Disaster Response: Agencies Should Assess Contracting Workforce Needs and Purchase Card Fraud Risk
Fast Facts
Contracts and purchase cards are 2 ways agencies can acquire goods and services to get urgently needed items after a disaster. We assessed selected agencies' planning for contracting workforce needs and purchase card fraud risks related to disaster response and found:
Not all agencies planned for or assessed their contracting workforce needs for disaster response
Only 1 of the 6 agencies assessed how purchase card fraud risks change during disaster response
We recommended that agencies assess disaster contracting workforce needs and purchase card fraud risks to improve disaster response.
Canal debris in the Florida Keys following Hurricane Irma
Highlights
What GAO Found
The efforts of selected agencies to plan for disaster contracting activities and assess contracting workforce needs varied. The U.S. Forest Service initiated efforts to address its disaster response contracting workforce needs while three agencies—the U.S. Army Corps of Engineers (USACE), the U.S. Coast Guard, and Department of the Interior (DOI)—partially addressed these needs. The Environmental Protection Agency indicated it did not have concerns fulfilling its disaster contracting responsibilities. Specifically, GAO found the following:
USACE assigned clear roles and responsibilities for disaster response contracting activities, but has not formally assessed its contracting workforce to determine if it can fulfill these roles.
The Coast Guard has a process to assess its workforce needs, but it does not account for contracting for disaster response activities.
DOI is developing a strategic acquisition plan and additional guidance for its bureaus on how to structure their contracting functions, but currently does not account for disaster contracting responsibilities.
Contracting officials at all three of these agencies identified challenges executing their regular responsibilities along with their disaster-related responsibilities during the 2017 and 2018 hurricane and wildfire seasons. For example, Coast Guard contracting officials stated they have fallen increasingly behind since 2017 and that future disaster response missions would not be sustainable with their current workforce. GAO's strategic workforce planning principles call for agencies to determine the critical skills and competencies needed to achieve future programmatic results. Without accounting for disaster response contracting activities in workforce planning, these agencies are missing opportunities to ensure their contracting workforces are equipped to respond to future disasters.
The five agencies discussed above, as well as the Federal Emergency Management Agency (FEMA), collectively spent more than $20 million for 2017 and 2018 disaster response activities using purchase cards. GAO found that two of these six agencies—Forest Service and EPA—have not completed fraud risk profiles for their purchase card programs that align with leading practices in GAO's Fraud Risk Framework. Additionally, five of the six agencies have not assessed or documented how their fraud risk for purchase card use might differ in a disaster response environment. DOI completed such an assessment during the course of our review. An Office of Management and Budget memorandum requires agencies to complete risk profiles for their purchase card programs that include fraud risk. GAO's Fraud Risk Framework states managers should assess fraud risk regularly and document those assessments in risk profiles. The framework also states that risk profiles may differ in the context of disaster response when managers may have a higher fraud risk tolerance since individuals in these environments have an urgent need for products and services. Without assessing fraud risk for purchase card programs or how risk may change in a disaster response environment, agencies may not design or implement effective internal controls, such as search criteria to identify fraudulent transactions.
Why GAO Did This Study
The 2017 and 2018 hurricanes and California wildfires affected millions of people and caused billions of dollars in damages. Extreme weather events are expected to become more frequent and intense due to climate change. Federal contracts for goods and services play a key role in disaster response and recovery, and government purchase cards can be used by agency staff to buy needed items.
GAO was asked to review federal response and recovery efforts related to recent disasters. This report examines the extent to which selected agencies planned for their disaster response contracting activities, assessed their contracting workforce needs, and assessed the fraud risk related to their use of purchase cards for disaster response.
GAO selected six agencies based on contract obligations for 2017 and 2018 disasters; analyzed federal procurement and agency data; reviewed agencies' policies on workforce planning, purchase card use, and fraud risk; and analyzed purchase card data. FEMA was not included in the examination of workforce planning due to prior GAO work.
