U S Department of Housing and Urban Development Office of the Chief Financial Officer Special Attention of: Notice CFO 97-0001 All Headquarters Program Managers Program Comptrollers Issued: June 30, 1997 Program Audit Liaison Officers Expires: June 30, 1998 Field Program Managers Field Audit Liaison Officers Cross References: Subject: NOTICE - AUDITS MANAGEMENT SYSTEM 1. PURPOSE. This notice provides interim guidance pending the final revision of HUD Handbook 2000.06 and has been prepared primarily for the Department's Headquarters and Field Audit Liaison Officers (ALOs). These individuals have unique, important roles in the Department's audit resolution process, and this notice was specifically designed to meet their needs. Program and Field Comptrollers, OIG personnel, and managers involved in the audit process may also benefit from the information contained in this notice, so we encourage its broad distribution. 2. DEFINITIONS. In this section, we provide definitions for many of the concepts and factors involved in the audit resolution process, especially those areas where more clarity is needed. A) Internal Departmental Audit Categories: 1) Departmental and Financial Management: Cross cutting general management recommendations that affect more than one program area, such as financial management issues, Departmental resource management, or the impact of downsizing, audit resolution procedures, etc. 2) Program Management: Recommendations that affect, or are the direct responsibility of, program management, such as risk assessment processes and monitoring procedures over PHA's, or Housing's income verification program for Section 8, etc. F: Distribution: W-3-1 3) Information Technology: Recommendations related to information systems security, operations, development, program change control, etc. B) External Audit Categories: 1) Operational Issues: Recommendations relating to the on-site operational management of the audited entity (e.g., local government grant recipient), such as contracting procedures, training programs, policies and procedures, weak internal control procedures and practices, or accounting deficiencies, etc. 2) Cost Recovery: Recommendations relating to unsupported or ineligible costs, and their recovery. C) Appropriate Evidence to Close Recommendations: In addition to the closing certification from the Action Official, an ALO needs appropriate "evidence" to assure themselves that the corrective actions have actually occurred, before closing them in the Departmental Automated Audits Management System (DAAMS). The general rules are: - Keep paper to a minimum (e.g., only get the table of contents, not the whole P&P manual). - Statements that the corrective actions have been observed are fine. Either written or e-mail statements are acceptable. - Use your judgment and the circumstances of the recommendation to decide what is needed. Final action needs to be demonstrated to the ALO's satisfaction, not "proven beyond a reasonable doubt." D) Quality Control Review on Closed Recommendations: Normally, certain audits with closed recommendations are randomly selected for review. The Office of Internal Control and Audit Resolution (ICAR) will review the ALO's "audit resolution file" to evaluate the documentation and procedures followed. Normally, in addition to the Action Official's closing certification, there will be evidence that the corrective actions have actually taken place. E) Corrective Action Verification (CAV) Reviews: This is a formal review, which is carried out in accordance with a CAV program. It will entail obtaining an understanding of the audit area, review of the original audit and management decisions, evaluation of the actual corrective action taken, and may include site visits to confirm previously reported information relied upon to close the audit recommendation. The review process will be tailored to the circumstances and be designed to verify that the corrective action was taken and that the weakness has been corrected. F) Management Control Reviews: Management Control Reviews are conducted on targeted areas or functions where management wants the internal controls tested and verified, or believes that weaknesses may exist. These reviews will be conducted by a small staff directed by ICAR, and will follow an established methodology. The Chief Financial Officer will determine when these reviews are necessary and warranted, so they will only be conducted when specifically approved in advance. The concept is that they will be value-added, constructive, and provided as a service to management. The reviewers will plan the assignment, conduct preliminary interviews to gain an understanding of the processes under review, and then carry out testing and evaluation. The results will be first communicated internally to local management, and may or may not eventually go to higher levels of management. The purpose of these reviews is to provide management with early warning of potential problems and to provide assurance that controls are working effectively. Nevertheless, the OIG will always have access to copies of these reviews and work papers by way of their statutory authorities. We expect, however, that the OIG will welcome and support management for taking the initiative to monitor its controls and find its problems early, and use any information provided in a positive way to improve future OIG audit scope and plans. G) Risk Assessment: The assessment of risk is a