Skip to main content
.
Share with LinkedInShare with TwitterShare with facebook

Highlights

What GAO Found

Of the six agencies GAO selected for review, only the Department of Education submitted its internal control plan for disaster relief funds by the statutory deadline. The Department of Defense did not submit an internal control plan. The Departments of Agriculture, Homeland Security, and Housing and Urban Development and the Small Business Administration submitted the required internal control plans ranging from about 2 months to more than 7 months following the March 31, 2018, statutory deadline.

The Office of Management and Budget (OMB) did not have an effective strategy to ensure that agencies timely submitted internal control plans. OMB issued OMB Memorandum M-18-14 (M-18-14), Implementation of Internal Controls and Grant Expenditures for the Disaster-Related Appropriations, which contained guidance for agencies to use in developing their plans, on March 30, 2018, or 1 day before the statutory deadline for agencies to submit plans. Congress required OMB to issue standard guidance for agencies to use in designing internal control plans. The guidance was to include robust criteria for identifying and documenting incremental risks and mitigating controls related to disaster relief funding, and guidance for documenting the linkage between incremental risks related to disaster relief funding and efforts to address known internal control risks.

Selected agencies' plans did not include sufficient information for GAO to determine if the agencies met OMB directives in M-18-14 and federal internal control standards' documentation requirements. For example, two of the five plans GAO reviewed included information that demonstrated that the plans complemented the agencies’ existing risk management practices, while three plans lacked sufficient information to make such a determination. Further, M-18-14 lacked specific instructions to agencies on what to include in their internal control plans.

OMB did not have an effective outreach strategy to help ensure that agencies had proper guidance in developing and reporting their plans. OMB did not establish an external communication mechanism to ensure that internal control plans addressed key payment-integrity risks for disaster relief funds. OMB staff stated that OMB Circular No. A-123's enterprise risk management (ERM) requirements were sufficient for agencies to produce effective internal control plans, because agencies should consider disaster situations as part of their overall consideration of risk. However, while it is important that agencies develop an effective ERM process, Congress required agencies to communicate internal control plans associated with the supplemental funding provided. Federal internal control standards state that management should externally communicate necessary quality information to achieve the entity’s objectives. Without a clear OMB strategy for preparing for oversight of future disaster relief funding, there is an increased risk that agencies will not appropriately assess risks associated with disaster relief funding. As a result, Congress and others may not receive the necessary information about internal controls, which will affect Congress’s and others’ ability to provide effective oversight.

Why GAO Did This Study

Agencies must deliver disaster relief funding expeditiously. However, the risk of improper payments increases when agencies spend billions of dollars quickly. In 2017, Hurricanes Harvey, Irma, and Maria and the California wildfires created an unprecedented demand for federal disaster response and recovery resources. Congress passed three supplemental appropriations totaling over $120 billion in additional funding in response to these disasters. As part of the appropriations, Congress included an oversight framework that required federal agencies to submit internal control plans for spending these funds by March 31, 2018, in accordance with criteria to be established by OMB.

This report addresses the extent to which selected federal agencies’ internal control plans provided sufficient and timely external communication to Congress and others. To address this objective, GAO selected for review six agencies that together received $115 billion of the approximately $120 billion in supplemental appropriations for activities in response to the 2017 disasters. GAO reviewed these agencies’ internal control plans and M-18-14, evaluated the internal control plans against M-18-14 and internal control standards, and interviewed agency officials and OMB staff.

What GAO Recommends

GAO recommends that OMB develop a strategy for ensuring that agencies communicate timely and sufficient internal control plans for disaster relief funds. OMB did not agree that this recommendation is needed. GAO continues to believe the recommendation is appropriate and needed, as discussed in the report.

Recommendations

Recommendations for Executive Action

NumberAgencyRecommendation
1Executive Office of the President: Office of Management and Budget

The Director of OMB, after consulting with key stakeholders (e.g., the Chief Financial Officers Council), should develop a strategy for ensuring that agencies communicate sufficient and timely internal control plans for effective oversight of disaster relief funds. (Recommendation 1)

View recommendation(s) status

Introduction 


Congressional Requesters

The destruction that disasters cause must be addressed immediately, and agencies must deliver disaster relief funding expeditiously. However, the risk of improper payments increases when agencies spend billions of dollars quickly. In 2017, four sequential disasters—Hurricanes Harvey, Irma, and Maria and the California wildfires—created an unprecedented demand for federal disaster response and recovery resources. Congress passed, and the President signed, three supplemental appropriations acts providing for over $120 billion in additional funding for response and recovery activities related to these disasters.[1]

In these supplemental appropriations acts, Congress also provided an oversight framework related to internal control to limit improper payments of these funds. Congress included the following key payment-integrity provisions to help ensure that agencies spend disaster relief funding as efficiently and effectively as possible:

  • The Office of Management and Budget (OMB) is required to issue criteria for federal agencies to use in designing internal control plans for spending disaster relief funding.
  • Federal agencies are required to submit their plans for ensuring internal control over spending disaster relief funding to GAO, their respective inspectors general (IG), OMB, and Congress.

