Expedited Assistance for Victims of Hurricanes Katrina and Rita: 
FEMA's Control Weaknesses Exposed the Government to Significant  
Fraud and Abuse (13-FEB-06, GAO-06-403T).			 
                                                                 
As a result of widespread congressional and public interest in	 
the federal response to hurricanes Katrina and Rita, GAO	 
conducted an audit of the Individuals and Households Program	 
(IHP) under Comptroller General of the United States statutory	 
authority. Hurricanes Katrina and Rita destroyed homes and	 
displaced millions of individuals. In the wake of these natural  
disasters, FEMA faced the challenge of providing assistance	 
quickly and with minimal "red tape," while having sufficient	 
controls to provide assurance that benefits were paid only to	 
eligible individuals and households. In response to this	 
challenge, FEMA provided $2,000 in IHP payments to affected	 
households via its Expedited Assistance (EA) program. Victims who
received EA may qualify for up to $26,200 in IHP assistance. As  
of mid-December 2005, IHP payments totaled about $5.4 billion,	 
with $2.3 billion provided in the form of EA. These payments were
made via checks, electronic fund transfers, and a small number of
debit cards. GAO's testimony will provide the results to date	 
related to whether (1) controls are in place and operating	 
effectively to limit EA to qualified applicants, (2) indications 
exist of fraud and abuse in the application for and receipt of EA
and other payments, and (3) controls are in place and operating  
effectively over debit cards to prevent duplicate EA payments and
improper usage. 						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-403T					        
    ACCNO:   A46737						        
  TITLE:     Expedited Assistance for Victims of Hurricanes Katrina   
and Rita: FEMA's Control Weaknesses Exposed the Government to	 
Significant Fraud and Abuse					 
     DATE:   02/13/2006 
  SUBJECT:   Accountability					 
	     Check disbursement or control			 
	     Data mining					 
	     Disaster relief aid				 
	     Eligibility determinations 			 
	     Erroneous payments 				 
	     Fraud						 
	     Hurricane Katrina					 
	     Hurricane Rita					 
	     Hurricanes 					 
	     Identity verification				 
	     Internal controls					 
	     Natural disasters					 
	     Program abuses					 
	     Expedited Assistance Program			 
	     Individuals and Households Program 		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-403T

     

     * Summary
     * FEMA's Controls to Prevent Potentially Fraudulent Payments W
          * Pressure to Swiftly Deliver Aid Led to Approval of Expedited
          * FEMA Did Not Validate Identity of Registrants Who Applied fo
               * Control Weaknesses Enabled GAO to Obtain $2,000 Expedited As
          * Other Control Weaknesses Exacerbated Government Exposure to
     * Potentially Fraudulent Activities Resulting from Weak or Non
          * Case Study Examples Show That Control Weaknesses Have Been E
          * Data Mining Indicates Potential Fraud and Abuse Beyond Our C
               * Misuse of Social Security Numbers on Registrations
               * Same Social Security Numbers Used on Multiple Registrations
               * Multiple Payments Made to Different Registrations Containing
     * Controls over Debit Cards Were Ineffective in Preventing Dup
          * Debit Cards Issued to Individuals Providing Invalid Social S
          * Thousands of Debit Card Recipients Received Multiple Expedit
          * FEMA Debit Card Transactions
     * Conclusions
          * Contacts and Acknowledgements
     * Appendix I: Objectives, Scope, and Methodology
          * Order by Mail or Phone

Testimony

Before the Senate Committee on Homeland Security and Governmental Affairs

United States Government Accountability Office

GAO

For Release on Delivery Expected at 10 a.m. EST

Monday, February 13, 2006

EXPEDITED ASSISTANCEFOR VICTIMS OF HURRICANES KATRINA AND RITA

FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse

Statement of Gregory D. Kutz, Managing Director Forensic Audits and
Special Investigations

GAO-06-403T

Chairman and Members of the Committee:

Thank you for the opportunity to discuss our ongoing forensic audit and
related investigations of assistance provided to individuals and
households related to hurricanes Katrina and Rita. The Individuals and
Households Program (IHP), a major component of the federal disaster
response efforts established under the Robert T. Stafford Disaster Relief
and Emergency Assistance Act (Stafford Act),1 is designed to provide
financial assistance to individuals and households who, as a direct result
of a major disaster, have necessary expenses and serious needs that cannot
be met through other means. As of mid-December 2005, the Federal Emergency
Management Agency (FEMA) had distributed nearly $5.4 billion in IHP
assistance on more than 1.4 million registrations. Hurricanes Katrina and
Rita destroyed homes and displaced individuals across the gulf coast
region. In the wake of these massive natural disasters, FEMA faced the
formidable challenge of providing at least some initial assistance to over
a million registrants quickly with minimal "red tape," while having
sufficient controls in place to provide assurance that benefits were paid
only to eligible individuals and households.

Disaster relief covered by IHP includes temporary housing assistance, real
and personal property repair and replacement, and other necessary expenses
related to a disaster. IHP assistance is generally delivered after an
inspection has been conducted to verify the extent of loss and determine
eligibility. Because of the tremendous devastation caused by hurricanes
Katrina and Rita, FEMA activated expedited assistance to provide fast
track money2-in the form of $2,000 in expedited assistance payments-to
eligible disaster victims to help with immediate, emergency needs of food,
shelter, clothing, and personal necessities. This swift response was vital
in helping victims of hurricanes Katrina and Rita. FEMA specified that
expedited assistance payments were to be provided only to individuals and
households who, as a result of hurricanes Katrina and Rita, were displaced
from their predisaster primary residences and were in need of shelter.
Typically a household3 can only receive one expedited assistance payment.
Exceptions are made in situations where household members are displaced to
separate locations, in which case more than one member of the household
may be eligible for payments. FEMA provided expedited assistance payments
related to hurricanes Katrina and Rita predominantly through electronic
funds transfer (EFT) and checks sent to the registrants' current
addresses.4 In addition, FEMA provided a limited amount of expedited
assistance via debit cards5 distributed at three locations in Texas.

1Pub. L. 93-288, 88 Stat. 143 (1974) (amended 2000).

2The expedited assistance process is not specifically authorized in the
Stafford Act. However, FEMA previously has asserted, and we have agreed,
that it has legal authority under the act to implement expedited, or fast
track, procedures. Disaster Assistance: Guidance Needed for FEMA's "Fast
Track" Housing Assistance Process, GAO-RCED-98-1 (Washington, D.C.: Oct.
1997).

As of mid-December 2005, FEMA data showed that the agency had delivered 44
percent ($2.3 billion) of the $5.4 billion in IHP aid through expedited
assistance to hurricanes Katrina and Rita registrants across at least 175
counties in 4 different states. Almost $1.6 billion went to individuals
with damaged addresses in Louisiana, more than $400 million to individuals
in Texas, and over $300 million to individuals in Alabama and Mississippi.
Registrants determined to be eligible for expedited assistance may also be
eligible to receive additional IHP payments up to the overall IHP cap of
$26,200.

