Federal Reports

We audited Flat Branch Mortgage, Inc., to evaluate its quality control (QC) program for originating and underwriting Single Family FHA-insured loans.  Our audit covered the period October 2020 through September 2022.  We selected Flat Branch for review based on its loan volume and delinquency rate and because its rate of self-reporting loans to HUD when it identified fraud, material misrepresentations, and other material findings that it could not mitigate was below average for more than a 5-year period.

We found that Flat Branch’s QC program for originating and underwriting FHA-insured loans was not sufficient.  Specifically, Flat Branch (1) did not select the proper number of loans for review and maintain complete and accurate data to document its loan selection process; (2) did not complete all loan reviews in a timely manner; (3) did not always complete key review steps and sometimes missed material deficiencies; and (4) did not adequately assess, mitigate, and report loan review findings, which included self-reporting loans to HUD when required.  These issues occurred because Flat Branch had insufficient controls over its QC program, was not always familiar with HUD requirements, and experienced staffing constraints.  As a result, HUD did not have assurance that Flat Branch’s QC program fully achieved its intended purposes, which include, among other things, protecting the FHA insurance fund and lender from unacceptable risk, guarding against fraud, and ensuring timely and appropriate corrective action.

We recommend that HUD require Flat Branch to (1) update its QC plan and related procedures to align with HUD requirements; (2) provide training to staff and management on HUD requirements for lender QC programs; (3) review the loans that it had not selected and take appropriate actions when applicable; (4) obtain credit reports and reverifications of borrower information for QC reviews in which it did not complete these steps and evaluate the risk of findings identified for these loans; and (5) evaluate its QC files for the loans in which it identified material findings to confirm whether it self-reported to HUD all findings of fraud or material misrepresentation, along with any other material findings that it did not acceptably mitigate.

To learn how communities across the nation responded to the pandemic, we initiated a multi-part review of six communities—two cities, two rural counties, and two Tribal reservations. This report is the sixth community-specific report and focuses on our work in Jicarilla Apache Nation Reservation in New Mexico, where we previously identified that recipients, including city government, small businesses, and individuals, received almost $80 million from 42 pandemic relief programs and subprograms. This report provides a closer look at ten pandemic programs and subprograms provided to Jicarilla Apache Nation Reservation by six federal departments.

The U.S. AbilityOne Commission (AbilityOne) Office of Inspector General (OIG) conducted an investigation of employee conduct in response to a complaint received.

Agency program officials, chief information officers, and inspectors general must annually review information security programs and report to the Department of Homeland Security and Congress on agency compliance with the Federal Information Security Modernization Act (FISMA). The OIG contracted with an independent public accounting firm, CliftonLarsonAllen LLP (CLA), to evaluate VA’s information security program for FY 2024. After assessing 49 major applications and general support systems hosted at 23 VA facilities and on the VA Enterprise Cloud, CLA concluded that VA continues to face significant challenges meeting FISMA requirements because of the nature and maturity of its information security program.

The audit found continuing deficiencies related to access controls, configuration management controls, security management controls, and service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. These deficiencies can be remedied by addressing security-related issues that contributed to the information technology material weakness reported in the FY 2024 audit of VA’s consolidated financial statements; improving the deployment of security patches, system upgrades, and system configurations; improving performance monitoring to ensure controls operate as intended; and communicating identified security deficiencies to appropriate personnel.

Of CLA’s 23 recommendations, VA concurred with 12 and did not concur with 11. Some of the 23 recommendations addressed repeat deficiencies from previous FISMA reports spanning multiple years. CLA will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions in the FY 2025 audit of VA’s information security program.