Guidance for auditing disaster preparedness (draft)

INTOSAI WORKING GROUP ON THE ACCOUNTABILITYAND AUDIT OF DISASTER-RELATED AID

THE DRAFT GUIDELINES FOR AUDITING OF DISASTER PREPAREDNESS

October 2011

Antalya, TURKEY

Arife COSKUN - November 2010 version the draft guide for audit of disaster preparedness (0II.04)

Turkish Court of Accounts (TCA) Inonu Bulvari, No: 45, Balgat/ Ankara - Turkeye-mail: acoskun@sayistay.gov.tr Tel: +90 312 295 37 01

THE DRAFT GUIDELINES FOR AUDITING DISASTER PREPAREDNESS

CONTENT

Preamble

PART I: DISASTER PREPAREDNESS

1. Background

2. Purpose of the Guidelines

3. Issues to be Covered

Definitions of Disaster

Types of Disaster

Why Disaster Preparedness? Scope

of Disaster Preparedness

4. Specific Elements of Disaster Planning

5. Geographical Information Systems (GIS)

6. Government's Role

7. Role of SAIs

PART II: AUDIT OF DISASTER PREPAREDNESS

8. Introduction

9. Challenges for the auditor

10. Audit Mandate of SAIs

11. Types of Audit

12. Planning and carrying out audit work

Audit Approach/ Scope

i

Audit Objectives Audit

Methodology Audit

Criteria

Audit Findings and Recommendations

PART III: AUDIT PROGRAM FOR DISASTER PREPAREDNESS

13. Audit Program

14. Lessons Learned

ANNEXES

ANNEX 1: An example of governance structure - Canada ANNEX

2: Geographical Information Systems (GIS)

ANNEX 3: A case for understanding the organization and framework of authorities preparing for disaster

ANNEX 4: Audit Objectives - examples concerning disaster preparedness

ANNEX 5: Audit Criteria - examples concerning disaster preparedness

ANNEX 6: Audit Recommendations - examples concerning disaster preparedness

ii

Preamble

I. The INTOSAI Working Group on Accountability for and Audit of Disaster-related Aid (AADA) was

established as a successor to the INTOSAI Task Force on Tsunami Aid on which its knowledge was

based. The first meeting of the INTOSAI Working Group on the AADA was held by its chair, between

30 June and 2 July 2008 in Luxembourg. The participants at that meeting accepted the Work Program

(2008-2010), which was based on the Draft Work Plan for 2007-2010 and was drafted beforehand by

the Chair of the INTOSAI Task Force on the ADAA, taking into account the new developments in this

field.

II. In the Work Program (2008-2010), separate tasks and their descriptions were grouped into two work

packages in order to give a clear picture and develop a successful strategy for strengthening

accountability and creating an audit trail concerning audits of disaster-related issues. The first work

package deals with the development of guidance and good practice in the area of accountability; the

second one clarifies the development of guidance and good practice in this area by Supreme Audit

Institutions (SAIs). Work Package II is divided into nine different tasks that are to be prepared by sub-

groups. One of the tasks under Work Package II is the "Audit of disaster preparedness (0II.04)".

Turkey, Austria and Kenya are named as the SAIs responsible for this task. The Turkish Court of

Accounts (TCA) is leading the sub-group.

III. Firstly, a work plan for the study team was prepared, outlining the main activities and a timetable.

Then, literature was reviewed and samples of audit reports were examined. After the Working

Group's second meeting in Seoul, the audit of disaster preparedness team prepared a survey and

sent it to all INTOSAI members to gather information on their experience in this field so that it could

be reflected in these guidelines. A draft of the guidelines for auditing disaster preparedness was

prepared and circulated to members of the INTOSAI Working Group on the AADA for review and

comments after the third meeting in Lima, Peru. A second draft was improved in the light of the

feedback gathered. The current document is still a draft, and is not an official INTOSAI-endorsed

publication.

IV. The INTOSAI Working Group on the Accountability for and Audit of Disaster-related Aid (AADA)

wishes to express its appreciation for the contributions made by member Supreme Audit Institutions.

We would especially like to thank the following SAIs which replied to our survey.

1

The SAIs which replied to the survey

1. Australia European Court of Auditors 19. Lesotho 2 8 . Philippines2. Austria 11. Denmark 20. Macedonia 2 9 . Poland3. Bangladesh 12. Germany 21. Madagascar 3 0 . Saint Lucia4. Cameroon 13. Guatemala 22. Morocco 3 1 . Singapore5. Canada 14. Hungary 23. Netherlands 3 2 . Turkey6. Cape Verde 15. Japan 24. New Zealand 3 3 . Ukraine7. Czech Republic 16. Korea 25. Norway 3 4 . USA8. Egypt 17. Kyrgyz Republic 26. Papua New Guinea 3 5 . Yemen9. Estonia 18. Latvia 27. Peru

2

PART I: DISASTER PREPAREDNESS

1. Background

1.1 Disasters, most of which are natural, have occurred for centuries across the world. However,

owing to the risks arising from the advent of complex technologies and from dramatic

economic and social events in a chaotic environment, the world has been witnessing a new

type of disaster: the man-made disaster. Recent natural disasters, such as the Indian Ocean

Tsunami, Hurricane Katrina and the large-scale earthquakes and floods in Pakistan, Haiti and

China, as well as man-made disasters such as the Chernobyl Nuclear Accident and September

11 have thus affected many countries.

1.2 The global impact of natural and man-made disasters has dramatically increased over the last

few decades, owing to social, demographic, political, environmental and climatic factors. The

degree of vulnerability and exposure, leading to larger losses in the disasters, has also

increased considerably. Apart from the growth of urban development and population density

in exposed areas, the fact that large proportions of the world's population and assets are

concentrated near to the coast has also contributed to the rise in social and economic

devastation. The increasing uncertainty of weather patterns due to climate change and the

rise in terrorist attacks can be regarded as reasons, amongst others, for the big disasters.

1.3 200 million people are affected by natural disasters or technological accidents worldwide

every year. These catastrophes are responsible for huge losses of human life, homes and

livelihoods as well as for a vast number of injuries. In addition to the social damage they also

cause economic losses: 69 billion USD every year according to the EU Working paper on

"Disaster Preparedness and prevention (DPP): State of play and strategic orientations for EC

policy". The number of geophysical disasters reported over the last decade has remained fairly

steady, while hydro-meteorological disaster has increased since 1996. According to some

scientists this trend could further increase as a result of global climate change.

1.4 The growing impact of major disasters on economic and social life has led to demand for an in-

depth assessment of possible strategies to reduce their large-scale damaging effects. So,

international policies concerning natural and man-made disasters have been radically changed

over the last decade. Previous policies that allocated large resources to post-disaster relief and

reconstruction activities have proved inefficient without curbing the needs generated after the

disaster. The international community

3

has therefore altered the objectives of disaster policies in line with a strong determination to

reduce risks prior to any catastrophe. The Yokohama (1994) and Kobe (2005) Conferences and

the Hyogo Framework for Action (HFA) have set the new objectives, monitored by the UNISDR 4

(2000), for developing a Global Platform and demanding the formation of National Platforms,

the latter comprising not only the related official bodies but also NGOs and universities.

1.5 Despite the fact that some countries revised their disaster policies for risk mitigation after the

Global Platform (2007), which produced tenable results, many countries remain totally

opposed to the new policy. Most emergencies in the world are local in nature and are

managed at municipal or provincial/territorial level. However, certain risk factors increase the

potential for catastrophes to transcend geographical boundaries and to challenge the capacity

of federal and provincial/territorial governments, and sometimes the international

community, to manage emergencies. These risk factors include: increased urbanization, critical

infrastructure dependencies and interdependencies, terrorism, climate variability and change,

animal and human health diseases, and the increased mobility of people and goods around

the world. Taking measures against disasters concurrently is therefore important not only for

individual countries but also for countries in exposed areas.

1.6 However, risk reduction or mitigation policies call for new approaches, new methods and

expertise. The new policy requires a capacity for identifying various types of risks at different

levels, making projections of likely consequences, and also a capacity for devising methods to

avoid, reduce and share risks. This means recruiting an entirely different type of professional

expertise than that employed under the previous policies. Planners in particular are now

expected to have a dominant role to play under the aegis of a new global disaster policy. In

short, disaster preparedness that includes all these activities, such as risk mitigation and

prevention, requires a new management approach and, accordingly, a new audit approach.

1.7 In line with the emerging new disaster management approach, the INTOSAI Accountability for

and Audit of Disaster-related Aid (AADA) Working Group has tried to draw up guidelines so as

to improve the SAIs' auditing of disaster preparedness. Especially in times of a worldwide

financial crisis the effective and economic use of the financial resources put into disaster

preparedness deserves special attention. The financial resources at the governments' disposal

are becoming scarce, owing to the restricted spending policy of governments facing the

financial crisis. As a result of

4

4 The UN International Strategy for Disaster Reduction, "Hyogo Framework for Action 2005-2015: Building the Resilience of Nations and Communities to Disasters", http://www.unisdr.org/eng/hfa/hfa.htm, March 2010.

these developments, the audit of disaster preparedness has gained great importance for SAIs.

2. Purpose of the Guidelines

2.1 Guidance provided to SAIs for auditing disaster preparedness has an important objective:

encouraging SAIs and their auditees to take a more active role in preventing the impact of

natural events from turning into disasters.

• Lack of awareness of public entities that investing in disaster preparedness is more

efficient and effective than investing in disaster response. This lack of awareness/priority is

fostered by the fact that the added value of investing in disaster preparedness can only be

assessed when a disaster actually happens (and when it is in fact too late). Preparedness

costs, but its benefits may never occur (or in many years' time) or may not be clearly

visible.

• Lack of awareness of SAIs that they have a role which they should and can play in

prevailing upon governments to invest in disaster preparedness. This lack of

awareness/priority is exacerbated by the fact that we tend to look at ex-post events (after

disasters occur) and that we use public expenditure as the basis for selecting our audit

topics: if governments lack the priority for investing in disaster preparedness, they will not

invest in it and SAIs will not audit it.

• Complexity of assessing the quality of disaster risk assessment, disaster mitigation and

disaster prevention: this requires using other types of information (for instance,

geographical information, information about the probability of events, etc.) and

information from sources other than those normally used in audits (such as information

from more technical agencies, universities, international bodies). Examples from SAIs that

have experience in tackling this complexity can be very helpful for SAIs.

