Foreign Assistance: USAID Should Strengthen Risk Management in Conflict Zones
Fast Facts
The U.S. Agency for International Development has standard processes to manage risks to its delivery of assistance in countries worldwide. But in countries affected by violent conflict, dangerous conditions can limit USAID's ability to directly oversee its assistance—increasing the risk of fraud or corruption.
We reviewed how USAID manages risks, particularly in 3 countries currently experiencing violent conflict: Nigeria, Somalia, and Ukraine. We found that USAID didn't comprehensively assess and document relevant fraud risks in these countries. Doing so can help safeguard assistance.
We recommended that USAID take these and other actions.
Food Deliveries in Ukraine
Highlights
What GAO Found
The U.S. Agency for International Development (USAID) has standard processes to assess risks to its delivery of assistance in countries worldwide. In countries affected by violent conflict, factors such as attacks on aid facilities can complicate delivery of assistance. Certain USAID processes target specific types of risk, including fiduciary risks such as fraud, counterterrorism- or sanctions-related risks, and security risks. However, GAO found that, contrary to leading practices, USAID did not comprehensively assess or document, in fraud risk profiles, the relevant fraud risks affecting its assistance in the three conflict-affected countries GAO selected for its review—Nigeria, Somalia, and Ukraine. As a result, USAID cannot ensure it has identified and is mitigating all relevant fraud risks in these countries.
Funding Obligated by Selected USAID Bureaus and Missions, Fiscal Year 2023
Note: Selected bureaus are the Bureau for Humanitarian Assistance and the Bureau for Conflict Prevention and Stabilization. Amounts shown have been rounded to the nearest million.
USAID bureaus and missions providing assistance overseas have controls to prevent and detect fiduciary, counterterrorism- or sanctions-related, and security risks, but their ability to conduct direct oversight in conflict zones is limited. Therefore, they rely largely on remote techniques, such as third-party monitoring, for oversight. However, an absence of guidance for using third-party monitoring to detect risks has led to varying use and knowledge of this method. In addition, while the Nigeria and Ukraine missions conduct financial reviews to detect fiduciary risks, the Somalia mission has not. Additional oversight in conflict zones would strengthen USAID's ability to detect risks of misuse or diversion.
USAID's Bureaus for Humanitarian Assistance and for Conflict Prevention and Stabilization have formal mechanisms to share lessons learned about risk management in conflict zones, but USAID does not have such a mechanism for its missions in conflict-affected countries. The bureaus share these lessons through risk-focused groups, among other means. USAID missions primarily identify lessons learned from staff's prior experiences in conflict zones. Without a mechanism to systematically share lessons learned across conflict zones, conflict-affected missions will not benefit from valuable practices employed in other conflict zones and may unnecessarily make or repeat mistakes.
Why GAO Did This Study
In 2023, USAID obligated about $26 billion to assist 19 countries experiencing violent conflict. Limitations on USAID's ability to directly oversee its assistance in conflict-affected areas increase the risk of misuse or diversion. USAID has documented its commitment to protect the integrity of foreign assistance, steward taxpayer funds, and manage risks of fraud and corruption.
GAO was asked to review USAID's risk management in conflict zones. This report evaluates the extent to which USAID has processes for assessing risks to assistance delivery in conflict zones; controls to prevent and detect such risks; and mechanisms for sharing lessons learned about risk management in conflict zones.
GAO reviewed documents and interviewed agency officials. GAO also conducted site visits and reviewed a sample of USAID-funded awards for Nigeria, Somalia, and Ukraine. GAO based its selection of these countries on factors such as the prevalence of conflict. In addition, GAO compared USAID's processes and controls to guidance for fraud risk management in federal programs, USAID policies and guidance, and standards for internal control in the federal government.