Recommendations
GAO is making 12 recommendations, including to three agencies to assess disaster response contracting needs in workforce planning, and to five agencies to assess fraud risk for purchase card use in support of disaster response.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Corps of Engineers | The Secretary of the Army should ensure that the Commanding General of the Army Corps of Engineers develops guidance to ensure that its district-level affordability determinations account for the agency's disaster response contracting activities. (Recommendation 1) | The Department of Defense (DOD) agreed with this recommendation. In October 2020, DOD said that the U.S. Army Corps of Engineers (USACE) Director of Contracting will provide guidance to commanders to support completion of the USACE Annual Workforce Workload Assessment, which is an assessment to ensure that USACE districts have the capability to accomplish planned contracting workload and disaster response missions arising throughout the year. As part of the workload assessments, USACE districts and major subordinate commands assess effects of current workload and operations tempo impacting the contracting workforce determinations on enterprise contracting. In December 2021, USACE's Director of Contracting issued a request to USACE district commanders that they ensure district-level affordability determinations account for the agency's disaster response contracting activities and verify that Annual Workforce Workload Assessments provide commands with the capability to accomplish both planned contracting activities and disaster response missions that may arise throughout the year. In March 2023, USACE officials provided district-level affordability determinations for several USACE contracting divisions, each of which considered contracting support for disaster response missions as a part of their analysis. |
United States Coast Guard | The Commandant of the U.S. Coast Guard should provide guidance or incorporate into existing guidance information to ensure that the Coast Guard's manpower requirements determination for its acquisition directorate accounts for the agency's disaster response contracting activities. (Recommendation 2) | The U.S. Coast Guard agreed with this recommendation. The Coast Guard updated its Manpower Requirements Manual in November 2020, and in April 2021, produced its first ever Manpower Requirements Determination Tactics, Techniques, and Procedures document. Among other things, the Tactics, Techniques, and Procedures document outlines how manpower requirements should be determined in relation to seasonal and surge needs, including those related to disaster response. Additionally, in March 2023, the Coast Guard submitted an updated Manpower Requirements Plan to Congress, which outlines how the Coast Guard evaluates manpower requirements to determine the workforce size and composition necessary for mission execution. The plan includes discussion of a working group and a tool established to analyze the size and shape of the reserve force available for contingency operations, which would include disaster response. The plan states that, while the tool provided insights on Coast Guard's reserve force, the Coast Guard determined that conducting similar analyses for other workforce segments would be duplicative to existing manpower estimating processes. |
Department of the Interior | The Secretary of the Interior should ensure that upcoming guidance directs bureaus to consider their disaster contracting activities when planning their contracting workforce, where appropriate. (Recommendation 3) | The Department of the Interior (DOI) agreed with our recommendation. In March 2022, DOI's Director, Office of Acquisition and Property Management and Senior Procurement Executive issued a memo to DOI's Heads of Contracting Activity requesting that each bureau complete a workforce planning narrative and updated template that highlights several key workforce planning efforts, including planning for emergency acquisition personnel. In September 2022, DOI provided a completed template for one bureau that demonstrated how the bureau had assessed its workforce planning with consideration of disaster response activities. |
Corps of Engineers | The Secretary of the Army should ensure that the Commanding General of the Army Corps of Engineers updates its fraud risk profile for the purchase card program to include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 4) | The Department of Defense (DOD) agreed with this recommendation. In October 2020, DOD stated that the U.S. Army Corps of Engineers (USACE) Director of Contracting will work with the Headquarters USACE National Internal Control Program Manager to enhance USACE's fraud risk profile during the 2022 Risk Management and Internal Control Program (RMICP) cycle. DOD stated that the enhanced fraud risk profile will document how, if at all, the USACE risk profile for purchase card use differs in support of disaster response. In December 2021, the USACE Director of Contracting emailed USACE district-level staff stating that RMICP risk profiles should consider both fraud risk for normal purchase card use and fraud risk for purchase card use in support of disaster response. In June 2022, USACE issued guidance for the upcoming RMICP cycle, including an updated template for the development of USACE's fraud risk profile, which includes purchase card use in contingency operations. In May 2023, USACE provided an updated fraud risk profile based on the RMICP guidance for fiscal year 2022. The risk profile identified inherent risks to the government purchase card program more broadly and for disaster response activities. However, the profile did not identify the specific risks associated with purchase card use in a disaster response environment. In August 2023, USACE issued a memorandum and enclosure documenting an assessment of the potential fraud risks the purchase card program is exposed to during disaster response activities. The memorandum noted that purchase card use in a disaster response environment carries certain risks that are not otherwise present, or are increased, because of circumstances related to the nature of disaster response. |
