This is the accessible text file for GAO report number GAO-12-499R 
entitled 'Management Report: Opportunities for Improvement in the 
Federal Housing Finance Agency's Internal Controls' which was released 
on May 16, 2012. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-12-499R: 

United States Government Accountability Office: 
Washington, DC 20548: 

May 16, 2012: 

Mr. Edward J. DeMarco: 
Acting Director: 
Federal Housing Finance Agency: 

Subject: Management Report: Opportunities for Improvement in the 
Federal Housing Finance Agency's Internal Controls: 

Dear Mr. DeMarco: 

In November 2011, we issued our opinion on the Federal Housing Finance 
Agency's (FHFA) fiscal years 2011 and 2010 financial statements. Our 
report also included our opinion on the effectiveness of FHFA's 
internal control over financial reporting as of September 30, 2011, 
and our evaluation of FHFA's compliance with provisions of selected 
laws and regulations for the fiscal year ended September 30, 2011. 
[Footnote 1] 

The Housing and Economic Recovery Act of 2008 (HERA) created FHFA and 
assigned it responsibility for, among other things, the supervision 
and regulation of the Federal National Mortgage Association (Fannie 
Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), the 12 
federal home loan banks, and the Office of Finance.[Footnote 2] 
Specifically, FHFA was assigned responsibility for ensuring that the 
regulated entities operate in a fiscally safe and sound manner, 
including maintenance of adequate capital and internal controls, in 
carrying out their housing and community development finance mission. 
HERA requires FHFA to annually prepare financial statements, and 
requires GAO to audit these statements. 

The purpose of this report is to present additional information on the 
financial reporting-related internal control issue we identified 
during our audit of FHFA's fiscal year 2011 financial statements and 
to provide our recommended action to address that issue. This report 
also discusses a continuing issue with respect to FHFA's information 
security that resulted in new weaknesses in information security 
control areas. In addition, we are providing an update on the status 
of recommendations we made to address internal control issues 
identified during our audits of FHFA's fiscal years 2010 and 2009 
financial statements as reported in our related management reports on 
internal controls and accounting procedures[Footnote 3] and our fiscal 
year 2009 report on controls related to information security.
[Footnote 4] 

In addition, because of the sensitive nature of our findings related 
to FHFA information security, we will present our findings and 
recommendations setting out corrective actions to address the new 
issues we identified concerning FHFA's internal control over 
information security in a separate letter to FHFA management with 
limited distribution. 

Results in Brief: 

During our audit of FHFA's fiscal years 2011 and 2010 financial 
statements, we identified one internal control issue and a continuing 
issue related to information systems controls that could adversely 
affect FHFA's ability to meet its internal control objectives. We do 
not consider these issues to represent material weaknesses or 
significant deficiencies in relation to FHFA's financial 
statements.[Footnote 5] Nonetheless, we believe they warrant 
management's attention and action. 

Specifically, we found: 

* FHFA did not establish effective controls to assess the risk of 
errors by its payroll service provider and determine if any 
compensating controls were necessary to ensure the accuracy of payroll 
calculations. 

* FHFA had not yet fully implemented its information security program, 
resulting in weaknesses in four information security control areas. 

These issues increase the risk to FHFA that 1) misstatements in its 
financial statements may not be promptly detected and corrected, 2) 
errors in the calculation of its payroll amounts may not be 
identified, 3) contractors or other users with privileged access could 
gain unauthorized access to or improperly use agency financial 
systems, applications, and information, and 4) unauthorized system 
changes could be implemented without FHFA's knowledge. 

At the end of our discussion of the payroll issue, we present our 
recommendation for strengthening FHFA's internal controls. Our 
recommendation is intended to improve management's oversight and 
controls and minimize the risk of misstatements in FHFA's accounts and 
financial statements. 

As of the completion of our fiscal year 2011 audit, FHFA had taken 
action to fully address 11 of the 19 internal control-related 
recommendations from our prior reports. (See enclosure I for a summary 
of the status of our prior recommendations related to FHFA internal 
controls and accounting procedures and enclosure II for a summary of 
the status of our prior recommendations related to FHFA controls over 
information security.) Overall, while FHFA took action to address the 
four internal control and accounting procedures-related 
recommendations that remain open, more work is needed to fully resolve 
the underlying control issues. Similarly, with respect to internal 
control weaknesses over information security that resulted from FHFA's 
inability to fully implement an overall information security program 
as we previously recommended, FHFA had actions in process. 

