Skip to main content
U.S. flag

An official website of the United States government

Government Website

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Safely connect using HTTPS

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Audits, Inspections, and Evaluations

Report Number Title Issue Date Fiscal Year
OIG-16-05-D FEMA requested our assistance in determining whether its preliminary proposal to provide permanent or semi-permanent housing construction to the Oglala Sioux Tribe of the Pine Ridge Indian Reservation is consistent with Federal statutes and regulations and FEMA guidelines. FEMA has begun disaster recovery efforts in response to a disaster declaration for severe storms, straight-line winds, and flooding that occurred in May 2015. In limited circumstances, section 408 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act) grants the Federal Emergency Management Agency (FEMA) the authority to provide individuals or households affected by a disaster permanent or semi­permanent housing. However, to ensure the integrity of the Individual Assistance program, FEMA should adequately document the facts and circumstances that justify this decision. FEMA should also ensure that its proposed actions are the most cost-effective solution to the Oglala Sioux Tribe’s unique housing problems as compared to other alternatives.

>FEMA's Plan to Provide Permanent or Semi-Permanent Housing to the Oglala Sioux Tribe of the Pine Ridge Indian Reservation in South Dakota 		2016
OIG-16-134 We sought to determine whether the Transportation Security Administration (TSA) has an intelligence-driven, risk-based security strategy that informs security and resource decisions across all transportation modes.

>Transportation Security Administration Needs a Crosscutting Risk-Based Security Strategy 		2016
OIG-16-102-D We issued this advisory report to notify the Federal Emergency Management Agency (FEMA) of an issue that requires its immediate attention. During our audit ofFEMA’s initial response to the 2015 wildfires in Northern California, we observed personnel mishandling Personally Identifiable Information (PII) at disaster relief sites. FEMA officials need to take quick action to ensure the protection of PII in future disasters.

>FEMA Continues to Experience Challenges in Protecting Personally Identifiable Information at Disaster Recovery Centers 		2016
OIG-16-70 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year (FY) 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the U.S. Citizenship and Immigration Services Component of the FY 2015 Department of Homeland Security Financial Statement Audit 		2016
OIG-16-38-D Oakwood Healthcare System, Inc. (Hospital), in Dearborn, Michigan, received a gross award of $15.2 million from the Michigan State Police Emergency Management and Homeland Security Division (Michigan), and FEMA grantee, for damages resulting from severe storms and flooding in August 2014. The Hospital did not always account for and expend FEMA grant funds according to Federal regulations and FEMA guidelines. Although the Hospital competitively awarded contracts for most non-exigent work, it did not always take the required affirmative steps to ensure the use of small and minority firms, women’s business enterprises, and labor surplus area firms when possible; and did not include all required contract provisions in its contracts. However, we did not question the costs because insurance proceeds covered essentially all the repair costs except for the insurance deductible. We also found that the Hospital did not initially account for labor costs properly. However, after we identified the improperly supported costs, Hospital employees corrected the records to reflect actual costs the Hospital incurred.

>Oakwood Healthcare System, Dearborn, Michigan, Needed Additional Assistance in Managing its FEMA Public Assistance Grant Funding 		2016
OIG-16-06 The independent public accounting firm KPMG LLP has issued an unmodified (clean) opinion on DHS' consolidated financial statements. In the independent auditors’ opinion, the financial statements present fairly, in all material respects, DHS’ financial position as of September 30, 2015. KPMG LLP issued an adverse opinion on DHS’ internal control over financial reporting of its financial statements as of September 30, 2015. The report identifies seven significant deficiencies in internal control; three of which are considered material weaknesses. The material weaknesses are in financial reporting; information technology controls and financial system functionality; and property, plant, and equipment. The report also identifies instances of noncompliance with four laws and regulations.

>Independent Auditors' Report on DHS' FY 2015 Financial Statements and Internal Control over Financial Reporting 		2016
OIG-16-135-D Hope Academy (Hope) in D’Iberville, Mississippi, received a Federal Emergency Management Agency (FEMA) Public Assistance award of $3.5 million for damages Hurricane Katrina caused in August 2005. Both FEMA and the Office of Inspector General had concerns about the eligibility of Hope as an applicant for assistance and about Hope’s purchase of land for permanent relocation of damaged properties.