Our current audit and investigation is being performed under the statutory
authority given to the Comptroller General of the United States. Our audit
and investigation is conducted under the premise that while the federal
government needs to provide swift and compassionate assistance to the
victims of natural disasters, public confidence in an effective disaster
relief program that takes all possible steps to minimize fraud, waste, and
abuse needs to be preserved. Today, we will summarize the results from our
ongoing forensic audit and related investigations of the IHP program.6
This testimony will provide the results of our work related to whether (1)
controls are in place and operating effectively to limit expedited
assistance to qualified registrants, (2) indications exist of fraud and
abuse in the registration for and receipt of expedited assistance and
other payments, and (3) controls are in place and operating effectively
over debit cards to prevent duplicate payments and improper usage. We plan
to issue a detailed report with recommendations on the results of our
audit.

3The Act's implementing regulations define a household as all persons
(including adults and children) who lived in the predisaster residence, as
well as any other persons not present at the time but who are expected to
return during the assistance period. 44 C.F.R. S: 206.111.

4Current address refers to the address at which the disaster victim is
currently residing. Damaged addresses are the addresses which were
affected by the hurricanes.

5The debit card program is a pilot program implemented primarily to
provide expedited assistance to individuals and households housed at three
Texas shelters. The debit cards, which resemble credit cards and bear the
MasterCard logo, can be used at ATMs and at any commercial outlet that
accepts MasterCard.

6We are also releasing today the results of our limited investigation into
allegations that Military Meals, Ready-To-Eat rations intended for use in
the hurricane relief efforts were instead sold to the public on the
Internet auction site eBay. See GAO, Investigation: Military Meals,
Ready-To-Eat Sold on eBay, GAO-06-410R (Washington, D.C.: Feb. 13, 2006).

Thus far, our work has focused primarily on the IHP registration process
because individuals whose registrations are approved have access to
expedited assistance payments and subsequently the full range of IHP
benefits. To assess the design of controls, we performed walkthroughs of
FEMA's processes for accepting registrations and awarding expedited
assistance funds. To determine whether indications existed of fraud and
abuse in expedited assistance and other disbursements, we provided FEMA
data to the Social Security Administration (SSA) to verify against their
records of valid social security numbers (SSNs), and reviewed the FEMA
database of IHP registrations for other anomalies using data mining
techniques. To determine whether registrations resulted in potentially
fraudulent or improper payments, we selected a nonrepresentative selection
of 248 registrations from our data mining results for further
investigations. The 248 registrations represented 20 case studies-some
involving multiple registrants-that we linked together through identical
names, SSNs, damaged addresses and/or current addresses. Our analysis of
potentially fraudulent use of SSNs and other data mining efforts are
ongoing, and we plan to report on additional results in the future. For
purposes of this testimony, we did not conduct sufficient work to project
the magnitude of potentially fraudulent and improper IHP payments. We also
proactively tested the adequacy of controls over the registration process
for disaster assistance by submitting claims for relief using falsified
identities, bogus addresses, and fabricated disaster stories. These tests
were performed before FEMA provided us any information related to the
processes used to screen IHP registrations and preclude some fraudulent
registrations. Additional details on our scope and methodologies are
included in appendix I.

In the course of our work, we made numerous written requests for key
documents and sets of data related to the IHP, most dating back to October
2005. While FEMA officials promptly satisfied one key part of our
request-databases of IHP registrants and payments-the majority of what we
requested has not been provided. On January 18, 2006, the Department of
Homeland Security (DHS)7 Office of General Counsel did provide us with
well less than half of the documents that were requested. While the
database and other data provided by FEMA enabled us to design procedures
to test the effectiveness of FEMA's system of internal controls, it did
not enable us to fully determine the root causes of weak or non-existent
controls and formulate detailed recommendations. For example, as will be
discussed later, FEMA and the DHS had not provided us documentation to
enable us to conclusively determine the reason that FEMA submitted some
registrations, and did not submit other registrations, to identity
validation prior to issuing expedited assistance payments.

We conducted our audit and investigations from October 2005 through
January 2006. Except for restrictions discussed previously related to the
limitations that DHS placed on the scope on our audit work, we conducted
our audit work in accordance with generally accepted government auditing
standards and conducted investigative work in accordance with the
standards prescribed by the President's Council on Integrity and
Efficiency. Our findings today focus primarily on the results to date from
of our data mining and investigative techniques.

                                    Summary

We found weaknesses in the process that FEMA used to review registrations
for disaster relief and approve assistance payments. These weaknesses
leave the government vulnerable to fraud and abuse. Our work indicates
that FEMA put in place limited procedures designed to prevent, detect, and
deter certain types of duplicate and potentially fraudulent disaster
registrations. However, FEMA did not apply these limited procedures to
most registrations, thus leaving a substantial number of registrations
without any protection against fraud and abuse. Specifically, individuals
could apply for disaster assistance via the Internet or telephone. FEMA
subjected Internet registrations to a limited verification process whereby
a FEMA contractor used credit and other information to validate the
identity of registrants. Those who failed the Internet verification
process were advised to contact FEMA via telephone to reregister. However,
FEMA did not apply the identity validation process to any of the 1.5
million registrants who contacted FEMA and applied for assistance over the
telephone. Our data mining and investigations confirmed FEMA's
representation. For example, using falsified identities, bogus addresses,
and fabricated disaster stories, we applied for disaster assistance over
the telephone and obtained $2,000 expedited assistance payments.

7In 2002, FEMA became part of the Department of Homeland Security (DHS).
DHS officials required GAO to submit written requests for all
documentation to DHS Office of General Counsel.

Other control weaknesses further increased the government's exposure to
fraud and abuse. We found that FEMA instituted automated checks that
flagged hundreds of thousands of potentially duplicate registrations in
the computer system FEMA used to process and approve IHP registrations for
payments. FEMA officials informed us that these flagged registrations were
subjected to additional reviews to conclude whether they were, in fact,
duplicates. However, while the additional review process may have
prevented many potentially fraudulent and improper payments, it did not
prevent what appear to be other potentially fraudulent and improper
payments based on duplicate registrations. We also found that FEMA did not
implement procedures to validate whether damaged addresses used to
register for assistance were bogus, for either Internet or telephone
registrations.

With limited or nonexistent validation of registrants' identities and
damaged addresses, it is not surprising that our data mining and
investigations found substantial indicators of potential fraud and abuse
related to false or duplicate information submitted on disaster
registrations. For example, according to SSA data, FEMA made millions of
dollars in payments to thousands of registrants who submitted SSNs that
have not been issued or belonged to deceased individuals. Our data mining
also detected that FEMA made tens of thousands of payments to registrants
who provided other false or duplicate information on their registrations.
Specifically, in the 20 case studies we investigated, a majority-165 of
248-of registrations contained SSNs that according to the SSA were never
issued, belonged to deceased individuals, or did not match the name
provided. In addition, about 80 of the over 200 alleged disaster addresses
that we attempted to validate were bogus addresses. Also, our case study
registrants did not live in many of the remaining valid addresses. In one
specific case example, 17 individuals, some of whom shared the same last
name and current addresses, used 34 different SSNs that did not belong to
them and addresses that were bogus or not their residences to receive more
than $103,000 in FEMA payments. In addition, because the hurricanes had
destroyed many homes, we could not determine if approximately 15 of the
alleged disaster addresses had ever existed.