In commenting on a draft of this report, FHFA agreed with our 
recommendation and described actions it has taken, or plans to take, 
to address the payroll-related control issue described in this report. 
At the end of our discussion of the payroll-related issue that we 
identified, we have summarized FHFA's related comments and corrective 
actions cited. We will evaluate the effectiveness of FHFA's corrective 
actions as part of our fiscal year 2012 audit. We have also reprinted 
FHFA's comments in their entirety in enclosure III. 

Scope and Methodology: 

As part of our audit of FHFA's fiscal years 2011 and 2010 financial 
statements, we evaluated FHFA's internal controls and tested its 
compliance with selected provisions of laws and regulations. We 
designed our audit procedures to test relevant controls over financial 
reporting, including those designed to provide reasonable assurance 
that transactions are properly recorded, processed, and summarized to 
permit the preparation of FHFA's financial statements in conformity 
with U.S. generally accepted accounting principles. 

We performed our audit of FHFA's fiscal years 2011 and 2010 financial 
statements in accordance with U.S. generally accepted government 
auditing standards. We believe that our audit provided a reasonable 
basis for our conclusions in this report. Further details on our audit 
methodology are presented in enclosure IV. 

Payroll Calculations: 

During our testing of payroll expense transactions conducted as part 
of our fiscal year 2011 audit, we found that FHFA did not have 
controls in place to ensure the integrity of payroll information 
processed by the U.S. Department of Agriculture's National Finance 
Center (NFC), FHFA's service provider for its payroll processing. 
Specifically, FHFA had not identified that NFC was not withholding 
Medicare taxes to be paid for FHFA employees' salaries during a 
portion of fiscal year 2011. 

NFC performs payroll/personnel processing for FHFA under the terms of 
an interagency agreement. Under the agreement, NFC is to (1) provide 
accurate and timely salary payments, (2) receive, review, and correct 
error conditions on submitted time and attendance (T&A) records and 
contact the agency if required to obtain necessary information, (3) 
record and maintain an official "system of record" for payroll and 
personnel data for all FHFA employees, (4) support and operate the 
interface with the Office of Personnel Management (OPM) to update the 
Central Personnel Data File and Enterprise Human Resources Integration 
Warehouse with personnel data for all of FHFA's employees,[Footnote 6] 
(5) design, develop, and implement program development services to 
ensure compliance with mandated regulations, enhancements, and 
modifications (i.e., annual pay raise, tax law changes, among others), 
and (6) receive, assign, monitor, and complete the processing of 
manual transactions initiated by FHFA within a specified timeframe 
based on complexity. Beginning in pay period 11 of 2011 (May 22 
through June 4, 2011) and continuing through pay period 21 (October 9 
through October 22, 2011), as the result of an issue with NFC's 
Special Payroll Processing System (SPPS), certain manual payments, 
such as wellness reimbursements, processed by SPPS, were not included 
in the calculation of the amount of Medicare tax to be withheld for 
FHFA employees who had met their annual Federal Insurance 
Contributions Act (FICA) maximum.[Footnote 7] As a result, NFC did not 
withhold any Medicare taxes, either the employee or employer portion, 
on the manual payments to those FHFA employees during these 2011 pay 
periods. FHFA was unaware of this issue until we identified it during 
our audit testing. 

Standards for Internal Control in the Federal Government states that 
management needs to comprehensively identify risks, considering all 
significant interactions between the entity and service providers at 
both the entity wide and activity level, and based upon the 
significance of the risk, decide what actions to take to manage the 
risk. In addition, the Office of Management and Budget's (OMB) 
Circular A-123 (A-123) and its related implementation guide require 
agencies to annually assess the effectiveness of their internal 
control over financial reporting and to provide a statement of 
assurance attesting to whether these internal controls are effective. 
The A-123 guide requires agencies to develop and document a thorough 
understanding of their financial reporting operations and how these 
operations are supported by automated systems. This includes 
determining which specific systems are involved in the financial 
reporting process, whether classes of transactions identified are 
significant to the financial reporting process, and determining 
whether each system is controlled by the agency or by an external 
service provider. For those systems that are controlled by an external 
service provider, agencies are to coordinate with the service provider 
to obtain an annual assurance statement that highlights key controls 
and the results of annual testing, and if available, to review the 
most recent report on the service provider's internal controls 
prepared in accordance with Statement on Standards for Attestation 
Engagements (SSAE) No. 16.[Footnote 8] For its financial reporting 
process, FHFA places extensive reliance on systems that are controlled 
by external service providers, including the processing of its payroll 
by NFC. The A-123 guide specifies that such systems are considered 
part of an entity's information system, and should therefore be 
considered in making an assessment of the effectiveness of the 
entity's internal control over financial reporting. The A-123 guide 
describes the nature of the procedures which could be used to monitor 
internal control over such service providers: 

