Disaster Response: Agencies Should Assess Contracting Workforce Needs and Purchase Card Fraud Risk

GAO-21-42 Published: Nov 24, 2020. Publicly Released: Nov 24, 2020.
Jump To:
Fast Facts

Contracts and purchase cards are 2 ways agencies can acquire goods and services to get urgently needed items after a disaster. We assessed selected agencies' planning for contracting workforce needs and purchase card fraud risks related to disaster response and found

Not all agencies planned for or assessed their contracting workforce needs for disaster response

Only 1 of the 6 agencies assessed how purchase card fraud risks change during disaster response

We recommended that agencies assess disaster contracting workforce needs and purchase card fraud risks to improve disaster response.

Canal debris in the Florida Keys following Hurricane Irma

A debris-filled canal

Skip to Highlights
Highlights

What GAO Found

The efforts of selected agencies to plan for disaster contracting activities and assess contracting workforce needs varied. The U.S. Forest Service initiated efforts to address its disaster response contracting workforce needs while three agencies—the U.S. Army Corps of Engineers (USACE), the U.S. Coast Guard, and Department of the Interior (DOI)—partially addressed these needs. The Environmental Protection Agency indicated it did not have concerns fulfilling its disaster contracting responsibilities. Specifically, GAO found the following:

USACE assigned clear roles and responsibilities for disaster response contracting activities, but has not formally assessed its contracting workforce to determine if it can fulfill these roles.

The Coast Guard has a process to assess its workforce needs, but it does not account for contracting for disaster response activities.

DOI is developing a strategic acquisition plan and additional guidance for its bureaus on how to structure their contracting functions, but currently does not account for disaster contracting responsibilities.

Contracting officials at all three of these agencies identified challenges executing their regular responsibilities along with their disaster-related responsibilities during the 2017 and 2018 hurricane and wildfire seasons. For example, Coast Guard contracting officials stated they have fallen increasingly behind since 2017 and that future disaster response missions would not be sustainable with their current workforce. GAO's strategic workforce planning principles call for agencies to determine the critical skills and competencies needed to achieve future programmatic results. Without accounting for disaster response contracting activities in workforce planning, these agencies are missing opportunities to ensure their contracting workforces are equipped to respond to future disasters.

The five agencies GAO reviewed from above, as well as the Federal Emergency Management Agency (FEMA), collectively spent more than $20 million for 2017 and 2018 disaster response activities using purchase cards. GAO found that two of these six agencies—Forest Service and EPA—have not completed fraud risk profiles for their purchase card programs that align with leading practices in GAO's Fraud Risk Framework. Additionally, five of the six agencies have not assessed or documented how their fraud risk for purchase card use might differ in a disaster response environment. DOI completed such an assessment during the course of our review. An Office of Management and Budget memorandum requires agencies to complete risk profiles for their purchase card programs that include fraud risk. GAO's Fraud Risk Framework states managers should assess fraud risk regularly and document those assessments in risk profiles. The framework also states that risk profiles may differ in the context of disaster response when managers may have a higher fraud risk tolerance since individuals in these environments have an urgent need for products and services. Without assessing fraud risk for purchase card programs or how risk may change in a disaster response environment, agencies may not design or implement effective internal controls, such as search criteria to identify fraudulent transactions.

Why GAO Did This Study

The 2017 and 2018 hurricanes and California wildfires affected millions of people and caused billions of dollars in damages. Extreme weather events are expected to become more frequent and intense due to climate change. Federal contracts for goods and services play a key role in disaster response and recovery, and government purchase cards can be used by agency staff to buy needed items.

GAO was asked to review federal response and recovery efforts related to recent disasters. This report examines the extent to which selected agencies planned for their disaster response contracting activities, assessed their contracting workforce needs, and assessed the fraud risk related to their use of purchase cards for disaster response.

