Senate Homeland Security and Governmental Affairs Subcommittee on Emergency Management, Intergovernmental Relations, and the District of Columbia…

Senate Homeland Security and Governmental Affairs Subcommittee on Emergency Management, Intergovernmental Relations, and the District of Columbia Hearing

Chairman Begich, Ranking Member Paul, and Members of the Subcommittee:

Thank you for inviting me here today to discuss the role my office plays in helping FEMA overcome or mitigate its ongoing challenges. We share FEMA's goal of reducing the risks these challenges present to FEMA's ability to prepare for, protect against, respond to, recover from, and mitigate against all hazards.

My testimony today will focus on some high-risk management challenges that we have identified in our recent audit reports and in our ongoing work at FEMA. I will also discuss our new, more proactive, audit business model designed to identify problems earlier in the disaster recovery cycle.

As you are keenly aware, FEMA faces a daunting task: to be ready for anything, anywhere in the United States and its territories. Whether it is flooding in Alaska, tornadoes in Kentucky, or hurricanes in the Gulf, FEMA must be ready to assist its response and recovery partners in saving lives and protecting property. Since the late 1980s, FEMA has experienced a dramatic rise in the number of declared disasters. In the 1980s, the President declared an average of only about 24 major disasters per year. That annual number has risen to an average of 65 major disasters in the last 10 years.

The amount FEMA spends on disaster response and recovery remains substantial. During fiscal years (FY) 2004-2011, the President received governors' requests for 629 disaster declarations and approved 539, or 86 percent. For these 539 disasters, FEMA obligated about $80 billion, or about $10 billion annually, from the Disaster Relief Fund. Hurricane Sandy, which made landfall in October 2012, will cost the fund many more billions of dollars.

To address this dramatic increase in declared disasters, both my office and the U.S. Government Accountability Office (GAO) issued reports assessing FEMA's disaster declaration process. These reports identified weaknesses in the damage assessment process that contributed to the increased number of declarations. The OIG report (OIG-12-79, issued May 2, 2012) concluded that FEMA has been using an outdated per capita amount as an indicator that a disaster might warrant Federal assistance. When FEMA selected the per capita amount of $1 in 1986 based on the national per capita income; it did not initially adjust the amount annually for the changes in income. FEMA later began adjusting the amount based on inflation in 1999.

On September 12th of that same year, GAO similarly concluded that the Public Assistance per capita indicator used in FEMA's Preliminary Damage Assessment is artificially low because it does not fully reflect the rise in per capita personal income since 1986 (GAO-12-838, issued September 12, 2012). By primarily relying on an artificially low indicator, FEMA's recommendations to the President are based on damage estimates that do not comprehensively assess a jurisdiction's capability to respond to and recover from a disaster on its own. Given the Federal government's economic and budgetary constraints, we recommended that FEMA revise the Public Assistance Preliminary Damage Assessment process to estimate a disaster's magnitude and economic impact more realistically. Furthermore, we recommended the agency reassess the criteria used to measure a state's capacity to respond to a disaster to better reflect changing economic conditions. Although FEMA generally agreed with our findings, they have not taken action on our recommendations.

Auditing FEMA'sPublic Assistance Program

Since Hurricane Katrina in 2005, FEMA has made significant improvements in its ability to lead the nation's response and recovery efforts. However, FEMA continues to experience challenges, especially in managing its Public Assistance program. According to FEMA, its Public Assistance program is immense with FEMA reporting over 100,000 applicants with projects worth approximately $50 billion. n1 In the past, my office has focused much of its efforts on auditing past transactions. This has led to more than a billion dollars in questioned costs and funds put to better use. Unfortunately, once money is spent, it is often too late to recover the funds or correct the underlying problems.

Looking at the past is no longer enough. Since 2013, my office has transitioned to a more balanced audit portfolio approach. This approach addresses problems before grant applicants have spent the majority of taxpayer funds, while focusing on the root causes of problems. We designed our new audit business model to help FEMA and the states develop solutions early, not just deal with the aftermath of our audit reports. FEMA officials, for their part, have welcomed our new approach. They have actively engaged my staff in finding solutions and have responded by creating a unit in FEMA'sOffice of Assistant Administrator for Recovery to address the systemic issues we identify in our reports.