1. Perform tests of entity internal control over the activities of the 
service provider, 

2. Perform tests of internal control at the service provider, or: 

3. Review reports prepared on the service provider in accordance with 
applicable standards. 

While NFC is responsible for maintaining adequate controls to ensure 
the accuracy and completeness of the payroll transactions it processes 
for its customer agencies (including FHFA), it is important that 
customer agencies gain an understanding of NFC's control environment, 
assess the risk of errors occurring in that environment, and establish 
compensating controls to address those risks. In reviewing FHFA's A-
123 assessment documentation for fiscal year 2011, we did not find 
that FHFA performed any of the procedures noted above in assessing the 
effectiveness of NFC's internal controls. In addition, FHFA did not 
have procedures in place that would have enabled it to detect the 
errors that resulted from the systemic problem with NFC's SPPS. 

Without an assessment of the risk of errors in the financial 
information provided to FHFA by NFC and compensating controls to 
identify and correct any errors, the risk is increased that such 
errors could go undetected and result in misstatements to amounts 
reported for expenditures and accrued liabilities in FHFA's financial 
statements. 

Recommendation: 

To identify and address any NFC errors in processing FHFA payroll, we 
recommend that you direct the Chief Financial Officer to develop and 
implement a process to assess and address the risk to FHFA from any 
internal control issues at NFC including, as appropriate, any 
compensating controls commensurate with any identified risk. 

FHFA Comments and Our Evaluation: 

In its May 9, 2012, comments on our draft report, FHFA agreed with the 
recommendation and cited actions it has taken, or intends to take, to 
address the payroll-related internal control issue we identified. For 
example, FHFA stated that it had instituted a formal quality control 
process to verify withholdings on all SPPS payments prior to release 
in the NFC system. In addition, FHFA stated that it will include a 
review of payroll calculations as part of its annual review for 
compliance with OMB A-123. FHFA's stated actions, if effectively 
implemented, should reduce the risk of payroll-processing errors 
occurring and going undetected by FHFA. We will more fully evaluate 
the effectiveness of the agency's corrective actions during our fiscal 
year 2012 financial audit. 

Information Security Program: 

During our audit of FHFA's fiscal year 2011 financial statements, we 
found that FHFA had not fully implemented its information security 
program as we have recommended in previous reports, and this lack 
resulted in several new information systems vulnerabilities during the 
fiscal year.[Footnote 9] Specifically, as discussed in greater detail 
in the following sections, we found that FHFA had not consistently or 
fully implemented controls for (1) identifying and authenticating 
users, (2) authorizing access to resources, (3) managing system 
configurations, and (4) protecting system and network boundaries on 
information systems owned and operated by FHFA or on behalf of FHFA by 
service provider organizations. 

FISMA requires each agency to develop, document, and implement an 
agencywide information security program to provide information 
security for the information and information systems that support the 
operations and assets of the agency, including those provided or 
managed by another agency, contractor, or other source.[Footnote 10] 
In our review we found the following vulnerabilities. 

Identification and Authentication of Users: 

A computer system needs to be able to identify and authenticate each 
user so that activities on the system can be linked and traced to a 
specific individual. An organization does this by assigning a unique 
user account to each user, and in so doing, the system is able to 
distinguish one user from another--a process called identification. 
The system also needs to establish the validity of a user's claimed 
identity by requesting some kind of information, such as a password, 
that is known only by the user--a process known as authentication. The 
combination of identification and authentication--such as user account-
password combinations--provides the basis for establishing individual 
accountability and for controlling access to the system. However, our 
2011 review found FHFA did not ensure that appropriate password 
management controls were implemented on key systems we reviewed at 
both FHFA and an FHFA service provider. In addition, FHFA did not 
enforce disabling of inactive user accounts on one of its systems. As 
a result, an increased risk exists that FHFA accounts could be 
compromised and used by unauthorized individuals to access sensitive 
information. 