Similar to the control weaknesses over expedited assistance payments
distributed through checks and electronic funds transfers, we found that
FEMA did not validate the identities of debit card recipients at three
relief centers in Texas who registered via the telephone. Consequently,
FEMA issued $2,000 debit cards to over 60 registrants who provided SSNs
that were never issued or belonged to deceased individuals. We also found
that FEMA made multiple expedited assistance payments to over 5,000 of the
11,000 debit card recipients. That is, FEMA provided the registrant both a
$2,000 debit card and a $2,000 check or electronic fund transfer. Further,
at the time of debit card issuance, unlike the recipients who received
expedited assistance payments via checks or EFTs, FEMA did not issue
specific instructions to debit card recipients on the use of the cards. We
found that debit cards were used predominantly to obtain cash and thus are
unable to determine how the money was actually used. The majority of the
remaining debit card purchases were for food, clothing, and personal
necessities. However, in isolated instances, a few debit cards were used
for to pay for items or services that, on their face, do not seem
essential to satisfy disaster related needs. For example, these debit
cards were used in part to purchase adult entertainment, a .45 caliber
hand gun, jewelry, bail bond services, and to pay for prior traffic
violations.8

 FEMA's Controls to Prevent Potentially Fraudulent Payments Were Not Effective

We found weak or nonexistent controls in the process that FEMA used to
review disaster registrations and approve assistance payments that leave
the federal government vulnerable to fraud and abuse. In the critical
aftermath of hurricanes Katrina and Rita, FEMA moved swiftly to distribute
expedited assistance payments to allow disaster victims to mitigate and
overcome the effects of the disasters. In this context, the establishment
of an effective control environment was a significant challenge.
Specifically, we found that FEMA had implemented some controls prior to
the disaster to provide automated validation of the identity of
registrants who applied for assistance via the Internet. Our work thus far
indicates that this resulted in FEMA rejecting some registrants who
provided names and SSNs that did not pass the validation test. However,
FEMA did not implement the same preventive controls for those who applied
via the telephone. Our use of fictitious names, bogus addresses, and
fabricated disaster stories to obtain expedited assistance payments from
FEMA demonstrated the ease with which expedited assistance could be
obtained by providing false information over the telephone. Because
expedited assistance is a gateway to further IHP payments (up to $26,200
per registration), approval for expedited assistance payments potentially
exposes FEMA, and the federal government, to more fraud and abuse related
to temporary housing, home repair and replacement, and other needs
assistance.

8Under the Act's implementing regulations, FEMA may recover funds that it
determines were provided erroneously, that were spent inappropriately, or
were obtained through fraudulent means. 44 C.F.R. S: 206.116 (b)

Pressure to Swiftly Deliver Aid Led to Approval of Expedited Assistance Payments
with Minimal Verification

During the course of our audit and investigation, FEMA officials stated
that they did not verify whether registrants had insurance and whether
registrants were unable to live in their home prior to approving expedited
assistance payments. According to FEMA officials, the unprecedented scale
of the two disasters and the need to move quickly to mitigate their impact
led FEMA to implement expedited assistance. Expedited assistance differs
from the traditional way of delivering disaster assistance in that it
calls for FEMA to provide assistance without requiring proof of losses and
verifying the extent of such losses. Consequently, FEMA implemented
limited controls to verify eligibility for the initial expedited
assistance payments. According to FEMA officials, these controls were
restricted to determining whether the damaged residence was in the
disaster area and limited validation of the identity of registrants who
used the Internet. Registrants who FEMA thought met these qualifications
based on their limited assessments were deemed eligible for expedited
assistance.

FEMA Did Not Validate Identity of Registrants Who Applied for Assistance via
Telephone

FEMA implemented different procedures when processing disaster
registrations submitted via the Internet and telephone calls. Of the more
than 2.5 million registrations recorded in FEMA's database, i.e.,
registrations that were successfully recorded-60 percent (more than 1.5
million) were exempt from any identity verification because they were
submitted via the telephone. Prior to sending out expedited assistance
payments, FEMA did not have procedures in place for Internet or telephone
registrations that screened out registrations where the alleged damaged
address was a bogus address. The lack of identity verification for
telephone registrations and any address validation exposed the government
to fraud and abuse of the IHP program.

For registrations taken through FEMA's Web site, registrants were required
to first provide a name, SSN, and date of birth. This information was
immediately provided (in electronic format) to a FEMA contractor to
compare against existing publicly available records. While registrants
were waiting on the Internet, the FEMA contractor took steps to verify
registrants' identities. The verification steps involved confirming that
the SSN matched with a SSN in public records, that the name and SSN
combination matched with an identity registered in public records, and
that the SSN was not associated with a deceased individual. The FEMA
contractor was responsible for blocking any registrations for which any of
these three conditions was not met. Additionally, registrants who passed
the first gate had to provide answers to a number of questions aimed at
further corroborating the registrants' identities. Registrants who were
rejected via the Internet were advised to contact FEMA via telephone. Our
audit and investigative work indicated that this verification process
helped deter obviously fraudulent Internet registrations using false names
and SSNs. However, FEMA kept no record of the names, SSNs, and other
information related to the rejected registrations, and no record of the
reasons that the FEMA contractor blocked the registration from going
forward. FEMA acknowledged that it was conceivable that individuals who
were rejected because of false information submitted via the Internet
could get expedited assistance payments by providing the same false
information over the telephone.

Although the identity verification process appeared to have worked for
most Internet registrations, it did not identify a small number of
registrations with invalid SSNs. According to information we received from
the SSA, nearly 60 Internet registrants who received FEMA payments
provided SSNs that were never issued or belonged to individuals who were
deceased prior to the hurricanes. Results indicate that these individuals
may have passed the verification process because public records used to
verify registrants' identities were flawed. For example, one credit
history we obtained indicated that a registrant had established a credit
history using an invalid SSN.

Unlike the Internet process, FEMA did not verify the identity of telephone
registrants who accounted for over 60 percent of disaster registrations
recorded in FEMA's system. For registrants who registered only via
telephone, or registrants who called FEMA subsequent to being denied on
the Internet, FEMA did not have controls in place to verify that the SSN
had been issued, that the SSN matched with the name, that the SSN did not
belong to a deceased individual, or whether the registrants had been
rejected on prior Internet registrations. Because the identity of
telephone registrants was not subjected to basic verification, FEMA did
not have any independent assurance that registrants did not falsify
information to obtain disaster assistance. According to FEMA officials,
FEMA had a request in place to modify its computer system to allow for
identity verification for telephone registrations similar to those used
for the Internet. FEMA also represented to us that due to budget
constraints and other considerations, the change was not implemented in
time to respond to hurricanes Katrina and Rita. However, to date we have
not received documentation to validate these representations.