2.2 The purpose of this document is to give guidance to SAIs for auditing the preparedness of

governments for disaster and to help auditors draw up a framework for how to analyze

disaster preparedness. In this context a basic audit program has been developed. In order to

prepare this document, a questionnaire was compiled by the group and sent to the SAIs which

are members of INTOSAI. The information obtained from the questionnaire has been

incorporated into this paper, thus ensuring worldwide practicability. The SAIs may strengthen

their capacities in terms of methodology for auditing disaster preparedness; moreover, the

SAIs could be encouraged to initiate and implement concurrent and/or coordinated audits.

This document is expected to help the auditors and the SAIs with the following issues in this

field:

5

• Obtaining and documenting an understanding of disaster preparedness activities, the

organization and the framework of the authorities governing the actors;

• Establishing a preliminary view of the strengths and weaknesses of the overall control

environment;

• Providing information for our assessment of risk and the design of the audit studies;

• Establishing an effective and sound audit process;

• Forming a common basis for partnership audits among the SAIs.

2.3 Generally, it is expected that these guidelines will contribute to the efforts to reduce disaster-

related loss of life and loss of other social, economic and environmental assets worldwide. It is

also expected that forming a common basis for auditing disaster preparedness and actually

auditing these activities and the resources allocated to them will ensure that all parties, such

as governments, institutions, citizens and NGOs of donor and recipient countries, will support

disaster preparedness activities.

3. Issues to be Covered

Developing a more effective audit methodology requires good definition of the audit area. The starting

point is therefore to ask "what is disaster?" or, to put it differently, "What is disaster from the

SAIs' point of view?"

Definitions of Disaster

3.1 The UN International Strategy for Disaster Reduction (ISDR) defines disaster as: "A serious disruption of the functioning of a community or a society involving widespread human, material, economic or environmental losses and impacts, which exceeds the ability of the affected community or society to cope using its own resources."5 In many

international humanitarian aid policy documents, disaster is defined in a similar way to that of

the European Commission Humanitarian Aid Office (ECHO), the United Nations Office for the

Coordination of Humanitarian Affairs (UN-OCHA) and the Good Humanitarian Donorship

Initiative. In addition, the International Federation of Red Cross and Red Crescent Societies

(IFRC) adds that disasters, although often caused by nature, can be caused by human beings.

Many countries have their own definitions of disaster that are based on their experiences and

their environment. For example, Austrian Development Cooperation defines disaster as: "A disaster is sudden disruption of a community caused by loss of human life and/or property and/or infrastructure including essential services, which the community concerned can no

6

5 The UN International Strategy for Disaster Reduction, "UNISDR terminology on disaster risk reduction (2009)", http://www.unisdr.org/eng/terminology/terminology-2009-eng.html, March 2010.

longer cope with on its own in spite of coordinated use of all locally and regionally available resources."6 The variety of definitions is a good illustration of the broad range of possible disasters

and their complexity.

3.2 The widespread human, economic and environmental losses and the tremendous volume of

resource needs are highlighted in each definition. To cope with all these matters, governmental

departments at all levels have to undertake activities and, consequently, all these activities will be

within the audit scope of SAIs.

Types of Disaster

3.3 There are various types of disaster, such as earthquakes, tsunamis, volcanic eruptions, etc. They are

generally categorized into two main types: natural and man-made disasters. A natural disaster is the

consequence of a natural hazard that affects human life. Man-made disasters are caused by human

activities or negligence or involve the failure of a system. Indeed, there are no clear-cut differences

between natural and man-made disasters since many natural events turn into disaster owing largely

to failure to take precautions in time and mismanagement.

HYDROLOGICAL/METEOROLOGICAL TECHNOLOGICAL

(Windstorms, floods, tornados, droughts, etc.)(Nuclear weapons, nuclear plant meltdown, etc.)

NATURAL

DISASTERS

7

SOCIOLOGICAL

(Desertification, freezing, etc.)

CLIMATOGICALGEOPHYSICAL

►BIOLOGICAL

(Plagues, Epidemics, etc.) (Terrorism, Famine, etc.)

www.entwicklung.at/uploads/.. ./PD_International_humanitarian_aid_03 .pdf.

8

countries. Identifying human-induced root causes, and advocating structural and political

changes to combat them, is long overdue. For example, destruction of the natural

environment because of logging or inappropriate land uses for short-term economic gain is

one of the major factors causing floods or mudslides. Similarly, migration of populations to

urban and coastal areas increases human vulnerability. Accordingly, population densities

increase, infrastructure becomes overloaded, living areas move closer to potentially

dangerous industries, and more settlements are built in fragile areas such as floodplains or

areas prone to landslides. By the same token, in general, mismanagement of the economy and

resources - especially turning cultivated areas into urban areas - leads to widespread famine.

As a result, natural disasters affect more people and economic losses increase.

3.5 Disaster risk arises when hazards interact with physical, social, economic and environmental

vulnerabilities. For example, despite the fact that seismic activity has remained constant over

recent years, the effects of earthquakes on the urban population appear to be increasing. The

large majority of disasters are events of hydro-meteorological origin such as floods, droughts

and windstorms. Events of geological origin such as earthquakes are secondary to these.

3.6 The precautions taken by government institutions and their activities will be determined by

the disaster type. Depending on this, the management risks arise in different areas. For

example, for some disasters, such as famine or terrorist attacks, control risks may come to the

fore. For others, like earthquakes and tsunamis, the coordination risk might rank higher among

the management risks. A sound knowledge of disaster types is therefore vital for those

auditing disaster preparedness.

Why Disaster Preparedness?

3.7 Disaster mainly leads to the disruption of normal life; human effects such as loss of life, injury,

hardship and adverse effect on health; effects on social structure such as the destruction of or

damage to government systems, buildings, communications and essential services; community

needs such as shelter, food, clothing, medical assistance and social care. Furthermore, disaster

also leads to significant loss of infrastructure, population and government facilities. Because of

the increase in disaster frequency and the effects in terms of casualties and damage, disaster

preparedness, more specifically disaster mitigation and prevention, has gained importance in

recent years. The core idea is that the impact of disasters can be minimized.

3.8 As mentioned above, international policies concerning disaster management have radically

changed in the last decade. Correspondingly, disaster preparedness has gained great

importance within this new policy. Since disaster management was previously organized in

accordance with policies that allocated large resources to

9

post-disaster relief and reconstruction activities, the new policy requires big changes not only

in governmental departments, but also in national and international society. The success of

this transformation is closely connected with redefining governments' organization, work and

planning processes; developing an awareness of society and good governance; strengthening

critical infrastructure and adopting economic policy tools in accordance with the needs of

disaster preparedness. All these changes will undoubtedly compel the SAIs to review their

auditing in this field and to develop ways of auditing more effectively.

3.9 A government's approach to disaster preparedness should be determined bearing these factors in

mind. Naturally, the government approach will change depending on disaster types and their

probability and risk impact. As shown in Graphic 1, if the probability and risk impact of

Preparedness

3.10 The definition and scope of disaster preparedness can shape the roles and responsibilities ascribed

to the government in managing and the SAIs in auditing. For the purposes of this document,

disaster preparedness includes disaster prevention and disaster mitigation. According to the

UN International Strategy for Disaster Reduction (ISDR), Disaster Risk Reduction (DRR)

comprises the actions of preparedness, mitigation and prevention.

• Disaster prevention involves disaster mitigation and containment of destruction in the

face of acute risk factors. Disaster prevention also includes disaster preparedness

measures.

• Disaster mitigation consists of activities taking place before the occurrence of

unavoidable disasters to minimize damage caused by impending risks. Disaster mitigation

measures also reduce risks by lessening the vulnerability of households, infrastructure and

natural or economic resources.

10

SAIs too should be concerned

with disaster preparedness and

give priority to this subject within

the strategic plan and annual audit

program."

disaster were high, the

government would have to specify

the approach and take the

necessary precautions. From the

standpoint of the SAIs, this can be

read as "the

Definition and Scope of Disaster

• Disaster preparedness includes activities that prepare communities for a possible disaster

and improve the reaction of the various actors to such an event. These measures, like

disaster mitigation measures, reduce the impact of the disaster. There is an essential

difference: disaster mitigation measures often involve a reduction in the disaster risks

themselves, whereas the aim of disaster preparedness is to ensure that the various

stakeholders are not caught unprepared by the disaster and that assistance is provided in

a coordinated manner.7

3.11 According to the EU working paper, disaster preparedness comprises "organizational activities

which ensure that the systems, procedures and resources required to confront a natural

disaster are available in order to provide timely assistance to those affected, using existing

mechanisms wherever possible (e.g. training, awareness raising, establishment of disaster

plans, evacuation plans, pre-positioning of stocks, early warning mechanisms, strengthening

indigenous knowledge)."

3.12 Disaster preparedness encompasses disaster

mitigation and disaster prevention. Disaster

mitigation describes measures taken before

disasters which are intended to reduce or eliminate

their impact on society and environment. These

measures reduce the physical vulnerability of

existing infrastructures or of vulnerable sites, which

directly endanger the population (e.g. retrofitting of

buildings, reinforcing "lifeline" infrastructure).

Disaster prevention comprises activities conceived

to ensure permanent protection against a disaster. They include engineering, physical

protection measures, legislative measures for the control of land use and codes of

construction. These activities reduce physical vulnerability and/or risk exposure by providing

new infrastructures, improving existing infrastructures and through sustainable development

practices. 8

3.13 In the light of these definitions, disaster preparedness may be seen as an umbrella concept

including risk assessment, disaster prevention and disaster mitigation. In reality, many actions

that are being taken with the aim of preparing for disaster at the pre-disaster stage consist of

a mix of both mitigation and prevention. The SAIs'

11

7 The European Commission on EU Strategy for Disaster Risk Reduction, 15/4-2008 and Austrian Development Cooperation, "International humanitarian aid policy document", Vienna, March 2009, p.9.

8 The European Commission on EU Strategy for Disaster Risk Reduction, 15/4-2008 and Austrian Development Cooperation, "International humanitarian aid policy document", Vienna, March 2009, p.9.

auditing of disaster preparedness therefore covers all activities that prepare communities, the

economy and the environment for a possible disaster.

4. Specific Elements of Disaster Planning

4.1 Carrying out disaster management activities (pre-disaster, during the disaster and post-

disaster) effectively is ensured by means of comprehensive and integrated planning and sound

risk assessment. These plans are the essential tools guiding the institutions with a role in the

disaster management process. They ensure that timely, proactive and forward-looking

precautions are taken. Broadly speaking, they are the tools for responding most appropriately

to every stage of disaster management. For disaster preparedness, the disaster plan is the

single most important tool. The auditor should therefore pay special attention to the disaster

plans in order to evaluate the activities and transactions of disaster management at the pre-

disaster stage.