We have previously reported deficiencies related to OMB’s guidance for federal agencies to develop required internal control plans for funds received under the Disaster Relief Appropriations Act of 2013 and federal agencies’ creation of those plans in response to Hurricane Sandy.[2]

You requested that we evaluate the federal government’s preparedness, response, and recovery efforts related to the three hurricanes and California wildfires in 2017. As part of that effort , this report examines the extent to which selected federal agencies’ internal control plans for spending disaster relief funds provided timely and sufficient external communication to Congress and others and OMB's strategy for implementing statutory requirements for disaster relief internal control plans. In addition, we are conducting a broader body of work covering various disaster response and recovery issues.

To address our objective, we selected for review six of the 19 agencies that received supplemental appropriations for activities in response to the 2017 hurricanes and wildfires. We selected the six agencies that received the highest amounts of combined supplemental appropriations. Each of the six received in excess of $2 billion in supplemental disaster funding: together they received $115 billion of the approximately $120 billion in supplemental appropriations for activities in response to the 2017 disasters. The six agencies were the Departments of Agriculture (USDA), Defense (DOD), Education (Education), Homeland Security (DHS), and Housing and Urban Development (HUD) and the Small Business Administration (SBA). Because this was a nonprobability sample, our findings cannot be generalized to agencies we did not select.

We identified and reviewed relevant agency criteria included in OMB Memorandum M-18-14 (M-18-14), Implementation of Internal Controls and Grant Expenditures for the Disaster-Related Appropriations, and then evaluated whether the internal control plans submitted by the six agencies we selected included information to demonstrate that those agencies satisfied the OMB criteria.[3] We also evaluated whether the internal control plans satisfied minimum documentation requirements included in Standards for Internal Control in the Federal Government.[4]

We also reviewed whether agencies submitted the internal control plans on or before the statutory deadline of March 31, 2018, and whether agencies submitted the plans as required to OMB, GAO, their respective IGs, and the Committees on Appropriations for the U.S. Senate and House of Representatives. We interviewed OMB staff to understand their strategy for implementing statutory requirements for disaster relief internal control plans and their rationale behind guidance in M-18-14. We also interviewed agency officials to understand their processes for developing the internal control plans, including how they interpreted OMB guidance in M-18-14 and its effect, if any, on helping agencies to meet the statutory requirements.

We conducted this performance audit from April 2018 to June 2019 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Background 


Supplemental Appropriations for 2017 Disaster Relief

Congress enacted three supplemental appropriations providing over $120 billion in funding for activities related to the 2017 disasters—Hurricanes Harvey, Irma, and Maria and the California wildfires. Figure 1 shows the distribution of 2017 disaster relief funding by agency.

Figure 1: Distribution of Funding Provided by the Supplemental Appropriations for the 2017 Disasters

The Additional Supplemental Appropriations for Disaster Relief Requirements Act, 2017, as amended by the Further Additional Supplemental Appropriations for Disaster Relief Requirements Act, 2018, required that each federal agency prepare an internal control plan, in accordance with OMB criteria, for funds provided by specified portions of these laws, and submit the plan to GAO, the agency’s IG, and the Committees on Appropriations of the U.S. Senate and House of Representatives by March 31, 2018. Congress also required OMB to issue standard guidance for agencies to use in designing internal control plans, leveraging existing internal control review processes, for disaster relief funding. The guidance was to include, at a minimum

  • robust criteria for identifying and documenting incremental risks and mitigating controls related to disaster relief funding and
  • guidance for documenting the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks.

OMB Guidance

As noted above, the supplemental appropriations acts for 2017 disasters required OMB to establish criteria for agencies to use in developing their 2017 disaster relief internal control plans due March 31, 2018. OMB established the criteria in M-18-14, issued March 30, 2018. This OMB memorandum provides guidance to agencies to implement the internal control provisions of the 2017 disaster relief supplemental appropriations, and in particular, it explains agency responsibilities for managing disaster relief funds. M-18-14 notes that as required by OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (Circular A-123), each agency has overall responsibility for establishing internal controls to manage the risk of fraud—one source of improper payments. [5] Additionally, OMB stated that agencies must use a risk-based approach to design and implement financial and administrative controls to identify and mitigate fraud risks.

