Sixth Semiannual Report to the Congress - Federal Housing ...
and provide for financial consequences to those counterparties that fail to meet delivery deadlines; and (4) direct the enterprises to implement a control to consider time frames in state statutes of limitations in prioritizing, coordinating, and monitoring deficiency collection activity for borrowers with the ability to repay.

FHFA provided comments agreeing with the recommendations in these reports.

Action Needed to Strengthen FHFA Oversight of Enterprise Information Security and Privacy Programs (AUD-2013-009, August 30, 2013)

Recent reports have emphasized the growing threat of cyber attacks against government and private-sector computers and networks. These attacks pose a significant risk to the safety and soundness of financial organizations, including the enterprises, which store personal protected information (PPI) for 28 million active borrowers, as well as other sensitive financial information. If that PPI is compromised, the enterprises, FHFA, and Treasury could be exposed to significant financial risk; trust in the enterprises would also suffer greatly. The objective of this audit was to assess the effectiveness of FHFA’s oversight of enterprise information security and privacy programs.

Key aspects of FHFA’s oversight of these programs were ineffective during our January 2010 to November 2012 audit period. The agency did not issue formal information security and privacy guidance to the enterprises, complete a risk assessment for information security and privacy necessary to support the annual examination plan, conduct ongoing monitoring of some key IT security issues, or address some previously identified findings regarding information security.

Further, FHFA did not have an adequate process to support its reliance on the work of the enterprises’ internal audit divisions related to information security. Although guidance states that FHFA examiners review outstanding issues and assess staff levels and skills of internal auditors, these activities alone are insufficient for establishing reliance. FHFA’s reliance on enterprise internal audit work—without properly establishing and documenting grounds for such reliance—increases the risk that examination analysis and results could be based on inaccurate or unsubstantiated work.

To strengthen FHFA’s oversight of enterprise information security and privacy programs, we recommended that the agency: (1) establish formal program requirements, (2) implement a workforce plan for IT examination staffing, (3) complete required risk assessments, (4) consistently deploy tools for monitoring IT security activities, and (5) establish and document a process for relying on enterprise internal audit activities.

FHFA agreed with these recommendations and stated that it has adopted a new approach to supervision activities.

Evaluations

Evaluation of Fannie Mae’s Servicer Reimbursement Operations for Delinquency Expenses (EVL-2013-012, September 18, 2013)

This report evaluates Fannie Mae’s servicer reimbursement operations for delinquency expenses. Fannie Mae relies on servicers to make various payments on behalf of delinquent borrowers. Generally, these payments are for property preservation expenses, insurance, taxes, and foreclosure costs and expenses. Figure 4 (see page 12) provides examples of the line items covered by these payments. Fannie Mae uses a contractor to administer major aspects of the servicer reimbursement function, including manually processing claims.

OIG assessed FHFA’s oversight of Fannie Mae’s servicer reimbursement operations.

Semiannual Report to the Congress • April 1, 2013–September 30, 2013 11