Life Cycle Audits

The Office of Inspector General's Office of Emergency Management Oversight (EMO) plans to complete 74 disaster assistance audits in FY 2014. This includes 63 FEMA Public Assistance and Hazard Mitigation Grant Program audits, and 11 audits of FEMA programs and operations. Each year, FEMA provides state and local governments about $10 billion for disaster grants and other response and recovery operational needs. EMO audits about $1.2 billion of these costs per year. Based on historical information, EMO has generally determined that communities improperly spent about 23 percent of the grant funds audited. Therefore, we estimate that our FY 2014 disaster grant audits will identify or prevent about $300 million in improperly spent disaster assistance based on the grant funds audited.

We plan to continue our proactive approach that places greater emphasis on prevention and early detection, rather than reporting on improperly spent disaster assistance. This proactive audit approach mirrors the disaster assistance grant life cycle and has four phases.

. Disaster Deployment Teams -- The first phase includes audits that our Emergency Management Oversight Teams produce after they deploy to disasters. The teams accompany FEMA during its initial response to presidentially declared disasters. We expect to conduct about five of these deployments per year, depending on the number and severity of disasters that occur. The resulting audits assess FEMA's initial response to disasters and report weaknesses before they grow into significant problems.

For example, our recent disaster response report entitled FEMA's Initial Response to the Oklahoma Severe Storms and Tornadoes (OIG-14-50-D, issued March 19, 2014) concluded FEMA responded effectively to the massive tornado that devastated Moore, Oklahoma. This report identified FEMA's success in responding to the disaster as well as staffing challenges. Importantly, this work led to our reviews of FEMA Joint Field Office procurement advice (OIG-14-46-D, issued February 28, 2014), tornado safe room hazard mitigation measures, and FEMA's Reservist deployment and qualifications systems. The tornado safe room and qualification system reports should be issued soon.

. Capacity Audits -- We anticipate conducting about 20 "capacity audits" early in the recovery phase before applicants have spent significant amounts of Federal funding. These audits will assess whether communities and other applicants have established policies, procedures, and business practices to properly administer the grant funds. Our recommendations will focus on correcting weaknesses to prevent applicants from misspending Federal funds. Some communities will need additional FEMA and/or state assistance to ensure success.

Following Hurricane Sandy, we reviewed the policies, procedures, and business practices of subgrantees in both New York and New Jersey. For example, recently we issued the capacity report on the Village of Saltaire, New York (OIG-14-58-D, March 26, 2014), which concluded that the Village of Saltaire's policies, procedures, and business practices were adequate to account for and expend FEMA grant funds according to Federal regulations.

. Early Warning Audits -- We anticipate conducting about 20 "early warning audits" later in the recovery phase. These audits will determine whether applicants are, in fact, accounting for and expending FEMA grant funds correctly. The early reporting of non-compliance should enable communities to take actions to correct, or at least mitigate, the financial impact of non-compliance.

We recently issued Hurricane Sandy early warning audit reports on the debris removal activities of three New Jersey subgrantees - the Borough of Beach Haven, Little Egg Harbor Township, and Borough of Belmar (OIG-14-54, March 21, 2014; OIG-14-57, March 24, 2014; and OIG-14-72, April 22, 2014). In these audits we identified $1.6 million of unneeded funds and some unsupported and ineligible costs out of the $16.8 million in grants awarded. We recommended FEMA take action to deobligate the excess, unsupported or ineligible funding.

. Traditional Audits -- Finally, we anticipate conducting about 20 traditional disaster grant audits. We typically perform these audits after the applicant completes most disaster work. These audits serve two important roles. First, they assess whether communities complied with their financial and procurement responsibilities; and, second, they identify unspent funds that FEMA can deobligate and put to better use. For example, we issued a traditional audit report on funds awarded to St. Stanislaus College Preparatory school (OIG-14-95, issued May 22, 2014). This report identified $8 million in contracts that did not comply with Federal contracting requirements.

In addition to the grant life cycle audits, we anticipate conducting about 11 program audits that typically identify the cause of systematic problems and recommend solutions.

This multi-step approach is more labor intensive, but should do a better job of helping local governments and non-profits properly spend disaster assistance grant funds. Overall, we look forward to working closely with senior FEMA officials to identify opportunities where our audits can help FEMA identify weaknesses before applicants misspend tax dollars.