Standards for Internal Control in the Federal Government

Federal internal control standards provide the overall framework for establishing and maintaining internal control in the federal government.[6] Internal control should be designed, implemented, and operating effectively to provide reasonable assurance that the operations, reporting, and compliance objectives of an entity will be achieved. The five components of internal control are as follows:

  • Control environment: The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
  • Risk assessment: Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
  • Control activities: The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
  • Information and communication: The quality information management and personnel communicate and use to support the internal control system.
  • Monitoring: Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity’s internal control system. Federal internal control standards' minimum documentation requirements are as follows:

  • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
  • Management develops and maintains documentation of its internal control system.
  • Management documents in policies the internal control responsibilities of the organization.
  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues.
  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.
  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.

Major Finding 

Selected Agencies’ Internal Control Plans Did Not Communicate Timely and Sufficient Information Because OMB Did Not Employ an Effective Strategy

Selected agencies did not submit their internal control plans timely and the plans lacked necessary information because OMB did not employ an effective strategy for timely submission and sufficient content. OMB issued guidance for agencies to use in designing internal control plans for disaster relief funding on March 30, 2018. This gave agencies 1 day to consult the guidance before their internal control plans were due on March 31, 2018. Only one of the six agencies we reviewed, Education, submitted its internal control plan by the statutory deadline. In addition, OMB did not have an effective strategy to communicate to agencies the information that they had to include in their internal control plans. For the six selected agencies, one had not submitted an internal control plan as of April 2019. For the five that submitted internal control plans, their plans did not include sufficient information for us to determine whether they were consistent with OMB guidance and federal internal control standards' minimum documentation requirements.

Five of Six Selected Agencies Did Not Timely Submit Internal Control Plans

The Additional Supplemental Appropriations for Disaster Relief Requirements Act, 2017, as amended, required that each federal agency receiving funds submit, no later than March 31, 2018, and in accordance with criteria to be established by OMB, an internal control plan for spending funds on activities related to the 2017 disasters. Our review of six selected agencies found that most did not meet this deadline. Specifically, we found the following:

  • Education was the only selected agency that submitted its internal control plan by the statutory deadline.
  • DOD had not submitted the required internal control plan related to 2017 disaster funding as of April 2019. We inquired with officials at the U.S. Army Corps of Engineers (USACE), a component of DOD that received most of DOD’s supplemental appropriations for 2017 disaster response, to determine the status of its internal control plan. USACE officials stated that a review of internal controls for funds received through 2017 disaster supplemental appropriations was incorporated in the financial statement audit that its independent public accountant conducted. However, we do not consider the financial statement audit to constitute an internal control plan for 2017 disaster relief funding because it does not describe the agency’s internal controls specific to that funding. Further, USACE officials provided us with a document labeled as an internal control plan for Hurricanes Harvey, Irma, and Maria disaster relief dated March 13, 2019. However, the officials stated that this was an internal document that had not been submitted to OMB or Congress, and that DOD had not requested an internal control plan from USACE for inclusion in a department-level internal control plan for 2017 disaster relief funds.
  • The other four selected agencies submitted the required internal control plans after the March 31, 2018, statutory deadline. Specifically, SBA, USDA, DHS, and HUD submitted their plans in May 2018, August 2018, October 2018, and November 2018, respectively.

OMB did not have an effective strategy to ensure that agencies submitted their internal control plans by the statutory deadline. Specifically, OMB issued M-18-14, which contains guidance for agencies to use in developing their internal control plans, on March 30, 2018, or 1 day before the agencies’ submission deadline. Officials at Education, which submitted its plan on time, stated that they relied on OMB’s Hurricane Sandy-related guidance in OMB Memorandum M-13-07 (M-13-07), Accountability for Funds Provided by the Disaster Relief Appropriations Act, to help develop their internal control plan in the absence of more timely guidance from OMB.[7]

Federal internal control standards state that management should externally communicate the necessary quality information to achieve the entity’s objectives.[8] As part of this process , management selects the appropriate methods of communication, such as a written document or meetings, to communicate quality information, such as criteria for internal control plans, on a timely basis. Because OMB did not establish an effective strategy for timely communicating requirements for agency reporting in internal control plans, federal agencies lacked the information needed to meet the statutory deadline. As a result, Congress and others did not timely receive agency internal control plans.