  Control Weaknesses Enabled GAO to Obtain $2,000 Expedited Assistance Checks

The lack of identity verification of phone registrants prior to disbursing
funds makes FEMA vulnerable to authorizing expedited assistance payments
based on fraudulent information submitted by registrants. Prior to
obtaining information on the control procedures FEMA used to authorize
expedited assistance payments, we tested the controls by attempting to
register for disaster relief through two portals: (1) the Internet via
FEMA's Web site and (2) telephone calls to FEMA. For both portals, we
tested FEMA's controls by providing falsified identities and bogus
addresses. In all instances, FEMA's Web site did not allow us to
successfully finalize our registrations. Instead, the Web site indicated
that there were problems with our registrations and advised us to contact
the FEMA toll-free numbers if we thought that we were eligible for
assistance. This is consistent with FEMA's representation that Internet
registrations were compared against third-party information to verify
identities.

Our investigative work also confirmed that the lack of similar controls
over telephone registrations exposed FEMA to fraud and abuse.
Specifically, in instances where we submitted via the telephone the same
exact information that had been rejected on the Internet, i.e., falsified
identities and bogus addresses, the information was accepted as valid.
Subsequently, the claims were processed and $2,000 expedited assistance
checks were issued. Figure 1 provides an example of an expedited
assistance check provided to GAO.

Figure 1: $2,000 Expedited Assistance Check Provided to GAO Based on Bogus
Registration

Additional case study investigations, which we discuss later, further
demonstrated that individuals not affected by the disasters could easily
provide false information to obtain expedited assistance and other IHP
payments from FEMA. Convictions obtained by the Department of Justice also
show that others have exploited these control weaknesses and received
expedited assistance payments. For example, one individual in a College
Station, Texas relief center pleaded guilty to false claims and mail fraud
charges related to IHP and expedited assistance. Despite never having
lived in any of the areas affected by the hurricane, this individual
registered for and received $4,358 ($2,000 in expedited assistance and
$2,358 in rental assistance) in hurricane Katrina IHP payments.

Other Control Weaknesses Exacerbated Government Exposure to Fraud and Abuse

We also found that FEMA instituted limited pre-payment checks in the
National Emergency Management Information System (NEMIS) to automate the
identification of duplicate registrations. However, the subsequent review
process used to resolve these duplicate registrations was not effective in
preventing duplicate and potentially fraudulent payments. We also found
that FEMA did not implement procedures to provide assurance that the
disaster address was not a bogus address, either for Internet or telephone
registrations.

FEMA's controls failed to prevent thousands of registrations with
duplicate information from being processed and paid. Our work indicates
that FEMA instituted limited automated checks within NEMIS to identify
registrations containing duplicate information, e.g., multiple
registrations with the same SSNs, duplicate damaged address telephone
numbers, and duplicate bank routing numbers. Data FEMA provided enabled us
to confirm that NEMIS identified nearly 900,000 registrations-out of 2.5
million total registrations-as potential duplicates. FEMA officials
further represented to us that the registrations identified as duplicates
by the system were "frozen" from further payments until additional reviews
could be conducted. The purpose of the additional reviews was to determine
whether the registrations were true duplicates, and therefore payments
should continue to be denied, or whether indications existed that the
registrations were not true duplicates, and therefore FEMA should make
those payments. It appeared from FEMA data that the automated checks and
the subsequent review process prevented hundreds of thousands of payments
from being made on duplicate registrations. However, FEMA data and our
case study investigations also indicate that the additional review process
was not entirely effective because it allowed payments based on duplicate
information.

We also found that FEMA did not implement effective controls for telephone
and Internet registrations to verify that the address claimed by
registrants as their damaged address existed. As will be discussed further
below, many of our case studies of potential fraud show that payments were
received based on claims made listing bogus damaged addresses. Our
undercover work also corroborated that FEMA provided expedited assistance
to registrants with bogus addresses.

 Potentially Fraudulent Activities Resulting from Weak or Nonexistent FEMA IHP
                                    Controls

With limited or nonexistent validation of registrants' identities and the
reported damaged addresses, it is not surprising that our data mining and
investigations found substantial indicators of potential fraud and abuse
related to false or duplicate information submitted on disaster
registrations. Our audits and investigations of 20 cases studies
comprising 248 registrations that received payments, and the undercover
work we discussed earlier, clearly showed that individuals can obtain
hundreds of thousands of dollars of IHP payments based on fraudulent and
duplicate information.9 These case studies are not isolated instances of
fraud and abuse. Rather, our data mining results to date indicate that
they are illustrative of the wider internal control weaknesses at
FEMA-control weaknesses that led to thousands of payments made to
individuals who provided FEMA with incorrect information, e.g., incorrect
SSNs and bogus addresses, and thousands more made to individuals who
submitted multiple registrations for payments.

Case Study Examples Show That Control Weaknesses Have Been Exploited

Our audits and investigations of 20 case studies demonstrate that the weak
or nonexistent controls over the registration and payment processes have
opened the door to improper payments and individuals seeking to obtain IHP
payments through fraudulent means. Specifically, a majority of our case
study registrations-165 of 248-contained SSNs that were never issued or
belonged to deceased or other individuals. About 20 of the 248
registrations we reviewed were submitted via the Internet. Further, of the
over 200 alleged damaged addresses that we tried to visit, about 80 did
not exist. Some were vacant lots, others turned out to be bogus apartment
buildings and units. Because the hurricanes had destroyed many homes, we
were unable to confirm whether about 15 additional addresses had ever
existed. We also identified other fraud schemes unrelated to the weak and
nonexistent validation and prepayment controls previously discussed, such
as registrants who submitted registrations using valid addresses that were
not their residences.

In total, the case study registrants of whom we conducted investigations
have collected hundreds of thousands of dollars in payments based on
potentially fraudulent activities. These payments include money for
expedited assistance, rental assistance, and other IHP payments. Further,
as our work progresses, we are uncovering evidence of larger schemes
involving multiple registrants that are intended to defraud FEMA. We found
these schemes because the registrants shared the same last names, current
addresses, and/or damaged addresses-some of which we were able to confirm
did not exist. While the facts surrounding the case studies provided us
with indicators that potential fraud may have been perpetrated, further
testing and investigations need to be conducted to determine whether these
individuals were intentionally trying to defraud the government or whether
the discrepancies and inaccuracies were the results of other errors.
Consequently, we are conducting further investigations into these case
studies. Table 1 highlights 10 of the 20 case studies we identified
through data mining that we investigated. In addition, some individuals in
the cases cited below submitted additional registrations but had not
received payments as of mid December 2005.

9We used various indicators such as identical names, SSNs, damaged
addresses, and current addresses to link multiple registrations together
into the 20 case studies.