Authorization Controls: 

Authorization is the process of granting or denying access rights and 
permissions to a protected resource, such as a network, a system, an 
application, a function, or a file. A key component of granting or 
denying access rights is the concept of "least privilege." Least 
privilege is a basic principle for securing computer resources and 
data that means that users are granted only those access rights and 
permissions that they need to perform their official duties. However, 
our 2011 review found both FHFA and an FHFA service provider granted 
users excessive levels of access privileges and permissions that were 
not required to perform their job. As a result, FHFA data could be 
inappropriately modified, either inadvertently or deliberately. 

Configuration Management: 

Configuration management involves, among other things, (1) verifying 
the correctness of the security settings in the operating systems, 
applications, or computing and network devices and (2) obtaining 
reasonable assurance that systems are configured and operating 
securely and as intended. Patch management, a component of 
configuration management, is an important element in mitigating the 
risks associated with software vulnerabilities. When a software 
vulnerability is discovered, the software vendor may develop and 
distribute a patch or work-around to mitigate the vulnerability. 
Without the patch, an attacker can exploit a software vulnerability to 
read, modify, or delete sensitive information; disrupt operations; or 
launch attacks against systems at another organization. Nevertheless, 
servers for systems used by FHFA had not been consistently patched in 
a timely manner. In addition, FHFA devices were not always securely 
configured. Specifically, FHFA did not properly configure a test 
server, and network vulnerabilities existed on multiple network 
devices. Failing to apply critical patches and the appropriate 
configuration settings for systems and network devices increases the 
risk of exposing systems to vulnerabilities that could be exploited. 

Boundary Protection: 

Boundary protection involves the protection of a logical or physical 
boundary around a set of information resources and implementation of 
measures to prevent unauthorized information exchange across the 
boundary in either direction. Firewall devices represent the most 
common boundary protection technology at the network level. However, 
during our 2011 review, we found FHFA service-provider network 
firewalls did not sufficiently log network traffic across the devices. 
In addition, controls were insufficient to ensure firewalls operating 
on systems that we reviewed appropriately restricted access to the 
systems. These weaknesses increase the risk that malicious activity 
could occur and escape detection. 

The underlying cause of the vulnerabilities we identified in fiscal 
year 2011 is that FHFA has not fully implemented our previous 
recommendations related to FHFA's information security program. For 
example, we have previously reported that FHFA did not always 
effectively monitor its systems. This lack of monitoring contributes, 
in part, to the new control issues we identified in our 2011 review. 
These new and continuing control issues increase the risk that (1) 
contractors or other users with privileged access could gain 
unauthorized access to or improperly use agency financial systems, 
applications, and information, and (2) unauthorized system changes 
could be implemented. Until FHFA mitigates its control deficiencies by 
fully implementing an effective information security program, 
increased risk exists that its financial and support systems and the 
information they contain will be subject to unauthorized access, use, 
disclosure, disruption, modification, or destruction. 

Status of Prior Years' Audit Recommendations: 

At the beginning of our fiscal year 2011 financial audit, 19 
recommendations to improve FHFA's financial operations from our prior 
audits remained open and therefore required corrective action by FHFA. 
In the course of performing our fiscal year 2011 financial audit, we 
identified numerous actions taken by FHFA to address many of the 
internal control issues related to these recommendations. On the basis 
of our 2011 review of FHFA's actions, we closed 11 of our prior years' 
audit recommendations. 

Specifically, at the beginning of our 2011 audit, six recommendations 
related to accounting procedures remained open. As of the completion 
of our 2011 audit, FHFA had taken action to fully address two of the 
six recommendations. (See enclosure I.) However, more work is needed 
to fully resolve the underlying control issues for the remaining four 
accounting procedures related recommendations. The four 
recommendations that remained open as of the completion date of our 
fiscal year 2011 financial audit relate to invoice payment procedures, 
undelivered orders, and expense accruals. Although FHFA updated its 
Administrative Accounting Manual and developed additional documented 
procedures and training materials in response to our recommendations 
on invoice payment procedures and the calculation of undelivered 
orders balances and accruals, we continued to find problems during our 
audit testing with the mathematical accuracy of invoices, accurate 
reporting of undelivered order balances, and the calculation of year-
end accruals. The errors we identified in our 2011 audit were not 
material to the fiscal year 2011 financial statements, but the 
continuation of such errors indicates that further efforts are needed 
to routinely enforce procedures related to these areas. 

