Management Report: Opportunities for Improvement in the Federal Housing Finance Agency's Internal Controls
Highlights
What GAO Found
During our audit of FHFA's fiscal years 2011 and 2010 financial statements, we identified one internal control issue and a continuing issue related to information systems controls that could adversely affect FHFA's ability to meet its internal control objectives. We do not consider these issues to represent material weaknesses or significant deficiencies in relation to FHFA's financial statements. Nonetheless, we believe they warrant management's attention and action.
Specifically, we found:
- FHFA did not establish effective controls to assess the risk of errors by its payroll service provider and determine if any compensating controls were necessary to ensure the accuracy of payroll calculations.
- FHFA had not yet fully implemented its information security program, resulting in weaknesses in four information security control areas.
These issues increase the risk to FHFA that 1) misstatements in its financial statements may not be promptly detected and corrected, 2) errors in the calculation of its payroll amounts may not be identified, 3) contractors or other users with privileged access could gain unauthorized access to or improperly use agency financial systems, applications, and information, and 4) unauthorized system changes could be implemented without FHFA's knowledge.
Why GAO Did This Study
In November 2011, we issued our opinion on the Federal Housing Finance Agency's (FHFA) fiscal years 2011 and 2010 financial statements. Our report also included our opinion on the effectiveness of FHFA's internal control over financial reporting as of September 30, 2011, and our evaluation of FHFA's compliance with provisions of selected laws and regulations for the fiscal year ended September 30, 2011.
The Housing and Economic Recovery Act of 2008 (HERA) created FHFA and assigned it responsibility for, among other things, the supervision and regulation of the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), the 12 federal home loan banks, and the Office of Finance. Specifically, FHFA was assigned responsibility for ensuring that the regulated entities operate in a fiscally safe and sound manner, including maintenance of adequate capital and internal controls, in carrying out their housing and community development finance mission. HERA requires FHFA to annually prepare financial statements, and requires GAO to audit these statements.
The purpose of this report is to present additional information on the financial reporting-related internal control issue we identified during our audit of FHFA's fiscal year 2011 financial statements and to provide our recommended action to address that issue. This report also discusses a continuing issue with respect to FHFA's information security that resulted in new weaknesses in information security control areas. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified during our audits of FHFA's fiscal years 2010 and 2009 financial statements as reported in our related management reports on internal controls and accounting procedures and our fiscal year 2009 report on controls related to information security.
Recommendations
We present our recommendation for strengthening FHFA's internal controls. Our recommendation is intended to improve management's oversight and controls and minimize the risk of misstatements in FHFA's accounts and financial statements.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Federal Housing Finance Agency | To identify and address any National Finance Center (NFC) errors in processing FHFA payroll, the Acting Director of FHFA should direct the Chief Financial Officer to develop and implement a process to assess and address the risk to FHFA from any internal control issues at NFC including, as appropriate, any compensating controls commensurate with any identified risk. | We reviewed the status of FHFA's corrective action plans, including FHFA's A-123 review of NFC errors and the quality control process to verify withholdings. In addition, for the past two years, as part of our detail testing of payroll samples at interim, we reviewed SPPS payments and found no exceptions that were not self-corrected by NFC. Therefore, we found this control deficiency to have been addressed and actions taken to be sufficient. |