Federal Emergency Management Agency | The Administrator of the Federal Emergency Management Agency should update its fraud risk profile for the purchase card program to include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 5) | The Department of Homeland Security (DHS) agreed with our recommendation. In fiscal year 2022, FEMA updated its fraud risk profile documenting risk assessments of its government purchase card program. As part of this update, the Federal Emergency Management Agency delineated controls in place for disaster-related purchase card transactions separately from non-disaster purchase card transactions, and identified a higher residual risk for disaster-related transactions. |
Department of Agriculture | The Secretary of the U.S. Department of Agriculture should direct the Forest Service to update its fraud risk profile for the purchase card program to align with the leading practices in the Fraud Risk Framework and include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 6) | The U.S. Department of Agriculture agreed with our recommendation. In September 2022, the Forest Service updated its fraud risk profile documenting risk assessments of its government purchase card program. The fraud risk profile included information that generally aligns with leading practices in GAO's Fraud Risk Framework--containing detailed information assessing the likelihood and impact of risk factors, an evaluation of existing controls, and proposed risk response. The fraud risk profile also describes how fraud risk changes during disaster response. |
United States Coast Guard | The Commandant of the U.S. Coast Guard should update its fraud risk profile for the purchase card program to include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 7) | The U.S. Coast Guard agreed with this recommendation. In March 2022, U.S. Coast Guard officials stated that they anticipate that an updated risk register which includes a natural disaster fraud risk analysis will be released in the fourth quarter of fiscal year 2022. In January 2023, officials noted that the fraud risk assessment is monitored and directed by the Department of Homeland Security (DHS). The Coast Guard submitted an updated recommendation to DHS on the fraud risk assessment and is awaiting notification from DHS. U.S. Coast Guard officials said that once received, the Coast Guard will provide an updated fraud risk assessment. In March 2024, Coast Guard officials described its improper payments program, but had not yet provided its updated fraud risk profile to GAO. There is no current anticipated completion date. GAO will continue to monitor the U.S. Coast Guard's progress in addressing this recommendation. |
Environmental Protection Agency | The Administrator of the Environmental Protection Agency should take additional steps to complete and document a fraud risk profile for the purchase card program that aligns with the leading practices in the Fraud Risk Framework and includes an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 8) | The Environmental Protection Agency (EPA) agreed with our recommendation. In October 2020, EPA said that the agency has begun preliminary work to determine and document the program's fraud risk profile based on GAO's leading practices. In May 2021, EPA said that the agency was in the process of reviewing EPA's purchase card program and assessing information collected from oversight tools to help populate EPA's Purchase Card Fraud Risk Framework. EPA noted that the new framework will help change the culture of the EPA's purchase card community by presenting information that demonstrates how the agency is committing, assessing, designing, implementing, evaluating, and adapting to annual performance of the framework requirements. In July 2021, EPA officials stated that EPA completed an analysis of current purchase card program practices, oversight, and control activities to better understand how to adopt the concepts and practices detailed in GAO's leading practices. In addition, EPA officials said that they developed a purchase card fraud risk questionnaire to survey purchase cardholders, approving officials, acquisition staff, managers, and transaction reviewers to gain further insight into EPA's purchase card fraud risk and better address fraud risk mitigation. In February 2022, EPA provided a purchase card fraud risk assessment report and fraud risk profile for its purchase card program. The purchase card fraud risk assessment report provided detailed information about the agency-conducted assessment activities, which, among other things, EPA used to gain insight into fraud risk concerns, attitudes, and perceptions within the agency to address fraud risk mitigation. In addition, in alignment with the leading practices of GAO's Fraud Risk Framework, EPA's fraud risk analysis contains detailed information assessing the likelihood and impact of inherent risk factors, an evaluation of existing controls, and proposed risk response for four separate risks associated with charge cards. The fraud risk profile also designates separate impacts, likelihoods, and proposed risk responses for EPA's disaster response activities. |