In addition, at the beginning of our fiscal year 2011 audit, 13 
recommendations related to information systems controls remained open. 
As of the completion of our audit, FHFA had taken action to fully 
address 9 of the 13 recommendations. (See enclosure II.) FHFA 
continues to take actions to establish an overall information security 
management program. However, more work is needed to fully resolve the 
control issues for the remaining four recommendations related to 
information systems controls. Specifically, the recommendations that 
remained open at the close of the fiscal year 2011 audit relate to 
logical access controls and FHFA's information security program. 
Although FHFA has made progress in addressing these recommendations, 
additional work is required before these issues are fully resolved. 
For example, FHFA completed continuous monitoring reports that 
summarize monitoring activities by the agency; however, it had not yet 
developed policies and procedures for monitoring third party service 
organization staff and contractors. In addition, FHFA had developed 
procedures for an annual risk assessment of FHFA contractor systems, 
but the procedures did not specifically address the assessment of 
security reviews and plans of action and milestones: 

developed by BPD and contractors.[Footnote 11] During our fiscal year 
2012 audit, we will assess the implementation of any new procedures 
developed by FHFA to address our recommendations related to 
information systems controls. 

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. � 720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Homeland Security and 
Governmental Affairs and the House Committee on Oversight and 
Government Reform within 60 days of the date of this report. A written 
statement must also be sent to the House and Senate Committees on 
Appropriations with the agency's first request for appropriations made 
more than 60 days after the date of this report. 

This report is intended for use by FHFA management. We are sending 
copies of this report to the Chairman and Ranking Member of the Senate 
Committee on Banking, Housing, and Urban Affairs; the Chairman and 
Ranking Member of the House Committee on Financial Services; the 
Chairman of the Federal Housing Finance Oversight Board; the Secretary 
of the Treasury; the Secretary of Housing and Urban Development; the 
Chairman of the Securities and Exchange Commission; the Director of 
the Office of Management and Budget; and other interested parties. In 
addition, this report will be available at no charge on GAO's web site 
at [hyperlink, http://www.gao.gov]. 

We acknowledge and appreciate the cooperation and assistance provided 
by FHFA management and staff during our audit of FHFA's fiscal years 
2011 and 2010 financial statements. If you have any questions about 
this report or need assistance in addressing these issues, please 
contact Steven Sebastian at (202) 512-3406 or sebastians@gao.gov or 
Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made: 

major contributions to this report are Peggy Smith, Assistant Director 
(FMA); Vijay D'Sousa, Assistant Director (IT); William E. Brown, 
Senior Analyst; and Shaunyce Wallace, Senior Analyst. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian:
Managing Director:
Financial Management and Assurance: 

Signed by: 

Gregory C. Wilshusen:
Director:
Information Security Issues: 

Enclosures - 4: 

[End of section] 

Enclosure I: Status of Prior Recommendations: 

This enclosure presents the status of the six remaining open 
recommendations initially reported in GAO's April 29, 2011 and June 3, 
2010 management reports.[Footnote 12] The recommendations are grouped 
according to deficiency areas specified in the management reports. 

Table 1: Status of Recommendations from GAO's 2010 and 2009 Management 
Reports at the end of GAO's Audit of the Federal Housing Finance 
Agency's (FHFA) Fiscal Year 2011 Financial Statements. 

Audit area: Disposal of capitalized property and equipment. 

1. Establish a mechanism to monitor compliance with policies and 
procedures surrounding the proper disposal of capitalized property and 
equipment; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

2. Update the Property Management Policy to include procedures for how 
to properly document approval before disposal of FHFA assets; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

Audit area: Invoice payment procedures. 

3. Enhance FHFA's Invoice and Payment Desktop Procedures to include 
detailed instructions on how to verify the accuracy of invoice amounts 
prior to payment; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

Audit area: Undelivered orders. 

4. Enhance the Administrative Accounting Manual by incorporating 
specific, detailed steps for the contracting officer technical 
representatives (COTR) review of contract balances, including the use 
of the open obligations report provided by the Bureau of the Public 
Debt in the COTR review process; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

5. Enhance the Administrative Accounting Manual by including specific, 
detailed steps on when and how to properly account for obligating and 
deobligating contract amounts; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

Audit area: Expense accruals. 