GAO selected six agencies based on contract obligations for 2017 and 2018 disasters; analyzed federal procurement and agency data; reviewed agencies' policies on workforce planning, purchase card use, and fraud risk; and analyzed purchase card data. FEMA was not included in the examination of workforce planning due to prior GAO work.

Skip to Recommendations

Recommendations

GAO is making 12 recommendations, including to three agencies to assess disaster response contracting needs in workforce planning, and to five agencies to assess fraud risk for purchase card use in support of disaster response.

Recommendations for Executive Action

Agency Affected Recommendation Status
Corps of Engineers The Secretary of the Army should ensure that the Commanding General of the Army Corps of Engineers develops guidance to ensure that its district-level affordability determinations account for the agency's disaster response contracting activities. (Recommendation 1)
Open – Partially Addressed
The Department of Defense (DOD) agreed with this recommendation. In October 2020, DOD said that the U.S. Army Corps of Engineers (USACE) Director of Contracting will provide guidance to commanders to support completion of the USACE Annual Workforce Workload Assessment, which is an assessment to ensure that USACE districts have the capability to accomplish planned contracting workload and disaster response missions arising throughout the year. As part of the workload assessments, USACE districts and major subordinate commands assess effects of current workload and operations tempo impacting the contracting workforce determinations on enterprise contracting. In December 2021, USACE's Director of Contracting issued a request to USACE district commanders that they ensure district-level affordability determinations account for the agency's disaster response contracting activities and verify that Annual Workforce Workload Assessments provide commands with the capability to accomplish both planned contracting activities and disaster response missions that may arise throughout the year. In September 2022, USACE officials stated that they would provide an example of an Annual Workforce Workload Assessment to demonstrated how the guidance has been implemented.
United States Coast Guard The Commandant of the U.S. Coast Guard should provide guidance or incorporate into existing guidance information to ensure that the Coast Guard's manpower requirements determination for its acquisition directorate accounts for the agency's disaster response contracting activities. (Recommendation 2)
Open
The U.S. Coast Guard agreed with this recommendation. The Coast Guard said it updated the Manpower Requirements Manual in November 2020 and promulgated a new job-aid in April 2021, including guidance for assessing normal contingency workload and surge contingency workload, which covers the acquisition directorate's disaster response contracting activities. The Coast Guard noted that these documents refine and implement guidance for executing manpower requirement determinations. The Coast Guard anticipates an update to the Manpower Requirements Plan during its next periodic report to Congress, which the Coast Guard plans to provide to Congress by December 2022. According to the Coast Guard, the updated Manpower Requirements Plan will include time frames and milestones to complete manpower requirement analyses and determinations for multiple positions, units, and functions based on service priority, and will include consideration of disaster response activities per the updated Manpower Requirements Manual and job-aide.
Department of the Interior The Secretary of the Interior should ensure that upcoming guidance directs bureaus to consider their disaster contracting activities when planning their contracting workforce, where appropriate. (Recommendation 3)
Closed – Implemented
The Department of the Interior (DOI) agreed with our recommendation. In March 2022, DOI's Director, Office of Acquisition and Property Management and Senior Procurement Executive issued a memo to DOI's Heads of Contracting Activity requesting that each bureau complete a workforce planning narrative and updated template that highlights several key workforce planning efforts, including planning for emergency acquisition personnel. In September 2022, DOI provided a completed template for one bureau that demonstrated how the bureaus had assessed its workforce planning with consideration of disaster response activities.
Corps of Engineers The Secretary of the Army should ensure that the Commanding General of the Army Corps of Engineers updates its fraud risk profile for the purchase card program to include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 4)
Open – Partially Addressed