Table 1: Examples of Potential Fraudulent and Duplicate Registrations That
Received FEMA Payments

                                   Number of                                  
                                       Bogus 
             Number of            Properties 
         Registrations               Used to 
        with Payments/  Payments     Receive 
Case           SSNs Receiveda   Paymentsb Case Details
1             36/36  $103,000 At least 10    o  Seventeen individuals      
                                                received payments on 36       
                                                registrations using 34 SSNs   
                                                that were not theirs.         
                                                o  Of the 17 addresses we     
                                                visited, 13 were from the     
                                                same apartment building, of   
                                                which 6 did not exist.        
                                                o  4 additional addresses     
                                                were also invalid.            
                                                o  Payments included 31       
                                                expedited assistance payments 
                                                totaling $62,000, and 18 in   
                                                other payments, including     
                                                rental payments.              
2             15/15   $41,000  At least 8    o  One individual received    
                                                payments on 15 different      
                                                SSNs-only one of which        
                                                belonged to that person.      
                                                o  Investigative work also    
                                                showed that 3 addresses were  
                                                valid but were not addresses  
                                                of the registrant.            
                                                o  Payments included 13       
                                                expedited assistance payments 
                                                totaling $26,000 and $15,000  
                                                in other assistance,          
                                                including housing.            
                                                o  The individual may have    
                                                committed bank fraud by using 
                                                an invalid SSN to open an     
                                                account.                      
                                                o  The individual had         
                                                established credit using 2    
                                                SSNs that did not belong to   
                                                the individual.               
3               8/1   $16,000        None    o  One individual received 8  
                                                expedited assistance payments 
                                                using the same name, SSN, and 
                                                current address.              
                                                o  Of the 8 addresses         
                                                declared as damaged, two      
                                                appeared to belong to the     
                                                individual.                   
                                                o  FEMA's automated edits     
                                                identified at least 7         
                                                registrations as duplicates,  
                                                nevertheless payments were    
                                                issued.                       
4             23/23   $46,000 At least 14    o  Two individuals received   
                                                expedited assistance payments 
                                                on 23 SSNs - 21 of which were 
                                                not theirs.                   
                                                o  Public records indicate    
                                                that the individuals did not  
                                                live at any of the 9 valid    
                                                addresses.                    
                                                o  Payments included 22       
                                                expedited assistance payments 
                                                and 1 housing assistance      
                                                payment.                      
5             38/38   $76,000 At least 10    o  Six individuals received   
                                                38 payments on different      
                                                SSNs-only 1 of which was      
                                                traced back to them.          
                                                o  Payments included 37       
                                                expedited assistance payments 
                                                totaling $74,000 and over     
                                                $2,000 in other assistance.   
6             18/18   $36,000 At least 12    o  Individual received 18     
                                                expedited assistance payments 
                                                using the same name and 18    
                                                different SSNs-only 1 of      
                                                which belonged to the person. 
                                                o  Investigative work and     
                                                public records also indicate  
                                                that the individual had never 
                                                lived at any of the 6         
                                                remaining valid addresses.    
7             31/30   $92,000 At least 22    o  A group of 8 individuals   
                                                received payments on 31       
                                                registrations using 26 SSNs   
                                                that did not belong to them.  
                                                o  22 of the registrations    
                                                were for addresses that did   
                                                not exist. The remaining      
                                                addresses were not validated. 
                                                o  Payments include 32        
                                                payments for expedited        
                                                assistance and over $28,000   
                                                for other assistance          
                                                including housing assistance. 
8               6/6   $23,000        None    o  Six apparent members of    
                                                the same household registered 
                                                6 times using the same        
                                                damaged addresses.            
                                                o  Five of the 6 individuals  
                                                also shared the same current  
                                                address.                      
                                                o  Payments included 5        
                                                expedited assistance payments 
                                                and $13,000 in other payments 
                                                including housing assistance. 
9               7/7   $15,000        None    o  Seven apparent members of  
                                                the same household received   
                                                payments using the same       
                                                damaged address.              
                                                o  One family member used a   
                                                SSN that did not belong to    
                                                the family member.            
                                                o  Six of the 7 individuals   
                                                also shared the same current  
                                                address.                      
                                                o  Payments included 7        
                                                payments for expedited        
                                                assistance.                   
10              7/7   $80,000        None    o  Seven apparent members of  
                                                the same household registered 
                                                using the same damaged        
                                                address.                      
                                                o  Payments included 6        
                                                expedited assistance payments 
                                                and $68,000 in other          
                                                assistance.                   

Source: GAO analysis and investigation of FEMA data.

aAmount reflects total payments for IHP, which includes expedited
assistance, temporary housing assistance, payments for repair and
replacement of real and personal property, and payments for other needs
such as medical, transportation, and other necessities.

bOne address could be associated with multiple registrations.

The following provides illustrative detailed information on several of the
cases.

           o  Case number 1 involves 17 individuals, several of whom had the
           same last name, who submitted at least 36 registrations claiming
           to be disaster victims of both Katrina and Rita. All 36
           registrations were submitted through the telephone, using 36
           different SSNs and 4 different current addresses. These
           individuals used their own SSNs on 2 of the registrations, but the
           remaining 34 SSNs were never issued or belonged to deceased or
           other individuals. The individuals received over $103,000 in IHP
           payments, including $62,000 in expedited payments and $41,000 in
           payments for other assistance, including temporary housing
           assistance. Our analysis shows that the individuals claimed 13
           different damaged addresses within a single apartment building,
           and 4 other addresses within the same block in Louisiana. However,
           our physical inspection of these addresses revealed that 10 of the
           addresses were bogus addresses. Further audit and investigative
           work also shows that these individuals may not have lived at any
           of the valid disaster addresses at the time of hurricanes Katrina
           and Rita. We are conducting additional investigations on this
           case.

           o  Case number 2 involves an individual who used 15 different
           SSNs-one of which was the individual's own-to submit at least 15
           registrations over the telephone. The individual claimed a
           different damaged address on all 15 registrations, and used 3
           different current addresses-including a post office box, where the
           individual received payments. The individual received 16 payments
           totaling over $41,000 on 15 of the registrations. In all, the
           individual received 13 expedited assistance payments, 2 temporary
           housing assistance payments, and another payment of $10,500.
           Further investigative work disclosed that the individual may have
           committed bank fraud by using a false SSN to open a bank account.
           Other publicly available records indicate that the individual had
           used 2 SSNs that were issued to other people to establish credit
           histories.

           o  Case number 3 relates to a group of 8 registrations that
           resulted in 8 payments totaling $16,000. According to FEMA data,
           an individual registered for Rita disaster assistance at the end
           of September 2005. About 10 days later, the same individual
           submitted at least 7 additional registrations claiming 7 different
           disaster addresses, 2 of which we were able to confirm belonged to
           the individual and may be rental properties that the individual
           owns. However, because the FEMA database showed that these
           addresses were entered as the individual's primary residence-a
           primary requirement for IHP-the individual received 8 expedited
           assistance payments instead of just the one that he may have
           qualified for. We also found that the automated edits established
           in NEMIS identified these registrations as potential duplicates.
           In spite of the edit flags, FEMA cleared the registrations for
           improper expedited assistance payments.

           o  Case number 4 involves 2 individuals who appear to be living
           together at the same current address in Texas. These 2 individuals
           received payments for 23 registrations submitted over the
           telephone using 23 different SSNs-two of which belonged to them-to
           obtain more than $46,000 in disaster assistance. The information
           the registrants provided related to many of the disaster addresses
           appeared false. The addresses either did not exist, or there was
           no proof the individuals had ever lived at these addresses.

           o  Case number 8 relates to 6 registrants with the same last name
           who registered for disaster assistance using the same damaged
           address, with 5 of the 6 using the same current address. FEMA
           criteria specify that individuals who reside together at the same
           address and who are displaced to the same address are entitled to
           only one expedited assistance payment. However, all 6 possible
           family members received 12 payments totaling over $23,000-$10,000
           in expedited assistance and more than $13,000 in other assistance,
           including rental assistance.