>FEMA Should Recover $3.4 Million of the $3.5 Million Awarded to Hope Academy for Hurricane Katrina Damages 		2016
OIG-16-103-D The 2015 California wildfires caused severe damage to Lake County, California (County). County officials estimate that disaster-related costs may exceed $25 million. Our audit objective was to determine whether the County’s policies, procedures, and business practices are adequate to account for and expend FEMA Public Assistance Program grant funds according to Federal regulations and FEMA guidelines.

>Lake County, California, Should Continue to Improve Procurement Policies, Procedures, and Practices 		2016
OIG-16-71 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>Office of Health Affairs’ Management Letter for DHS’ FY 2015 Financial Statements Audit 		2016
OIG-16-39 In fiscal year 2014, DHS spent a total of $12.5 billion using interagency agreements. Past Office of Inspector General audit reports found that a component used Intra/Interagency Reimbursable Work Agreements (RWA) to bypass key internal controls rather than properly implement Interagency Acquisitions. We conducted a department-wide audit to determine whether DHS’s use of RWAs is in compliance with statutory, regulatory, departmental, and component requirements. Components are not issuing RWAs in compliance with the Department’s policy. Specifically, 100 percent of the 43 RWAs we tested—totaling approximately $88 million—had not been reviewed by a Certified Acquisition Official (CAO). In January 2015, DHS issued a policy requiring components to have a CAO review RWAs to ensure they are being issued properly prior to obligating funds. The CAO plays a critical role in ensuring high-risk transactions receive proper oversight. However, 70 percent of the RWAs we tested did not include enough information for a CAO to make an informed decision. DHS did not ensure components updated their policies and procedures to reflect the new requirements. Without a CAO review, components may continue to improperly issue RWAs, circumventing acquisition controls.

>DHS Needs to Improve Implementation of OCFO Policy Over Reimbursable Work Agreements 		2016
OIG-16-07 DHS’ mission to protect the Nation entails a wide array of responsibilities. These range from facilitating the flow of commerce and travelers, countering terrorism, and securing and managing the border to enforcing and administering immigration laws and preparing for and responding to natural disasters. This report identifies major challenges that affect the Department as a whole, as well as its individual components, who work together to achieve this multi-faceted mission. We identified nine areas of most persistent concern for the Department: (1) DHS Management and Operations Integration; (2) Acquisition Management; (3) Financial Management; (4) Information Management and Technology; (5) Transportation Security; (6) Border Security and Immigration Enforcement; (7) Disaster Preparedness and Response; (8) Infrastructure Protection and Cybersecurity; (9) Employee Accountability and Integrity.

>Major Management and Performance Challenges Facing the Department of Homeland Security 		2016
OIG-16-136-D Calaveras County, California (County), received a $10.8 million grant for damages from the September 2015 Butte Fire. We conducted this audit early in the grant process to identify areas where the County may need additional technical assistance or monitoring to ensure compliance.

>Calaveras County, California, Needs Additional State and FEMA Assistance in Managing Its $10.8 Million FEMA Grant ( 		2016
OIG-16-104-D The Louisiana Office of Community Development (OCD) received $702.9 million in Federal Emergency Management Agency (FEMA) funds for hazard mitigation grant program (HMGP) work on 9,588 properties under Hurricanes Katrina and Rita. We received allegations that the timeliness of OCD payments was placing financial hardship on program contractors. Therefore, our objective was to determine whether OCD processed payments to contractors in a timely manner and according to Federal regulations, FEMA guidelines, and State laws. We did not verify the validity of costs claimed or completion of work.

>The Office of Community Development Paid Most Contractors in a Timely Manner for Hazard Mitigation Work on Louisiana Homes 		2016
OIG-16-72 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting

>Federal Emergency Management Agency's Management Letter for DHS' FY 2015 Financial Statements Audit 		2016
OIG-16-40-D Colorado Springs Utilities, Colorado (Utilities), received a $937,367 Public Assistance grant for damages from storms occurring May through June 2015. We conducted this audit early in the grant process to identify areas where the Utilities may need additional technical assistance or monitoring to ensure compliance with Federal requirements. The Utilities has established policies, procedures, and business practices to account for and expend Federal Emergency Management Agency (FEMA) Public Assistance grant funds according to Federal regulations and FEMA guidelines. Therefore, if the Utilities follow those policies, procedures, and business practices, FEMA has reasonable assurance that the Utilities will properly manage its FEMA grant.