Sandy Recovery Improvement Act of 2013

As part of our commitment to proactive audits, we also plan to review FEMA's implementation of some key provisions of the Sandy Recovery Improvement Act of 2013 (SRIA). The passage of SRIA represents the most significant change to FEMA's authorities since the Post-Katrina Emergency Reform Act of 2006. The law authorizes several significant changes to the way that FEMA delivers disaster assistance. Notably, SRIA provides FEMA with greater flexibility in administering its Public Assistance program. The goal of the increased flexibility is to reduce administrative burdens and overall costs if grant applicants accept funding based on fixed, capped estimates. The new law holds promise for simplifying a complex and administratively burdensome process; however, developing accurate construction estimates has, and will likely continue to pose challenges and risks.

FEMA recognizes that new programs expose FEMA to a higher degree of risk. As a result, FEMA has asked us to assess its Public Assistance alternative procedures pilot program for implementing SRIA. We will start this assessment in the coming months. Other changes include debris removal alternative procedures, a new dispute resolution process, and a reassessment of the small project threshold. FEMA is moving forward to implement these changes and we will explore other opportunities to assist FEMA officials in assessing how they implement these significant changes.

Findings from Recent Audit Reports

In recent years, my office has identified problems with public assistance, hazard mitigation, disaster workforce development, preparedness grants, and information technology. Our reports also identified internal control deficiencies that, in aggregate, represented a material weakness in information technology controls and financial system functionality at the Department-wide level.

Public Assistance Grants

For many years my office has identified significant problems with FEMA's Public Assistance grant program. Our most recent capping report of disaster grant audits summarizes the results of 59 audit reports we issued in FY 2013 (see attached). Those reports contained 261 recommendations resulting in potential monetary benefits of $308 million. This amount included $266 million in questioned costs that we recommended FEMA disallow because the costs were ineligible or unsupported, and $42 million in unused funds that we recommended FEMA deobligate and put to better use. The $308 million represents 24 percent of the $1.28 billion we audited.

As stated in our four previous capping reports, we continue to find problems with grant management and accounting, ineligible and unsupported costs, and noncompliance with Federal contracting requirements. A significant issue this year was insufficient insurance required to protect grant recipients from future losses. We also noted a sharp increase in questioned costs for ineligible contracting procedures. As the table below shows, these results are typical of years past.

Potential Monetary Benefits from FYs 2009-2013

Capping Report Number FY Amount Audited (billions) Potential Monetary Benefits (millions) Percentage of Potential Monetary Benefits to Amount Audited

DS-11-01 2009 $0.93$138.4 15%

DD-11-17 2010 $1.23$165.3 13%

OIG-12-74 2011 $1.22$336.9 28%

OIG-13-90 2012 $1.25$415.6 33%

OIG-14-102-D 2013 $1.28$307.8 24%

Total $5.91$1,364.0 23%

FEMA's Corrective Actions -- FEMA officials have implemented corrective measures to address issues we identified in our past reports. FEMA recognizes that applicant noncompliance with Federal procurement standards continues to be a significant source of findings and questioned costs. As a result, FEMA has developed and is implementing a new Procurement Disaster Assistance Team. The team will provide assistance to applicants in advance of contract awards to reduce procurement violations. FEMA's goal is to help ensure that applicants comply with Federal procurement standards and spend Federal funds efficiently and effectively.

According to FEMA, the Procurement Disaster Assistance Team will:

. provide just-in-time and steady-state training;

. develop guidance on Federal procurement requirements;

. review applicant procurement policies and procedures; and

. review proposed applicant procurement actions to advise FEMA Public Assistance officials as to whether those actions comply with the Federal procurement requirements.

Finally, FEMA'sRecovery Directorate plans to establish a section dedicated to responding to, implementing, and learning from our audits. FEMA has already completed a 3-year retrospective analysis of our audits to help set policy priorities and plans to activate the new section by the end of FY 2014.

FEMA's Inherent Grants Management Challenges -- FEMA's Public Assistance grant program is FEMA's largest disaster recovery program. It provides billions of dollars in recovery money annually to states, tribal and local governments, and qualifying non-profit organizations. However, complying with grant requirements is not easy. Further, the very people responsible for administering the program (subgrantees) are themselves disaster survivors, many with little or no experience managing Federal grants. States, which usually serve as grantees, often do not take an active role in helping the applicants administer the grants, leaving the applicants to manage the grants on their own. Some large organizations are very sophisticated and experienced, whereas smaller ones often struggle.