Selected Agencies' Internal Control Plans Did Not Include Sufficient Information

As stated previously, five of the six selected agencies submitted the required internal control plans to Congress and others, but these plans did not include sufficient information that would allow us to determine if the agencies met OMB directives and federal internal control standards' minimum documentation requirements. The internal control plans we reviewed varied in completeness and detail. For example, one agency's internal control plan was over 30 pages in length, and it included not just descriptions of risks and mitigation strategies for funded activities but also descriptions of the components of internal control and the agency's strategy for addressing them. Conversely, another agency's internal control plan was just over two pages in length. For its program receiving the largest amount of disaster funding, this agency's description of its internal control plan consisted of one paragraph that identified one incremental risk and mitigation strategy for that program. The agency did not describe other controls it used to ensure the integrity for the payment of funds in this program.

OMB did not provide specific instructions to agencies on what to include in their internal control plans. We reviewed selected agencies' internal control plans to determine whether they contained sufficient information to address the following directives in M-18-14 : (1) use a risk-based approach to design and implement financial and administrative controls to identify and mitigate fraud risks, (2) leverage existing enterprise risk management (ERM) processes in assessing risk in disaster situations, (3) weigh operational objectives against the objective of lowering the likelihood of fraud when determining risk tolerances in disaster situations, (4) provide reasonable assurance that the internal control plan specifically addresses disaster relief, and (5) describe how the plan complements existing risk management practices as directed in OMB Circular A-123.

Our review of the internal control plans found that agencies varied in the extent to which their plans communicated how they addressed the directives identified in M-18-14 and federal internal control standards. Specifically, our analysis of internal control plans found the following:

Use of a risk-based approach. M-18-14 states that in disaster situations, fraud risks are higher than under normal circumstances because the need to provide services quickly can hinder the effectiveness of existing controls and create additional opportunities for individuals to engage in fraud. Thus, agencies must use a risk-based approach to design and implement financial and administrative controls to identify and mitigate fraud risks. In four of the five plans we reviewed, agencies addressed elements of using a risk-based approach. Examples of risks the agencies identified included fraud involving construction and related-party transactions, inaccurate grantee data submissions, and misuse of grant funds. Examples of controls agencies described for identifying and mitigating fraud risks included use of data checks to verify eligibility status and conducting regular reviews of grantee performance and financial data. We were unable to determine based on information communicated in the remaining plan whether the agency addressed this directive in developing the plan. The agency did not identify any fraud risks or associated mitigating controls in its plan. Further, M-18-14 does not specify what key information agencies should communicate in their plans in order to demonstrate the use of a risk-based approach to designing and implementing controls to identify and mitigate fraud risks.

Leverage existing ERM processes. M-18-14 states that in assessing risk in disaster situations, agencies should leverage their existing ERM processes, including assessments that contribute to the development of initial risk profiles. In three of the five plans we reviewed, agencies included information related to how the agencies leveraged existing ERM processes to assess risk in disaster situations. For example, one agency's plan listed its relevant existing ERM risks and the potential effect of those risks on disaster programs. The remaining two agencies did not include sufficient information in their plans for us to determine that they addressed the directive in developing their plans. For example, one of the agencies included no reference to or description of ERM processes in its plan. Without such a description included in the plan, we were unable to determine if that agency had leveraged its ERM process to assess risk. Further, M-18-14 does not specify what information agencies should communicate in their plans in order to demonstrate that they leveraged ERM processes.

Weigh operational objectives. M-18-14 states that when determining risk tolerances in disaster situations, managers must weigh the program’s operational objectives against the objective of lowering the likelihood of fraud. In two of five plans we reviewed, agencies included information related to how, when determining risk tolerances in disaster situations, they weighed operational objectives against the objective of lowering the likelihood of fraud. For example, one agency's plan included a risk-appetite statement that described accepting higher fraud risk in order to provide more timely assistance to aid recipients. The remaining three agencies did not include sufficient information in their plans for us to determine how they addressed this directive in developing their plans. For example, while one agency included fraud-related risks and mitigation strategies in its plan, it did not include operational objectives or risk tolerances. Without such information included in the plan, we were unable to determine if that agency had weighed operational objectives or risk tolerances. However, M-18-14 does not specify that agencies communicate such information in their plans.

Provide reasonable assurance. M-18-14 states that agencies receiving disaster relief and emergency funding must provide reasonable assurance that their internal control plans specifically address disaster relief. In two of the five plans we reviewed, agencies included information related to providing reasonable assurance that their plans specifically addressed disaster relief. For example, two agencies’ plans identified the specific laws that provided these agencies with supplemental appropriations for disaster relief and described how the plans addressed requirements in those laws. The remaining three agencies did not include sufficient information in their plans for us to determine how they addressed this directive in developing their plans. For example, one of these three agencies described incremental risks and mitigation strategies in its plan, but did not communicate how the controls specifically addressed disaster relief. Without such a description, we were unable to determine how that agency would provide assurance that its plan specifically addressed disaster relief. However, M-18-14 does not specify that agencies include in their plans information demonstrating how they will provide reasonable assurance the plans address disaster relief.