6. Enhance training materials related to accruals to include examples 
of expenses that should and should not be accrued at the end of an 
accounting period; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

Source: GAO analysis of FHFA data. 

[End of table] 

[End of section] 

Enclosure II: Status of Prior Recommendations from GAO's Fiscal Year 
2009 Information Security Management Report: 

This enclosure presents the status of the 13 remaining open 
recommendations initially reported in GAO's April 30, 2010 information 
security management report.[Footnote 13] The recommendations are 
grouped according to deficiency areas specified in that management 
report. 

Table 2: Status of Recommendations from GAO's 2009 Information 
Security Management Report at the end of GAO's Audit of the Federal 
Housing Finance Agency's (FHFA) Fiscal Year 2010 Financial Statements. 

Audit Area: Logical access controls. 

1. Maintain network access authorizations for every agency network 
user; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

2. Review current access to network files and directories containing 
confidential information and restrict access to personnel with an 
authorized need to access that information; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

Audit Area: Controls over physical access. 

3. Secure areas that contain information technology equipment and 
sensitive information; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

4. Complete sufficient physical security policies to address 
protection of agency assets, including incident response, access 
authorizations, and environmental safety controls; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

5. Perform physical security risk assessments at key facilities; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

6. Develop, document, and implement monitoring procedures to ensure 
that physical access authorizations to secure areas containing 
sensitive computer resources, including server rooms and sensitive 
information, are current and controlled; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

7. Develop, document, and implement monitoring procedures and install 
appropriate equipment to ensure that FHFA can detect and respond to 
potential physical security incidents; 
2009; 
Status of corrective action: Completed. 

8. Increase employees' awareness of the need to enforce physical 
security safeguards; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

Audit Area: Improvements to FHFA's information security program. 

9. Develop, document, and implement procedures enforcing separation of 
incompatible duties among personnel; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

10. Finalize, approve, and implement configuration management policies 
and procedures; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

11. Approve and test continuity of operations and disaster recovery 
plans; 
Year initially reported: 2009; 
Status of corrective action: Completed. 

12. Develop, document, and implement procedures to monitor access to 
agency financial information by the Bureau of the Public Debt (BPD) 
and Oracle Corporation staff and contractors; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

13. Develop, document, and implement procedures to assess all security 
reviews and plans of action and milestones developed by BPD and Oracle 
Corporation staff and contractors; 
Year initially reported: 2009; 
Status of corrective action: In progress. 

Source: GAO analysis of FHFA data. 

[End of table] 

[End of section] 

Enclosure III: Comments from the Federal Housing Finance Agency: 

Federal Housing Finance Agency: 
Constitution Center: 
400 7th Street, S.W. 
Washington, D.C. 20024: 
Telephone: (202) 649-3800: 
Facsimile: (202) 649-1071: 
[hyperlink, http://www.fhfa.gov]: 

May 9, 2012: 

Mr. Steven J. Sebastian: 
Managing Director: 
Financial Management and Assurance: 
Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Sebastian: 

Thank you for the opportunity to review and comment on the Management 
Report: Opportunities for Improvement in the Federal Housing Finance 
Agency's Internal Controls. We appreciate GAO's efforts in completing 
this year's review of the Federal Housing Finance Agency's internal 
controls and accounting procedures. I am pleased that GAO found FHFA's 
fiscal year 2011 and 2010 financial statements were fairly presented 
in all material respects and that FHFA had effective internal control 
over financial reporting. 

During the course of the FY 2011 financial statement audit, GAO 
identified opportunities for improvements related to FHFA's internal 
controls. FHFA agrees that GAO's recommendations will strengthen our 
internal controls. To that end, FHFA has complied with all of GAO's 
recommendations contained in the Management Report as discussed below. 

Payroll Calculations: 

GAO Recommendations: 

The Chief Financial Officer should: 
Develop and implement a process to assess and address the risk to FHFA 
from any internal control issues at National Finance Center (NFC) 
including, as appropriate, any compensating controls commensurate with 
any identified risk. 