>Colorado Springs Utilities, Colorado, Has Adequate Policies, Procedures, and Business Practices to Effectively Manage Its FEMA Public Assistance Grant Funding 		2016
OIG-16-08 We reviewed the Department of Homeland Security’s (DHS) information security program in accordance with the Federal Information Security Modernization Act of 2014. Our objective was to determine whether DHS’ information security program is adequate, effective, and complies with FISMA requirements. DHS has taken actions to strengthen its information security program. For example, DHS developed and implemented the Fiscal Year 2015 Information Security Performance Plan to define the performance requirements, priorities, and overall goals of the Department. DHS has also taken steps to address the President’s cybersecurity priorities, such as Information Security Continuous Monitoring; Identity, Credential, and Access Management; and anti-phishing and malware defense. Nonetheless, the Department must ensure compliance with information security requirements in other areas.

>Evaluation of DHS' Information Security Program for Fiscal Year 2015 (Revised) 		2016
OIG-16-137-D At the time of our audit, FEMA estimated that the City of Eureka, Missouri (City), had sustained approximately $1.5 million in damages from flooding in December 2015. We conducted the audit early in the grant process to identify areas where the City may need additional technical assistance or monitoring to ensure compliance with Federal procurement requirements.

>City of Eureka, Missouri, Needs Additional Assistance and Monitoring to Ensure Proper Management of Its $1.5 Million FEMA Grant 		2016
OIG-16-105 Based on GSA’s eRETA system, between fiscal years 2003 and 2014, DHS and its components authorized more than 18,000 RWAs with GSA, totaling $4.1 billion. We conducted this audit to determine whether the Department’s use of RWAs was in compliance with statutory, regulatory, departmental, and component requirements.

>DHS' Use of Reimbursable Work Agreements with GSA 		2016
OIG-16-73 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>National Protection and Programs Directorate's Management Letter for DHS' FY 2015 Financial Statements Audit 		2016
OIG-16-41 In 2011, the former FEMA Chief Security Officer hired two employees with criminal convictions in their backgrounds. Our analysis of employee records from 2011 to 2014 in the Office of the Chief Security Officer’s Fraud and Internal Investigations Division disclosed two more employees with criminal conduct in their backgrounds. FEMA’s Office of the Chief Security Officer no longer employs these four individuals. FEMA premium pay records from 2011 to 2014 for employees in the Fraud and Internal Investigations Division showed that division management allowed employees to violate FEMA’s premium pay policy for compensatory time in 2014; premium pay requests from the same period did not reveal any overtime violations. As a result of hiring employees with criminal backgrounds or conduct, the Office of the Chief Security Officer spent $349,944 unnecessarily. Finally, from 2013 to 2014, the Office of the Chief Security Officer misused the Disaster Relief Fund by allowing employees to perform non-disaster­related activities, which violates the Stafford Act and may also be a potential Antideficiency Act violation.

>Response to Allegations of Mismanagement in FEMA's Office of the Chief Security Office 		2016
OIG-16-09-D DeKalb County, Georgia, received a $3.3 million grant award from the Georgia Department of Emergency Management, a FEMA grantee, for damages resulting from a September 2009 flood. Our audit objective was to determine whether the County accounted for and expended FEMA funds according to Federal requirements. The County did not account for FEMA funds on a project-by-project basis as Federal regulations and FEMA guidelines require. We also identified $93,620 (Federal share $70,215) of unneeded project funding that FEMA can deobligate and put to better use. Finally, the County’s claim included $411,929 (Federal share $308,947) of unsupported or ineligible costs.

>FEMA Should Recover $505,549 of $3.3 Million in Public Assistance Grant Funds Awarded to DeKalb County, Georgia, for Damages from a September 2009 Flood 		2016
OIG-16-138 In 2012, we reported on DHS’ challenges in implementing an effective information technology (IT) management program. FITARA was enacted in 2014 to institutionalize IT reform across the Federal Government. We conducted this audit to determine the extent to which DHS has implemented FITARA to improve department-wide IT management and oversight.