Disaster Management Law

4.2 To take disaster preparedness measures before a disaster and to take the necessary action

during the disaster, it is first necessary to clearly determine who is responsible for what. In

order to clarify these issues, countries mostly enact a basic national law covering the general

framework of disaster management. Such a law generally includes the following provisions:

• Developing a national disaster

management policy,

• According to this national policy, preparing

national plans and programs,

• The general framework of

responsibilities and roles of the

institutions involved in the disaster

management and the arrangements for

coordination between these

institutions, etc.

National Disaster Plans

4.3 As mentioned above, most disaster management legislation includes provisions for the

preparation of a national plan9. These are often entitled "National Disaster Management Plan",

though their names differ from country to country. They generate national strategies including

a basis for setting priorities for all functions of

12

Canada: The Emergency Management Act of August 2007 governs the national leadership responsibility of the Ministry of Public Safety for emergency management and for conserving critical infrastructure. It also defines cooperation between the federal ministries.

Sri Lanka: The Disaster Management Act of May 2005 governs the establishment, responsibilities and duties of the National Council for Disaster Management and the Disaster Management Center and the preparation of disaster management plans.

9 Hereinafter "National Plans" are referred to as "National Disaster Plans".

disaster management by considering all national and international risks. The National Disaster

Plan covers all the actors and activities in the field and provides coordination between the

related institutions. By virtue of these features, national disaster plans are the main

documents for auditing disaster preparedness.

4.4 In many countries which are advanced in terms of disaster management, a national disaster

plan is prepared with the aim of drawing up a general framework for disaster management. In

addition to this plan, implementation plans, known as the specific plan, operation plan or

emergency plan, are made. On the other hand, in countries which are setting up disaster

management and especially in those that have a more simple governmental structure,

national disaster plans are rather like operation plans.

4.5 Disaster management activities including disaster preparedness are carried out at every level,

from the public sector to the private sector, from non-governmental organizations to

individuals. Generally, coordination provided as the main function of the primary organization/

institution responsible is envisaged in the national plan. How best to perform disaster

management activities in a coordinated manner is indicated in the national plans. Accordingly,

the primary components of a national plan include:

• National Strategy: When determining the national strategy, it is critically important to

assess the potential threats and weaknesses with which the country may be faced. Hazard

mapping, disaster databases and impact analysis are the tools available for making risk

assessments.

• Priorities: In the context of disaster management planning, priorities are also set by using

the results of risk assessments. When making national disaster plans, it is of prime

importance that priorities are determined

rationally, taking account of limited

resources.

• Coordination: Comprehensive

coordination at all stages of disaster

management -pre-disaster, during disaster and post-disaster - is essential for carrying out

the activities and fulfilling the responsibilities which are shared among many institutions.

National plans define the coordination tools, such as meetings and setting up committees.

• Governance structure: Governance is a key element in implementing disaster

preparedness properly and involves a set of relationships between different levels of

government. Governance also provides the structure through which the

13

In Canada strategies are determined and actionplans are designed for 10 sectors which areprioritized as "critical infrastructure".The sectors include Health, Information andCommunication, Technology, Energy andUtilities.

4.6 In addition to the National Disaster Plans, the institutions that are responsible for disaster

management functions make plans and programs related to their fields of responsibility. These plans

can vary

depending on the executive authorities and/or

disaster types. Some examples are as follows:

• Departmental/operational/ emergency management plans, made

by institutions/local authorities,

• Specific plans/strategies, designed for specific disasters to which countries attach importance,

• Business continuity plans which are related to disaster preparation, and

4.7

• Action plans which will be applied

during a disaster.

As disaster management becomes more

important, disaster preparedness

activities figure largely in all types of

disaster plan. Consequently, in many

countries,

In Canada, a "Federal Emergency Response Management System" has been established

and, within this structure, the coordination tools and processes are defined. On the one hand, "the management team", which is composed of delegates of the institutions involved in disaster management, collects the needs of the performers. On the other hand, it issues guidance to them regarding cooperation and coordination.

14

objectives are set, and the means of attaining those objectives and monitoring performance

are determined. For this reason, it is essential to create a governance structure in which

corporate responsibility areas are defined exactly. National plans define the primary

functions of disaster management and the organizations that are responsible for performing

these functions. Indeed, there is no single, specific model of good governance for disaster

preparedness. Therefore, examining the legal, institutional and regulatory framework in the

light of the different models that exist helps the auditor identify some of the common

elements underlying good governance. (See Annex 1 for an example.)

Guidance: National disaster plans guide the responsible institutions in their disaster

management work. Within this scope, the corporate aims and goals, risk assessments, etc.

determined in the corporate disaster plans should be aligned with the national plan's

strategy. Therefore the planning, monitoring and reporting capability of the main institution

responsible for national disaster planning should be optimal, with additional resources

provided if necessary.

Sub-Plans

In Canada, a "National Disaster Mitigation Strategy" is prepared and the mitigation activities are carried out in accordance with this plan. Similarly, one of India's disaster preparedness plans is "Preventive/Protection and Mitigation from Risk of Tsunami".

operational plans are being developed along these lines and disaster preparedness activities

come to the fore. The common points of sub-plans can be summarized as follows:

• Coordination: As in the national disaster plans, coordination is the primary factor in the

sub-plans. Carrying out the activities of the institutions which have a broad array of roles

and responsibilities in the field is crucial for the sub-plans, which are operation oriented.

In order for there to be effective disaster management, including preparedness, activities

such as policy, planning, risk assessment, training, public awareness-outreach and

protection of critical infrastructure need to be carried out in a coordinated manner by the

stakeholders in the field. For example, the "Istanbul Provincial Disaster and Emergency

Directorate" was established and the main purpose of this body is to ensure coordination

and cooperation between the related institutions in this region. To do this, the Directorate

uses telecommunication tools and information systems.

• Risk assessment: The sub-plans specify probable risks - generally the risk assessment

tool for natural disasters is hazard mapping, for man-made disasters the appropriate tools

are monitoring and reporting - and, in addition, vulnerability assessments are made; for

the purposes of these assessments, preparedness

is tested through practical applications.

Training: Training is another important issue covered by

sub-plans. Many countries have a training unit which

organizes the training activities related to each stage

of disaster management. For example, the

Emergency Management Institute in Australia has such a training unit. Additionally, sub-

plans emphasize the need to prepare training programs concerning specific subjects. For

example, in Canada the "Emergency Management Training Program" and the "Chemical,

Biological, Radiological, and Nuclear (CBRN) First Responder Training Program" are

prepared to be used for training qualified personnel who will be employed in disaster

preparedness activities.

Public awareness: In the context of disaster preparedness, public awareness concerning

disaster should be raised in order to reduce the adverse affects of disasters. Raising public

awareness requires all the authorized institutions in this field, the private sector and NGOsIn Australia "Emergency Action Guides" are developed and

each action guide offers clear and concise information on how to be prepared for, what to do during, and what steps to take after a major hazard.

15

Tsunami Risk in India and the Tools for its Assessment

• Tsunami Hazard Map• Tsunami Vulnerability Assessment• Tsunami Risk Assessment• Practical Applications

to work in coordination and

cooperation. For this purpose, disaster

guidelines giving

information and advice about the actions to be taken pre-disaster, during disaster and post-

disaster are prepared- Public awareness-raising programs are also being arranged.

• Critical Infrastructure: This is a service, facility or a group of services or facilities, the loss

of which will have severe adverse effects on the physical, social, economic or

environmental well-being or safety of the community.10 The risks to critical infrastructures

have to be identified and managed in an appropriate way. To reinforce the critical

infrastructures by minimizing the risks affecting them, it is critically important that

governments, local governments and especially the critical infrastructure owners and

private business managers should work in cooperation.

• Measures: In operational plans, there are some general and specific measures that have

to be taken during the disaster management process. These are structural measures

especially for natural disasters, such as the reinforcement of existing buildings, the

construction of disaster-resistant buildings and evacuation of residential areas before

and/or during disaster.

India Specific Measures for Safety from Tsunamis

• Tsunami Effects and Design Solutions• Specific Design Principles for Tsunamis• Know the Tsunami Risk at the site• Avoid new developments in Tsunami Run-up Areas• Site Planning Strategies to reduce Tsunami Risk• Tsunami Resistant Buildings - New Developments• Protection of existing buildings and infrastructure - Assessment, Retrofit, Protection measures• Special Precautions in locating and designing infrastructure and critical facilities• Planning for Evacuation

4.8 Under the new global disaster policy and disaster preparedness management, planning is of crucial

importance. Auditors should therefore pay special attention to all types of disaster plans

during audit work on disaster preparedness. To evaluate the disaster plans, examining similar

plans at international level and making comparisons with them will provide good benchmarks

and will facilitate the auditors' work.

16

10 Critical Infrastructure Emergency Risk Management and Assurance Handbook, Australia 2004.

5. Geographical Information Systems (GIS)11

5.1 In general terms, Geographic Information Systems (GIS) are applications which integrate,

store, analyze, manage and present data that are

linked to location. They are used in various areas,

such as cartography, remote sensing, land

surveying, utility management, navigation,

geography, urban planning and emergency

management, etc. Like many disciplines, auditing

can also benefit from GIS technology. This is

because GIS technology enables users to create

their own searches and analyze spatial information,

edit data, maps, and present the results of all these

operations. For example, GIS might enable

emergency planners to easily calculate emergency response times in the event of a natural

disaster.

5.2 The ability of leaders and administrators to make sound disaster management decisions, to

analyze risks and decide upon appropriate counter-measures can be greatly enhanced by

cross-sector integration of information.13 GIS technology is used to combine information on

natural hazards, natural resources, population, and infrastructure, etc. easily, precisely and in a

timely manner. This combination of information can help to identify areas where further

hazard evaluations are required, areas where mitigation strategies should be prioritized and

less hazard-prone areas which are most suited to development activities.14 Basically, GIS can:

• improve the quality and analytical power of natural hazard assessments and risk

assessments,

• guide development activities, assist planners in selecting mitigation measures and in

implementing preparedness and response actions.15

17

GIS12 is an integrated collection of computer software and data used to view and manage information connected with specific locations, analyze spatial relationships, and model spatial processes. GIS technology integrates common database operations, such as query and statistical analysis, with the unique visualization and geographic analysis benefits offered by maps.

11 See Annex 2 for examples.12 ESRI, Geographic Information Systems and Pandemic Influenza and Response, s.6.13 Rego, Aloysius J, "National Disaster Management Information Systems & Networks: An Asian Overview",

Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).

