Develop a strategy to comprehensively assess and respond to fraud risks across NYCHA. The strategy should identify who within NYCHA is responsible for designing and overseeing activities to prevent and detect fraud. The strategy should also include how NYCHA will (1) assess fraud risks across NYCHA methodically and periodically, (2) create response plans for fraud risks that are identified, and (3) monitor and evaluate the effectiveness of fraud risk management activities. The strategy should also designate fraud risk responsibilities across NYCHA.

Based on the strategy, (1) complete an assessment of fraud risks across NYCHA, (2) create response plans for fraud risks that are identified, and (3) develop procedures to monitor and evaluate the effectiveness of fraud risk management activities.

Assess whether HUD’s other extra-large PHAs have mature fraud risk management programs and use the assessment to develop a strategy to reduce the fraud risk exposure to HUD. The strategy should include working with extra-large PHAs to implement appropriate fraud mitigation activities.

Work with HUD’s Chief Risk Officer to issue a notice to all PHAs explaining that PHAs are responsible for fraud risk management and play a role in fulfilling HUD’s requirement to identify and mitigate fraud risks. This notice should clearly indicate that PHAs should implement fraud risk management, which includes (1) completing an assessment of fraud risks, (2) creating response plans for fraud risks that are identified, and (3) developing procedures to monitor and evaluate the effectiveness of fraud risk management activities.

Provide evidence to support that the Authority corrected the 11 unit deficiencies for the 5 units and 7 building deficiencies for 4 buildings with outstanding deficiencies.

Determine the frequency of its quality control reviews of its inspections and work orders and update its quality control policy, training materials, and other resources as appropriate to ensure that its quality control process is consistently implemented.

Support that it has implemented its quality control policy for (1) monitoring the effectiveness of its unit and building inspections to ensure compliance with HUD’s and its own requirements and (2) reviewing work orders to ensure that cited deficiencies are corrected in accordance with HUD’s and its own requirements.

Provide evidence to support that the Authority corrected the four non-life-threatening deficiencies for the three units with outstanding deficiencies.

Implement adequate procedures and controls to ensure that the deficiencies identified during annual self-inspections are properly categorized and corrected in a timely manner.

Develop and implement a plan to manage and reduce its backlog of work orders. This plan should include but not be limited to (1) assessing and addressing staffing needs; (2) creating a timeline for completion of the work orders to ensure that its properties are maintained in decent, safe, and sanitary condition and in good repair; and (3) providing documentation showing that it is on track to meet the completion timeframe.

Implement adequate procedures and controls to ensure that inspection reports are uploaded to the Authority’s electronic filing system and work orders are created in a timely manner. This process should include but not be limited to providing training to its staff on the Authority’s systems, establishing timeframes for the creation of work orders, and monitoring the work order process.

Provide evidence to support that the Authority corrected the 3 non-life-threatening health and safety, and 19 non-health and safety deficiencies.

Develop and implement adequate procedures and controls to ensure that (1) the deficiencies identified during REAC inspections are corrected in a timely manner and (2) documentation is maintained to support that repairs were made.

Implement adequate controls to ensure that the Authority’s information system properly tracks the completion of work orders.

Implement adequate controls to ensure that the correction of life-threatening deficiencies is reported to HUD accurately and in a timely manner.

HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.

HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.

HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.

HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.