>DHS’ Progress in Implementing the Federal Information Technology Acquisition Reform Act 		2016
OIG-16-106-D FROM: John E. McCoy II

Assistant Inspector General for Audits

SUBJECT: Office of Inspector General Emergency Management Oversight Team Deployment Audits

Audit Report Numbers OIG-13-84, OIG-13-117, OIG-13-124, OIG-14-50-D, OIG-14-111-D, OIG-15-92-D, OIG-15-102-D, OIG-15-105-D, OIG-16-53-D, OIG-16-85-D, OIG-16-106-D, OIG-17-37-D

After completing an internal review of our audits related to multiple Emergency Management Oversight Team (EMOT) projects, we have decided to permanently remove the subject reports from our public website.

Our internal review found the subject reports may not have adequately answered objectives and, in some cases, may have lacked sufficient and appropriate evidence to support conclusions. Answering objectives with sufficient and appropriate evidence is required under Government Auditing Standards or Quality Standards for Inspection and Evaluation. In an abundance of caution, we believe it best to recall the reports and not re-issue them.

Going forward, our EMOTs will deploy during the response phase of a disaster to identify and alert the Federal Emergency Management Agency (FEMA) and its stakeholders of potential issues or risks if they do not follow FEMA and other Federal requirements. The EMOT’s reviews will not be conducted under Government Auditing Standards. The teams will continue to observe and identify potential risk areas that will be addressed by future traditional audits, if necessary.

A complete list of the projects removed from our website is attached. You should not place any reliance on these reports.

Please contact me at (202) 254-4100 if you have any questions.

>FEMA Was Generally Effective in Its Initial Response to the Severe Wildfires in California 		2016
OIG-16-74 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>Federal Law Enforcement Training Centers' Management Letter for DHS' FY 2015 Financial Statements Audit 		2016
OIG-16-42-D At the time of our audit, the Federal Emergency Management Agency (FEMA) estimated that the City of Colorado Springs, Colorado, (City) had sustained approximately $3.6 million in damages from storms in 2015. We conducted this audit early in the grant process to identify areas where the City may need additional technical assistance or monitoring to ensure compliance with Federal requirements. The City has established policies, procedures, and business practices to account for and expend FEMA Public Assistance grant funds according to Federal regulations and FEMA guidelines. Therefore, if the City follows those policies, procedures, and business practices, FEMA has reasonable assurance that the City will properly manage its FEMA grant.

>Colorado Springs, Colorado, Has Adequate Policies, Procedures, and Business Practices to Effectively Manage Its FEMA Public Assistance Grant Funding 		2016
OIG-16-10 The Federal Emergency Management Agency (FEMA) has taken steps to improve its IT management since our 2011 audit, but more remains to be done. Specifically, FEMA has developed numerous IT planning documents but has not effectively coordinated, executed, or followed through on these plans. Without effective IT planning, FEMA risks making limited progress improving IT needed to support the agency’s mission. Although FEMA has improved its IT governance through establishing an IT Governance Board, these efforts have not yet been fully effective. FEMA has struggled to implement effective agency-wide IT governance, in part because the Chief Information Officer has not had sufficient control and budget authority to effectively lead the agency’s decentralized IT environment. Without effective agency-wide IT governance, FEMA’s IT environment has evolved over time to become overly complex, difficult to secure, and costly to maintain.

>FEMA Faces Challenges in Managing Information Technology 		2016
OIG-16-140-D The Town of North Hempstead, New York, (Town) received a $36.6 million Federal Emergency Management Agency (FEMA) grant award for damages from Hurricane Sandy, which occurred in October 2012. We audited four projects totaling $20.9 million for debris removal and emergency protective services.