15

Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).

5.3 All these characteristics make GIS one of the most important tools for effective disaster

management, development planning and decision making. Important in terms of auditing, GIS

include important tools for selecting samples in performance audit studies on disaster

preparedness.

Risk Assessment-Prediction

5.4 On the other hand, GIS technology can be used for natural hazard assessments to show where

hazardous natural phenomena are likely to occur. This, combined with information on natural

resources, population and infrastructure, can make it possible to assess the risk posed by

natural hazards and to identify critical elements in high-risk areas. This information can then

be used to formulate less vulnerable development activities and/or mitigation strategies to

lessen vulnerability to acceptable levels.16 Also, the auditors can benefit from this information

when assessing risk mitigation strategies and activities.

5.5 In the audit work on disaster preparedness, the evaluation of risk assessment, risk analysis and

vulnerability assessment will depend on whether GIS are used, and also on whether the

elements of GIS that exist are suitable for use in the process of disaster preparedness or not.

This is rather important to ensure in terms of efficiency and effectiveness.

Planning

5.6 With GIS, it is possible to analyze an almost unlimited number of factors associated with

historical events and present conditions, including present land use, presence of

infrastructure, etc. So planners can use GIS to draw up specific mitigation strategies for

disaster prevention activities. At national level, GIS can be used to provide general

familiarization with the possible disaster area, giving a reference to the overall hazard

situation and helping to identify areas that need further studies to assess the effect of natural

hazards on natural resource management and development potential17.

5.7 For example, in Indonesia, the GIS activities aim to develop risk maps at national, provincial

and district level. The national and provincial-level maps are used to determine priority

provinces and areas for disaster management activities, planning and installation of early

warning systems. The district-level maps are used for district contingency planning. Under this

system, a number of modules on Forest Fires,

18

Primer on Natural Hazard Management in Integrated Regional Development Planning, "GeographicInformation Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).17 Primer on Natural Hazard Management in Integrated Regional Development Planning, "GeographicInformation Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).

Earthquakes/Tsunami, Volcanic Eruption and Social Unrest have been developed for building a

database system in an internet mode.18

5.8 When known hazards and potential sources of disasters are mapped, better decisions and

plans can be made. The role of mapping has many aspects and influences the performance of

systems in many ways: 19

• It improves the ability of decision makers, planners, academics, researchers and care

professionals to organize and link thematic and spatial datasets.

• It makes it possible to create relations between datasets that may seem unrelated without

using the geographical dimension. These links help in discovering and creating new

knowledge which can be translated into action or policies.

• Mapping enables professionals to understand complex spatial relationships visually, and

as planning has an element of informed prediction, mapping can be a powerful tool for

forecasting and trend analysis.

5.9 As we know, planning underlies the activities of disaster preparedness. Hence, the auditors

should examine all kinds of plans and the process of planning. For evaluating the plans, GIS will

help both the auditors and the planners.

6. Government's Role

6.1 Disaster risks arise when hazards interact with physical, social, economic and environmental

vulnerabilities. In this context, disaster preparedness is a cross-cutting issue covering most

activities of government and is multi-sector and inter-disciplinary in nature. It is widely

acknowledged that efforts to get ready for disaster must be systematically integrated into

policies, plans and programs and supported by national and local governments, the

international community, the private sector, civil society and even private individuals.

Organizing and coordinating all these efforts and institutions requires great power. Only

governments have the power and capacity that is needed.

6.2 Governments play a major role in laying down policy, the institutional framework and

programs for disaster preparedness as part of disaster management. The tasks assigned to

governments in respect of the common organizational procedures of disaster preparedness

cover alarming, evacuation, supply and assessment of the situation. In this context,

governments should identify risks, assess and monitor them properly and develop a

governance model for all the actors concerned, consisting of government institutions, regional

and local organizations and civil society, including volunteers, the private sector and the

scientific community.

19

18 Rego Aloysius J, "National Disaster Management Information Systems & Networks: An Asian Overview",s.3.Al-Shorbaji, Najeeb: "Use and potential of geographic information systems for health mapping in theEastern Mediterranean Region", s.3.

6.3 Achieving disaster preparedness objectives requires the full commitment and involvement of all the

actors concerned. So following a more pro-active approach to informing, motivating and

involving people in all aspects of disaster preparedness will be important. The scarcity of

resources allocated specifically to disaster preparedness is also another important issue. To

ensure the effectiveness of disaster preparedness, governments should specify the needs and

make national and preparedness/mitigation/emergency plans and monitor all work

undertaken by the different sectors regularly. This means that governments are involved in all

activities concerning disaster preparedness.

7. Role of SAIs

7.1 The government's role may also vary according to the different ways a state can be affected by

disasters. The different roles also determine the government's scope of action, the tasks it has

to fulfill and, in consequence, the challenges for SAIs regarding their audit. The results of the

survey conducted among INTOSAI members show that the majority of SAIs, about 75 %, have

experience of auditing disaster-related aid. Approximately 43 % of this experience was in the

disaster preparedness field including disaster mitigation. SAIs have a significant role in

assisting governments in carrying out their role and responsibilities by auditing whether the

aid and funds allocated for disaster preparedness were used efficiently and effectively for the

purposes intended. So disaster preparedness should take greater place in the SAIs' audit work

programs.

Phase of Disaster Management that SAIs audit

7.2 More generally, a distinction can be made between whether the disaster preparedness aims to

cope with a disaster on the territory of the country itself or in another country. The tasks

naturally differ in the one case or the other.

• Disaster preparedness (limited dimension): the country is able to deal with the

consequences of the disaster on its own;

20

• Disaster preparedness (large-scale dimension): international help and aid are necessary,

raising questions regarding international cooperation and coordination;

• Disaster preparedness for the protection of citizens in a foreign country: actions of one

country are to be taken on the territory of another country hit by a disaster, if citizens of

the former are in danger (e.g. evacuation of the country's citizens);

• Disaster preparedness for participation in an international response to a national/regional

disaster.

Stakeholders will also vary in terms of their size and involvement is possible disaster. Taking this

into account, SAIs should design and conduct their audit and give assurance to all stakeholders

that the funds received have been utilized effectively, efficiently and economically. On the

other hand, audit of disaster preparedness requires a capacity for identifying various types of

risks at different levels, assessment of projections and plans for likely consequences and of

management tools and methods to avoid, reduce and share risks.

7.3 As we know, there is an intricate structure in the humanitarian sector, with multiple donors and

recipients at national and international levels. Many actors, such as national and local

governments, the international community, the private sector, civil society and even private

individuals are thus involved in and support disaster preparedness work. Each actor concerned

will be audited by different institutions and subject to a different audit process. This being so,

assuring accountability of funds allocated to disaster preparedness will be difficult. For these

reasons, SAIs should draw up a framework for efficient and effective auditing, taking into

account international measures to improve accountability and transparency in disaster

preparedness. This means that a good relationship and cooperation between SAIs and other

audit institutions, especially internal audit, has great importance in this area.

21

PART II: AUDIT OF DISASTER PREPAREDNESS

8. Introduction

8.1 Disaster mainly leads to disruption of normal life; the impact on human life consists in loss of

life, injury, hardship and adverse effects on health; the impact on social structure involves the

destruction of or damage to government systems, buildings, communication networks and

basic services; community needs such as shelter, food, clothing, medical assistance and social

care. Because of an increase in the frequency and effects of disasters, disaster preparedness,

including the activities of mitigation and prevention, has gained importance in recent years.

Briefly, the idea is that the impact of disasters can be minimized.

8.2 It is obvious that activities aimed at disaster preparedness will involve the fields of finance,

legislation, governance, education, management and society as a whole. Transparency and

accountability in these areas call for audit work to be carried out, especially as regards

performance and finance. As stated in the draft audit guidance on disaster-related aid of 2

June 2009, the great impact of disasters results in billions of US$ of emergency humanitarian

aid to the affected countries. Audit scope and type as well as cooperation between SAIs have

become more important because aid appears in many shapes and forms: from different donor

countries, national and international organizations, emergency relief organizations, etc.

9. Challenges for the auditor

9.1 The auditor needs to take disaster preparedness as an umbrella concept and keep in mind that in

reality many actions include a mix of both mitigation and prevention. In this framework, the

auditor should try to:

• Designate the organizational structure and main activities which ensure that the systems,

procedures and resources fulfill the disaster preparedness requirements such as training,

awareness raising, establishment of disaster plans, evacuation plans, pre-positioning of

stocks, early warning mechanisms and, lastly, strengthening local knowledge. This concept

includes, in particular, preparedness focused on enabling communities to help themselves

in the event of a disaster and financial preparedness in order to absorb the effects of a

disaster without creating undue macro-economic or budgetary problems (e.g. budgetary

provisions, contingency financing, stand-by agreements, risk assurance).

• Specify the measures taken before disaster which are intended to reduce or eliminate

their impact on society and environment. These measures reduce the physical

vulnerability of existing infrastructures or vulnerable sites which directly

22

endanger the population, e.g. retrofitting of buildings, reinforcing lifeline infrastructure.

• Determine the prevention activities conceived to ensure permanent protection against a

disaster, including engineering, physical protection measures, legislative measures for the

control of land use and codes of construction. These activities reduce the physical

vulnerability and/or exposure to risks through infrastructure.

10. Audit Mandate of SAIs

10.1 As mentioned above, many actors such as national and local governments, the international

community, the private sector, civil society, etc. are involved in disaster preparedness work. In

many countries, the SAIs' mandate does not cover all the activities and organizations involved

in disaster preparedness. To ascertain this fact, the adequacy of the audit mandate of SAIs was

assessed as part of the survey.

Part A Question 6: In your country, which disaster-related aid activities by funding source are considered as public domain that your SAI has a mandate to audit (you may select more than one options)?

Government Institutions 27 90,0%People/community 5 16,7%Organizations/private entities 5 16,7%Local Non-governmental Organizations (NGOs) 8 26,7%Foreign Governments 12 40,0%Foreign NGOs 4 13,3%International Institutions/donors 12 40,0%International Financial Institutions 13 43,3%Others 6 20,0%

According to the results of the survey carried out by the INTOSAI WG AADA, the SAIs mostly have a

mandate to audit government institutions; 40 % of them can audit the funds of foreign

governments, international financial and other institutions/donors. A few have a mandate to

audit NGOs and private entities, especially foreign ones. This means that the mandates of SAIs

do not cover all areas related to disaster preparedness as a whole. However, if the SAIs carried

out a joint audit, this gap could be overcome.

