Federal Reports

The report objective was to emphasize the potential challenges that FEMA will face in providing Public Assistance funding for facilities that may have sustained damages from back-to-back disasters. Hurricanes Harvey, Irma, and Maria — some of the most catastrophic disasters in recent United States history — resulted in multiple disaster declarations and billions of dollars in damages to areas within several Gulf Coast and Southeast states, Puerto Rico, and the U.S. Virgin Islands. We noted many of the same designated disaster areas for Hurricanes Harvey and Irma overlapped areas also declared for incidents earlier in 2017 and 2016. As a result, many of the same facilities affected by an earlier incident may have also received damage under Hurricanes Harvey or Irma before repairs to the facility had been completed. To avoid obligating duplicate repair costs to an affected facility, FEMA will need to discern which incident caused damages to the facility and whether repairs necessitated by the previous incident were complete. Therefore, FEMA needs to make certain that it has effective controls in place to minimize the risk of funding duplicate or ineligible repair costs of facilities damaged by back-to-back incidents.

We determined that the Coast Guard does not have sufficient controls to adequately identify information technology (IT) acquisition programs. Although the Coast Guard approved the procurement of approximately $1.8 billion of IT investments between fiscal years 2014 and 2016, it does not know if almost 400 systems are receiving proper acquisition oversight. This occurs because the Coast Guard’s controls over IT investments lack synergy and create weaknesses that affect its ability to adequately identify, designate, and oversee non-major IT acquisition programs. As a result, the Coast Guard IT investments risk wasting money, missing milestones, and not achieving performance requirements We recommended that the Coast Guard conduct a comprehensive analysis of related acquisition and IT review processes to identify redundancies, gaps, and potential improvements; implement a verifiable process to identify non-major IT programs; evaluate and identify existing IT investments; and improve the quality of IT investment information and guidance. We made four recommendations that the Coast Guard concurred with and when implemented will improve the Coast Guard’s IT investment process.

During the financial statement audit, we assessed PBGC’s information security infrastructure for technical weaknesses in PBGC’s computer systems that may allow employees or outsiders to cause harm to, and/or impact, PBGC’s business processes and information. Current year testing found weaknesses in the areas of vulnerability management, software support, authentication, malicious traffic detection, and data protection. This report includes seven new and three repeat recommendations. This work was conducted by CliftonLarsonAllen LLP under contract with the OIG.The Office of Inspector General has determined that this report is for official use only. The report detailing the vulnerability assessment has been redacted in its entirety because it contains privileged and confidential information.

We determined that FEMA is not meeting its monitoring of Operation Stonegarden grantee responsibilities because it does not have accurate financial data to identify grantees that require additional monitoring. Also, FEMA has included just 4 of 79 Operation Stonegarden awards made during FYs 2011–14 in its financial monitoring reviews required under the Homeland Security Act of 2002, as amended. Additionally, FEMA and U.S. Customs and Border Protection (CBP) have not issued adequate guidance or conducted thorough reviews of proposed Operation Stonegarden spending. As a result, FEMA and CBP approved more than $14.6 million (or 72 percent of the amount audited) in overtime costs and more than $390,500 (or 4 percent of the amount audited) in equipment costs without addressing the risk of supplantation. Moreover, FEMA and CBP have not collected reliable program data or developed measures to demonstrate program performance resulting from the use of more than $531.5 million awarded under Operation Stonegarden since fiscal year 2008. We made seven recommendations, aimed at improving oversight of the Operation Stonegarden Program. FEMA and CBP concurred with six recommendations and non-concurred with one.

The auditors found that the fiscal years 2017 and 2016 financial statements are presented fairly, in all material respects, in accordance with accounting principles generally accepted in the United States of America. They identified two significant deficiencies in internal control over financial reporting: (1) controls over the Department’s modeling activities need Improvement, and (2) Department and Federal Student Aid management need to mitigate persistent information technology control deficiencies. They also identified one instance of reportable noncompliance with Federal law related to referring delinquent student loan debts to Treasury.

The auditors found that the fiscal years 2017 and 2016 financial statements are presented fairly, in all material respects, in accordance with accounting principles generally accepted in the United States of America. They identified two significant deficiencies in internal control over financial reporting: (1) controls over the Department’s modeling activities need Improvement, and (2) Department and Federal Student Aid management need to mitigate persistent information technology control deficiencies. They also identified one instance of reportable noncompliance with Federal law related to referring delinquent student loan debts to Treasury.