>FEMA Should Recover $9.9 Million of $36.6 Million Awarded to the Town of North Hempstead, New York, for Hurricane Sandy Damages 		2016
OIG-16-107-D At the time of our audit, FEMA had granted the Commission a $7.4 million grant for damages from severe storms, tornadoes, straight-line winds, and flooding that occurred in April and May 2014. We conducted this audit early in the grant process to identify areas where the Commission may need additional technical assistance or monitoring to ensure compliance with Federal requirements. What We

>The Baldwin County Commission Effectively Managed FEMA Grant Funds Awarded for Damages from Spring 2014 Storms 		2016
OIG-16-75 U.S. Customs and Border Protection’s (CBP) Office of Internal Affairs (IA) has oversight authority for all aspects of CBP operations, personnel, and facilities to ensure compliance with all CBP-wide programs and policies relating to corruption, misconduct, or mismanagement. From October 1, 2010, through March 12, 2015, CBP received 11,367 allegations of misconduct by its employees. IA investigated 6,524 of those allegations, of which 819 were classified as criminal.

>CBP Needs Better Data to Justify Its Criminal Investigator Staffing 		2016
OIG-16-43-D The Authority received an $8.04 million Public Assistance grant award from the Puerto Rico Emergency Management Agency (Puerto Rico), a FEMA grantee, for damages resulting from Hurricane Irene in August 2011. Our audit objective was to determine whether the Authority accounted for and expended FEMA funds according to Federal requirements. The Puerto Rico Electric Power Authority, Puerto Rico, (Authority) generally accounted for and expended Public Assistance grant funds according to Federal regulations and Federal Emergency Management Agency (FEMA) guidelines. However, the Authority did not comply with the Single Audit Act, which requires non-Federal entities that expend $500,000 or more in a year in Federal awards to obtain a single or program-specific audit for that year. Although the Authority did not take steps to ensure that it met the Single Audit Act requirements, Puerto Rico, as grantee, is responsible for ensuring that its subgrantee (the Authority) is aware of and complies with grant requirements. As a result of this deficiency, FEMA and Puerto Rico did not have an opportunity to review the Single Audit report that would have made them aware of any potential issues with the Authority’s administration of the FEMA grant.

>The Puerto Rico Electric Power Authority Effectively Managed FEMA Public Assistance Grant Funds Awarded for Hurricane Irene in August 2011 		2016
OIG-16-11 Since 2001, FEMA provided first responder organizations with more than $9 billion through the AFG and Staffing for Adequate Fire and Emergency Response (SAFER) programs. According to FEMA, it began using the eGrants system in 2003 to manage the funds awarded through these programs. However, the eGrants system does not comply with Department of Homeland Security (DHS) information system security requirements. Specifically, access to the eGrants system is not controlled or limited because FEMA instructs grantees to share usernames and passwords within the grantee’s organization and with contractors who manage grants. As a result, someone other than the primary point of contact can take action or make changes in eGrants without the grantee’s knowledge. Additionally, in June 2014, DHS’s Office of Cyber Security advised FEMA it should not authorize eGrants to operate because it poses an unacceptable level of risk to the agency. FEMA’s Chief Information Officer acknowledged the high level of risk posed by system deficiencies and vulnerabilities. Despite the known system deficiencies and risks, FEMA authorized the continued use of the system.

>Security Concerns with Federal Emergency Management Agency's eGrants Grant Management System 		2016
OIG-16-141 The Reducing Over- Classification Act requires Federal Government Inspectors General of departments that make original classification determinations to conduct no less than two evaluations of their agencies’ classification policies, procedures, rules, and regulations. The Department of Homeland Security (DHS) implemented the two recommendations from our first evaluation. In this second evaluation, we assessed DHS’ progress in its classification management program after implementing the recommendations. What We

>DHS Has Not Trained Classified Network Users on the Classification Management Tool 		2016
OIG-16-108 Management Advisory - DHS Should Better Evaluate the Performance of Its Working Capital Fund 2016
OIG-16-76 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>Science and Technology Directorate's Management Letter for DHS' FY 2015 Financial Statements Audit 		2016
OIG-16-44 We contracted with the independent public accounting firm KPMG, LLP to perform the audit of the consolidated financial statements of the U.S. Department of Homeland Security for the year ended September 30, 2015. KPMG, LLP evaluated selected general IT controls and business process application controls at the United States Coast Guard (Coast Guard). KPMG, LLP determined that Coast Guard took corrective actions to address one prior-year IT control deficiency. Specifically, Coast Guard made improvements over implementing certain account management and audit log controls. KPMG, LLP continued to identify general IT controls deficiencies related to access controls, segregation of duties, and configuration management of Coast Guard’s core financial and feeder systems. In many cases, new control deficiencies reflected weaknesses over controls and systems that were new to the scope of the FY15 audit Such deficiencies limited Coast Guard’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability.

