| FHFA Did Not Always Follow Federal Regulations and Its Policy for Employee Financial Disclosures During Fiscal Years 2020 and 2021 |
AUD-2022-011 |
2022-09-08 |
| FHFA Did Not Always Follow its Policies for Monetary Awards, Recruitment Bonuses, and Retention Allowances during Fiscal Years 2019 and 2020; FHFA’s Excellence Awards Were Not Included in Agency Policy |
AUD-2021-008 |
2021-06-17 |
| FHFA Did Not Always Follow its Procedures When Reviewing the Enterprises' Draft SEC Filings, But Plans to Take Corrective Action |
AUD-2022-007 |
2022-05-12 |
| FHFA Did Not Complete All Planned Supervisory Activities Related to Cybersecurity Risks at Freddie Mac for the 2016 Examination Cycle |
AUD-2017-011 |
2017-09-27 |
| FHFA Did Not Document Reviews of Desktop Appraisal Reports |
AUD-2024-001 |
2023-10-25 |
| FHFA Did Not Effectively Implement Controls Intended to Ensure the Integrity of Its Employee Transportation Benefits Program |
COM-2023-005 |
2023-06-21 |
| FHFA Did Not Effectively Implement Records Management Training Controls for Onboarding and Offboarding Personnel |
COM-2023-006 |
2023-08-23 |
| FHFA Did Not Follow All of its Contingency Planning Requirements for the National Mortgage Database (NMDB) or its Correspondence Tracking System (CTS) |
AUD-2022-003 |
2021-12-13 |
| FHFA Did Not Follow its Interim Directive on a Requirement to Use a FAR Clause Intended to Protect Whistleblower Rights of Contractor Employees, But Has Since Taken Corrective Action |
AUD-2021-015 |
2021-09-30 |
| FHFA Did Not Fully Comply with DHS Binding Operational Directives for Securing Its Public Websites and Publishing Its Vulnerability Disclosure Policy |
AUD-2022-010 |
2022-08-31 |
| FHFA Did Not Fully Implement Select Security Controls Over One of Its Cloud Systems as Required by NIST and FHFA Standards and Guidelines |
AUD-2023-002 |
2023-03-08 |
| FHFA Did Not Record, Track, or Report All Security Incidents to US-CERT; 38% of Sampled FHFA Users Did Not Report a Suspicious Phone Call Made to Test User Awareness of its Rules of Behavior |
AUD-2021-009 |
2021-06-25 |
| FHFA Effectively Blocked Phishing Emails, But Requires Improvement in Managing Vulnerabilities on Its Public Websites |
AUD-2023-008 |
2023-09-27 |
| FHFA Ensured that Fannie Mae Submitted Required Property Valuation Data to the Agency's Mortgage Loan Integrated System |
COM-2022-005 |
2022-05-31 |
| FHFA Examinations of CSS Include Review of the Board of Managers but Supervision Has a Key Person Dependency and Outdated Guidance |
EVL-2023-002 |
2023-03-20 |
| FHFA Examiners’ Lack of Assessment and Escalation of Shortcomings Identified by an Enterprise in its Servicer Fraud Risk Management Framework Limited the Agency’s Supervisory Oversight |
EVL-2020-002 |
2020-08-27 |
| FHFA Faces a Formidable Challenge: Remediating the Chronic and Pervasive Deficiencies in its Supervision Program Prior to Ending the Conservatorships of Fannie Mae and Freddie Mac |
OIG-2020-002 |
2020-03-30 |
| FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle |
AUD-2017-010 |
2017-09-27 |
| FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those Reports |
EVL-2016-009 |
2016-07-14 |
| FHFA Failed to Ensure Freddie Mac’s Remedial Plans for a Cybersecurity MRA Addressed All Deficiencies; as Allowed by its Standard, FHFA Closed the MRA after Independently Determining the Enterprise Completed its Planned Remedial Actions |
AUD-2018-008 |
2018-03-28 |
| FHFA Failed to Follow its Cloud-Based Computing Requirements when it Did Not Validate the Implementation of Minimum Security Requirements for Cloud-Based Tools and Did Not Include Required IT Security Provisions in Some of its Cloud Service Contracts |
AUD-2020-013 |
2020-09-17 |
| FHFA Followed Its Guidance When Making Conservatorship Decisions But Needs to Improve Retention of Decision Documentation and Update the Conservatorship Decision Policy and Procedures |
AUD-2023-003 |
2023-03-29 |
| FHFA Followed OMB Guidance in Implementing its Enterprise Risk Management Program But its 2020 Risk Profile Failed to Identify a Significant Action Underway to Address Acknowledged Supervision Risk |
AUD-2021-004 |
2021-03-17 |
| FHFA Generally Complied with its Updated Guidance for Procurement Peer Reviews |
COM-2022-001 |
2022-01-14 |
| FHFA Has Acted to Strengthen Its Oversight of Federal Home Loan Bank Members’ Compliance with Community Support Requirements |
COM-2024-001 |
2024-01-10 |
