Audits, Inspections, and Evaluations

Report Number Title Issue Date Fiscal Year
OIG-16-89 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year 2015 DHS Agency Financial Report.

>Information Technology Management Letter for Other Department of Homeland Security Components of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-90 KPMG LLP, under contract with the DHS Office of Inspector General, audited the U.S. Customs and Border Protection’s consolidated financial statements for fiscal year (FY) 2015. The resulting management letter contains 16 observations related to internal controls and other operational matters for management’s consideration. KPMG LLP noted internal control deficiencies and the need for improvement in several processes including control over settlement assets; the trade compliance measurement review process; review of Federal Employee Compensation Act Claims; controls in the seized and forfeited property inventory process; and reviews over the Performance and Accountability Report. These deficiencies did not meet the criteria to be reported in the Independent Auditors' Report on U.S. Customs and Border Protection’s FY 2015 Consolidated Financial Statements, dated March 21, 2016. These observations are intended to improve internal control or result in other operating efficiencies.

>Management Letter for the U.S. Customs and Border Protection's FY 2015 Consolidated Financial Statements Audit
2016
OIG-16-91 We conducted this audit to determine the extent to which the Transportation Security Administration (TSA) has the policies, processes, and oversight measures to improve security at the National Railroad Passenger Corporation (Amtrak). TSA has limited regulatory oversight processes to strengthen passenger security at Amtrak because the component has not fully implemented all requirements from Public Law 110–53, Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act). Federal regulations require Amtrak to appoint a rail security coordinator and report significant security concerns to TSA. Although the 9/11 Act requires TSA to establish additional passenger rail regulations, the component has not fully implemented those regulations. Specifically, TSA has not issued regulations to assign rail carriers to high-risk tiers; established a rail training program; and conducted security background checks of frontline rail employees. In the absence of formal regulations, TSA relies on outreach programs, voluntary initiatives, and recommended measures to assess and improve rail security for Amtrak.

>TSA Oversight of National Passenger Rail System Security
2016
OIG-16-68 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year (FY) 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the FY 2015 U.S. Customs and Border Protection
2016
OIG-16-88 Our objective was to determine whether the Department of Homeland Security complied with the Improper Payments Elimination and Recovery Act of 2010 (IPERA). We also evaluated the accuracy and completeness of DHS’ improper payment reporting.

>Department of Homeland Security's FY 2015 Compliance with the Improper Payments Elimination and Recovery Act of 2010
2016
OIG-16-82 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the Science and Technology Directorate Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-84 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year (FY) 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the National Protection and Programs Directorate Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-87 We previously reported on deficiencies in information technology (IT) security controls of the Security Technology Integrated Program (STIP), a data management system that connects airport transportation security equipment (TSE) to servers. We conducted this audit to assess the current extent of the deficiencies and the actions the Transportation Security Administration (TSA) has taken to address them. Wha

>IT Management Challenges Continue in TSA's Security Technology Integrated Program (Redacted)
2016
OIG-16-70 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year (FY) 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the U.S. Citizenship and Immigration Services Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-86-D The April 2013 fertilizer plant explosion devastated the City of West, Texas, killing 15 people and leveling homes in a 5-block radius. The West School Administration received a $5.1 million Federal Emergency Management Agency (FEMA) grant from the Texas Division of Emergency Management, a FEMA grantee, for emergency measures. Our audit objective was to determine whether West School Administration accounted for and expended FEMA funds according to Federal requirements.

>The West School Administration Effectively Accounted for the FEMA Emergency Grant Funds Awarded for the West, Texas Fertilizer Plant Explosion
2016
OIG-16-85-D FROM: John E. McCoy II

Assistant Inspector General for Audits

SUBJECT: Office of Inspector General Emergency Management Oversight Team Deployment Audits

Audit Report Numbers OIG-13-84, OIG-13-117, OIG-13-124, OIG-14-50-D, OIG-14-111-D, OIG-15-92-D, OIG-15-102-D, OIG-15-105-D, OIG-16-53-D, OIG-16-85-D, OIG-16-106-D, OIG-17-37-D

After completing an internal review of our audits related to multiple Emergency Management Oversight Team (EMOT) projects, we have decided to permanently remove the subject reports from our public website.