10.2 Not only the legislative body and government but also donors and stakeholders need

information on:

23

• Whether the funds are being used as intended,

• Whether the funds and aid provided have been spent in the most efficient and effective

manner.

However, one of the major problems in this area is the lack of a single and reliable information source,

thus hampering accountability and transparency. In addition, each actor concerned will be

audited by different institutions and be subject to a different audit process; thus, no single

audit institution has comprehensive and reliable information about the funds allocated and

activities concerning disaster preparedness.

10.3 The SAI is the only institution with the potential to audit all the structures concerning disaster

preparedness. If this is not yet the case, the SAI's mandate should therefore be extended and

broadened so as to involve all relevant institutions in its scope. The survey results collected by

the INTOSAI WG on the AADA show that approximately 40 % of the SAIs did not have access to

relevant audit reports such as those prepared by the governmental internal auditors, public

accounting firms, the provincial auditor general, the external audit function, the office of the

inspector general and special governmental commissions, etc.

The SAIs' right of access to audit reports prepared by the other institutions

SAIs should have full authority to access all kinds of information concerning the subject, including

internal and external audit reports, as well as having an audit mandate that covers all

activities. It is not possible to prepare a proper, sound audit report and to create trust in the

SAIs' work relating to disaster preparedness on the basis of unreliable and incomplete

information.

11. Types of Audit

11.1 When auditing disaster preparedness, the SAIs can perform all types of audit. Many SAIs

perform both financial and performance audits in the field of disaster

24

21%

21%

preparedness. In addition, a few SAIs perform a mixed type of audit, which does not conform

to INTOSAI auditing standards and guidelines. However, finding a common basis for this audit

will be extremely difficult.

11.2 SAIs have carried out financial and performance audits at almost the same rate. In the field of

disaster preparedness, the tendency is towards performance audit. The survey results show

that 61% of the disaster-related audits carried out by SAIs have been performance audits. Is

this type of audit more suitable and what types of audit should be conducted in the field of

disaster preparedness? This issue will be handled in the light of the INTOSAI auditing standards

and guidelines predominantly for performance audit.

Types of Audit at the Preparedness Stage

11.3 Financial audits are not directly performed on disaster preparedness transactions. Generally,

transactions concerning disaster preparedness are examined within/by routine and annual

financial audits of the governmental department/institutions. Occasionally, financial audits on

funds allocated to disaster preparedness or to foreign-aided projects are carried out directly

by SAIs. Financial audits therefore do not meet all donors' and stakeholders' needs. Unlike

financial audit, performance audit directly covers all aspects and activities of disaster

preparedness management and reports as a whole.

11.4 As stated before, in many countries, the SAIs' mandate does not cover all the activities and

organizations involved in disaster preparedness. 60 % of the SAIs have right of access to audit

reports prepared by other institutions. In spite of this, the SAIs20

have relatively extensive access to sources of information and data . It can therefore be said that

performance audit is more suitable for directly examining the disaster preparedness field and,

moreover, the activities and organizations that lie outside the SAIs' mandate can be shown by

performance auditing. However, the SAIs should

25

Performance 61%

Financial39% ,

20

See INTOSAI Auditing Standards, paragraph 1.0.33; "The SAI must have access to the sources of information and data as well as access to officials and employees of the audited entity in order to carry out properly its audit responsibilities. Enactment of legislative requirements for access by the auditor to such information and personnel will help minimise future problems in this area."

focus on the risks involved in disaster preparedness and decide on which type of audit will be applied in

accordance with the purpose of the audit.

12. Planning and carrying out the audit work

12.1 According to the INTOSAI Auditing Standards (AS 3.1.1), the auditor should plan the audit in a

manner which ensures that an audit of high quality is carried out in an economic, efficient and

effective way and in a timely manner. Especially in performance auditing, a well thought-out

plan is indispensable. Careful advance planning will prevent possible problems arising at a

later stage in the auditing. Before starting the audit study, it is consequently important to

define the audit objectives, the scope, and the methodology to achieve the objectives.21

12.2 After obtaining enough background information and knowledge about the audit environment,

the auditor should specify the risks to economy, efficiency and effectiveness (the 3Es).

Depending on disaster types and their probability and the risk impact, the management risks

to the 3Es will arise in different areas. Organization, planning, monitoring, control,

coordination, lack of a sound disaster management information system, etc. are principally the

risks to the 3Es in this field. Some of them might predominate, depending on the types of

disaster. They will show the auditors the gaps and unmanageable areas and issues regarding

disaster preparedness within disaster management.

12.3 As Figure 1 shows, there is a strong correlation between the risks to the 3Es and the audit

criteria and recommendations. For this reason, specifying the risks to the 3Es is very important

for designing a sound audit study on disaster preparedness. As we know, audit criteria show

"what should be". The risks to the 3Es indicate the area for setting the criteria, and also for

producing recommendations to resolve identified areas of poor practice.

26

21 INTOSAI Implementing Guidelines for Performance Auditing, Part 3 p. 3.3 July 2004. "What does planning of individual performance audits involve?"

Audit Approach/Scope

12.4 In the audit studies, for both financial and performance auditing the SAIs should apply

traditional audit approaches.22 For example, Turkey used a risk-based audit approach in the

performance audit study concerning disaster preparedness entitled "How well is Istanbul

getting prepared for the earthquake?" During their enquiries, the auditors tried in particular to

detect problems and drawbacks in the implementation. This audit approach helped the

auditors to determine the most risky activities and areas. On the other hand, Kenya's reports

in the financial audit field are based on a systems audit to establish the effectiveness of the

internal controls and an audit of the financial statements drawn up for the funds allocated to

disaster management. The reports on financial statements give an opinion as to the fairness

and truth of the financial statements.

12.5 As seen in these examples, the audit approach does not change in financial audits, because

transactions concerning disaster preparedness are examined as part of the routine and annual

financial audits of the governmental department/institutions. In contrast to financial auditing,

the audit approaches in performance auditing can change depending on the issues focused on.

For example, whilst using a risk-based audit approach may be more appropriate in an audit

study on natural disaster preparedness, a systems-based audit approach and/or a problem-

based audit

27

Figure 1: Correlation between risks/criteria/recommendations

22 INTOSAI Implementing Guidelines for Performance Auditing, Part 1, p. 1, 8 July 2004. "Are there differences in analytical ambitions and approaches?"

approach will be more suitable for examining preparedness for man-made disasters,23

such as nuclear accidents. Indeed, the risks identified by the auditor should be focused on, and then an

appropriate type of audit and audit approach according to these risks should be determined.

Audit Objectives

12.6 The most important step in drawing up any audit study is to define the specific issues to be

studied and the audit objectives. The way in which the audit objectives are determined will

change, depending on the type of audit. In financial auditing, the audit objectives are generally

defined by legislation. In financial audit, the SAIs audit the governmental

institutions/departments annually. These audits cover a review of the accounts and the

operation of the agency, including disaster-related accounts. It is conducted to ascertain

whether funds have been disbursed properly, the fairness and reliability of the agency's

financial position and compliance with laws, rules and regulations. In this context, the audit

objective might be specified as "to examine the management of the State Budget funds

earmarked from the State Budget for the protection against floods."

12.7 In performance auditing, however, the audit objectives will change depending on the disaster

preparedness issues that are focused on. In determining objectives, the auditor must take into

account the roles and responsibilities of the SAIs within the management of disaster

preparedness and the expected impact of the audit in this field. The disaster preparedness

area is a chaotic environment. There are a great number of interrelated activities, although

many actors perform their work separately. Audits therefore need to be well designed, as they

will be carried out in a complex and chaotic environment, and the audit scope should be

specified carefully.

12.8 The audit objectives should be defined within the audit scope. Otherwise, the chaotic

environment will be reflected in the audit studies and, as a result, a meaningful study will not

be achieved. Disaster preparedness contains a range of precautions taken against possible

disaster. These precautions are developed using different scenarios as a basis and form part of

the National Disaster Plans and/or the sub-plans. The disaster plans help auditors define audit

objectives.

12.9 In performance auditing, some examples of audit objectives are given below:

• Evaluation of distribution and use of resources from the disaster fund; decision-making

approaches, division of functions and coordination between federal, iander and local

authorities. (Preparedness-Mitigation/Austria)

28

23 For audit types and approaches, see INTOSAI Auditing Standards and INTOSAI Implementing Guidelines for Performance Auditing.

• To determine whether Public Safety Canada can demonstrate that it has exercised

leadership by coordinating emergency management activities, including critical

infrastructure protection in Canada; and to determine whether Public Safety Canada,

along with federal departments and agencies, can demonstrate progress in enhancing the

response to and recovery from emergencies in a coordinated manner. (Preparedness-

response/ Canada)

• To assess the effectiveness and operating efficiency of the recently established "National

Disaster Management Support System" (NDMSS); to provide an independent verification

of the reliability of the information contained in the NDMSS; and to examine the stock

management of relief goods and materials. (Preparedness/Korea)

• To determine factors affecting efficient distribution of food relief aid. (Mitigation/Lesotho)

• Audit as to whether the Minister of Home Affairs has fulfilled his responsibility for the

organization of disaster management in the Netherlands. (Preparedness/the Netherlands)

• To specify the risks faced during the short and medium-term preparatory work to

minimize the damage caused by a possible Istanbul earthquake and to identify the

measures to be taken. (Preparedness/Turkey)

• To determine whether the resources donated reached the intended beneficiaries and to

determine their impact in mitigating the effects of the famine. (Kenya)

29

Audit Methodology

12.10 Audit methodology is the set of techniques developed for data collection and the analysis

process. According to the INTOSAI Auditing Standards, to support the auditor's judgment and

conclusions regarding the activities under audit, competent,24

relevant and reasonable evidence should be obtained.

12.11 In financial audits, evidence is based on transactions, financial statements, project

implementation reports, physical verification, independent technical assessment, compliance

with tender/procurement procedures, etc.. In financial audit, the auditor focuses on the

following:

- review of internal controls and procedures,

- review of documents (disbursement and receipts of donations) and recording in the books of

accounts,

- test of accounting records,

- validation of beneficiaries on a sample basis.

12.12 Evidence in performance auditing is persuasive, and the way of obtaining it is for the auditor to

collect and analyze data, information and knowledge. When working in the field of disaster

preparedness, the auditor will have to seek data and information from different sources.

Developing methods for collecting data and information makes the auditor's work easier.