matter of judgment -- what is important, and what is not so important. This judgment should be objective, consistent, and based on the particular facts at hand. In private industry, assessments of high risk go to weaknesses that could result in material misstatements in the financial records, or to weaknesses that could lead to significant financial losses from the loss of assets. In addition to these general factors, we in Government must also consider the possible political impacts resulting from the weakness. For example, the potential financial loss from mistakenly reimbursing an employee for the use of their second home for one night while away on official business would not be a significant financial or misstatement risk. Thus, in private industry, weaknesses that could allow such a possibility would probably not be classified as important. However, in Government, if this situation were to occur for a high level executive or political appointee, the resulting public scrutiny and political damage to the Department may become severe and long lasting -- probably a weakness that should be classified as important. We assume that any recommendation the OIG believes important enough to be included in their audit reports are at least made to address a "reportable condition". Therefore, the purpose of management's risk assessment is to identify those recommendations which should be considered as addressing "key issues". Factors which should be considered in this risk assessment by the ALO, in conjunction with the Program Comptroller, are: 1) The auditor's assessment of the importance of the weakness. 2) The degree to which the Department may be harmed if the weakness became public knowledge. 3) The degree to which the weakness could result in losses or material misstatements in the financial statements. 4) The degree to which the weakness could allow a violation of fair housing laws to occur, or go undetected, when such compliance is within the Department's responsibility or knowledge. 5) The degree to which the weakness could prevent the Department from effectively carrying out its mission. 3. BACKGROUND. The Audits Management System (AMS) in the Department has been in existence for many years and is based on policy and requirements of OMB Circular A-50. Although this Circular has not been substantially revised since 1982, its audit resolution concepts and responsibilities remain applicable and authoritative. The Department has set forth its audit resolution policy and delegations within HUD Handbook 2000.6. In addition to the last proposed revision to the Handbook in 1994 (REV-3), which was not officially finalized, various audit resolution procedural changes have been made and communicated through various memoranda. It is our objective to make, as soon as possible, a comprehensive revision to the Handbook which will incorporate all of the recent changes and provide clarification where needed. Although the Office of the Chief Financial Officer (CFO) is currently revising the Department's AMS Handbook, in all probability, it will not be through final Departmental clearance and issued for several more months. Because of the importance of maintaining an effective audit resolution process, the CFO believes this notice should be issued in advance of the AMS Handbook as interim authority and procedural guidance. Therefore, we are providing this notice for your information, guidance, and use in carrying out your day-to-day audit resolution responsibilities and duties. By definition, this notice is brief and will not include all of the information that will be contained in the AMS Handbook. It does contain guidance about the most important elements of the audit resolution process from the perspective of the ALO. It should be noted that the procedures outlined in this notice do not apply to Contract Assistance Audits (i.e., interim and final cost audits, and pricing proposal evaluations). Management procedures for these audits are contained in HUD Handbook 2000.6 REV-2, Audits Management System. NOTE: When Revision 3 of the AMS Handbook is completed and issued, that Handbook will be official policy and guidance for the Department's Audit Management System. Upon its issuance, this notice will become obsolete. 4. OVERVIEW. In order to provide Department's senior management with the information they need to better focus on issues that directly relate to their areas of responsibility, we will now differentiate between "internal" and "external" audits within the audit resolution process. Audit recommendations are classified as internal when they relate primarily to issues internal to the Department's operations, whereas external recommendations relate primarily to audit issues of outside entities, such as local government grant recipients, PHA's, Housing Commissions, etc. A) SUMMARY OF INTERNAL AUDIT RECOMMENDATION PROCEDURES: Internal audit recommendations will be classified into one of three categories, and then a risk assessment applied, as follows: RECOMMENDATION CATEGORY RISK ASSESSMENT Key Issue Reportable Condition 1) Departmental and Financial Management X X 2) Program Management X X 3) Information Technology X X See Definitions, paragraph 2, for further explanation of these terms. The Audit Liaison Officer (ALO) responsibilities for internal Departmental audits are as follows: 1) Classifies (as Departmental and Program Management, Financial Management, or Information Technology) and identifies the risk (Key Issue or Reportable Condition) associated with each recommendation. 