Our internal review found the subject reports may not have adequately answered objectives and, in some cases, may have lacked sufficient and appropriate evidence to support conclusions. Answering objectives with sufficient and appropriate evidence is required under Government Auditing Standards or Quality Standards for Inspection and Evaluation. In an abundance of caution, we believe it best to recall the reports and not re-issue them.

Going forward, our EMOTs will deploy during the response phase of a disaster to identify and alert the Federal Emergency Management Agency (FEMA) and its stakeholders of potential issues or risks if they do not follow FEMA and other Federal requirements. The EMOT’s reviews will not be conducted under Government Auditing Standards. The teams will continue to observe and identify potential risk areas that will be addressed by future traditional audits, if necessary.

A complete list of the projects removed from our website is attached. You should not place any reliance on these reports.

Please contact me at (202) 254-4100 if you have any questions.

>FEMA's Initial Response to the 2015 Texas Spring Severe Storms and Flooding
2016
OIG-16-83 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the Office of Financial Management and Office of Chief Information Officer Components of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-81 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>United States Secret Service's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-76 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>Science and Technology Directorate's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-78-D The City of Evans, Colorado (City) received a $10.8 million grant from Colorado, a Federal Emergency Management Agency (FEMA) grantee, for damages from severe storms and flooding in September 2013. We conducted this audit early in the grant process to identify areas where the City may need additional technical assistance or monitoring to ensure compliance.

>Colorado Should Provide the City of Evans More Assistance in Managing FEMA Grant Funds
2016
OIG-16-79 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>United States Citizenship and Immigration Services' Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-77 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>United States Coast Guard's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-80 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>United States Immigration and Customs Enforcement's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-69 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year (FY) 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the United States Secret Service Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-75 U.S. Customs and Border Protection’s (CBP) Office of Internal Affairs (IA) has oversight authority for all aspects of CBP operations, personnel, and facilities to ensure compliance with all CBP-wide programs and policies relating to corruption, misconduct, or mismanagement. From October 1, 2010, through March 12, 2015, CBP received 11,367 allegations of misconduct by its employees. IA investigated 6,524 of those allegations, of which 819 were classified as criminal.

>CBP Needs Better Data to Justify Its Criminal Investigator Staffing
2016
OIG-16-74 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>Federal Law Enforcement Training Centers' Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-73 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>National Protection and Programs Directorate's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-72 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>Federal Emergency Management Agency's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-71 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. For

>Office of Health Affairs’ Management Letter for DHS’ FY 2015 Financial Statements Audit
2016
OIG-16-61 Each year, our independent auditors identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit. This letter provides details that were not included in the fiscal year 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the U. S. Immigration and Customs Enforcement Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-12-48

>Department of Homeland Security's Compliance with the Improper Payments Elimination and Recovery Act of 2010 (Revised)
2012
OIG-16-66-D The Municipality of Villalba, Puerto Rico (Municipality), received a $2.58 million grant award from the Puerto Rico Emergency Management Agency (Puerto Rico), a Federal Emergency Management Agency (FEMA) grantee, for damages resulting from Hurricane Irene in August 2011.

>FEMA Should Disallow $1.30 Million of $2.58 Million in Public Assistance Grant Funds Awarded to the Municipality of Villalba, Puerto Rico, for Hurricane Irene Damages
2016
OIG-16-67-D The Town of Lyons, Colorado (Town), received a $36 million Public Assistance grant for damages from a September 2013 flood. We conducted this audit early in the grant process to identify areas where the Town may need additional technical assistance or monitoring to ensure compliance with Federal requirements.