12.13 In performance auditing, the common methods used for data gathering are:

• File examination. In the disaster preparedness area, files contain a wide range of

documents, such as relevant guidance, protocols and legislation; disaster planning

documents and post-event reports of all levels of government, especially all the

documents of the institution responsible for disaster management. They should be

analyzed by the auditor. For example, for Turkey's audit study concerning earthquake

preparedness, building development planning, application works, ground condition

reports and the documents related to the reinforcement activities of Istanbul

Metropolitan Municipality and district municipalities were scrutinized on site.

• Site Visit. In order to observe and evaluate the work of the relevant institutions included

in the audit scope and to interview local key persons, a site visit is an important and

commonly used tool. It may be the only method possible for making observations at

distribution points and inspections of storage and transportation facilities.

30

24 See INTOSAI Auditing Standards, p. 3.5.1.

• Interview. Face-to-face in-depth interviews with key personnel, i.e. those that play a key

role in minimizing risks in the event of a likely disaster. These include authorized personnel

of disaster management institutions, heads and personnel of service groups and relevant

professionals taking part in disaster plans will help the auditor collect evidence. The

selected service groups are transportation, communication, rescue and debris removal,

first aid and health service groups, etc. Interviewing is an important tool for assessing

coordination and collaboration among levels of government, and the contribution of all

the parties concerned. Interviews with scientists and NGOs and other bodies concerned,

such as the Red Cross/Red Crescent, the Chamber of City and Regional Planners, local or

municipal governments, etc. known to have contributed to minimizing disaster risks, can

also help auditors formulate audit criteria and obtaining audit findings.

• Surveys/Questionnaire. To evaluate the activities of community preparedness and

training and to collect similar data from a vast number of different institutions, such as

ministries, municipalities, fire brigades and provinces, etc., surveys are the most

convenient tool. Surveys might also help the auditor evaluate public awareness to disaster

preparedness.

• Literature Review. Reviewing articles, studies, other audit reports and evaluations

concerning disaster preparedness will help in:

- understanding the overall control environment of disaster preparedness,

- specifying the different needs and approaches to disaster preparedness,

- formulating audit criteria,

- developing recommendations.

• Assessment of the adequacy of management tools. Carrying out activities related to

disaster preparedness depends on the adequacy of management tools such as disaster

plans, Geographic Information Systems (GIS), Remote Sensing (RS), Global Position System

(GPS), disaster information systems and other relevant software. The disaster plans should

therefore be analyzed and the adequacy of these systems should be assessed.

• Risk assessments. Disaster preparedness measures will be taken on the basis of risk

assessments and scenarios. For that reason, risk analysis should be evaluated in

performance audit studies.

• Observation and case studies. Observation and case studies are suitable tools for

evaluating the drills, training and education of professionals who are involved in disaster

preparedness activities.

31

• Sampling. Disaster preparedness generally covers too large an area and numerous

activities. In such a case, it is almost impossible to analyze all the work and sampling is a

useful and practical technique. GIS and/or similar tools help the auditor to select samples.

Audit Criteria

12.14 Audit criteria give direction to the assessment and help the auditor to determine whether the

activities/programs meet expectations or not. In financial audits, criteria are prefixed by the

legislation concerning financial management and establishing the audit entity. In performance

audits, audit criteria are generally formulated by the auditor. Thus, in performance auditing,

the general concepts of economy, efficiency and effectiveness should be interpreted in

relation to the subject; for that reason, criteria will vary from one audit to another.25

12.15 In performance auditing concerning disaster preparedness, the auditor should specify audit

criteria in accordance with the issues focused on. The general concepts of performance,

economy, efficiency and effectiveness should be turned into specific criteria relating to

disaster preparedness. Otherwise, the criteria do not give direction to the audit study and

might be vague.

Audit Findings and Recommendations

12.16 One of the important stages of performance audit is to determine audit findings and to draw

up audit conclusions and recommendations. As we know, audit findings are the specific

evidence gathered by the auditor to satisfy the audit objectives, to answer the audit questions

and to meet audit criteria. Audit findings show the current situation, i.e. "what is". The audit

program in Part III will help the auditor to determine audit findings.

12.17 The auditor should develop audit conclusions and recommendations by analyzing the causes

and effects of the findings carefully. As mentioned in paragraph 12.3, there is a strong

correlation between the risks to the 3Es and audit criteria and recommendations. When

producing recommendations, the auditor should not overlook the correlation between them.

Moreover, the auditor should pay special attention to recommendations that bring reasonable

solutions to identified areas of poor practice, i.e. the risks to the 3Es.

32

25 INTOSAI Implementation Guidelines for Performance Auditing, July 2004, p. 52.

PART III: AUDIT PROGRAM FOR DISASTER PREPAREDNESS

13. Audit Program

13.1 The audit of disaster preparedness should be predicated on a sound audit program focused on

understanding the operational environment of disaster preparedness. This includes the

organizational structure and resources of all the relevant authorities, as well as the overall

control environment. The aim is to design a sound audit study and to prepare a reliable audit

report with a high impact.

13.2 This audit program was based on an assessment of SAIs' audit reports and the disaster

management plans of various countries and the results of the survey which was prepared by

the INTOSAI WG on the AADA. It is intended to ensure a coherent and complete framework

for the audit of disaster preparedness. The program covers a broad range of possible

challenges for the auditor, clarifies definitions and presents different approaches by giving

best-practice examples from SAIs around the globe. Auditors should adapt this program and

specify which areas require particular attention and further development by taking into

account the conditions in the country being audited. The auditor should not expect to get an

answer to all the questions through this document. It is up to the auditor to develop the

program further in order to meet the specific tasks of their SAI and the particular needs of the

disaster.

13.3 This audit program is divided into seven parts:

• Identification of the disaster characteristics,

• Specifying and understanding the national strategy and action plans,

• Identification of the framework and organization of the authorities involved,

• Assessment of the adequacy of the coordination,

• Evaluation of disaster management tools,

• Evaluation of emergency exercises and training,

• Evaluation of disaster funds and grant administration.

Identification of the disaster characteristics

1. The auditor should first have knowledge of the following issues:

1.1 What types of disaster may occur in the country?

1.2 What is the probability of each type of disaster?

1.3 What could be the extent of loss or damage?

33

1.4 What is the government approach to such disasters?

1.5 Are there (updated) hazard maps and/or hazard analysis?

1.6 .........................................................................................................................................................

.......................................................................................(Please add your own questions)

Specifying disaster types and their probability should be the first step in auditing disaster preparedness. Government approach and policy preparedness activities depend on this probability. It should be noted that certain disaster risks may be so remote and/or unpredictable that preparation would be excessively costly and therefore it may be more efficient to deal with them after the event. The government approach to the potential disaster will determine the scope of audit study. In short, all these factors should be taken into account while undertaking and designing an audit of preparedness activities.

Specifying and understanding the national strategy and action plans

2. To understand the government approach to disaster preparedness, the auditor should carefully

examine the national disaster plan and/or substitute tools and assess the aims and targets:

2.1 Has a national disaster plan been prepared or are there any substitutes for a national disaster

plan?

2.2 Are the disaster plans/substitute tools updated regularly?

2.3 Are there procedures for systematically reviewing plans/substitute tools for timeliness,

completeness, consistency with existing guidelines and overall usefulness?

2.4 Which events/situations are accepted as disaster in the national disaster plan, or the

substitute tools?

2.5 Are the national disaster plans/substitute tools made by predicating on analyses like disaster

risk maps, risk assessment, etc.?

2.6 Which entity is responsible for coordination of disaster planning?

2.7 Have the goals, objectives and strategies defined by the disaster plan been integrated into the

annual budget process (emergency operations and grant application processes)?

2.8 Are the disaster preparedness planning efforts consistent and adequate? (General

preparedness plans as well as hazard-specific plans.)

2.9 What are the main activities for disaster preparedness within the plans/substitute tools?

2.10 Within the disaster plans/substitute tools, how are the roles and responsibilities defined and

allocated to each responsible unit?

34

2.11 Do these plans/substitute tools provide a good basis for timely, clear and organized actions -

as to when and who will perform such actions during an emergency or disaster?

2.12 Is the critical infrastructure determined on a national scale within the scope of disaster

plans/substitute tools?

2.13 What kinds of action plans and alternative plans are prepared?

2.14 Are the sub-plans (action plans, etc.) prepared in accordance with the national plan/ substitute

tools?

2.15 (Please add your own questions)

For the auditor, the national disaster plan (or a substitute tool) is one of the most important tools in the evaluation of disaster preparedness. The national disaster plan/substitute tool, which is prepared by the authority responsible for disaster management, along with event-specific and departmental plans, will guide the central government response to disasters. It should outline the processes and mechanisms to facilitate an integrated government response to a disaster. It should address specific threats, the response to international emergencies, and the National Emergency Response System which outlines a harmonized federal and provincial/territorial response to disaster. With a good national disaster plan, the auditor can identify and examine all activities related to disaster preparedness as a whole. Comparison between the national disaster plan and those of other countries exposed to similar disasters will help the auditor to evaluate the sufficiency of the disaster preparedness. Moreover, national disaster plans will be a good source for determining audit criteria because they identify what to do and to expect.

Identification of the framework and organization of the authorities involved

3. To design a sound audit of disaster preparedness and to understand the organization, the auditor

should focus on these points: (The word entity here covers institutions/agencies/private organizations and other participants.)3.1 What are the applicable laws/directives/national/local initiatives in that respect?

3.2 Which entity has the main responsibility for disaster preparedness?

3.3 Which entities are related to disaster preparedness at each level? (evaluate the organization

structure as a whole)

3.4 Are the organizational structures and systems well defined and designed to facilitate

successful disaster preparedness activities?

3.5 Are the relevant functions of these entities formulated clearly and sufficiently?

3.6 Are authority and responsibility clearly assigned?

35

3.7 Is there a reliable and effective internal control for the activities of disaster preparedness?

3.8 Does the main entity responsible have capable and sufficient human resources?

3.9 What are the staffing profiles? Is the staffing appropriate in order to coordinate and carry out

the activities of disaster preparedness?

3.10 Does the main entity responsible have a complete and detailed overview of the resources

allocated to disaster preparedness activities?

3.11 In which areas within the disaster preparedness process do non-governmental and other

organizations act?

3.12 Could the main entity responsible provide the facilities and support necessary for the activities

of the non-governmental actors?

3.13 Is a monitoring mechanism established with a view to following extra-budgetary funds and the

activities of non-governmental actors?

