 Reliability of Financial Reporting Generally Effective Compliance with Applicable Laws and Regulations Not Applicable 1 Legend for Assessment of Internal Control Structure: 1. Generally Effective: The level and quality of the process is satisfactory. Some areas still need improvement. 2. Inadequate: Level and quality of the process is insufficient for the processes or functions examined, and require improvement in several areas. 3. Significant Weakness: Level and quality of internal controls for the processes and functions reviewed are very low. Significant internal control improvements need to be made. 3

5 Executive Summary of Observations, Recommendations and Management Responses Summarized Observation; Risk Rating Management Agreement with Observation (Yes/ No) Internal Audit Recommendation Summary Accept IA Recommendation (Yes/ No) Management s Response to IA Recommendation (Month/Year) Estimated Date of Implementation Internal Audit Comments on Management Response There are no observations to report with this review. N/A N/A N/A N/A N/A N/A Risk Rating: N/A 4

6 BACKGROUND Congress created the National Foreclosure Mitigation Counseling (NFMC) Program to address the mortgage foreclosure crisis by providing homeowner counseling and strengthening the nation s counseling capacity. The NFMC Program was created by the Consolidated Appropriations Act of 2008 in December 2007, and is now a $ million program. The legislation named NeighborWorks America to administer the program. As administrator of the National Foreclosure Mitigation Counseling (NFMC) program, NeighborWorks America provides grants to HUD-Approved Housing Counseling Intermediaries (Intermediaries), State Housing Finance Agencies (HFAs), and chartered members of the NeighborWorks Network (NWOs) to provide foreclosure counseling in all 50 states, its territories, and the District of Columbia. Given the national scope of the NFMC Program and the large number of grantees, sub-grantees, and vendors, it could be expected that significant issues could occasionally emerge regarding compliance to general terms and conditions of the program outlined in the Grant Agreement, Federal and State regulation, NFMC Funding Announcement, applicable OMB Circular, or other sources. The Default and Remedy Policy governs the handling of compliance and financial management matters of the NFMC program as outlined in the sources noted above. However, non-routine compliance matters may arise, which may not be addressed in the Policy and may require an alternative approach which would be much more context based. OBJECTIVE The audit engagement focused primarily on the evaluation of how cases of significant compliance issues have been identified, escalated (if necessary), resolved, mitigated, and closed. SCOPE The scope of the audit covered the following areas: 1. Policies and procedures which provided the guidelines for taking action on significant compliance issues/processes (documented and ad-hoc); 2. Issues identification, resolution, escalation, and closing; 3. Data logs containing issues for all types of assessments performed; and 4. Documentation pertaining to management actions on significant compliance issues identified. The actions upon significant compliance issues during the period of January 2009 July 2011 were in scope for this review. Significant compliance issues were defined as those compliance events that were significantly exceptional from other routine types of issues typically identified. 5

7 METHODOLOGY The audit project was launched with an introductory meeting on November 14, 2011 to discuss the audit objective(s), obtain a preliminary overall understanding of the actions on significant compliance issues process, discuss project timeline, and project scope including any possible potential limitations in scope. The initial meeting was followed by a walkthrough of policies available on inside.nw.org (i.e. NeighborWorks intranet) and a review of related documentation, including the Default and Remedy Policy (updated on June 2011), funding announcements, and grant agreements. Subsequent to the walkthrough, Internal Audit submitted a risk assessment questionnaire to NFMC and held a meeting on January 11, 2012 to discuss the questionnaire. After the meeting, Internal Audit proceeded to develop a document request list and a work program to test the steps performed by NFMC once a significant compliance issue event had been identified. The test procedures were created utilizing the framework of problem management best practices which are: identification, escalation, resolution, and closing. Finally, IA requested supporting documentation for 3 previous cases of organizations that have had significant compliance issues, and and inspected documentation to support how those cases were handled (See Appendix A). OBSERVATIONS AND RECOMENDATIONS Based on the review conducted by Internal Audit, there were no significant observations to report at this time. CONCLUSION At the time of our review, Internal Audit noted that NFMC had hired a Consultant to re-organize and better streamline the structure of the Default and Remedy Policy and to incorporate lessons learned. The updated version will be completed in June 2012 and it will also address the observations provided by the NeighborWorks Audit Committee Board Staff Review performed in December Based upon our review we are of the opinion that the NFMC program has designed robust processes to identify, escalate, resolve, and close issues arising from significant compliance issues. Internal Audit noted that although the Default and Remedy policy cannot account for every conceivably possible event; the ad hoc process in some situations and multi-disciplinary approach undertaken, were adequate and consistently applied in all three cases reviewed. Given the uncertainty and unstructured nature of these significant compliance issues, the process allowed for flexibility and efficiency on resolution of cases. Internal Audit was able to verify that the identified significant compliance issues were treated in a similar fashion from the beginning and end of each cycle despite the differences in nature of each of the problems identified. In all cases, the problems were outlined, communicated to client, escalated to senior management, resolved using the knowledge of an expert(s), and closed by a preestablished deadline with an acknowledgement from the client. After reviewing all the documentation provided and performing the testing of processes in place to identify, escalate, 6