>Lyons and Colorado Officials Should Continue to Improve Management of $36 Million FEMA Grant
2016
OIG-16-65 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>Office of Financial Management's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-63-D San Bernardino County, California (County), received a $16.5 million Public Assistance grant award for damages resulting from California wildfires that occurred from October 2007 through March 2008. We audited $14.3 million of the $16.5 million gross award.

>San Bernardino County, California, Generally Accounted for and Expended FEMA Public Assistance Funds Properly
2016
OIG-16-64 We conducted this review of the Secret Service as part of an overall review of the Secret Service’s presidential protective function to determine whether in three incidents the Secret Service followed its own protective policies, what actions were taken to correct identified deficiencies, and whether these corrections are adequate.

>2014 White House Fence Jumping Incident (Redacted)
2016
OIG-16-62 The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting.

>Management Directorate's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-60-D The Municipality of Jayuya, Puerto Rico (Municipality), received a $4.46 million grant award from the Puerto Rico Emergency Management Agency (Puerto Rico), a Federal Emergency Management Agency (FEMA) grantee, for damages resulting from Hurricane Irene in August 2011. We audited projects totaling $3.54 million to determine whether the Municipality accounted for and expended FEMA funds according to Federal requirements. For the projects we reviewed, the Municipality generally accounted for and expended FEMA funds according to Federal requirements. However, we did identify $267,960 (Federal share $200,970) of costs that FEMA should disallow. These costs consisted of $237,695 of duplicate benefits and $30,265 of unsupported project costs.

>FEMA Should Recover $267,960 of $4.46 Million in Public Assistance Grant Funds Awarded to the Municipality of Jayuya, Puerto Rico, for Hurricane Irene Damages
2016
OIG-16-57 KPMG LLP, under contract with the DHS Office of Inspector General, audited the Domestic Nuclear Detection Office’s (DNDO) financial statements and internal control over financial reporting for fiscal year (FY) 2015. The management letter contains one observation related to internal controls and other operational matters for management’s consideration. KPMG LLP noted an internal control deficiency and the need for improvement in the undelivered order process. The deficiency is not considered significant and was not required to be reported in the Independent Auditors’ Report on DHS’ FY 2015 Financial Statements and Internal Control over Financial Reporting, dated November 13, 2015, included in the DHS FY 2015 Agency Financial Report.

>Domestic Nuclear Detection Office's Management Letter for DHS' FY 2015 Financial Statements Audit
2016
OIG-16-58 On March 4, 2015, Congress enacted Public Law 114–4, Consolidated Appropriations Act, 2015. According to Section 518(a), the Secretary of Department of Homeland Security (DHS) shall submit a report not later than October 15, 2015, to the Office of Inspector General, listing all grants and contracts awarded by any means other than full and open competition during fiscal year (FY) 2015. As required, we reviewed the report and assessed departmental compliance with applicable laws, regulations, and departmental procedures.

>DHS Contracts and Grants Awarded through Other Than Full and Open Competition FY 2015
2016
OIG-16-59 Public Law 110-53, Implementing Recommendations of the 9/11 Commission Act of 2007, requires the Department of Homeland Security (DHS) Office of Inspector General (OIG) to audit individual states’ management of Homeland Security Grant Program (HSGP) awards. We audited the State of Maryland, which was awarded $35 million from FEMA for fiscal years 2011–13. In most instances, Maryland distributed and spent the HSGP awards in compliance with applicable laws and regulations; however, the State lacked adequate controls over more than $10.8 million in grant funds we reviewed. This occurred because FEMA and the State did not ensure adequate management and oversight of HSGP funds.