           The case studies we identified and reported are not isolated
           instances of potential fraud and abuse. Rather, our data mining
           results show that they are indicative of fraud and abuse beyond
           these case studies, and point directly to the weaknesses in
           controls that we have identified. The weaknesses identified
           through data mining include ineffective controls to detect (1)
           SSNs that were never issued or belonged to deceased or other
           individuals, (2) SSNs used more than once, and (3) other duplicate
           information.

           Our data mining and case studies clearly show that FEMA's controls
           over IHP registrations provided little assurance that registrants
           provided FEMA with a valid SSN. Under 42 U.S.C. S: 408, submitting
           a false SSN with the intent to deceive in order to obtain a
           federal benefit or other payment is a felony offense. Based on
           data provided by the SSA, FEMA made expedited assistance payments
           to thousands of registrants who provided SSNs that were never
           issued or belonged to deceased individuals. Further, SSA officials
           who assisted GAO in analyzing FEMA's registrant data informed us
           that tens of thousands more provided SSNs that belonged to other
           individuals. This problem is clearly illustrated in case 2, where
           FEMA made payments totaling over $41,000 to an individual using 15
           different SSNs. According to SSA records, the individual received
           payments on 4 SSNs that belonged to deceased individuals and 10
           SSNs that did not match with the names provided on the
           registrations. As previously discussed, further testing and
           investigations need to be conducted to determine whether this
           individual was intentionally trying to defraud the government or
           whether the discrepancies and inaccuracies were the results of
           other errors.

           Our data mining and case studies clearly show that FEMA's controls
           do not prevent individuals from making multiple IHP registrations
           using the same SSN. We found thousands of SSNs that were used on
           more than one registration associated with the same disaster.
           Because an individual can receive disaster relief only on his or
           her primary residence and a SSN is a unique number assigned to an
           individual, the same SSN should not be used to receive assistance
           for the same disaster. This problem is illustrated in case 3
           above, where an individual registered for IHP 8 times using the
           same name, same SSN, and same current address-and thus could have
           qualified for only 1 expedited assistance payments-but instead
           received expedited assistance payments of $2,000 for 8 different
           registrations.

           Our data mining and case studies also show that the IHP controls
           to prevent duplicate payments did not prevent FEMA from making
           payments to tens of thousands of different registrants who used
           the same key registration information. FEMA's eligibility criteria
           specify that individuals who reside together at the same address
           and who are displaced to the same address are typically entitled
           to only one expedited assistance payment. FEMA policy also
           provides for expedited assistance payments to more than one member
           of the household in unusual circumstances, such as when a
           household was displaced to different locations. However, both our
           investigations and data mining found thousands of instances where
           FEMA made more than one payment to the same household that shared
           the same last name and damaged and current addresses. As
           illustrated in case 8, 5 of 6 individuals with the same last name,
           the same damaged address, and the same current address received
           multiple expedited assistance payments, instead of just one for
           which they qualified. While not all of the registrations that used
           the same key information were submitted fraudulently, additional
           investigations need to be conducted to determine whether or not
           the entire family was entitled to expedited and other IHP
           assistance.

           Similarly, our data mining also determined that FEMA made payments
           to tens of thousands of IHP registrants who provided different
           damaged addresses but the same exact current address. As shown in
           case study 4 above, some registrations that fell into this
           category contained bogus addresses or addresses that were not the
           registrants' residences. Under 18 U.S.C. S: 1001, a person who
           knowingly and willfully makes any materially false, fictitious, or
           fraudulent statement or representation shall be fined or
           imprisoned up to 5 years, or both.

           Our data mining also found that FEMA made duplicate expedited
           assistance payments to tens of thousands of individuals for the
           same FEMA registration number. FEMA policy states that registrants
           should only receive one expedited assistance payment. However, in
           some cases, FEMA paid as many as four $2,000 expedited assistance
           payments to the same FEMA registration number. As discussed later,
           we also found that FEMA issued expedited assistance payments to
           more than 5,000 registrants who had already received debit cards.
           FEMA officials represented to us that they traced some of these
           obviously duplicate payments to a computer error that
           inadvertently caused the duplicate payments. However, they
           provided no supporting documentation.

           In the days following hurricane Katrina, FEMA experimented with
           the use of debit cards to expedite payments of $2,000 to about
           11,000 disaster victims at three Texas shelters10 who, according
           to FEMA, had difficulties accessing their bank accounts. Figure 2
           is an example of a FEMA debit card.

           Figure 2: FEMA Debit Card

           The debit card program was an effective means of distributing
           relief quickly to those most in need. However, we found that
           because FEMA did not validate the identity of debit card
           recipients who registered over the telephone, some individuals who
           supplied FEMA with SSNs that did not belong to them also received
           debit cards. We also found that controls over the debit card
           program were not effectively designed and implemented to prevent
           debit card recipients from receiving duplicate expedited
           assistance payments, once through the debit card and again through
           check or EFT. Finally, unlike the guidance provided to other IHP
           registrants, at the time FEMA distributed the debit cards, FEMA
           did not provide instructions informing them that the funds on
           their cards must be used for appropriate purposes.

           As discussed previously, FEMA did not verify the identity of
           individuals and/or households who submitted disaster registrations
           over the telephone. This weakness occurred in the debit card
           program as well. FEMA required the completion of a disaster
           registration prior to a household or individual being able to
           receive a debit card. According to FEMA officials, registrants at
           the three centers applied for assistance via the telephone and
           Internet. Therefore, to the extent that registrations for the
           debit card were taken over the telephone, FEMA did not subject the
           identity of the registrants to a verification process.
           Consequently, we identified 50 debit cards issued to registrants
           listing SSNs that the SSA had no record of issuing, and 12 cards
           issued to registrants using SSNs belonging to deceased
           individuals. For example, one registrant used an invalid SSN to
           receive a $2,000 debit card and used about $500 of that money to
           pay prior traffic violations to reinstate a driver's license. In
           another case, a registrant used the SSN of an individual who died
           in 1995 to receive a $2,000 debit card. FEMA subsequently
           deposited an additional $7,554 in IHP payments to that debit card
           account for additional claims submitted by that individual. This
           registrant withdrew most of the $9,554 deposited into the debit
           card account by obtaining ATM cash withdrawals.