Complement existing risk management practices. M-18-14 states that agencies’ internal control plans for disaster funds should complement risk-management practices as directed in OMB Circular A-123. In two of the five plans we reviewed, agencies included information that demonstrated that the plans complemented the circular's risk management practices. For example, one agency's plan included a risk-appetite statement and identified program objectives and risks to achieving those objectives, along with mitigating controls. The remaining three agencies did not include sufficient information in their plans for us to determine how the agencies addressed this directive in developing their plans. For example, while one of the agencies described its plan as a risk management plan, the agency did not specify program objectives and risks to achieving the objectives. Without such a description, we were unable to determine how the agency's internal control plan complemented its existing risk management practices. However, M-18-14 does not specify what information agencies should communicate in their plans in order to demonstrate that the plans complement Circular A-123 risk management practices.

Incorporate federal internal control standards. Federal internal control standards provide the overall framework for establishing and maintaining internal control in the federal government and consist of five components and 17 principles that are integral to an entity’s internal control system. While three of the five agencies’ internal control plans included information that related to most of the 17 principles, none of the agencies provided sufficient descriptions of how their internal control plans met all 17 principles of internal control or rationales for why specific principles were not relevant. For example, none of the internal control plans clearly communicated how the agency’s oversight body and management demonstrated a commitment to integrity and ethical values. M-18-14 did not specifically direct agencies to address the five components and 17 principles of internal control. However, M-18-14 states that agencies’ internal control plans should complement risk management practices as directed in Circular A-123, which prescribes requirements conforming with federal internal control standards.

OMB did not have an effective strategy to ensure that its guidance for disaster relief internal control plans would help agencies provide sufficient information to Congress and others. OMB issued M-18-14 in response to the statutory requirement to issue standard guidance for federal agencies to use in designing internal control plans. M-18-14 provided a general description of the process for developing the plans through Circular A-123 ERM requirements; however, the memorandum did not provide clear guidance to federal agencies on the purpose of internal control plans or the type of information that was expected to be included in those written plans.

OMB also did not have an effective outreach strategy to help ensure that agencies had proper assistance in developing and reporting these internal control plans. OMB did not establish an external communication mechanism with an entity such as the Chief Financial Officers Council to determine how agencies could externally communicate key payment-integrity risks that they must address for disaster funds.

OMB staff stated that the current guidance framework was sufficient for the internal control reporting requirements; that Circular A-123 ERM requirements were sufficient for agencies to produce effective internal control plans, because agencies should consider disaster situations as part of their overall consideration of risk. OMB staff also stated that agency managers must be able to prioritize risks, and by implementing ERM, Circular A-123 gives agency managers needed flexibility to address those risks that are most significant. OMB staff stated that risks associated with disaster aid funding may not rise to the same level as other risks that agencies face and thus additional controls may not be warranted. In addition, OMB staff stated that in order to provide flexibility to agencies, their guidance did not specify what key information should be conveyed in the internal control plans.

While it is important that agencies develop effective ERM processes, ERM does not negate the need for assuring effective internal controls over disaster funds. As part of its oversight framework for 2017 disaster funds, Congress specifically required agencies to communicate internal control plans associated with the supplemental funding provided. Congress further specified for the plans to identify and mitigate risks associated with the funding, and for the plans to document the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks. This requirement served as a mechanism to provide transparency to Congress and others to assure that the agencies have properly evaluated their internal controls to help ensure the proper accountability over their funding. By including this requirement, Congress communicated its view that disaster funding carried specific risks that needed to be addressed by federal agencies. However, with OMB’s focus on ERM, it is possible for agencies to determine that disaster funding does not rise to the level of a significant risk; therefore, agencies’ internal control plans would not specifically address risks associated with disaster funding.

Further, absent clear reporting guidance, such as criteria specifying plan content or illustrative examples of completed plans, certain federal agencies had difficulties in developing their plans. Officials at Education, HUD, and SBA stated that they consulted OMB’s Hurricane Sandy–related guidance in M-13-07, which included an internal control plan template, to help them develop their internal control plans. Also, officials at certain agencies said that it might be helpful to hear from other agencies about the internal control risks they identified for 2017 disaster funds and how they addressed those risks.