>Maryland's Management of Homeland Security Grant Program Awards for Fiscal Years 2011-13
2016
OIG-16-51 We conducted this review to determine whether U.S. Customs and Border Protection (CBP) has implemented the Department of Homeland Security’s (DHS) Prison Rape Elimination Act of 2003 (PREA) regulations. The DHS PREA regulations set standards for CBP to prevent, detect, and respond to sexual abuse and assault. The regulations also require CBP to complete audits of holding facilities that “house detainees overnight” by July 2018. Since DHS issued its PREA regulations, CBP has taken measures, including issuing its zero-tolerance policy and designating a full-time Prevention of Sexual Assault Coordinator, to ensure its offices, stakeholders, and managers are aware of CBP’s roles and responsibilities. However, CBP’s implementation actions lack adequate planning, a budget, a component-wide policy to coordinate the efforts of all offices and personnel, and criteria to determine which facilities should be defined as overnight facilities and therefore subject to audits. Further, at the time of our review, CBP had not determined the feasibility of securing a joint PREA audit contract with U.S. Immigration and Customs Enforcement. These problems may hinder CBP’s implementation of the DHS PREA regulations and ultimately, its ability to meet PREA’s goal to prevent, detect, and respond to sexual abuse and assault.

>CBP Needs to Better Plan Its Implementation of the DHS Prison Rape Elimination Act Regulations
2016
OIG-16-55 We contracted with the independent public accounting firm KPMG LLP (KPMG) to audit DHS’ fiscal year (FY) 2015 consolidated financial statements and internal control over financial reporting. KPMG expressed an unmodified (clean) opinion on the consolidated financial statements, and issued an adverse opinion on DHS’ internal control over financial reporting for FY 2015. The management letter contains 89 observations related to internal control and other operational matters for management’s consideration. KPMG noted deficiencies and the need for improvement in certain processes. These deficiencies did not meet the criteria to be reported in the Independent Auditors’ Report on DHS’ FY 2015 Financial Statements and Internal Control over Financial Reporting, dated November 13, 2015, included in the DHS FY 2015 Agency Financial Report.

>Management Letter for the Audit of DHS' FY 2015 Financial Statements and Internal Control over Financial Reporting
2016
OIG-16-56 We contracted with the independent public accounting firm KPMG, LLP to perform the audit of the consolidated financial statements of the U.S. Department of Homeland Security for the year ended September 30, 2015. KPMG evaluated select general information technology controls (GITCs), entity level controls, and business process application controls at the Federal Law Enforcement Training Center (FLETC). KPMG determined that FLETC took corrective action to address certain prior IT control deficiencies. For example, FLETC made improvements by designing and consistently implementing controls related to the separation and termination of contractors. However, KPMG continued to identify GITC deficiencies related to access controls and configuration management for FLETC’s core financial systems. The conditions supporting our findings collectively limited FLETC’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.

>Information Technology Management Letter for the Federal Law Enforcement Center Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-50 KPMG, LLP evaluated selected general IT controls and business process application controls at the Transportation Security Administration (TSA). KPMG, LLP determined that TSA made improvements over consistently implementing certain technical account security controls and audit log reviews. However, KPMG continued to identify general IT control deficiencies (GITCs) related to access controls for TSA’s core financial and feeder systems. New control deficiencies reflected weaknesses over controls for systems that were new to the scope of testing GITCs for the FY 2015 audit. The conditions supporting our findings collectively limited TSA’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability.

>Information Technology Management Letter for the Transportation Security Administration Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-53-D FROM: John E. McCoy II

Assistant Inspector General for Audits

SUBJECT: Office of Inspector General Emergency Management Oversight Team Deployment Audits

Audit Report Numbers OIG-13-84, OIG-13-117, OIG-13-124, OIG-14-50-D, OIG-14-111-D, OIG-15-92-D, OIG-15-102-D, OIG-15-105-D, OIG-16-53-D, OIG-16-85-D, OIG-16-106-D, OIG-17-37-D

After completing an internal review of our audits related to multiple Emergency Management Oversight Team (EMOT) projects, we have decided to permanently remove the subject reports from our public website.

Our internal review found the subject reports may not have adequately answered objectives and, in some cases, may have lacked sufficient and appropriate evidence to support conclusions. Answering objectives with sufficient and appropriate evidence is required under Government Auditing Standards or Quality Standards for Inspection and Evaluation. In an abundance of caution, we believe it best to recall the reports and not re-issue them.