           Based on a comparison of FEMA's IHP payments and the list of debit
           card recipients, we found that over 5,000 of the 11,000 debit card
           recipients received more than one $2,000 expedited assistance
           payment because they received a debit card and another form of
           payment (check or EFT). According to FEMA officials, they were
           aware that several individuals had already registered for IHP
           assistance and that some payments had already been made prior to
           issuance of a debit card. However, FEMA officials stated that
           individuals in the three shelters in Texas would not have access
           to their home addresses or bank accounts and therefore needed
           immediate assistance in the form of debit cards. Our review of
           FEMA data disproved FEMA's belief that only a few individuals who
           received debit cards also received other disaster assistance
           payments. Instead, thousands, or nearly half, of the individuals
           who received debit cards also received checks or EFTs that were
           made several days after the debit cards had been issued. The
           result was that FEMA paid more than $10 million dollars in
           duplicate expedited assistance payments to individuals who had
           already received their $2,000 of expedited assistance.

           In general, once FEMA receives a disaster registration, FEMA sends
           a package containing IHP information and detailed instructions,
           including instructions on how to follow up on benefits, how to
           appeal if denied benefits, and the proper use of IHP payments.
           However, FMS and FEMA officials informed us that FEMA did not
           specifically provide instructions on how the debit cards should
           only be used for necessary expenses and serious needs related to
           the disasters at the same time the debit cards were distributed.
           We found that in isolated instances, debit cards were used for
           adult entertainment, to purchase weapons, and for purchases at a
           massage parlor that had been previously raided by local police for
           prostitution.

           Our analysis of debit card transaction data provided by JP Morgan
           Chase found that the debit cards were used predominantly to obtain
           cash which did not allow us to determine how the money was
           actually used. The majority of the remaining transactions was
           associated with purchases of food, clothing, and personal
           necessities. Figure 3 shows a breakdown of the types of purchases
           made by cardholders.

           Figure 3: Breakdown of Purchases Made with FEMA Debit Cards

           We found that in isolated instances, debit cards were used to
           purchase goods and services that did not appear to meet serious
           disaster related needs as defined by the regulations. In this
           regard, FEMA regulation provides that IHP assistance be used for
           housing-related needs and items or services that are essential to
           a registrant's ability to overcome disaster related hardship.
           Table 2 details some of the debit cards activities we found that
           did not appear to be for essential disaster related items or
           services.

           Table 2: Purchases that Did Not Appear Necessary to Satisfy
           Immediate Emergency Needs

           Source: GAO analysis of debit card transactions and additional
           investigations.

           FEMA has a substantial challenge in balancing the need to get
           money out quickly to those who are actually in need and sustaining
           public confidence in disaster programs by taking all possible
           steps to minimize fraud and abuse. Based on our work to date, we
           believe that more can be done to prevent fraud through validation
           of identities and damage addresses and enhanced use of automated
           system verification intended to prevent fraudulent disbursements.
           Once fraudulent registrations are made and money is disbursed,
           detecting and pursuing those who committed fraud in a
           comprehensive manner is more costly and may not result in
           recoveries. Further, many of those fraudulently registered in the
           FEMA system already received expedited assistance and will likely
           receive more money, as each registrant can receive as much as
           $26,200 per registration.

           Another key element to preventing fraud in the future is to ensure
           there are consequences for those that commit fraud. For the fraud
           cases that we are investigating, we plan to refer them to the
           Katrina Fraud Task Force for further investigation and, where
           appropriate, prosecution. We believe that prosecution of
           individuals who have obtained disaster relief payments through
           fraudulent means will send a message for future disasters that
           there are consequences for defrauding the government.

           Madam Chairman and Members of the Committee, this concludes my
           statement. I would be pleased to answer any questions that you or
           other members of the committee may have at this time.

           For further information about this testimony, please contact
           Gregory D. Kutz at (202) 512-7455 or [email protected] . Contact
           points for our Offices of Congressional Relations and Public
           Affairs may be found on the last page of this testimony.

           To assess controls in place over the Federal Emergency Management
           Agency (FEMA)'s Individuals and Households Program (IHP), we
           interviewed FEMA officials and performed walkthroughs at the
           National Processing Service Center in Winchester, Va. We reviewed
           the Stafford Act, Pub. L. 93-288, the implementing regulations,
           and FEMA's instructions to disaster registrants available via the
           Internet. In addition, to proactively test controls in place, we
           applied for assistance using falsified identities, bogus
           addresses, and fictitious disaster stories to determine if IHP
           payments could be obtained based on fraudulent information.
           Because of several key unanswered requests for documentation from
           the Department of Homeland Security (DHS), information needed to
           fully assess the expedited assistance program was limited. For
           example, FEMA and DHS had not provided us documentation to enable
           us to conclusively determine the reason that FEMA submitted some
           registrations, and did not submit other registrations, to identity
           validation prior to issuing expedited assistance payments.
           Consequently, our work was limited to our analysis of the FEMA
           databases, investigations we conducted, data widely available to
           the public via the Internet, and information FEMA officials orally
           provided to us.

           To determine the magnitude and characteristics of IHP payments, we
           obtained the FEMA IHP database as of December 2005. We validated
           that the database was complete and reliable by comparing the total
           disbursements against reports FEMA provided to the Senate
           Appropriations Committee on Katrina/Rita disbursements. We
           summarized the amounts of IHP provided by type of assistance and
           by location of disaster address.

           To determine whether indications existed of fraud and abuse in
           expedited assistance and other disbursements, we provided FEMA
           data to the Social Security Administration (SSA) to verify against
           their records of valid social security numbers (SSNs). We also
           used data mining and forensic audit techniques to identify
           registrations containing obviously false data, such as multiple
           registrations containing the same name, same current or damaged
           address, but different SSNs, and registrations containing
           duplicate information, such as duplicate names and SSNs. To
           determine whether registrations from our data mining resulted in
           potentially fraudulent and/or improper payments, we used a
           nonrepresentative selection of 248 registrations representing 20
           case studies (case studies included multiple individuals and
           registrations) for further investigation. We restricted our case
           studies to registrations that received payments as of mid-December
           2005, and noted that some registrants within our case studies also
           submitted additional registrations-for which they may receive
           future payments. We also identified instances where groups of
           registrants may have been involved in schemes to defraud FEMA. We
           found these schemes because the registrants provided the same
           SSNs, last names, current addresses, and/or damaged addresses on
           their registrations. Our macro analysis of potentially fraudulent
           use of SSNs and other data mining are ongoing, and we plan to
           report additional results at a future date. For purposes of this
           testimony, we did not conduct sufficient work to project the
           magnitude of potentially fraudulent and improper payments of IHP.
           We also visited over 200 of the claimed damaged addresses related
           to our case studies to determine whether or not the addresses were
           valid.

           To assess the types of purchases made with FEMA debit cards
           distributed at relief centers, we reviewed a database of
           transactions provided by JP Morgan Chase, the administrating bank
           for the debit cards. SSA also assisted us to compare cardholder
           data with SSA records to determine whether registrants receiving
           debit cards had provided valid identities. We performed data
           mining on debit card transactions to identify purchases that did
           not appear to be indicative of necessary expenses as defined by
           the Stafford Act's implementing regulations. Finally, we validated
           specific transactions identified in the database by obtaining
           information on actual items purchased from the vendors.