The conditions we report related to ineligible and unsupported costs and noncompliance with Federal contracting requirements occur for many reasons. However, better grant management would undoubtedly improve subgrantees' compliance with Federal regulations and decrease ineligible costs. The amount of unneeded funding would also decrease sharply if FEMA and grantees more closely managed grant funds and deobligated unneeded funds faster.

Cost Estimating Challenges -- We have also identified significant problems with cost estimating under FEMA's "50 Percent Rule." We are working with FEMA headquarters to clarify its policy under the rule and will issue a report soon summarizing the key issues that need to be addressed. Applying FEMA's 50 percent repair or replace rule correctly can be very difficult and susceptible to error, misinterpretation, and manipulation. Our audit results have demonstrated that millions of dollars are at risk from incorrect decisions. In FYs 2012 and 2013, we recommended FEMA disallow over $100 million of costs that resulted from questionable 50 percent rule decisions. In those audits, we recommended that FEMA should have paid $226 million to repair facilities, instead of $327 million to replace them. In our discussions with FEMA officials, they acknowledged the difficulties in reversing replacement decisions after they communicated those decisions to grant recipients. The Sandy Recovery Improvement Act's provision on alternative procedures provides FEMA with greater flexibility in providing applicants grants that have a defined fixed amount. Therefore, it is imperative for FEMA to be able to overcome its cost estimating challenges.

Insurance Challenges -- Our grant reports have typically identified problems with property insurance. In FY 2013 we reported three instances totaling $84 million where subgrantees did not obtain and maintain sufficient flood insurance required as a condition for receiving Federal disaster assistance. Having insufficient coverage is not only a violation of Federal regulations and FEMA policy, but it also puts subgrantees at risk of not having adequate protection the next time disaster strikes. We have also encountered problems with how FEMA applies insurance proceeds to Public Assistance projects. FEMA is revising its policy on insurance to ensure applicants obtain and maintain the correct type and amount of insurance. Doing so will reduce applicants' reliance on Federal assistance in future disasters because they will have proper insurance coverage. FEMA plans to complete a revision of the draft policy in 2014.

Hazard Mitigation

We have been increasing our work on hazard mitigation in recent years and have identified some emerging issues. In our report FEMA Region VI Should Ensure the Cost Effectiveness of Texas Hazard Mitigation Grant Projects (DD-13-10, issued May 3, 2013), we audited $68 million of FEMA Hazard Mitigation Grant Program funds awarded to four subgrantees in Texas. We questioned $18 million, or 26 percent of the $68 million. The majority of our questioned costs related to projects that were not cost-effective and, therefore, did not meet FEMA eligibility requirements. For example, one of the four subgrantees used an unapproved benefit/cost analysis methodology that did not factor in the net present value of future benefits as FEMA requires. Using an approved benefit/cost analysis methodology would have proven that the project was not cost effective.

In August 2012, we reported that FEMA has made progress in the hazard mitigation planning program since the passage of the Disaster Mitigation Act of 2000, as amended (Survey of Hazard Mitigation Planning, OIG-12-109, issued August 9, 2012). The program is designed to encourage state, tribal, and local jurisdictions to (1) identify the natural hazards that affect them and (2) implement projects that will reduce losses from disasters, including development of land use and building code regulations. FEMA requires a state mitigation plan as a condition for receiving certain types of non-emergency disaster assistance, including funding for mitigation projects.

The program is voluntary, but all 50 states plus the District of Columbia and several territories have participated since its inception. More than 26,000 jurisdictions have also developed mitigation plans. Communities that participate comprise about 70 percent of the U.S. population. Despite the program's relative success, some communities have been reluctant to participate, particularly those in less populated areas that have not experienced recent disasters. FEMA is developing a system to monitor state, tribal, and local participation and to track planned or implemented mitigation projects.

Disaster Workforce Development

During our recent Emergency Management Oversight Team deployments between 2012 and 2013, n2 we discussed FEMA's disaster workforce with Joint Field Office officials. They told us they encountered significant problems obtaining enough qualified Reservists timely under the FEMA Qualification System process and that this impacted their ability to respond quickly and effectively to disasters. n3 (Reservists are FEMA employees who work intermittently in support of disaster operations.) We are currently assessing whether FEMA's Qualification System and Automated Deployment Database are effective in providing the requested number of qualified Reservists to disasters in a timely manner. We recognize that the transition to a fully qualified workforce will take time. Further, FEMA began implementing the FEMA Qualification System early while expecting to make course corrections along the way.