Federal Emergency Management Agency | The Administrator of the Federal Emergency Management Agency should ensure that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 9) | The Department of Homeland Security (DHS) agreed with this recommendation. In October 2020, DHS officials told us that the Federal Emergency Management Agency's (FEMA) Office of the Chief Financial Officer would develop a data collection methodology, in coordination with Citibank, to include both the disaster event supported and sufficient vendor information to allow more comprehensive fraud risk analysis. As a result of this effort, officials told us that the FEMA Finance Center interface was able to capture purchase card data by disaster and merchant for purchases starting in December 2020, and FEMA provided us a report of purchase card transactions for September through October 2021. The data provided included FEMA's purchase card spending over that time period, vendor information, and codes that could be linked to the disaster event supported (e.g., Hurricanes Harvey and Maria)--adequate data to conduct fraud risk analysis of purchase card use in support of disaster response. |
Corps of Engineers | The Secretary of the Army should ensure that the Commanding General of the Army Corps of Engineers ensures that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 10) | DOD agreed with our recommendation. In December 2020, DOD issued a memorandum directing the Heads of Contracting Activity to issue component-level guidance on recording and retaining purchase card information when National Interest Action codes--which allow agencies to track data on contract actions related to national emergencies--are issued for applicable operations. In December 2021, the U.S. Army Corps of Engineers (USACE) Director of Contracting emailed USACE district-level staff stating that USACE commands should be using National Interest Action codes when issued for disaster response events. In addition, the Director of Contracting stated that by entering the appropriate information on the funding document and in the purchase card's Electronic Access System purchase log, the system can help provide a list of purchase card transactions by supported disaster response with sufficient vendor information for fraud analyses. In July 2022, USACE provided a report of USACE's disaster response purchase card transactions from March 2020 through December 2021, which showed USACE's disaster-related purchase card spending by disaster and vendor--data elements key to ensuring the agency has adequate data to allow for fraud risk analysis of purchase card use in support of disaster response. |
United States Coast Guard | The Commandant of the U.S. Coast Guard should ensure that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 11) | The U.S. Coast Guard agreed with this recommendation. In January 2023, U.S. Coast Guard officials said that the Coast Guard's data migration to the Financial Systems Modernization Solution was complete, which was a necessary step prior to detailing actions and milestones for fully implementing this recommendation. However, Coast Guard continued to refine how the system captures and displays data. For example, Coast Guard requested that the system include a credit card transaction description field associated with each listed transaction. By adding the description field, purchase cardholders and Approving Officials could then identify if the transaction was COVID/natural disaster-related at the transaction-level. U.S. Coast Guard officials said that this data could then be submitted to DHS for access by program offices. In August 2023, Coast Guard officials told us that the system, which will allow cardholders and approving officials to add details in the description field about what was purchased, such as disaster response-related purchases, was still under development. In July 2024, Coast Guard officials told us that these system changes will be implemented as part of an overall purchase card redesign effort, with an estimated completion date of November 2024. GAO will continue to monitor the U.S. Coast Guard's progress in addressing this recommendation. |
Environmental Protection Agency | The Administrator of the Environmental Protection Agency should ensure that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 12) | The Environmental Protection Agency (EPA) agreed with our recommendation. In October 2020, EPA said that through the collaborative work of the Agency's Office of the Chief Financial Officer and Office of Mission Support, EPA would pursue improvements to existing emergency response financial and purchase card use tracking procedures to ensure financial and purchase card transaction reporting systems provide accurate, accessible data in order to conduct fraud analysis in accordance with the mandated framework, including analysis specific to disaster response. In July 2021, EPA stated they are using a process that includes retrieving data from multiple data systems and reviewing electronic records maintained by purchase cardholders. As part of this process, EPA officials said that they are able to obtain the data needed to conduct analysis of purchase card use in support of disaster response, including the disaster event, such as a hurricane, and vendor information to allow for fraud analysis. EPA provided a report of EPA's fiscal year 2020 disaster response purchase card transactions, which showed EPA's disaster-related purchase card spending by disaster and vendor. |