Recommendations
GAO is making nine recommendations to USAID, including that it comprehensively assess and document fraud risks, provide guidance on third-party monitoring of risks, and develop a mechanism for systematically sharing risk-related lessons learned for use in conflict zones. USAID concurred with these recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
U.S. Agency for International Development | The USAID Administrator should ensure that BHA conducts comprehensive assessments of fraud risks relevant to its responses in Nigeria, Somalia, and Ukraine and develops response-specific fraud risk profiles based on those assessments. (Recommendation 1) | In its response to our report, USAID agreed with this recommendation. As of October 2024, BHA is in the process of assessing context-specific fraud risks and developing comprehensive response risk profiles for Nigeria, Somalia, and Ukraine. BHA plans to complete these fraud risk assessments and profiles by March 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that CPS conducts a comprehensive assessment of fraud risks relevant to its program in Ukraine and develops a program-specific fraud risk profile based on that assessment. (Recommendation 2) | In its response to our report, USAID agreed with this recommendation. As of October 2024, CPS is in the process of developing a comprehensive response risk assessment for its Ukraine program. CPS plans to complete this assessment and develop a program-specific fraud risk profile by February 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that the USAID Nigeria mission conducts comprehensive assessments of fraud risks relevant to its programs and develops program-specific fraud risk profiles based on those assessments. (Recommendation 3) | In its response to our report, USAID agreed with this recommendation. As of October 2024, USAID is updating its Enterprise Risk Management policies to incorporate fraud risk considerations and improving guidance on how missions can develop their annual risk profiles and conduct comprehensive risk assessments of fraud risks relevant to their programs. The USAID Nigeria mission plans to conduct a comprehensive fraud risk assessment and develop a fraud risk profile by June 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that the USAID Somalia mission conducts comprehensive assessments of fraud risks relevant to its programs and develops program-specific fraud risk profiles based on those assessments. (Recommendation 4) | In its response to our report, USAID agreed with this recommendation. As of October 2024, USAID is updating its Enterprise Risk Management policies to incorporate fraud risk considerations and improving guidance on how missions can develop their annual risk profiles and conduct comprehensive risk assessments of fraud risks relevant to their programs. The USAID Somalia mission plans to conduct a comprehensive fraud risk assessment and develop a fraud risk profile by September 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that the USAID Ukraine mission conducts comprehensive assessments of fraud risks relevant to its programs and develops program-specific fraud risk profiles based on those assessments. (Recommendation 5) | In its response to our report, USAID agreed with this recommendation. As of October 2024, USAID is updating its Enterprise Risk Management policies to incorporate fraud risk considerations and improving guidance on how missions can develop their annual risk profiles and conduct comprehensive risk assessments of fraud risks relevant to their programs. The USAID Ukraine mission plans to conduct a comprehensive fraud risk assessment and develop a fraud risk profile by October 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that the USAID Somalia mission develops a risk-based process for conducting financial reviews. (Recommendation 6) | In its response to our report, USAID agreed with this recommendation. In October 2024, USAID shared plans for the USAID Somalia mission to adopt a risk-based process for conducting financial reviews by September 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that the Assistant to the Administrator of the Bureau for Planning, Learning, and Resource Management updates its third-party monitoring guidance to incorporate methods for detecting fiduciary, counterterrorism- or sanctions-related, and security risks into third-party monitoring contracts. (Recommendation 7) | In its response to our report, USAID agreed with this recommendation. In October 2024, USAID shared plans for its Bureau for Planning, Learning, and Resource Management; Bureau for Management; and Office of Security to update the agency's third-party monitoring guidance to provide information on risk detection methods in nonpermissive environments. USAID plans to update this guidance by September 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should ensure that the Assistant to the Administrator of the Bureau for Planning, Learning, and Resource Management creates guidance based on a review of available remote monitoring tools for USAID missions to detect fiduciary, counterterrorism- or sanctions-related, and security risks in nonpermissive environments. (Recommendation 8) | In its response to our report, USAID agreed with this recommendation. In October 2024, USAID shared plans for its Bureau for Planning, Learning, and Resource Management; Bureau for Management; and Office of Security to update existing guidance with information on remote monitoring tools that could assist risk detection methods in nonpermissive environments. USAID plans to update this guidance by September 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |
U.S. Agency for International Development | The USAID Administrator should develop a mechanism for systematically sharing lessons learned among conflict-affected missions related to the management of risks that are common across conflict zones. (Recommendation 9) | In its response to our report, USAID agreed with this recommendation. In October 2024, USAID shared plans to capture and share lessons learned among conflict-affected missions through written reports, learning events, and internal platforms, among other mechanisms. USAID plans to address this recommendation by September 2025. We will continue to monitor USAID's implementation of this recommendation and provide updated information on its progress. |