8 resolve, and close significant compliance issues in the scope of this review, Internal Audit can attest that the processes utilized to manage significant compliance issues were found to be adequate. See Appendix A. 7

9 Appendix A Procedures Organizations Assessment Identification Problem identification 1. Determine if there is a set of policies and procedures? 2. Were there any processes in place to identify significant issues? NFMC applies the "Events of Default and Remedies Policy" to significant compliance issues. Although there were no specific procedures to address the event, the Policy provided guidance on the adopted practice. The risk management process has established standard compliance reviews (completed for each round), random compliance testing (completed for each round, beginning in R5) based on a scaled rating above pre-determined thresholds. Agencies such as the U.S. Department of HUD provides notifications, or other investigations reported by the grantee or other external parties. NFMC applies the "Events of Default and Remedies Policy" to significant compliance issues. Although there were no specific procedures to address the event, the Policy provided guidance on the adopted practice. The risk management process has established standard compliance reviews (completed for each round), random compliance testing (completed for each round, beginning in R5) based on a scaled rating above predetermined thresholds. Agencies such as the U.S. Department of HUD provide notifications, or other investigations reported by the grantee or other external parties. NFMC applies the "Events of Default and Remedies Policy" to significant compliance issues. Although there were no specific procedures to address the event, the Policy provided guidance on the adopted practice. The risk management process has established standard compliance reviews (completed for each round), random compliance testing (completed for each round, beginning in R5) based on a scaled rating above pre-determined thresholds. Agencies such as the U.S. Department of HUD provide notifications, or other investigations reported by the grantee or other external parties. 3. Is there any evidence of defined roles and responsibilities for managing the process? NFMC does have formal roles and responsibilities in the risk management process. Given the uncertainty and unstructured nature of cases, The NFMC program sometimes relies on a multidisciplinary group with relevant expertise. This process allows for flexibility and efficiency for resolution NFMC does have formal roles and responsibilities in the risk management process. Given the uncertainty and unstructured nature of cases, The NFMC program sometimes relies on a multi-disciplinary group with relevant expertise. This process allows for flexibility and efficiency for resolution of cases. For instance; the NFMC does have formal roles and responsibilities in the risk management process. Given the uncertainty and unstructured nature of cases, The NFMC program sometimes relies on a multidisciplinary group with relevant expertise. This process allows for flexibility and efficiency for resolution 8