Going forward, our EMOTs will deploy during the response phase of a disaster to identify and alert the Federal Emergency Management Agency (FEMA) and its stakeholders of potential issues or risks if they do not follow FEMA and other Federal requirements. The EMOT’s reviews will not be conducted under Government Auditing Standards. The teams will continue to observe and identify potential risk areas that will be addressed by future traditional audits, if necessary.

A complete list of the projects removed from our website is attached. You should not place any reliance on these reports.

Please contact me at (202) 254-4100 if you have any questions.

>FEMA's Initial Response to the Severe Storms and Flooding in South Carolina
2016
OIG-16-52-D The Pueblo of Jemez, New Mexico (Pueblo), received a Public Assistance grant award of $1.6 million from the New Mexico Department of Homeland Security and Emergency Management (New Mexico), a Federal Emergency Management Agency (FEMA) grantee, for damages from severe storms, flooding, and mudslides that occurred in September 2013. The Pueblo accounted for disaster costs on a project-by-project basis. However, the Pueblo did not follow Federal procurement standards in awarding five contracts totaling $312,117. As a result, full and open competition did not occur and FEMA has no assurance that small and minority businesses and women’s business enterprises had sufficient opportunities to bid on federally funded work. In some instances, FEMA also has no assurance that costs were reasonable.

>FEMA Should Recover $312,117 of $1.6 Million Grant Funds Awarded to the Pueblo of Jemez, New Mexico
2016
OIG-16-54 In the independent auditors’ opinion, the financial statements present fairly, in all material respects, CBP’s financial position as of September 30, 2015. The report identifies four significant deficiencies in internal control, two of which are considered material weaknesses. The material weaknesses are in drawback of duties, taxes, and fees and information technology. The two other significant deficiencies were in internal control in the entry process and entity-level controls.

>Independent Auditors' Report on U.S. Customs and Border Protection's FY 2015 Consolidated Financial Statements
2016
OIG-16-49 FEMA’s Homeland Security Grant Program (HSGP) provides funds to state, territorial, local, and tribal governments to enhance their ability to prepare for, prevent, protect, respond to, and recover from terrorist attacks, major disasters, and other emergencies. FEMA has not adequately analyzed recurring Office of Inspector General recommendations to implement permanent changes to improve its oversight of HSGP. This occurred because FEMA has not clearly communicated internal roles and responsibilities, and does not have policies and procedures for conducting substantive trend analysis of audit recommendations. Without sufficiently analyzing audit findings and recommendations, FEMA may not be able to develop proactive solutions to recurring and systemic problems, resulting in missed opportunities to improve the management and oversight of its HSGP.

>Analysis of Recurring Audit Recommendations Could Improve FEMA's Oversight of HSGP
2016
OIG-16-48 Since 2005, USCIS has worked to transform its paper-based processes into an integrated and automated immigration benefits processing environment. As we previously reported, past automation attempts have been hampered by ineffective planning, multiple changes in direction, and inconsistent stakeholder involvement. Current USCIS efforts to automate immigration benefits processing also could be improved. Although USCIS deployed the Electronic Immigration System (ELIS) in May 2012, to date only two of approximately 90 types of immigration benefits and services are available for online customer filing. The current ELIS approach also has not ensured stakeholder involvement, performance metrics, system testing, or user support needed for ELIS to be effective. As it struggles to address these issues, USCIS now estimates that it will take three more years—over four years longer than estimated—and an additional $1 billion to automate all benefit types as expected. Until USCIS fully implements ELIS with all the needed improvements, the agency will remain unable to achieve its workload processing, customer service, and national security goals.