The Department of Defense (DOD) agreed with this recommendation. In October 2020, DOD stated that the U.S. Army Corps of Engineers (USACE) Director of Contracting will work with the Headquarters USACE National Internal Control Program Manager to enhance USACE's fraud risk profile during the 2022 Risk Management and Internal Control Program (RMICP) cycle. DOD stated that the enhanced fraud risk profile will document how, if at all, the USACE risk profile for purchase card use differs in support of disaster response. In December 2021, the USACE Director of Contracting emailed USACE district-level staff stating that RMICP risk profiles should consider both fraud risk for normal purchase card use and fraud risk for purchase card use in support of disaster response. In addition, the Director of Contracting requested that staff verify that the local USACE Internal Control Administrator and Contracting Chief include these two separate risk items on RMICP risk profiles. In June 2022, USACE issued guidance for the upcoming RMCIP cycle, including an updated template for the development of USACE's fraud risk profile, which includes purchase card use in contingency operations. According to the June 2022 guidance, a completed fraud risk profile is expected in December 2022.
Federal Emergency Management Agency The Administrator of the Federal Emergency Management Agency should update its fraud risk profile for the purchase card program to include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 5)
Open
The Department of Homeland Security (DHS) agreed with our recommendation. In June 2022, FEMA officials stated that FEMA's OCFO was in the process of updating its fraud risk profile for its purchase card program, and that the fraud risk profile will include an assessment of purchase card use for disaster and non-disaster response activities. FEMA officials expected the fraud risk profile to be completed by September 2022.
Department of Agriculture The Secretary of the U.S. Department of Agriculture should direct the Forest Service to update its fraud risk profile for the purchase card program to align with the leading practices in the Fraud Risk Framework and include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 6)
Open
The U.S. Department of Agriculture agreed with our recommendation. In September 2021, USDA told us that the agency has created internal controls sufficient to mitigate risks and will update its fraud risk profile for the purchase card program. In addition, the assessment will include how the risk profile differs for purchase card use in support of disaster response, if applicable. USDA estimated this assessment to conclude December 31, 2022.
United States Coast Guard The Commandant of the U.S. Coast Guard should update its fraud risk profile for the purchase card program to include an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 7)
Open
The U.S. Coast Guard agreed with this recommendation. In March 2022, U.S. Coast Guard officials stated that they anticipate that an updated risk register which includes a natural disaster fraud risk analysis will be released in the fourth quarter of fiscal year 2022. GAO will continue to monitor the U.S. Coast Guard's progress in addressing this recommendation.
Environmental Protection Agency The Administrator of the Environmental Protection Agency should take additional steps to complete and document a fraud risk profile for the purchase card program that aligns with the leading practices in the Fraud Risk Framework and includes an assessment of how, if at all, the risk profile differs for purchase card use in support of disaster response. (Recommendation 8)
Closed – Implemented
The Environmental Protection Agency (EPA) agreed with our recommendation. In October 2020, EPA said that the agency has begun preliminary work to determine and document the program's fraud risk profile based on GAO's leading practices. In May 2021, EPA said that the agency was in the process of reviewing EPA's purchase card program and assessing information collected from oversight tools to help populate EPA's Purchase Card Fraud Risk Framework. EPA noted that the new framework will help change the culture of the EPA's purchase card community by presenting information that demonstrates how the agency is committing, assessing, designing, implementing, evaluating, and adapting to annual performance of the framework requirements. In July 2021, EPA officials stated that EPA completed an analysis of current purchase card program practices, oversight, & control activities to better understand how to adopt the concepts and practices detailed in GAO's leading practices. In addition, EPA officials said that they developed a purchase card fraud risk questionnaire to survey purchase cardholders, approving officials, acquisition staff, managers, and transaction reviewers to gain further insight into EPA's purchase card fraud risk and better address fraud risk mitigation. In February 2022, EPA provided a purchase card fraud risk assessment report and fraud risk profile for its purchase card program. The purchase card fraud risk assessment report provided detailed information about the agency conducted assessment activities, which, among other things, EPA used to gain insight into fraud risk concerns, attitudes, and perceptions within the agency to address fraud risk mitigation. In addition, in alignment with the leading practices of GAO's Fraud Risk Framework, EPA"s fraud risk analysis contains detailed information assessing the likelihood and impact of inherent risk factors, an evaluation of existing controls, and proposed risk response for four separate risks associated with charge cards. The fraud risk profile also designates separate impacts, likelihoods, and proposed risk responses for EPA's disaster response activities.