10 4. How was the problem identified? of cases. For instance; the Sr. Program Manager, handles the whistle blower case and also reviews spreadsheet with financial and A-133 audit results. NFMC assigned staff to log in financial audit and A-133 results. OAD staff reviews and assign a risk rating to A-133 and financial audits. had 2 problems: 1) The branch had 100% of its files (12 files tested) missing required documentation during a compliance review for Rounds 2 and 3. This problem was identified during the routine standard compliance review testing. 2) Whistleblower case. There was an anonymous call and the caller identified self f as a employee and external source. Sr. Program Manager, handles the whistle blower case and also reviews spreadsheet with financial and A-133 audit results. NFMC assigned staff to log in financial audit and A-133 results. OAD staff reviews and assign a risk rating to A-133 and financial audits. The problems were initially identified during HUD's OIG audit and shared with NFMC. of cases. For instance; the Sr. Program Manager, handles the whistle blower case and also reviews spreadsheet with financial and A-133 audit results. NFMC assigned staff to log in financial audit and A-133 results. OAD staff reviews and assign a risk rating to A-133 and financial audits. NFMC identified the issues during a routine standard compliance review. Escalation - The goal of escalation process is to identify issues that could have a significant impact on the organization if not properly addressed. 1. Are there any procedures in place to assess the severity of the problem and if yes, has that step been documented? Yes, there are procedures to identify and assess the severity of the problems. IA obtained and inspected supporting documentation. IA identified and validated 3 processes performed by NFMC to identify problems: 1) Standard compliance reviews. Yes, there are procedures to identify and assess the severity of the problems. IA obtained and inspected supporting documentation. IA identified and validated 3 processes performed by NFMC to identify problems: 1) Standard compliance reviews. Yes, there are procedures to identify and assess the severity of the problems. IA obtained and inspected supporting documentation. IA identified and validated 3 processes performed by NFMC to identify problems: 1) Standard compliance reviews. 9

11 2) Random compliance testing. 3) HUD notifications or other investigations. NFMC performs a risk rating scale that is used during the standard compliance testing to determine if a grantee receives an on-site or remote testing. This risk rating includes but is not limited to; size of award, number of sub-grantees, A-133 Findings, experience participating in HUD, etc. This risk rating assigns points to each grantee. Based on the cumulative points there is a determination made of on-site or remote review. A similar process is in place for the random reviews of grantees with scaled rating above a certain threshold are considered to have significant issues. Any exceptional issues outside of file reviews, random file reviews, and A- 133 are escalated. Examples would include whistleblower cases and complex issues that require General Counsel or Officers final ruling. Significant compliance issues are discovered through the standard compliance reviews (completed for each round) random compliance testing (completed for each round beginning in R5), The U.S. Department of HUD notifications or other investigations as reported by the grantee or other parties. 2) Random compliance testing. 3) HUD notifications or other investigations. NFMC performs a risk rating scale that is used during the standard compliance testing to determine if a grantee receives an on-site or remote testing. This risk rating includes but is not limited to; size of award, number of sub-grantees, A-133 Findings, experience participating in HUD, etc. This risk rating assigns points to each grantee. Based on the cumulative points there is a determination made of on-site or remote review. A similar process is in place for the random reviews of grantees with scaled rating above a certain threshold are considered to have significant issues. Any exceptional issues outside of file reviews, random file reviews, and A- 133 are escalated. Examples would include whistleblower cases and complex issues that require General Counsel or Officers final ruling. Significant compliance issues are discovered through the standard compliance reviews (completed for each round) random compliance testing (completed for each round beginning in R5), The U.S. Department of HUD notifications or other investigations as reported by the grantee or other parties. 2) Random compliance testing. 3) HUD notifications or other investigations. NFMC performs a risk rating scale that is used during the standard compliance testing to determine if a grantee receives an on-site or remote testing. This risk rating includes but is not limited to; size of award, number of sub-grantees, A-133 Findings, experience participating in HUD, etc. This risk rating assigns points to each grantee. Based on the cumulative points there is a determination made of on-site or remote review. A similar process is in place for the random reviews of grantees with scaled rating above a certain threshold are considered to have significant issues. Any exceptional issues outside of file reviews, random file reviews, and A- 133 are escalated. Examples would include whistleblower cases and complex issues that require General Counsel or Officers final ruling. Significant compliance issues are discovered through the standard compliance reviews (completed for each round) random compliance testing (completed for each round beginning in R5), The U.S. Department of HUD notifications or other investigations as reported by the grantee or other parties. 10

