Hurricane Sandy Relief: Improved Guidance on Designing Internal Control Plans Could Enhance Oversight of Disaster Funding
Highlights
What GAO Found
In response to the Disaster Relief Appropriations Act, 2013, agencies prepared Hurricane Sandy disaster relief internal control plans based on Office of Management and Budget (OMB) guidance but did not consistently apply the guidance in preparing these plans. OMB Memorandum M-13-07 (M-13-07), Accountability for Funds Provided by the Disaster Relief Appropriations Act, directed federal agencies to provide a description of incremental risks they identified for Sandy disaster relief funding as well as an internal control strategy for mitigating these risks. Each of the 19 agencies responsible for the 61 programs receiving funds under the act submitted an internal control plan with specific program details using a template provided by OMB. Agencies' plans ranged from providing most of the required information to not providing any information on certain programs. For example, each of the 61 programs was required to discuss its protocol for improper payments; however, GAO found that 38 programs included this information, 11 included partial information, and 12 included no information.
OMB's guidance was an important step in the oversight of Sandy disaster funding, addressing internal controls, improper payments protocol, and unexpended grant funds. However, several weaknesses limited its effectiveness in providing a comprehensive oversight mechanism for these funds. Specifically, the guidance (1) focused on the identification of incremental risks without adequate linkages to demonstrate that known risks had been adequately addressed, (2) provided agencies with significant flexibility without requirements for documentation or criteria for claiming exceptions, and (3) resulted in certain agencies developing their internal control plans at the same time that funds needed to be quickly distributed. GAO found that OMB guidance:
Asked agencies to focus on mitigating incremental risk, so the resulting plans did not provide comprehensive information on all known risks and internal controls that may affect the programs that received funding. Linking the additional risks identified in the plans to the complete set of known risks and related internal controls can help agency management and Congress to provide effective oversight of the funds.
Allowed agencies significant flexibility in deciding whether they needed to design additional internal controls, and did not provide specific criteria for agencies to claim exemptions from requirements. GAO found that some agencies did not discuss certain additional internal controls in their plans, despite having identified incremental risks.
Did not require agencies to document their rationales for not including additional internal controls in their plans. As a result, it was not apparent from the internal control plans the extent to which the agencies considered the need for these additional internal controls.
Was developed and issued in a short time frame in response to the act. By the time that the agencies submitted their internal control plans on March 31, 2013, they reported that they had already obligated approximately $4.6 billion. Standard internal control guidance for disaster funding could help ensure that controls are designed timely.
Why GAO Did This Study
In late October 2012, Hurricane Sandy devastated portions of the Mid-Atlantic and northeastern United States, leaving victims of the storm and their communities in need of financial assistance for disaster relief aid. On January 29, 2013, the President signed the Disaster Relief Appropriations Act, 2013, which provided approximately $50 billion in supplemental appropriations, before sequestration, to 61 programs at 19 federal agencies for expenses related to the consequences of Hurricane Sandy. The act required agencies to submit internal control plans for the funds in accordance with OMB criteria by March 31, 2013.
The act mandated GAO to review the design of agencies' internal control plans. This report addresses the extent to which (1) the internal control plans prepared by federal agencies complied with OMB guidance and (2) OMB's guidance was effective for providing comprehensive oversight of the internal control risks for the programs receiving funds for Sandy disaster relief. To address these objectives, GAO reviewed agencies' Sandy disaster relief internal control plans; M-13-07; and relevant GAO, inspector general, and financial statement audit reports. GAO also reviewed the internal control plans and M-13-07 against internal control standards.
Recommendations
GAO recommends that OMB develop more robust guidance for agencies to design internal control plans for future disaster relief funding. OMB staff generally agreed with GAO's recommendation.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget |
Priority Rec.
To proactively prepare for oversight of future disaster relief funding, the Director of OMB should develop standard guidance for federal agencies to use in designing internal control plans for disaster relief funding. Such guidance could leverage existing internal control review processes and should include, at a minimum, the following elements: (1) robust criteria for identifying and documenting incremental risks and mitigating controls related to the funding and (2) requirements for documenting the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks.
|
The Office of Management and Budget (OMB) stated that they generally agreed with our recommendation and requested additional information on the findings to inform future guidance. In July 2016, OMB issued the revised Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. The Circular requires agencies to implement enterprise risk management, which includes the development of a risk profile that analyzes the risks faced in achieving strategic objectives and identifies options for addressing them. In April 2017, OMB staff stated that they believe that the implementation of enterprise risk management through Circular A-123 satisfies the intent our recommendation. Because the responsibility for implementing enterprise risk management lies with agency management, Circular A-123 does not include specific guidance for identifying risks related to disaster funding. Additionally, the Bipartisan Budget Act of 2018, Sec. 21208(c) requires OMB to issue standard guidance for federal agencies to use in designing internal control plans for disaster relief funding to proactively prepare for oversight of future disaster relief funds. The Act states this guidance shall leverage existing internal control review processes and shall include, at a minimum, (1) robust criteria for identifying and documenting incremental risks and mitigating controls related to the funding, and (2) guidance for documenting the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks. GAO reviewed OMB's actions to implement the law. In June 2019, we reported in GAO-19-479 that this 2013 recommendation remains open. Further, we reported that OMB did not have an effective strategy to ensure that agencies timely submitted internal control plans; and OMB's Memorandum M-18-14, Implementation of Internal Controls and Grant Expenditures for the Disaster-Related Appropriations lacked specific instructions to agencies on what to include in their internal control plans. As such, a new recommendation was warranted. As of March 2024, OMB did not indicate any change in its position. To address this recommendation, OMB should issue guidance on internal control for disaster relief funding, including criteria for identifying additional risks and mitigating controls related to the funding and a requirement to link these incremental risks to ongoing efforts to address known internal control risks. We will continue to monitor OMB's actions to address this priority recommendation.
|