FHFA Response: 

FHFA agrees with the recommendations. FHFA held discussions with the 
Office of Human Resource Management (OHRM) and NFC regarding the 
$17.40 wellness issue that was processed in the Special Payroll 
Processing System (SPPS) and discovered during the FY 2011 audit. FHFA 
emphasized the importance for proper SPPS system coding to ensure 
withholdings are correct and the timeliness of customer notifications 
from NFC to FHFA as issues arise. FHFA will institute a formal quality 
control check prior to the release of payments processed in SPPS. 
Additionally, FHFA will include a review of payroll calculations as 
part of the annual A-123 Appendix A review and testing. 

Status: 

Held conference call with OHRM and NFC staff on April 26, 2011 to 
discuss $17.40 wellness issue processed in SPPS. 

Instituted a formal quality control process to verify withholdings on 
all SPPS payments prior to release in NFC system on May 2, 2012. 

Included a review of sample second quarter payroll calculations as 
part of the annual A-123 Appendix A review and testing which will be 
completed by June 30, 2012. 

Information Security Program: 

GAO Comment: 

Due to the sensitive nature of GAO's findings related to FHFA 
information security, GAO will present their findings and 
recommendations setting out corrective actions to address the new 
issues they identified concerning FHFA's internal control over 
information security in a separate letter to FHFA management with 
limited distribution. 

FHFA Response: 

FHFA will provide comments to the draft report entitled Information 
Security: FHFA Needs to Improve Controls over Financial Systems and 
Data by May 17, 2012 as requested by GAO. 

If you have any questions, please contact Michele Horowitz, Deputy 
Chief Financial Officer at (202) 649-3782 or Debbie Olejnik, Manager 
Financial Management Operations and Systems at (202) 649-3792. 

Sincerely, 

Signed by: 

Mark Kinsey: 
Chief Financial Officer: 

[End of section] 

Enclosure IV: Audit Scope and Methodology: 

To fulfill our responsibilities as auditor of the financial statements 
of the Federal Housing Finance Agency (FHFA), our audit work included 
the following: 

* examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements; 

* assessed the accounting principles used and significant estimates 
made by FHFA management; 

* evaluated the overall presentation of the financial statements; 

* obtained an understanding of the entity and its operations, 
including its internal control over financial reporting; 

* considered FHFA's process for evaluating and reporting on internal 
control over financial reporting that FHFA is required to perform by 
31 U.S.C. � 3512 (c), (d), commonly known as the Federal Managers' 
Financial Integrity Act of 1982; 

* assessed the risk that a material misstatement exists in the 
financial statements and the risk that a material weakness exists in 
internal control over financial reporting; 

* evaluated the design and operating effectiveness of internal control 
over financial reporting based on the assessed risk; 

* tested relevant internal control over financial reporting; 

* tested compliance with selected provisions of the following laws and 
their related regulations: 31 U.S.C. � 3902 (a), (b), (f) - Interest 
penalties under the Prompt Payment Act; 31 U.S.C. � 3904 - Limitations 
on Discount Payments Under the Prompt Payment Act; 5 U.S.C. � 5313 - 
Positions at level II; 12 U.S.C. � 4515 - Personnel; 12 U.S.C. � 
4517(h) - Appointment of accountants, economists, and examiners; 
Continuing Appropriations Act, 2011, as amended by Continuing 
Appropriations and Surface Transportation Extensions Act, 2011; 
Presidential Memorandum on Freezing Federal Employee Pay Schedules and 
Rates That Are Set by Administrative Discretion, 75 Fed. Reg. 81829 
(Dec. 29, 2010); Federal Employees' Retirement System Act of 1986, as 
amended; Social Security Act of 1935, as amended; Federal Employees 
Health Benefits Act of 1959, as amended; 12 C.F.R. Part 1206 - 
Assessments; and Federal Housing Enterprises Financial Safety and 
Soundness Act of 1992, as amended by the Housing and Economic Recovery 
Act of 2008; and: 

* evaluated information security controls based on our Federal 
Information System Controls Audit Manual[Footnote 14] which contains 
guidance for reviewing information systems. 

[End of section] 

Footnotes: 

[1] GAO, Financial Audit: Federal Housing Finance Agency's Fiscal 
Years 2011 and 2010 Financial Statements, [hyperlink, 
http://www.gao.gov/products/GAO-12-161] (Washington, D.C.: Nov. 15, 
2011). 

[2] Pub. L. No. 110-289, 122 Stat. 2654 (July 30, 2008). 