Federal internal control standards state that management should externally communicate necessary quality information to achieve the entity’s objectives.[9] For example, information communicated to oversight bodies includes significant matters relating to risks, such as with disaster relief spending, that Congress has required be mitigated and reported. This communication is necessary for the effective oversight of internal control. Without a clear OMB strategy for preparing for oversight of future disaster relief funding, there is an increased risk that agencies will not appropriately assess risks associated with disaster funding. Further, Congress and others may not be provided the necessary information about internal controls; this will affect their ability to provide effective oversight.

OMB Has Not Implemented Our Priority Recommendation on Disaster Funding Guidance

We have previously reported deficiencies related to OMB’s guidance for development of internal control plans related to disaster funds. Specifically, in 2013, we reported on several weaknesses in OMB’s guidance that limited agencies' effectiveness in providing a comprehensive oversight mechanism for disaster funds.[10] Specifically, the guidance (1) focused on identifying incremental risks without demonstrating that known risks had been adequately addressed; (2) provided agencies with significant flexibility as it did not require documentation or criteria for claiming exceptions, such as why the OMB requirements were not feasible or practicable; and (3) resulted in certain agencies developing their internal control plans at the same time that funds needed to be quickly distributed. We recommended that OMB develop more robust guidance for agencies to design internal control plans for future disaster relief funding. In commenting on the draft report, OMB staff generally agreed with our recommendation. On July 15, 2016, OMB issued the revised Circular A-123. The circular requires agencies to implement ERM, which includes developing a risk profile that analyzes risks to achieving strategic objectives and identifies options for addressing the risks. However, the revised circular did not include specific guidance for identifying risks related to disaster funding; thus, the recommendation remains open. We plan to continue monitoring OMB’s progress in implementing this priority recommendation.

Conclusions 


The destruction that disasters cause must be addressed immediately, and agencies must deliver disaster relief funding expeditiously. However, the risk of improper payments increases when agencies spend billions of dollars quickly. In mandating that agencies submit internal control plans for spending disaster relief funding in accordance with OMB guidance, Congress underscores the importance of establishing strong internal controls to help ensure that these funds are appropriately safeguarded. These plans serve as a critical transparency tool to provide Congress some assurance that agencies will establish effective and efficient controls over the disaster funds. Selected agencies did not communicate timely or sufficient information related to their internal control plans for disaster relief funds. While OMB directed agencies to use a risk-based approach to internal control in disaster situations, OMB did not have an effective strategy for ensuring that agencies communicated sufficient and timely internal control plans. As a result, Congress and others may not be able to fully assess the extent to which agencies achieve payment integrity objectives for the disaster relief funds.

Agency Comments and Our Evaluation 


We provided a draft of this report to OMB, DOD, DHS, Education, HUD, SBA, and USDA. OMB staff provided comments via email that disagreed with our recommendation, which we summarize below. Education provided comments, which are reproduced in appendix I. SBA provided comments via email, which are summarized below. DOD, DHS, HUD, and USDA informed us that they had no comments.

In its comments, OMB disagreed with our recommendation that it should develop a strategy for ensuring that agencies communicate sufficient and timely internal control plans for effective oversight of disaster relief funds. OMB staff stated that OMB did not believe the sufficiency or timeliness of control plans present material issues that warranted OMB action. While OMB acknowledged that almost all agency control plans were submitted after the statutory deadline, OMB staff stated that this delay in itself neither indicated the absence of controls nor the effectiveness of those controls. Further, OMB staff stated that it is agency management and not OMB that has responsibility for ensuring compliance with applicable laws and regulations.

While agencies were responsible for submitting their internal control plans, federal law placed the responsibility of establishing the criteria for the internal control plans with OMB. We found that OMB provided neither timely nor sufficient guidance to agencies for developing their internal control plans. Specifically, OMB issued M-18-14 1 day before agencies were required to submit their internal control plans. Further, M-18-14 provided a general description of the process for developing the plans through Circular A-123 ERM requirements, but it did not provide clear guidance on the purpose of internal control plans or the type of information that was expected to be included in the written plans. Because OMB did not establish an effective strategy for timely communicating requirements for agency reporting in internal control plans, federal agencies lacked the information needed to meet the statutory deadline. In addition, absent clear reporting guidance, such as criteria specifying plan content or illustrative examples of completed plans, certain federal agencies had difficulties in developing their plans.

OMB staff also stated that OMB believed its guidance, in particular Circular A-123, which OMB said implements GAO’s Standards for Internal Control in the Federal Government and GAO’s A Framework for Managing Fraud Risks in Federal Programs, provides the guidance needed to prepare agencies’ control plans. OMB staff stated that control plans in an effective system of internal control should be operational, iterative, living documents that should be updated in response to emerging risks.[11] According to OMB staff, internal control plans are not developed for external communications and are not the sources of assurances over disaster relief funds, which are published in agencies’ annual financial reports.