Strengthening workforce readiness has been an ongoing challenge for FEMA since Hurricane Katrina. In our report, Federal Emergency Management Agency Needs To Improve Its lnternal Controls Over the Use of Disaster Assistance Employees (OIG-13-13, issued November 29, 2012), we reported that FEMA paid approximately 1,600 individuals $36 million more than they would have received if FEMA had enforced its limitation on using Disaster Assistance Employees (now Reservists) no more than 18 months in a 2-year period.

Information Technology

In our Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2013 Department of Homeland Security Financial Statement Audit (OIG-14-76, issued April 24, 2014), we reported that FEMA took corrective action to address prior year information technology control deficiencies. For example, FEMA made improvements over designing and implementing certain configuration management and security authorization controls over FEMA information systems. FEMA also strengthened and improved controls over vulnerability management and logical access controls.

However, during FY 2013, we continued to identify general information technology deficiencies related to controls over security management, access control, configuration management, segregation of duties, and contingency planning and associated general support system environments. Collectively, the information technology control deficiencies limited FEMA's ability to ensure that it maintained critical financial and operational data in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted FEMA's internal controls over financial reporting and its operations. We consider these deficiencies, in aggregate, to contribute to the information technology material weakness at the Department level under American Institute of Certified Public Accountants standards.

The majority of findings resulted from noncompliance with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology guidance. Specifically, the findings stemmed from:

1. Improper or incomplete security authorization activities and supporting artifacts and documentation;

2. Insufficient logging of system events and monitoring of audit logs;

3. Inadequately designed and ineffective access control policies and procedures relating to the management of logical access to financial applications, databases, and support systems;

4. Patch, configuration, and vulnerability management control deficiencies within systems;

5. Inadequately designed and ineffective configuration management policies and procedures; and

6. The lack of alternate processing capabilities.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and FEMA financial data could be exploited. As a result, the deficiencies compromised the integrity of FEMA financial data that management uses and reports in FEMA's and the Department's financial statements.

Finally, in April 2011, we reported that FEMA's information technology systems did not support disaster response activities effectively. n4 At that time, FEMA did not have a comprehensive information technology strategic plan with clearly defined goals and objectives. Without this, the agency is challenged to establish an effective approach to modernizing its infrastructure and systems. As a result of the report, FEMA has taken corrective action including developing an information technology strategic plan and completing its enterprise systems inventory and agency-wide budget planning process. Although we have resolved most of the findings from this report, we continue to work with FEMA officials to address our concerns. Specifically, FEMA has yet to establish a consolidated modernization approach for its mission-critical information technology systems, to include DHS plans for integrated asset management, financial, and acquisition solutions.

Conclusion

I am excited about the OIG's plans for helping FEMA achieve its mission to assist the nation in responding to disasters. I am confident that our shift to a more balanced audit portfolio and greater emphasis on prevention will yield substantial benefits in the coming years.

Mr. Chairman, this concludes my prepared statement. I welcome any questions you or other Members of the Subcommittee may have.

n1 http://www.fema.gov/media-library/assets/documents/28344, updated May 5, 2014.

n2 The Emergency Management Oversight Teams prepared the following four reports related to deployments: OIG-13-84 (DR-4080-LA), OIG-13-117 (DR-4086-NJ), OIG-13-124 (DR-4085-NY), and OIG-14-50-D (DR-4117-OK).

n3 The Emergency Management Oversight Teams deployed to Hurricane Isaac DR-4080-LA; Hurricane Sandy DR-4086-NJ and DR-4085-NY; Oklahoma Severe Storms and Tornadoes DR-4117-OK; Colorado Severe Storms, Flooding, Landslides, and Mudslides DR-4145-CO; and Washington Flooding and Mudslides DR-4168-WA.

n4 Federal Emergency Management Agency Faces Challenges in Modernizing Information Technology, OIG-11-69, issued April 1, 2011.

Read this original document at: http://www.hsgac.senate.gov/download/?id=f4578fb5-6c68-406e-815d-f2a82fcc0d31