[3] GAO, Management Report: Opportunities for Improvements in FHFA's 
Internal Controls and Accounting Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-11-398R] (Washington, D.C.: Apr. 29, 
2011). GAO, Management Report: Opportunities for Improvements in 
FHFA's Internal Controls and Accounting Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-10-587R] (Washington, D.C.: June 3, 
2010). 

[4] GAO, Information Security: Opportunities Exist for the Federal 
Housing Finance Agency to Improve Controls, [hyperlink, 
http://www.gao.gov/products/GAO-10-528] (Washington, D.C.: Apr. 30, 
2010). 

[5] A material weakness is a deficiency, or a combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected on a 
timely basis. A significant deficiency is a deficiency, or combination 
of deficiencies, in internal control that is less severe than a 
material weakness, yet important enough to merit attention by those 
charged with governance. A deficiency in internal control exists when 
the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned 
functions, to prevent, or detect and correct, misstatements on a 
timely basis. 

[6] The Central Personnel Data File is an automated information system 
containing individual records for most Federal civilian employees. The 
system's primary objective is to provide a readily accessible database 
for meeting the workforce information needs of the White House, the 
Congress, OPM, other Federal agencies, and the public. OPM's 
Enterprise Human Resources Integration (EHRI) Program's Data Warehouse 
is the Government's premier source for integrated Federal workforce 
information. The system currently collects, integrates, and publishes 
data for 2.0 million Executive Branch employees on a bi-weekly basis, 
supporting agency and governmentwide analytics. 

[7] Federal Insurance Contributions Act (FICA) taxes are comprised of 
social security and Medicare taxes. Most employees and employers each 
pay a specified percentage (in 2011 social security tax rate was 4.2 
percent and Medicare was 1.45 percent) of payroll wages for social 
security and Medicare taxes. The social security tax is only applied 
on an employee's salary up to a maximum amount. When an employee 
reaches the maximum payment, social security taxes are no longer 
deducted until the next calendar year. However, there is no maximum 
amount for earnings subject to the Medicare taxes portion of FICA. 

[8] SSAE 16 reports refer to reports typically prepared by an 
independent auditor based on a review of the controls relevant to user 
entities' internal control over financial reporting as discussed in 
the American Institute of Certified Public Accountants' Statement on 
Standards for Attestation Engagements (SSAE) No. 16, Reporting on 
Controls at a Service Organization. A service organization provides 
services to the entity whose financial statements are being audited. 

[9] GAO, Information Security: Opportunities Exist for the Federal 
Housing Finance Agency to Improve Controls, [hyperlink, 
http://www.gao.gov/products/GAO-10-528] (Washington, D.C.: April 30, 
2010). 

[10] Information security means protecting information and information 
systems from unauthorized access, use, disclosure, disruption, 
modification or destruction in order to provide (1) integrity, which 
means guarding against improper information modification or 
destruction, and includes ensuring information non-repudiation and 
authenticity; (2) confidentiality, which means preserving authorized 
restrictions on access and disclosure, including means for protecting 
personal privacy and proprietary information; and (3) availability, 
which means ensuring timely and reliable access to and use of 
information. 

[11] FHFA outsources its financial management services to the 
Department of the Treasury Bureau of the Public Debt Administrative 
Resource Center. Oracle Corporation staff serve as database and 
systems administrators and provide backup and recovery services for 
FHFA's financial information. 

[12] GAO, Management Report: Opportunities for Improvements in FHFA's 
Internal Controls and Accounting Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-11-398R] (Washington, D.C.: Apr. 29, 
2011). GAO, Management Report: Opportunities for Improvements in 
FHFA's Internal Controls and Accounting Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-10-587R] (Washington, D.C.: June 3, 
2010). 

[13] GAO, Information Security: Opportunities Exist for the Federal 
Housing Finance Agency to Improve Controls, [hyperlink, 
http://www.gao.gov/products/GAO-10-528] (Washington, D.C.: Apr. 30, 
2010). 

[14] GAO, Federal Information System Controls Audit Manual (FISCAM), 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, 
D.C.: February 2009). 

[End of section] 

GAO�s Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO�s commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO�s website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e-mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select �E-
mail Updates.� 

Order by Phone: 

The price of each GAO publication reflects GAO�s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO�s 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov]. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548. 

Public Affairs: 
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, DC 20548.