While it is important that agencies implement Circular A-123, which directs agencies to develop effective ERM processes, we believe that ERM does not negate the need for assuring effective internal controls over disaster relief funds. As we noted in our report, with OMB’s focus on ERM, it is possible for agencies to determine that disaster funding does not rise to the level of a significant risk; therefore, agencies’ internal control plans would not specifically address risks associated with disaster funding. In addition, while it is important for agencies to update their internal control plans in response to emerging risks, Congress specifically required agencies to communicate internal control plans for the supplemental funds provided for activities related to the 2017 disasters. These plans, when provided timely and with sufficient information, could serve as a critical transparency tool to provide lawmakers some assurance that agencies will establish effective and efficient controls over the disaster funds. Therefore, we believe that our recommendation is warranted.

In its written comments, Education acknowledged that developing and implementing effective internal control plans is essential to assessing the risks associated with federal disaster relief funding. Education disagreed with our assessment that its internal control plan did not provide sufficient information for the following OMB directives in M-18-14:

  • weigh operational objectives against the objective of lowering the likelihood of fraud when determining risk tolerances in disaster situations,
  • provide reasonable assurance that the internal control plan specifically addresses disaster relief, and
  • describe how the plan complements existing risk management practices as directed in OMB Circular A-123.

We did not see sufficient evidence in Education's plan to demonstrate that it addressed the three directives noted above. We acknowledge that in our meetings with them, Education officials discussed with us how the steps described in their plan related to M-18-14 directives. However, in determining whether agencies' plans communicated sufficient information, we considered for purposes of this report only that information that agencies included in the plans themselves.

As previously stated, Education was the only agency in our scope to submit its internal control plan before the March 31, 2018, statutory deadline. Because OMB issued M-18-14 1 day before the plans were due, Education had little time to review directives in M-18-14 and still submit its plan by the due date. As previously mentioned, Education officials stated that in the absence of more timely guidance from OMB, they relied on OMB's previous guidance in M-13-07 to help develop their internal control plan. As discussed in our report, OMB has not developed a strategy for ensuring that agencies, such as Education, communicate sufficient and timely internal control plans for effective oversight of disaster relief funds. Without such a strategy and guidance, Congress and others may not be able to fully assess the extent to which agencies achieve payment integrity objectives for disaster relief funds.

In addition, Education stated that its internal control plan addressed, in part, all five components as outlined in the federal internal control standards, and it believed that our assessment did not take into account the extent to which these components are integrated into its internal control plan. However, federal internal control standards consist of five components, as well as 17 principles, all of which are integral to an entity's internal control system. Our evaluation of internal control plans found that none of the agencies—including Education—provided sufficient descriptions of how their internal control plans met all 17 principles of internal control or rationales for why any particular principles were not relevant. For example, none of the internal control plans clearly communicated how the agencies addressed principle 1, which states the oversight body and management should demonstrate a commitment to integrity and ethical values.

Education also commented that at a meeting held May 8, 2019, we noted that in some cases its plan was deemed insufficient because of either the level of detail or formatting concerns. We disagree with this comment. Our evaluation of the internal control plans focused on whether the plans included sufficient information to demonstrate that they satisfied the OMB directives and federal internal control standards, and not concerns about formatting.

The SBA liaison—Program Manager, Office of Congressional and Legislative Affairs—stated that SBA's Office of Disaster Assistance did not have any comments regarding the content of our draft report. In its email, SBA stated that it has in place a comprehensive, robust system of internal control for its ongoing disaster response operations. SBA stated that its established system of internal control covered the higher risks of improper payments and fraud that come with a larger volume of transactions following a series of large disasters. SBA further stated that its internal control system has proven effective during disasters of all sizes, and that a larger volume of transactions does not fundamentally change its internal control system. In addition, SBA stated that writing a supplementary comprehensive plan on risks and controls for an existing disaster response program would be both duplicative and of low value, and that this would seem to contradict the effort to reduce the burden on federal agencies in order for them to operate more effectively and efficiently to comply with the President’s Management Agenda.