Federal Emergency Management Agency The Administrator of the Federal Emergency Management Agency should ensure that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 9)
Closed – Implemented
The Department of Homeland Security (DHS) agreed with this recommendation. In October 2020, DHS officials told us that the Federal Emergency Management Agency's (FEMA) Office of the Chief Financial Officer would develop a data collection methodology, in coordination with Citibank, to include both the disaster event supported and sufficient vendor information to allow more comprehensive fraud risk analysis. As a result of this effort, officials told us that the FEMA Finance Center interface was able to capture purchase card data by disaster and merchant for purchases starting in December 2020, and FEMA provided us a report of purchase card transactions for September through October 2021. The data provided included FEMA's purchase card spending over that time period, vendor information, and codes that could be linked to the disaster event supported (e.g., Hurricanes Harvey and Maria)-adequate data to conduct fraud risk analysis of purchase card use in support of disaster response.
Corps of Engineers The Secretary of the Army should ensure that the Commanding General of the Army Corps of Engineers ensures that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 10)
Closed – Implemented
DOD agreed with our recommendation. In December 2020, DOD issued a memorandum directing the Heads of Contracting Activity to issue component-level guidance on recording and retaining purchase card information when National Interest Action codes--which allow agencies to track data on contract actions related to national emergencies--are issued for applicable operations. In December 2021, the U.S. Army Corps of Engineers (USACE) Director of Contracting emailed USACE district-level staff stating that USACE commands should be using National Interest Action codes when issued for disaster response events. In addition, the Director of Contracting stated that by entering the appropriate information on the funding document and in the purchase card's Electronic Access System purchase log, the system can help provide a list of purchase card transactions by supported disaster response with sufficient vendor information for fraud analyses. In July 2022, USACE provided a report of USACE's disaster response purchase card transactions from March 2020 through December 2021, which showed USACE's disaster-related purchase card spending by disaster and vendor--data elements key to ensuring the agency has adequate data to allow for fraud risk analysis of purchase card use in support of disaster response.
United States Coast Guard The Commandant of the U.S. Coast Guard should ensure that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 11)
Open
The U.S. Coast Guard agreed with this recommendation. In August 2021, Coast Guard officials stated that the Director of Financial Operations-Comptroller continues to be scheduled to begin migrating financial systems in October 2022, which they anticipate will alleviate some inconsistencies, as transactions and supplemental data are linked and stored in the new system. Further, according to Coast Guard officials, data migration to the new financial system is on schedule for completion in December 2022, after which detailed actions and milestones for fully implementing this recommendation can be developed.
Environmental Protection Agency The Administrator of the Environmental Protection Agency should ensure that the agency has adequate data to allow it to conduct analysis of purchase card use in support of disaster response, including both the disaster event supported and sufficient vendor information to allow fraud risk analysis. (Recommendation 12)
Closed – Implemented
The Environmental Protection Agency (EPA) agreed with our recommendation. In October 2020, EPA said that through the collaborative work of the Agency's Office of the Chief Financial Officer and Office of Mission Support, EPA would pursue improvements to existing emergency response financial and purchase card use tracking procedures to ensure financial and purchase card transaction reporting systems provide accurate, accessible data in order to conduct fraud analysis in accordance with the mandated framework, including analysis specific to disaster response. In July 2021, EPA stated they are using a process that includes: retrieving data from multiple data systems and review of electronic records maintained by purchase cardholders. As part of this process, EPA officials said that they are able to obtain the data needed to conduct analysis of purchase card use in support of disaster response, including the disaster event, such as hurricane, and vendor information to allow for fraud analysis. EPA provided a report of EPA's fiscal year 2020 disaster response purchase card transactions, which showed EPA's disaster-related purchase card spending by disaster and vendor.

Full Report

GAO Contacts