12 2. Was there a register with the escalation action, name of manager, and date and expected outcome? All documentation related to problems that are escalated is kept in a file created and named after the client. All documentation related to problems that are escalated is kept in a file created and named after the client. All documentation related to problems that are escalated is kept in a file created and named after the client. 3. Was there a follow up with documentation detailing the issue? Yes, NFMC Folders are maintained for each grantee (hard copy and electronic) and all documentation received and correspondence is maintained within the folders. IA obtained electronic files and confirmed the existence of appropriate documentation related to the risk event. Yes, NFMC Folders are maintained for each grantee (hard copy and electronic) and all documentation received and correspondence is maintained within the folders. IA obtained electronic files to confirm the existence of appropriate documentation related to the risk event. Yes, NFMC Folders are maintained for each grantee (hard copy and electronic) and all documentation received and correspondence is maintained within the folders. IA obtained electronic files and binders to confirm the existence of appropriate documentation related to the risk event. Resolution - Problems are monitored and managed to solution 1. Was there a plan defining what needs to be achieved to resolve the problem and a timeline? An action plan document was created by NFMC as an initial was sent to the agency communicating all the findings and actions needed to remedy the findings. The also included corrective actions with a deadline for implementing actions and providing supporting evidence to NFMC. Yes, there was a plan ( ) outlining the steps needed for resolution of original findings and date for submission of supporting documentation to remedy/correct the findings. Yes, NFMC identified corrective actions that should be taken and communicated them to trough letters that have been examined by IA. The letters to also contained deadlines by which the supporting documentation to findings must be submitted. 11

13 2. Were corrective actions to address issues identified? Yes, on an sent to the client NFMC management outlined the following corrective measures: 1. Respond to the client file findings, 2. perform a third party provided audit over 50 files on locations determined by NFMC, 3. Provide written report with findings from independent auditor, 4. Oversight P&P, 5. Written statement regarding fraudulent signature, 6. Training protocol, 7. Referral list, 8. Fee for service, and 9. Documentation protocol. Yes, there was a plan ( ) outlining the steps needed for resolution of original findings. Yes, NFMC identified corrective actions that should be taken to correct findings. 3. If applicable, were any other people in the organization with expert knowledge involved in resolution of the problem? Yes, NFMC has collaborated with several people in order to resolve significant compliance issues such as the whistleblower case. i.e. OAD, CFO, OGC, and CEO. Not applicable. Senior management at NFMC has the expertise needed to deal with the case. Yes, NFMC has collaborated with several people in order to resolve significant compliance issues such as the whistleblower cases. i.e. CFO, OGC, and CEO. 4. Was the client communicated of possible consequences that could result from problem identified? Yes. NFMC informed the organization that all payments would be suspended until resolution of findings on the initial sent to the agency. Yes, client was informed of amounts they needed to reimburse HUD. Yes, the client was communicated about consequences of not providing documentation on the memos sent by NFMC. Closing - Closing includes the formal acceptance of the problem solution and the ending thereof. 1. Problems resolved with acceptance of parts involved. Yes, the organization accepted NFMC finding and worked together to resolve programmatic findings and the Yes, the client accepted the findings and created a Preliminary Plan of Corrections. IA received a copy of the Yes, IA examined documentation to support the resolution of the findings. 12

14 2. Was the problem resolved within the previously determined dates? whistleblower case. Yes, the issues were cured within the timeframe determined on the initial communication. corrections plan with all the changes implemented to cure the findings. In addition, NFMC provided IA copy of from Office of Director at HUD. Yes, IA obtained the Action Plan where there was evidence of the findings being cured within the established deadline in addition to evidence from HUD s acceptance of the resolution. Yes, the majority of issues were cured with one exception. The one issue that was not cured will be deobligated $375 from round 2 grant award. 3. Was the resolution documented and stored? Yes, resolution on the problem including all communication between parts was documented and stored. Yes, resolution on the problem including all communication between parts was documented and stored. Yes, resolution on the problem including all communication between parts was documented and stored. 13