Hurricane Sandy Relief:
Improved Guidance on Designing Internal Control Plans Could Enhance Oversight of Disaster Funding
GAO-14-58: Published: Nov 26, 2013. Publicly Released: Nov 26, 2013.
What GAO Found
In response to the Disaster Relief Appropriations Act, 2013, agencies prepared Hurricane Sandy disaster relief internal control plans based on Office of Management and Budget (OMB) guidance but did not consistently apply the guidance in preparing these plans. OMB Memorandum M-13-07 (M-13-07), Accountability for Funds Provided by the Disaster Relief Appropriations Act, directed federal agencies to provide a description of incremental risks they identified for Sandy disaster relief funding as well as an internal control strategy for mitigating these risks. Each of the 19 agencies responsible for the 61 programs receiving funds under the act submitted an internal control plan with specific program details using a template provided by OMB. Agencies' plans ranged from providing most of the required information to not providing any information on certain programs. For example, each of the 61 programs was required to discuss its protocol for improper payments; however, GAO found that 38 programs included this information, 11 included partial information, and 12 included no information.
OMB's guidance was an important step in the oversight of Sandy disaster funding, addressing internal controls, improper payments protocol, and unexpended grant funds. However, several weaknesses limited its effectiveness in providing a comprehensive oversight mechanism for these funds. Specifically, the guidance (1) focused on the identification of incremental risks without adequate linkages to demonstrate that known risks had been adequately addressed, (2) provided agencies with significant flexibility without requirements for documentation or criteria for claiming exceptions, and (3) resulted in certain agencies developing their internal control plans at the same time that funds needed to be quickly distributed. GAO found that OMB guidance:
Asked agencies to focus on mitigating incremental risk, so the resulting plans did not provide comprehensive information on all known risks and internal controls that may affect the programs that received funding. Linking the additional risks identified in the plans to the complete set of known risks and related internal controls can help agency management and Congress to provide effective oversight of the funds.
Allowed agencies significant flexibility in deciding whether they needed to design additional internal controls, and did not provide specific criteria for agencies to claim exemptions from requirements. GAO found that some agencies did not discuss certain additional internal controls in their plans, despite having identified incremental risks.
Did not require agencies to document their rationales for not including additional internal controls in their plans. As a result, it was not apparent from the internal control plans the extent to which the agencies considered the need for these additional internal controls.
Was developed and issued in a short time frame in response to the act. By the time that the agencies submitted their internal control plans on March 31, 2013, they reported that they had already obligated approximately $4.6 billion. Standard internal control guidance for disaster funding could help ensure that controls are designed timely.
Why GAO Did This Study
In late October 2012, Hurricane Sandy devastated portions of the Mid-Atlantic and northeastern United States, leaving victims of the storm and their communities in need of financial assistance for disaster relief aid. On January 29, 2013, the President signed the Disaster Relief Appropriations Act, 2013, which provided approximately $50 billion in supplemental appropriations, before sequestration, to 61 programs at 19 federal agencies for expenses related to the consequences of Hurricane Sandy. The act required agencies to submit internal control plans for the funds in accordance with OMB criteria by March 31, 2013.
The act mandated GAO to review the design of agencies' internal control plans. This report addresses the extent to which (1) the internal control plans prepared by federal agencies complied with OMB guidance and (2) OMB's guidance was effective for providing comprehensive oversight of the internal control risks for the programs receiving funds for Sandy disaster relief. To address these objectives, GAO reviewed agencies' Sandy disaster relief internal control plans; M-13-07; and relevant GAO, inspector general, and financial statement audit reports. GAO also reviewed the internal control plans and M-13-07 against internal control standards.
What GAO Recommends
GAO recommends that OMB develop more robust guidance for agencies to design internal control plans for future disaster relief funding. OMB staff generally agreed with GAO's recommendation.
For more information, contact Beryl H. Davis at (202) 512-2623 or firstname.lastname@example.org.
Recommendation for Executive Action
Comments: The Office of Management and Budget (OMB) stated that they generally agreed with our recommendation. In fiscal year 2014, OMB staff informed us that OMB plans to address our recommendation as part of its ongoing efforts to revise Circular No. A-123, "Management's Responsibility for Internal Control." During the summer of 2015, we provided comments to OMB on the disaster relief section of its draft A-123 guidance. We anticipated that OMB's forthcoming revised A-123 guidance would address this recommendation. On July 15, 2016, OMB issued the revised Circular A-123, "Management's Responsibility for Enterprise Risk Management and Internal Control" however the updated guidance did not address our recommendation. We will continue to assess OMB's efforts to address our recommendation.
Recommendation: To proactively prepare for oversight of future disaster relief funding, the Director of OMB should develop standard guidance for federal agencies to use in designing internal control plans for disaster relief funding. Such guidance could leverage existing internal control review processes and should include, at a minimum, the following elements: (1) robust criteria for identifying and documenting incremental risks and mitigating controls related to the funding and (2) requirements for documenting the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks.
Agency Affected: Executive Office of the President: Office of Management and Budget