2) Assists the Action Official, as necessary, to negotiate with OIG to reach an acceptable Management Decision. The ALO will ensure that the mandated time-frames for reaching a management decision are met or will facilitate the referral to the next level of management. 3) Ensures that all proposed revisions to accepted management decisions are submitted to OIG for review and comment. 4) Updates DAAMS monthly (using "Comment - Comments Maintenance" at the recommendation level), by the last business day of each month, with the current status of corrective actions for all Key Issue recommendations. 5) When the Action Official completes corrective actions and so certifies, the ALO reviews supporting evidence to ensure corrective actions, as agreed to in the management decision, were actually taken. When satisfied, the ALO closes the recommendation in DAAMS. 6) Performs Corrective Action Verification (CAV) reviews on all completed Key Issue recommendations, and on a sample of completed Reportable Condition recommendations, as assigned by ICAR. Note that ICAR may assign these reviews to internal CFO staff or a contractor, instead of the ALO, depending upon the circumstances. 7) Maintains adequate audit resolution files for two years after closure, and subsequently archives the files. The Office of the CFO will accomplish its audit resolution oversight responsibilities through its Office of Internal Control & Audit Resolution (ICAR). For internal Departmental audits, ICAR: 1) Monitors and reports monthly the status of corrective actions for all Key Issue recommendations to the Management Committee. 2) Ensures Corrective Action Verification (CAV) reviews are performed (by ALO's, internal CFO staff, or independent contractors) on all Key Issue recommendations, and a sample of Reportable Condition recommendations, after closure. 3) Performs management control reviews of functional areas, as deemed necessary by the CFO, to evaluate management control effectiveness. B) SUMMARY OF EXTERNAL AUDIT RECOMMENDATION PROCEDURES: To help Field Program Management focus on timely resolution, external audit recommendations will be classified into one of the following two categories: 1) Operational Issues 2) Cost Recovery See Definitions, paragraph 2, for further explanation of these terms. The Audit Liaison Officer (ALO) responsibilities for external Departmental audits are as follows: 1) Classifies recommendations (Operational Issues or Cost Recovery). 2) Assists Action Official, as necessary, to negotiate with OIG to reach an acceptable Management Decision. The ALO will ensure that the mandated time-frames for reaching a management decision are met or will facilitate the referral to the next level of management. 3) Ensures that all proposed revisions to accepted management decisions are submitted to OIG for review and comment. 4) Monitors the status of corrective actions for all recommendations. The ALO will follow up with responsible officials, including the Headquarters Program ALOs, to facilitate timely management decisions as mandated by policy. 5) When the Action Official completes corrective actions and so certifies, the ALO reviews supporting evidence to ensure corrective actions were actually taken. When satisfied, the ALO closes the recommendation in DAAMS. 6) Maintains adequate audit resolution files for two years after closure, and subsequently archives the files. The Office of the CFO will accomplish its audit resolution oversight responsibilities through its Office of Internal Control & Audit Resolution (ICAR). For external Departmental audits, ICAR: 1) Monitors status through the DAAMS system, and reports summary statistics monthly to the Management Committee, or as required. 2) Analyzes audit resolution trends, reopened audit recommendations, and historical data, and makes recommendations to improve audit resolution to the CFO for follow-up with Program management and/or the Management Committee. 3) On a periodic basis, selects a random sample of closed audit recommendations and requests the Program ALO, or designee, to send in the audit resolution files for a quality control review. 5. THE AUDIT RESOLUTION PROCESS - DETAIL A) Applicability The guidance provided in this notice is applicable to all external and internal audit recommendations contained in audit reports issued by the OIG except, as stated above, those associated with Contract Assistance Audits. B) Issuance of Audit Reports When the audit report is issued by the OIG, the issuer shall send the original to the addressee (Action Official) and, at a minimum, one copy to the applicable ALO and Program Comptroller. The Office of ICAR will maintain a current listing of ALO's and distribute that listing to the OIG offices whenever it changes. Upon receipt of an audit report, the Action Official will establish the official audit file. NOTE: For external audits, the action official should contact the external entity within 15 calendar days after the audit report issuance date, and obtain its written response as to planned corrective actions. C) Initial Entries Into DAAMS The OIG will enter into DAAMS all pertinent audit report data, including the classification of the recommendation as internal or external, identification of the action official, description of the findings and recommendations, and the due date for each required management decision. NOTE: The OIG may