>Information Technology Management Letter for the United States Coast Guard Component of the FY 2015 Department of Homeland Security Financial Statement Audit 		2016
OIG-16-12-D The City of Birmingham, Alabama, received a Public Assistance award of $13.2 million from the Alabama Emergency Management Agency, a FEMA grantee, for damages resulting from tornadoes and severe storms in April 2011. We audited projects totaling $11.3 million to determine whether the City accounted for and expended FEMA funds according to Federal requirements. For the projects we reviewed, the City generally accounted for and expended FEMA Public Assistance grant funds according to Federal requirements.

>FEMA The City of Birmingham, Alabama, Generally Managed FEMA Grant Funds for April 2011 Tornadoes and Severe Storms Properly 		2016
OIG-16-139-D Time is of the essence in establishing a Joint Field Office (JFO) as the nexus of disaster response and recovery efforts. FEMA needs to implement consistent JFO selection guidance so its disaster response is effective, efficient and economical. This audit was conducted as a follow up to our prior report on the JFO Selection in New Jersey and as part of our 2015 disaster deployment efforts in Texas and South Carolina.

>FEMA Should Implement Consistent Joint Field Office Guidance 		2016
OIG-16-109-D We prepared this report to assist recipients and subrecipients (grantees and subgrantees) of Federal Emergency Management Agency (FEMA) disaster assistance grants. We have updated this guide to include information on FEMA’s Public Assistance Program and Policy Guide (PAPPG) that supersedes many of the Public Assistance publications and individual policy documents. The PAPPG is effective for all emergencies and major disasters declared on or after January 01, 2016.

>Audit Tips For Managing Disaster-Related Project Costs 		2016
OIG-16-77 The Chief Financial Officers Act of 1990 (Public Law 101- 576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>United States Coast Guard's Management Letter for DHS' FY 2015 Financial Statements Audit 		2016
OIG-16-45 KPMG LLP evaluated selected general IT controls, IT entity-level controls, and business process application controls at DHS components. KPMG determined that the DHS components had made progress in remediating certain IT deficiencies we reported in FY 2014. Approximately 48 percent of the prior year IT deficiencies identified were repeated. The majority of the deficiencies identified by KPMG resulted from a lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with requirements of DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, and National Institute of Standards and Technology guidance. The deficiencies collectively limited DHS’ ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. The deficiencies at Customs and Border Protection, the United States Coast Guard, the Federal Emergency Management Agency, and U.S. Immigration and Customs Enforcement adversely impacted the internal controls over DHS’ financial reporting and its operation, and collectively represent a material weakness reported in the FY 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the FY 2015 Department of Homeland Security Financial Statement Audit 		2016
OIG-16-13 We conducted this audit to determine whether the Federal Emergency Management Agency (FEMA) and the Colorado Division of Homeland Security and Emergency Management (DHSEM) were sufficiently monitoring the Emergency Management Performance Grant (EMPG) program to ensure that funds were used in accordance with grant program guidelines and other applicable state and Federal laws. DHSEM needs to improve its grants management and internal controls over its financial systems. In addition, it needs to improve its maintenance of supporting documentation for all EMPG transactions, and monitoring of subgrantees. Without adequate grants management, financial controls, and retention of detailed supporting documentation for transactions and EMPG expenditures were not always recorded timely; inaccurate amounts were recorded; grants were improperly closed out; and financial reports submitted to FEMA were inaccurate.

>Oversight of the Colorado Emergency Management Performance Grant Program Needs Improvement 		2016
OIG-16-110-D The Minneapolis Park and Recreation Board (Board) received a $2.4 million award in Federal Emergency Management Agency (FEMA) grant funds for damages in Minneapolis, Minnesota, from severe storms, straight-line winds, and flooding in June 2013. Our audit objective was to determine whether the Board accounted for and expended FEMA funds according to Federal regulations and FEMA guidelines.