>USCIS Automation of Immigration Benefits Processing Remains Ineffective
2016
OIG-16-47 FEMA does not provide adequate oversight of the WYO program under the National Flood Insurance Program (NFIP). Specifically, FEMA is not using the results from its Financial Control Plan reviews to make program improvements; is not performing adequate oversight of the Special Allocated Loss Adjustment Expense reimbursement process; and does not have adequate internal controls to provide proper oversight of the appeals process. These conditions exist because FEMA does not have adequate guidance, resources, or internal controls. As a result of this inadequate oversight, FEMA is unable to ensure that WYO companies are properly implementing the NFIP and is unable to identify systemic problems in the program. Furthermore, without adequate internal controls in place, FEMA’s NFIP funds may be at risk for fraud, waste, abuse, or mismanagement.

>FEMA Does Not Provide Adequate Oversight of Its National Flood Insurance Write Your Own Program
2016
OIG-16-46 KPMG, LLP evaluated selected general IT controls and business process application controls at the Federal Emergency Management Agency (FEMA). KPMG, LLP determined that FEMA took corrective actions to address certain prior-year IT control deficiencies. For example, FEMA made improvements by designing and consistently implementing certain account management and configuration management controls. However, KPMG, LLP continued to identify general IT control deficiencies related to security management, access controls, segregation of duties, configuration management, and contingency planning for FEMA’s core financial and feeder systems. Collectively, these deficiencies limited FEMA’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.

>Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-45 KPMG LLP evaluated selected general IT controls, IT entity-level controls, and business process application controls at DHS components. KPMG determined that the DHS components had made progress in remediating certain IT deficiencies we reported in FY 2014. Approximately 48 percent of the prior year IT deficiencies identified were repeated. The majority of the deficiencies identified by KPMG resulted from a lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with requirements of DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, and National Institute of Standards and Technology guidance. The deficiencies collectively limited DHS’ ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. The deficiencies at Customs and Border Protection, the United States Coast Guard, the Federal Emergency Management Agency, and U.S. Immigration and Customs Enforcement adversely impacted the internal controls over DHS’ financial reporting and its operation, and collectively represent a material weakness reported in the FY 2015 DHS Agency Financial Report.

>Information Technology Management Letter for the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-44 We contracted with the independent public accounting firm KPMG, LLP to perform the audit of the consolidated financial statements of the U.S. Department of Homeland Security for the year ended September 30, 2015. KPMG, LLP evaluated selected general IT controls and business process application controls at the United States Coast Guard (Coast Guard). KPMG, LLP determined that Coast Guard took corrective actions to address one prior-year IT control deficiency. Specifically, Coast Guard made improvements over implementing certain account management and audit log controls. KPMG, LLP continued to identify general IT controls deficiencies related to access controls, segregation of duties, and configuration management of Coast Guard’s core financial and feeder systems. In many cases, new control deficiencies reflected weaknesses over controls and systems that were new to the scope of the FY15 audit. Such deficiencies limited Coast Guard’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability.

>Information Technology Management Letter for the United States Coast Guard Component of the FY 2015 Department of Homeland Security Financial Statement Audit
2016
OIG-16-43-D The Authority received an $8.04 million Public Assistance grant award from the Puerto Rico Emergency Management Agency (Puerto Rico), a FEMA grantee, for damages resulting from Hurricane Irene in August 2011. Our audit objective was to determine whether the Authority accounted for and expended FEMA funds according to Federal requirements. The Puerto Rico Electric Power Authority, Puerto Rico, (Authority) generally accounted for and expended Public Assistance grant funds according to Federal regulations and Federal Emergency Management Agency (FEMA) guidelines. However, the Authority did not comply with the Single Audit Act, which requires non-Federal entities that expend $500,000 or more in a year in Federal awards to obtain a single or program-specific audit for that year. Although the Authority did not take steps to ensure that it met the Single Audit Act requirements, Puerto Rico, as grantee, is responsible for ensuring that its subgrantee (the Authority) is aware of and complies with grant requirements. As a result of this deficiency, FEMA and Puerto Rico did not have an opportunity to review the Single Audit report that would have made them aware of any potential issues with the Authority’s administration of the FEMA grant.

>The Puerto Rico Electric Power Authority Effectively Managed FEMA Public Assistance Grant Funds Awarded for Hurricane Irene in August 2011
2016