classify recommendations as internal, even though they relate to, or were derived from, field audits. Normally, the action officials for internal recommendations that affect departmental policy will be Headquarters' management. In addition, ALOs may decide that an originally classified external recommendation needs to be reclassified as an internal recommendation for tracking and resolution. D) Audit Classification and Risk Assessment The ALO will ensure that all internal audit recommendations are classified into one of the following three categories: 1) Departmental and Financial Management 2) Program Management 3) Information Technology Usually, the classifications are readily apparent from the scope of the audit and the identified action official. All internal audit recommendations will also be assessed and their risk identified as either "Key Issue" or "Reportable Condition". The ALO, in conjunction with the Program Comptroller, will assess the risk of each recommendation at the time the audit report is first issued. The ALO will classify all external audit recommendations as either "operational issues" or "cost recovery." Note: In order to accommodate these newly identified data elements within DAAMS, we are currently evaluating possible systems modifications that may be needed. The relevant new DAAMS data entry procedures will be communicated to DAAMS users when available. E) Monitoring Progress and Reporting Status The ALO will monitor the progress of all recommendations within their area of responsibility and contact the action officials to offer assistance, as deemed necessary. For each "Key Issue" internal audit recommendation, the ALO will closely monitor progress and update DAAMS (using "Comment - Comments Maintenance" at the recommendation level), at least monthly, with its current status. F) Obtaining a Management Decision It is the responsibility of the action official to propose a management decision to the OIG audit report issuer within 120 calendar days after the report issuance date, which is the Departmental goal to ensure meeting the statutory requirement of a maximum of 180 calendar days. The ALO will provide assistance as requested by Program management or Action Officials. The ALO will follow up with responsible officials including the Headquarters Program ALOs to facilitate timely management decisions as mandated by policy. Existing Departmental policy remains in effect for audit referrals to the next level of management for resolution. The ALO will ensure that the mandated time-frames for reaching a management decision are met or will facilitate the referral to the next level of management. The action official's proposed management decision must be in writing and include the identification of tasks and sub-tasks to be taken to correct the problem and target date for completion of all corrective actions, the amount of allowed/disallowed costs with target dates for recovery, the amount of any cost savings projected to result from implementation of the recommendations and the types of documentation which will be used to evidence that action is completed. A management decision occurs when the OIG audit report issuer concurs with the action official's written determination of the corrective action needed and the documentation required. The OIG audit report issuer will enter the date of the management decision and the final action target date into DAAMS. NOTE: HUD management is responsible for maintaining DAAMS after the management decision has occurred, through final action completion and closure. This includes updating the recovery of disallowed costs, revising final action target dates, maintaining current comments relating to recommendations and the audit report, etc. G) Completing Final Action Final action occurs when all corrective actions, including recovery and/or write-off of disallowed costs, are in fact completed. When the action official is assured that all action has been completed, they shall prepare a certification package, including the supporting documentation as agreed to in the management decision. The action official should send the certification and appropriate supporting documentation (see the Definitions, Paragraph 2, for an explanation) to the applicable ALO for their review and supporting concurrence that the recommendation is ready to be closed. While management has the authority to decide when final action has occurred and a recommendation should be closed, the ALO adds value to the audit resolution process by acting as a supporting concurrence. For example, the ALO may notice a requirement in the original management decision that was overlooked and not adequately addressed, even though management believed, in good faith, that all appropriate corrective actions had already taken place. Or, management may be so knowledgeable and confident about the actual corrective actions taken, that they do not think it necessary to check the specific management decision requirements for supporting documentation, before closure. Thus, the ALO will assist management by ensuring that the details have been checked, the documentation is sufficient, and helping to resolve any possible additional steps that should be taken before closure. The ALO will update DAAMS to reflect final action completion using the "MDFA" screen, and will maintain the required documentation in their Audit Resolution Files for two years for possible future quality control and/or OIG review. Following