3.14 (Please add your own questions)

As stated before, there are many institutions and agencies in this field. Coordination among them can assist the completion of the interrelated activities without duplication and in a timely manner. For this reason, the auditor should have a comprehensive knowledge of the legal framework and organizational structure which includes entities that are out of and within the SAIs' jurisdiction. Defining their roles, responsibilities and how to ensure cooperation among them will help the auditor to assess where and how to collect data, who is responsible for what actions, etc. Additionally, it is beneficial to answer questions like "is there a sufficient legal framework?; are the activities well-coordinated?; what is the governance structure like?". (See Annex 3 for an example.)

Assessment of the adequacy of coordination

4. To assess the sufficiency of coordination with actors at regional, national and international level, the

auditor should examine the following issues:

4.1 Are the relevant participants included in the coordination mechanisms?

4.2 Is there any monitoring mechanism providing information to help ensure collaboration and

cooperation, as appropriate, with different bodies and actors at regional, national and

international level?

36

4.3 Does the existing coordination serve to foster the collaboration, to avoid the duplication and

overlap of activities in the field, to make the most efficient use of resources and to raise

awareness of the risk of disaster?

4.4 Are different forms of cooperation such as technical assistance, consultancy, equipment and

supplies, etc. for disaster preparedness activities specified in accordance with the nature, role

and work of different participants in this field?

4.5 Is a sound management system and governance structure established to provide26

coordination between the authorized institutions and agencies?

4.6 Are the critical infrastructures (see 4.7 on page 16) which assign the priorities of the

infrastructures according to the vulnerability to a disaster, designated with the

cooperation of the private sector and the public sector?

4.7

(Please add your own questions)

Recent events, such as Katrina, the tsunami and earthquakes in Pakistan and Haiti, have shown that the management of large-scale disasters is a matter that concerns not only the government, but also other stakeholders including businesses and individuals exposed to disaster risks. Therefore, the evaluation of coordination between all stakeholders is becoming more important in audit studies. In fact, the coordination should encompass intergovernmental bodies, such as regional organizations, as well as national bodies and institutions, and non-governmental organizations at national and international level.

The national disaster Act and the national disaster plan, along with event-specific and departmental plans, are the main tools for evaluating the coordination. Additionally, the auditor should pay special attention to the activities of the main authority responsible for the coordination and examine its management system and governance structure.

Evaluation of disaster management tools

5. To evaluate the sufficiency of the management tools used to accomplish the goals for disaster

preparedness, the auditor should assess the following:

5.1 Is there an updated disaster management information system?

37

26

See Annex 1 giving Canada's governance structure as an example. Canada FERPMS - the management system components: Governance Structure, Management, Government Operations Centre, Primary Functions, and Federal-Regional Component.

5.2 What are the components of the disaster management system? Are they sufficient, applicable

and beneficial for the user?

5.3 Did the main authority responsible establish a reliable and updated database containing

enough information for the disaster preparedness activities and training?

5.4 If so, was this database designed in a way that helped the main authority responsible to lead

the other entities and to ensure cooperation between them?

5.5 Has the main authority responsible developed the instruments that will effectively direct the

other entities in an appropriate manner to make the risk assessment in their own areas in

accordance with the national strategy and policies?

5.6 Is an appropriate geographical information system (GIS) used? How?

5.7 The questions below will help the auditor (as well as the planners) assess the needs for and

use of a GIS in disaster preparedness:1

• What planning decisions need to be made?

• Which decisions involve the use of mapped information and information susceptible to

map display?

• What information cannot be managed efficiently with manual techniques?

• What information management activities will be supported by the proposed GIS?

• What types of decisions will be supported with a GIS?

• Is the GIS principally appropriate for analysis? Is cartographic quality output needed?

• To what extent will a GIS help achieve the desired objectives?

5.8 To assess the suitability of the GIS, the following questions can help the auditor:

• What kind of GIS is it?

• What sort of hardware and software are used?

• Who are the current users? To what extent is the current user network compatible with

the network envisaged? What data does it contain?

• Are its capabilities compatible with the needs of the new users?

• Is the in-house technical expertise capable of serving the new users?

• What are the institutional arrangements that would enable the appropriate use of

this GIS?

5.9 In order to evaluate the sustainability of the GIS, the following questions can help the auditor:

• Who will be the users of the information generated with a GIS?

1Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).

38

• In terms of information, time, and training needs, what is required to obtain the desired

results?

• Is there budget and staff support?

• What agencies are participating in similar projects?

• To what extent would a GIS help to attract the interest of other agencies and facilitate

cooperation?

5.10 Are hazard maps prepared taking into consideration the environmental plans, the land use

planning and the building development scheme, etc.?

5.11 Are there any special tools intended to mitigate disaster risks and impacts?

5.12 Do the primarily authorized institutions perform the risk assessment and vulnerability

assessment activities?

5.13 ................................................................................................................................................

(Please add your own questions)

Geo-science technologies are in widespread use for disaster preparedness. GIS is a tool that can be used in all disaster types to collect different types of data. The structuring of GIS differs from country to country according to the disaster risks faced. For example, to understand the full short and long-term implications of floods and to plan accordingly, an analysis needs to be made of combined data on "meteorology, topography, soil characteristics, vegetation, hydrology, settlements, infrastructure, transportation,

28population, socioeconomics and material resources". These aspects, which vary in the field of disaster management, are easily processed with the help of GIS for risk analysis and carrying out the planning efforts.

GIS, and similar instruments such as Remote Sensing (RS) and Global Positioning System (GPS), are mostly used by planners. Before deciding to acquire or use a system, planners need to make a meticulous evaluation of their needs. This must include a definition of how their planning activities and decisions will be assisted by using a GIS. Specific objectives and applications of the GIS should be defined. For a GIS, planners need to carefully assess if the amount of spatial calculations and analysis to be performed justifies automating the process. So, the auditor has to scrutinize the GIS and planning process well in order to audit the disaster preparedness.

39

28 Rego, Aloysius J: "National Disaster Management Information Systems & Networks: An Asian Overview",

s.1.

Effective use of GIS in disaster preparedness will depend on the reliability, accuracy and adequacy of data and elements of these systems. At the same time, the benefit to be had from the data gathered by using GIS effectively is closely related to the extent to which these data have contributed to the planning process. The hazard maps, zone maps and risk assessments which are obtained by using GIS should be submitted to decision makers at the appropriate level and on time; and also these data should be used in the planning process. In this context, the auditors should determine whether a mechanism which transfers the technical data produced at this stage to the planning process is established or not.

Additionally, the GIS will increase communication and improve cooperation among the users of the information. GIS is an important tool for the auditor to evaluate the adequacy of communication among the relevant entities. In performance audits of disaster preparedness, the adequacy of the disaster management information system and especially GIS have to be evaluated carefully.

Evaluation of emergency exercises and training

6. To assess the planning and implementation of the emergency exercises and training and community

preparedness, the auditor should examine the following:

6.1 Have training requirements and effective training plans and coordination mechanisms been

defined and are they being modified as appropriate?

6.2 Do programs provide organizations and individuals with the necessary knowledge and skills to

effectively respond and quickly recover from various types of disaster?

6.3 Is it ensured that training functions and activities are not unnecessarily duplicated or

overlapping?

6.4 Is there a contingency plan for external collaboration mechanisms in an emergency situation?

• Formal structures?

• Collaboration at national, regional and local level?

6.5 Is the collaboration and coordination among the various municipal departments (fire

department, police, hospitals, etc.) as well as business and non-profit organizations, the Red

Cross/Red Crescent and others planned and implemented?

6.6 Are there plans for disaster preparedness training for the public and/or public education

campaigns in order to raise public awareness? Are these executed according to plan?

40

6.7 Is there any specific program for training/ emergency exercises for particularly vulnerable

people? (Patients in hospitals, students in schools)

6.8 Is the execution of plans monitored?

6.9

(Please add your own questions)

For large-scale disasters (involving international aid) an enhanced relationship between the national and international mechanisms would foster a better understanding of the situation in the field, thus contributing to better monitoring and implementation of disaster preparedness activities and aid. It would also promote national participation and ownership of disaster preparedness activities. Large parts of national and international funds, especially for exercises and training and community preparedness, are mostly used by various actors such as the NGOs. Therefore, the possibility of duplication in these activities will be particularly high. To give all stakeholders assurance, the auditor should examine all training activities carefully. Also, it should be assessed whether or not the organizations and individuals have, through training, gained the necessary knowledge and skills to effectively respond to and quickly recover from various types of disaster. In these subjects, the SAIs should pay special attention to promoting public accountability.

Evaluation of disaster funds and grant administration

7. To evaluate the sufficiency and management of the funds for disaster preparedness activities, the

auditor should examine the following:

7.1 Does central government and/or the authority responsible for disaster preparedness have a

complete overview of the funds allocated by all relevant entities to disaster preparedness

activities?

7.2 Is the national disaster plan prepared on the basis of realistic cost estimates?

7.3 From which sources are the funds provided for disaster preparedness? (Government institutions, people/community, organizations/private entities, local nongovernmental organizations (NGOs), foreign governments, foreign or local NGOs, international institutions/donors, international financial institutions (IFIs), etc.)

7.4 By whom are the funds from these sources used?

7.5 What are the legal arrangements for using the funds?

41

7.6 Have effective administrative processes been conceived for the application and processing of

grants? (Although in principle the administrative procedures for the allocation and use of

public funds should ensure timeliness, in the case of urgent

42

disaster preparedness activities these may not be sufficient. Therefore specific administrative

arrangements should be in place to allow maximum flexibility.)

7.7 By which instruments, such as projects/programs, etc., are the funds used?

7.8 Are the projects/programs completed on time and within the budget?

7.9 ................................................................................................................................................

(Please add your own questions)

The social and economic costs of disasters vary widely and are difficult to estimate on a global basis. The most expensive disasters in purely financial and economic terms are floods, earthquakes and windstorms. The precautions taken before disaster will decrease the devastation and economic impact. Less developed countries with limited economic diversity and poor infrastructure need mostly external funds when preparing for disaster. Conversely, in developed economies, governments, communities and individuals have greater capacities to cope. However, disaster will adversely affect all economies and societies in both developed and developing countries. Therefore, the national and external funds allocated to disaster preparedness should be used in an economic, efficient and effective manner.

For this reason international policies concerning disaster management have moved towards more emphasis on disaster preparedness. The financial procedure, specified in accordance with previous policies that allocated large resources to post-disaster relief and reconstruction activities, needs to be redefined in accordance with these changing policies. The auditor should pay special attention to whether the financial process is redefined in parallel with the new policy.