>Minneapolis Park and Recreation Board, Minneapolis, Minnesota, Generally Accounted For and Expended FEMA Grant Funds Properly 		2016
OIG-16-78-D The City of Evans, Colorado (City) received a $10.8 million grant from Colorado, a Federal Emergency Management Agency (FEMA) grantee, for damages from severe storms and flooding in September 2013. We conducted this audit early in the grant process to identify areas where the City may need additional technical assistance or monitoring to ensure compliance.

>Colorado Should Provide the City of Evans More Assistance in Managing FEMA Grant Funds 		2016
OIG-16-46 KPMG, LLP evaluated selected general IT controls and business process application controls at the Federal Emergency Management Agency (FEMA). KPMG, LLP determined that FEMA took corrective actions to address certain prior-year IT control deficiencies. For example, FEMA made improvements by designing and consistently implementing certain account management and configuration management controls. However, KPMG, LLP continued to identify general IT control deficiencies related to security management, access controls, segregation of duties, configuration management, and contingency planning for FEMA’s core financial and feeder systems. Collectively, these deficiencies limited FEMA’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.

>Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2015 Department of Homeland Security Financial Statement Audit 		2016
OIG-16-14 The Department of Homeland Security’s (DHS) Port Security Grant Program (PSGP), which is administered by the Federal Emergency Management Agency (FEMA), provides funding to port authorities, facility operators, and other eligible entities to help protect critical port infrastructure from terrorism. FEMA awarded the Lower Mississippi River Port-wide Strategic Security Council (Council) approximately $108 million in PSGP grant funds from fiscal years 2008 to 2013. We determined whether the Council managed, distributed, and spent PSGP funds in compliance with Federal laws, regulations, and guidance. About 73 percent of the nearly $108 million awarded to the Council to protect critical port infrastructure remains unspent. In addition, we identified more than $9.2 million in questioned costs. This occurred because the Council did not always follow Federal laws, regulations, or grant guidance; and FEMA failed to provide proper oversight. As a result, major Lower Mississippi River ports may be less prepared in the event of a terrorist attack.

>Lower Mississippi River Port-wide Strategic Security Council Did Not Always Properly Manage, Distribute, or Spend Port Security Grant Funds 		2016
OIG-16-142 Title IV, Section 406 of the Cybersecurity Act of 2015 requires Inspectors General to assess agency National Security Systems (NSS) and other systems that provide access to personally identifiable information (PII). We reviewed information security policies and practices for logical access and data protection at the Department of Homeland Security in four key areas, asrequired by the Act.

>Review of the Department of Homeland Security's Implementation of the Cybersecurity Act of 2015 		2016
OIG-16-111-VR Verification Review of Transportation Security Administration's Screening of Passengers by Observation Techniques/Behavior Detection and Analysis Program 2016
OIG-16-79 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>United States Citizenship and Immigration Services' Management Letter for DHS' FY 2015 Financial Statements Audit 		2016
OIG-16-47 FEMA does not provide adequate oversight of the WYO program under the National Flood Insurance Program (NFIP). Specifically, FEMA is not using the results from its Financial Control Plan reviews to make program improvements; is not performing adequate oversight of the Special Allocated Loss Adjustment Expense reimbursement process; and does not have adequate internal controls to provide proper oversight of the appeals process. These conditions exist because FEMA does not have adequate guidance, resources, or internal controls. As a result of this inadequate oversight, FEMA is unable to ensure that WYO companies are properly implementing the NFIP and is unable to identify systemic problems in the program. Furthermore, without adequate internal controls in place, FEMA’s NFIP funds may be at risk for fraud, waste, abuse, or mismanagement.

>FEMA Does Not Provide Adequate Oversight of Its National Flood Insurance Write Your Own Program 		2016
OIG-16-15 We reviewed the Department of Homeland Security’s (DHS) information security program for intelligence systems in accordance with the Federal Information Security Modernization Act. The objective of our review was to determine whether DHS’ information security program and practices are adequate and effective in protecting the information and the information systems that support DHS’ intelligence operations and assets. We assessed DHS programs for continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, plans of actions and milestones, remote access management, contingency planning, and contractor systems.

>Fiscal Year 2015 Evaluation of DHS' Compliance with FISMA Requirements for Intelligence Systems 		2016

*NDAA, Pub. L. 117-263, section 5274 Response Received. View responses

Return to top of page