As part of our audit, we did not evaluate the extent to which SBA’s internal control system was effective in preventing improper payments and fraud. Rather, we evaluated whether selected agencies—including SBA—met Congress's statutory mandate to timely submit internal control plans with sufficient information to demonstrate that agencies met OMB directives and federal internal control standards requirements. Despite SBA's concern that such plans for existing disaster response programs would be duplicative and of low value, Congress, as part of its oversight framework for 2017 disaster funds, specifically required agencies to communicate internal control plans for the supplemental disaster relief funding it provided. This requirement served as an external communication mechanism to provide transparency to Congress and others to assure that the agencies have properly evaluated their internal controls to help ensure accountability over their funding.

- - - - - - - - - - -

We are sending copies of this report to the appropriate congressional committees; the Secretaries of Agriculture, Defense, Education, Homeland Security, and Housing and Urban Development; the Administrator of the Small Business Administration; the Director of the Office of Management and Budget; and other interested parties. In addition, the report is available at no charge on the GAO website at http://www.gao.gov.

If you or your staff have any questions about this report, please contact me at (202) 512-2623 or davisbh@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix II.

Beryl H. Davis

Director

Financial Management and Assurance

Congressional Addressees

The Honorable Michael Enzi
Chairman
Committee on the Budget
United States Senate

The Honorable Ron Johnson
Chairman
The Honorable Gary C. Peters
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Rand Paul, MD
Chairman
Subcommittee on Federal Spending, Oversight and Emergency Management
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Marco Rubio
Chairman
Committee on Small Business and Entrepreneurship
United States Senate

The Honorable Maxine Waters
Chairwoman
Committee on Financial Services
House of Representatives

The Honorable Sean Duffy
Ranking Member
Subcommittee on Housing, Community Development and Insurance
Committee on Financial Services
House of Representatives

The Honorable Al Green
Chairman
Subcommittee on Oversight and Investigations
Committee on Financial Services
House of Representatives

The Honorable Bennie Thompson
Chairman
Committee on Homeland Security
House of Representatives

The Honorable Elijah Cummings
Chairman
The Honorable Jim Jordan
Ranking Member
Committee on Oversight and Reform
House of Representatives

The Honorable Nydia Velázquez
Chairwoman
Committee on Small Business
House of Representatives

The Honorable Peter DeFazio
Chairman
The Honorable Sam Graves
Ranking Member
Committee on Transportation and Infrastructure
House of Representatives

The Honorable Emanuel Cleaver, II
House of Representatives

The Honorable Michael McCaul
House of Representatives

The Honorable Gary J. Palmer
House of Representatives

The Honorable Ann Wagner
House of Representatives

Appendixes 


Appendix I: Comments from the Department of Education

Appendix II: GAO Contact and Staff Acknowledgments

GAO Contact

Beryl H. Davis, (202) 512-2623 or davisbh@gao.gov

Staff Acknowledgments

In addition to the contact named above, Matthew Valenta (Assistant Director), Daniel Flavin (Auditor in Charge), Anthony Clark, John Grobarek, Diana Lee, and Angela Wills made key contributions to this report.

References

Figures

  1. Figure 1: Distribution of Funding Provided by the Supplemental Appropriations for the 2017 Disasters
  2.  

Abbreviations

AbbreviationDescription
DHSDepartment of Homeland Security
DODDepartment of Defense
EducationDepartment of Education
ERMenterprise risk management
HUDDepartment of Housing and Urban Development
IGinspector general
OMBOffice of Management and Budget
SBASmall Business Administration
USACEU.S. Army Corps of Engineers
USDADepartment of Agriculture

End Notes

Contacts

Beryl H. Davis

Director, Financial Management and Assurance, DavisBH@gao.gov, (202) 512-2623

Congressional Relations

Orice Williams Brown, Managing Director, williamso@gao.gov, (202)-512-4400
U.S. Government Accountability Office
441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202)-512-4800
U.S. Government Accountability Office
441 G Street NW, Room 7149, Washington, DC 20548

Strategic Planning and External Liaison

James-Christian Blockwood, Managing Director, spel@gao.gov, (202)-512-4707
U.S. Government Accountability Office
441 G Street NW, Room 7814, Washington, DC 20548

Download a PDF Copy of This Report

Download a PDF copy of this report at no cost.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence on our website. You can also subscribe to GAO’s e-mail updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s cost of production and distribution. Pricing and ordering information is posted on our website.

To Report Fraud, Waste, and Abuse in Federal Programs

Website: https://www.gao.gov/fraudnet/fraudnet.htm
Automated answering system: (800) 424-5454 or (202) 512-7470

Connect with GAO

Connect with GAO on Facebook, Flickr, LinkedIn, Twitter, and YouTube. Subscribe to our RSS Feeds or E-mail updates. Listen to our Podcasts. Visit GAO on our website and read the Watchblog.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Copyright

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

(102711)