this two year period, the ALO will archive the files. NOTE: The above procedures apply to all audit recommendations. However, OIG concurrence is necessary before final action can be considered complete when it is necessary to take or make: actions other than those concurred in by the OIG at the time of management decision; changes in the amount of ineligible or unsupported costs; or decisions on actions that will be made as part of the final action, such as in cases where it is agreed that pilot procedures will be developed, or a task force will review the issue. H) Performing Corrective Action Verification Reviews (CAV) The completed corrective actions for all internal audit recommendations rated as "key issues", will need to be verified through a CAV. This is because of their importance to the Department and the requirements of OMB Circular A-50, which requires the audit follow-up official ensure that "corrective actions are actually taken." ICAR will approve the assignment of the CAV to either the ALO, internal CFO staff, or an outside contractor, depending on the circumstances. If the OIG decides that they will perform a CAV on a particular audit, ICAR will not assign a duplicate CAV. The CAV is a formal review carried out in accordance with a scope and process determination made in advance, i.e. a "CAV Program". In addition to thoughtful planning to ensure that the review is efficiently carried out, the primary thrust of a CAV is to evaluate whether the underlying weakness or problem has been corrected. In other words, the official management decision may have listed certain actions thought to be sufficient to address the weakness, but in fact additional actions really were necessary. A properly performed CAV would disclose that, even though the actions in the original management decision may have been completed, additional corrective actions are needed before the weakness can be considered corrected. I) Revising Final Action Target Dates The action official is responsible for monitoring the timely implementation of action to correct the findings. On occasion, a revision to a final action target date may be necessary. The action official, with the concurrence of the Program Area Comptroller in Headquarters, may extend the final action target date when the extended date falls within one year from the management decision date. However, this authority does not include recommendations under a valid repayment plan, which require the prior written approval of the Departmental ALO in Headquarters. Final action target dates may not be extended beyond one year from the management decision date except for those recommendations which are under a valid repayment plan or are under judicial, investigative, or judicial review. After appropriate approval is received, the action official should send a copy of the approval to the applicable ALO, who will update DAAMS using screen "MDFA". J) Recovery of Disallowed Costs Due HUD/Due Program When the OIG agrees to the management decision, they enter both the management decision and the amount of any disallowed costs into DAAMS. When the action official receives evidence of the recovery of disallowed costs due HUD, they should send a copy to the applicable ALO for updating DAAMS using screen "Cost - Cost Transactions". NOTE: All other dollar values in DAAMS (e.g., reversals, write-offs, etc.) must be revised by the OIG. K) Entering Comments Into DAAMS The action official must ensure that DAAMS contains a statement on each audit report with management decisions open one year or more prior to either March 31 or September 30 of each year, the reporting deadlines for the OIG's Semiannual Report to Congress. The statements should reflect a brief description of the status of the management decision action(s) to be taken. The comments can be entered into DAAMS by the action official or the applicable ALO, using the "Adcomnt - Audit Comments" or the "Comment - Comments Maintenance" screens, as appropriate. L) Quality Control Process An effective Audits Management System is critically important to the long-term success of the Department's mission. The system we have developed is flexible, decentralized, and involves many employees throughout the entire organization. Therefore, we need to ensure that it runs smoothly, efficiently, and in accordance with the required policy and procedures. We accomplish this through the following quality control process: 1) ICAR makes a selection of audits with closed recommendations and calls for the "audit resolution files" from the applicable ALO's. 2) The files are reviewed to evaluate the audit resolution process that recently took place, including an examination of the adequacy of the documentation evidencing that the actions were completed before closure. 3) ICAR provides feedback to the ALO's after the quality control reviews are completed. 4) ICAR analyzes trends that may be evident from these quality control reviews, and, when deemed necessary, recommends improvements to management. In addition, ICAR will conduct management control reviews when deemed appropriate and necessary by the Chief Financial Officer. These reviews will be targeted at areas where management wants the internal controls tested and verified, or where they believe weaknesses in the control systems may exist. The purpose of these reviews is to provide management with constructive value-added analysis and recommendations for improving targeted areas.