FEMA needs better IT systems to cut risk of double-dipping, auditors say
FEMA pays out billions in disaster aid without the means to guard against double-dipping, according to a new audit.
The Federal Emergency Management Agency is at high risk of paying duplicate benefits to disaster victims because of limitations in its business processes and information technology systems, according to a new audit released by an inspector general.
The IG of FEMA's parent department, the Homeland Security Department, hired the KPMG LLP accounting firm to review $22.7 billion worth of disaster aid distributed by FEMA under the National Flood Insurance Program and in the Individuals and Households Program from August 2005 to August 2006, according to the report published Oct. 30.
Duplication of benefits can occur in several ways, including recipients of flood insurance also receiving homeowners’ insurance payments, or recipients of cash grants for housing also receiving government-supplied motel rooms, trailers or home repair funding.
Because of limitations in FEMA's IT systems, KPMG said it was not able to determine a specific amount of duplicate payments. For example, applicant data may be entered into one of several FEMA processing systems, which are not interconnected, and the result is significant data inconsistency.
However, KPMG auditors concluded that the risk of double-dipping is substantial.
“FEMA’s risk of paying duplicate benefits is high because of limitations in how FEMA’s business processes and systems collect and maintain disaster assistance data,” the audit states. “The process and system limitations reduce FEMA’s ability to operate sound management controls to identify and prevent duplicate payments.”
The auditors recommend that FEMA implement improved business processes and IT systems and correct data inconsistencies. FEMA officials agreed with the recommendations.
It is not the first time FEMA has been criticized for weak business controls. In April, DHS Inspector General Richard Skinner pointed out problems with FEMA's information security controls.
NEXT STORY: Two cases for the cloud