           In the course of our work, we made numerous written requests for
           key documents and sets of data related to the IHP, most dating
           back to October 2005. While FEMA officials promptly complied with
           one key part of our request-that is FEMA made available databases
           of IHP registrants and payments-the majority of items requested
           have not been provided. On January 18, 2006, the Department of
           Homeland Security Office of General Counsel provided us with well
           less than half of the documents that were requested. For example,
           FEMA and the DHS had not provided us documentation to enable us to
           conclusively determine the reason that FEMA submitted some
           registrations, and did not submit other registrations, to identity
           validation prior to issuing expedited assistance payments. While
           the database and other data provided by FEMA enabled us to design
           procedures to test the effectiveness of the FEMA's system of
           internal controls, it did not enable us to comprehensively
           determine the root causes of weak or non-existent controls.

           During the course of our audit work, we identified multiple cases
           of potential fraud. For cases that we investigated and found
           significant evidence of fraudulent activity, we plan to refer our
           cases directly to the Hurricane Katrina Fraud Task Force. Except
           for scope limitations due to a lack of documentation provided by
           DHS, we performed our work from October 2005 through January 2006
           in accordance with generally accepted government auditing
           standards and quality standards for investigations as set forth by
           the President's Council on Integrity and Efficiency.

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( www.gao.gov ). Each weekday,
           GAO posts newly released reports, testimony, and correspondence on
           its Web site. To have GAO e-mail you a list of newly posted
           products every afternoon, go to www.gao.gov and select "Subscribe
           to Updates."

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
           (202) 512-6061

           Contact:

           Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
           [email protected] Automated answering system: (800) 424-5454 or
           (202) 512-7470

           Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
           U.S. Government Accountability Office, 441 G Street NW, Room 7125
           Washington, D.C. 20548

           Paul Anderson, Managing Director, [email protected] (202)
           512-4800 U.S. Government Accountability Office, 441 G Street NW,
           Room 7149 Washington, D.C. 20548

Data Mining Indicates Potential Fraud and Abuse Beyond Our Case Studies

  Misuse of Social Security Numbers on Registrations

  Same Social Security Numbers Used on Multiple Registrations

  Multiple Payments Made to Different Registrations Containing the Same Key
  Information

Controls over Debit Cards Were Ineffective in Preventing Duplicate Payments and
                                  Improper Use

10The shelters were located in Dallas, Houston, and San Antonio.

Debit Cards Issued to Individuals Providing Invalid Social Security Numbers

Thousands of Debit Card Recipients Received Multiple Expedited Assistance
Payments

FEMA Debit Card Transactions

Vendors              Location        Nature of Transaction          Amount 
Elliot's Gun Shop    Jefferson, LA   .45 caliber pistol             $1,300 
D Houston            Houston, TX     Gentlemen's club                1,200 
Friedman's Jewelers  Plano, TX       Diamond engagement ring         1,100 
Argosy Casino        Baton Rouge, LA 7 ATM withdrawals within one    1,000 
                                        day at a gambling institution  
Tim Fanguy Bail      Houma, LA       Partial bail bond payment       1,000 
Bonds                                                               
Department of Public Baton Rouge, LA Payment of prior traffic          700 
Safety                               violations for driver's        
                                        license reinstatement          
Cat Tattoo           Addison, TX     Tattoo on arm                     450 
Swedish Institute    Irving, TX      Massage parlor                    400 
Tiger Beer and Wine  Dallas, TX      Alcohol beverages                 200 
Condoms To Go        Dallas, TX      Adult erotica products            150 

                                  Conclusions

Contacts and Acknowledgements

Appendix I: Objectives, Scope, and Methodology

(192201)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

Obtaining Copies of GAO Reports and Testimony

Order by Mail or Phone

To Report Fraud, Waste, and Abuse in Federal Programs

Congressional Relations

Public Affairs

www.gao.gov/cgi-bin/getrpt? GAO-06-403T .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Gregory Kutz at (202) 512-7455 or
[email protected].

Highlights of GAO-06-403T , a testimony before the Senate Committee on
Homeland Security and Governmental Affairs

February2006

EXPEDITED ASSISTANCE FOR VICTIMS OF HURRICANES KATRINA AND RITA

FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse

As a result of widespread congressional and public interest in the federal
response to hurricanes Katrina and Rita, GAO conducted an audit of the
Individuals and Households Program (IHP) under Comptroller General of the
United States statutory authority.

Hurricanes Katrina and Rita destroyed homes and displaced millions of
individuals. In the wake of these natural disasters, FEMA faced the
challenge of providing assistance quickly and with minimal "red tape,"
while having sufficient controls to provide assurance that benefits were
paid only to eligible individuals and households. In response to this
challenge, FEMA provided $2,000 in IHP payments to affected households via
its Expedited Assistance (EA) program. Victims who received EA may qualify
for up to $26,200 in IHP assistance. As of mid-December 2005, IHP payments
totaled about $5.4 billion, with $2.3 billion provided in the form of EA.
These payments were made via checks, electronic fund transfers, and a
small number of debit cards.

GAO's testimony will provide the results to date related to whether (1)
controls are in place and operating effectively to limit EA to qualified
applicants, (2) indications exist of fraud and abuse in the application
for and receipt of EA and other payments, and (3) controls are in place
and operating effectively over debit cards to prevent duplicate EA
payments and improper usage.

We identified significant flaws in the process for registering disaster
victims that leave the federal government vulnerable to fraud and abuse of
EA payments. For Internet applications, limited automated controls were in
place to verify a registrant's identity. However, we found no independent
verification of the identity of registrants who registered for disaster
assistance over the telephone. To demonstrate the vulnerability inherent
in the call-in applications, we used falsified identities, bogus
addresses, and fabricated disaster stories to register for IHP. Below is a
copy of one of the $2,000 checks that we received to date for our bogus
telephone applications.

We also found that FEMA's automated system frequently identified
potentially fraudulent registrations, such as multiple registrations with
identical social security numbers (SSN) but different addresses. However,
the manual process used to review these registrations did not prevent EA
and other payments from being issued. Other control weaknesses include the
lack of any validation of damaged property addresses for both Internet and
telephone registrations.

Given the weak or non existent controls, it is not surprising that our
data mining and investigations to date show the potential for substantial
fraud and abuse of EA. Thousands of registrants misused SSNs, i.e., used
SSNs that were never issued or belonged to deceased or other individuals.
Our case study investigations of several hundred registrations also
indicate significant misuse of SSNs and the use of bogus damaged property
addresses. For example, our visits to over 200 of the case study damaged
properties in Texas and Louisiana showed that at least 80 of these
properties were bogus-including vacant lots and nonexistent apartments.

We found that FEMA also made duplicate EA payments to about 5,000 of the
nearly 11,000 debit card recipients-once through the distribution of debit
cards and again by check or electronic funds transfer. We found that while
debit cards were used predominantly to obtain cash, food, clothing, and
personal necessities, a small number were used for adult entertainment,
bail bond services and weapons purchase, which do not appear to be items
or services that are essential to satisfy disaster related essential
needs.
*** End of document. ***