In order to contribute to improved economy, efficiency and effectiveness in this area, the auditor should carefully examine the costs of all projects/investments. For this, the auditor should handle the following matters:

In order to plan realistic needs and resources for disaster preparedness:

• A national disaster plan and sub-plans taking into account realistic cost estimates should be prepared.

• The projects to be implemented within the scope of the plans should be determined by means such as cost-benefit analysis.

Disaster preparedness activities can continue over several years. The sustainability of the projects/investments in the field of disaster preparedness needs to be assessed as follows:

• Resource planning must be performed and future financing models must be developed.

43

• In view of the high cost of investments such as GIS and its sustainability, alternative financing must be taken into account, and a system to ensure the utilization of the equipment beyond the actual need should be established

To prevent the duplication of actions/projects and investments, national and sub-plans should be prepared. By evaluating the capacities of the relevant entities, the needs should be identified. In order to prevent unnecessary investment in this field and to use the resources more efficiently, a mechanism should be established to monitor the physical and financial implementation of the action, projects and investments. This should help the decision-makers take timely corrective decisions. The institution which is responsible for coordination should establish a system that ensures the monitoring of the project on the basis of time/cost.

8. This section is for any other contribution to this program or any other comments on the audit of

disaster preparedness.

44

14.Lessons Learned

• Performance audit is more suitable for the audit of disaster preparedness. The activities and

expenditure related to disaster preparedness extend over several years and are carried out by

different entities. Financial audit is usually annual and covers the transactions of only one entity. As

many activities in this field do not require capital resources, and since many organizations are

outside the SAIs' jurisdiction, the contribution of financial audit will remain limited and not add

value to the management of disaster preparedness. Activities and funds extending over several

years and the different institutions that have responsibility in the disaster preparedness field can,

however, be audited within the scope of performance audit and under an audit study at the same

time. In addition, in order to prepare a sound and comprehensive disaster preparedness audit

report, auditors can also obtain relevant information from persons29

and institutions outside the SAIs' jurisdiction . Also, it should be borne in mind that the purpose of the

audit in this field will depend on the type of audit to be applied.

• The data obtained need to be reliable, accurate and updated. One important issue in the

audit of disaster preparedness is the reliability, accuracy and timeliness of data. In these audits,

data and information need to be obtained from many organizations, some of which are not under

the jurisdiction of the SAI. Auditors should therefore carefully collect, cross-check and analyze the

evidence, as well as establishing their own database that includes reliable and accurate data and

updating it during the study. Geographical Information Systems (GIS) could be used to complement

such a database.

• Special attention should be paid to tools such as GIS. Duplication and lack of coordination

among relevant entities in introducing new IT equipment are common problems. This is the same

in the area of disaster preparedness. GIS could easily be another area of duplicate investment if

they are developed separately by different stakeholders. According to the survey, the utilization

level of the "National Disaster Management Support System" (NDMSS) was much lower than

expected, but it was very difficult to conclude that there was overinvestment.

• Cooperation among SAIs should be developed. The country carrying out the disaster

preparedness activities and the country that provides funding are often different. If the SAIs of

donor and recipient countries do not collaborate with each other, their audits may not cover all

aspects of disaster preparedness. In addition, if cooperation and coordination between the parties

involved both domestically and worldwide are not

45

29

See INTOSAI Auditing Standards p. 2.2.19 "The legal mandate should provide for full and free access by the SAI to all premises and records relevant to audited entities and their operations and should provide adequate powers for the SAI to obtain relevant information from persons or entities possessing it."

enhanced, the SAIs would not be able to contribute to improving activities or strengthening

accountability in the disaster preparedness area. Such cooperation may range from the simple

exchange of information, which is already intrinsically beneficial, to much closer cooperation in the

form of coordinated or joint audits, allowing the direct use of audit results amongst SAIs. The latter

scenario requires a common understanding of the audit methodology to be applied and of the

relevant audit criteria to be followed. To this end, an agreement (e.g. memorandum of

understanding or protocol) may be developed to define the scope, extent and form of the

intended cooperation among the relevant SAIs.

• Joint audits by donor and recipient country SAIs might be helpful for good governance and accountability in the field of disaster preparedness. Disaster preparedness is usually the

responsibility of the national government and therefore the SAI of that country will be tasked with

the audit of disaster preparedness. If disaster preparedness activities are (co-)funded by donors,

the SAIs of such donors will also have an interest in the audit of the disaster preparedness activities

thus funded. The perspective of a donor country SAI might differ from that of the SAI of a recipient

country. However, the SAI of the donor country should consider the possibility of relying on the

audit carried out by the recipient country's SAI for its own purposes. An alternative option is to

carry out a joint audit by both SAIs, serving the purposes of both. To the same end, SAIs of donor

countries might join forces in a joint or parallel audit of disaster preparedness of one or several

recipient countries. Similarly, the SAIs of the recipient countries can use the tools of joint or parallel

audits, thus saving resources and learning from each other. Joint audits might also solve the

problem mentioned on p. 10 (pages 24-25) regarding the lack of the SAIs' audit mandate.

• Relationship between the SAIs and the other audit institutions should be improved. Many

entities audit the different aspects or phases of disaster management: for example, the

government's internal auditors, state/regional/local government auditors, inspectors of specific

agencies, private accounting firms. Approximately half of the SAIs in the survey do not have access

to the audit reports on disaster-related aid issued by such entities. Nevertheless these reports are

an important tool for obtaining information in fields outside the SAIs' audit mandate. For that

reason, the relationship between the SAIs and the other audit institutions should be formally laid

down.

46

ANNEXES

ANNEX 1: An example of governance structure - Canada

Governance2

Put simply, governance means the "rules, processes and behavior that affect the way in which

powers are exercised at any level, particularly as regards openness, participation,31

accountability, effectiveness and coherence." An analysis of governance focuses on the formal and

informal actors involved in decision-making and implementing the decisions made and the formal

and informal structures that have been put in place to arrive at and implement the decision.

Government is one of the actors in governance. Other

actors involved in governance vary, depending on the

level of government that is under examination. For

example, other actors may include NGOs, research

institutes, international donors, finance institutions,

political parties, etc. All these may play a role in decision-

making or in influencing the decision-making process.

Generally, good governance has five major

characteristics: participation, accountability,

effectiveness, coherence and openness. It is clear that

good governance is an ideal which is difficult to achieve.

However, to ensure sustainable development, action must be taken to work towards this ideal with

the aim of making it a reality.

An example: The Federal Emergency Response Management System Governance Structure -Canada3

Canada's Federal Emergency Response Plan (FERP) includes the Federal Emergency Response Management

System (FERMS) that is a comprehensive management system for an integrated

2 Prepared by examining http://www.unescap.org/pdd/prs/ProiectActivities/Ongoing/gg/governance.asp, 27.8.2010; "European governance - a white paper", Commission of the European Communities, Brussels, 25.7.2001 COM(2001) 428 final.; OECD Principles of Corporate Governance 2004, www.oecd.org/dataoecd/32/18/31557724.pdf3 Federal Emergency Response Plan, CANADA, Federal Emergency Response Plan, CANADA, http://www.publicsafety.gc.ca/prg/em/ferp, (March 2010).

47

31 "European governance - a white paper", Commission of the European Communities, Brussels, 25.7.2001COM(2001) 428 final.

response to emergencies. This system provides the governance structure and the operational facility (the

Government Operations Centre) to respond to emergencies. The following figure describes the governance

structure:

The Federal Emergency Response Management System Governance Structure

48

GOVERNANCE

Governance

Governance here refers to the management structures and processes that are in place during non-

emergency and emergency circumstances. The Committee of Cabinet, the Deputy Ministers'

Committee, the Federal Coordinating Officer and the Assistant Deputy Ministers' Emergency

Management Committee are identified as the highest level decision-makers. These committees are at

ministerial level to coordinate the Government of Canada's response. For the disaster preparedness

phase, the Committee of Cabinet coordinates the government's agenda, including legislation, planning

and management issues. It also provides a forum to address public safety, national security and

intelligence issues and discuss emergency management and readiness.

Management

At the second level, there is a management team that is responsible for the actions and functions of

FERMS. The management team conducts the completion of the objectives set for each operational

period. The management team consists of the Director-General of the Operations Directorate, who

leads the management team, and four representatives.

• The Operations Directorate is part of the coordinating department of the Minister of Public Safety.

It is responsible for management functions and working together with the Government Operations

Centre.

• Another representative from the Department of Justice or other related institutions provides

support and advice on legal issues.

• As a member of the management team, the Associate Director-General provides support for

communication issues.

• The primary departments, designated in accordance with the nature of the emergency, are a

federal department related to a key element of an emergency. The primary departmental

representatives inform the management team of the support needs based on the nature of the

emergency, the Director-General of the Operations Directorate, in consultation with the Federal

Coordinating Officer, will determine which departments will provide a primary departmental

representative to support response within the GOC.

• Within the management team, four directors from the Operations Directorate are responsible for

the primary functions. The directors guide departmental representatives through the process.

Government Operations Centre (GOC)

Public Safety Canada, which is responsible for disaster management, has an operations centre (the

Government Operations Centre or GOC) to coordinate the national response. The Government

Operations Centre is the hub of a network of operations centers run by a variety

49

of federal departments and agencies including the Royal Canadian Mounted Police (RCMP), Health

Canada, Foreign Affairs and International Trade Canada, the Canadian Security Intelligence Service

(CSIS) and National Defence. The GOC also maintains contact with the provinces and territories as well

as international partners such as the United States and NATO. The GOC's primary functions are

providing coordination between federal emergency response partners and guiding them for their

authorities.

The GOC communicates the FERP engagement and the response level to the government's emergency

response partners. Three response levels are intended to provide a logical progression of activity from

enhanced monitoring and reporting to an integrated federal response. At level 1, there is an incident or

event which has the potential to require an integrated federal response. At this level, the GOC collects

a wide range of information about the incident, and then it evaluates and shares this information with

the federal emergency response partners. Finally, it is expected that the GOC's information and

enhanced reporting efforts should support federal partners' planning and response activities. A level 2

response requires full understanding of an incident and, as it unfolds and the requirement for a federal

response appears more likely, a risk assessment is performed. This assessment identifies vulnerabilities,

aggravating external factors and potential impacts, and may be formalized in an Incident Risk Analysis

Report. At level 3, there should be an integrated response activity and this level includes the previous

two levels' activities. The GOC maintains coordination and constant communication with the federal

activated centers. It also provides regular situation reports for ministers and senior officials.

Primary Functions

Public Safety Canada carries out six primary functions to integrate federal response:

• Operations,

• Situational awareness,

• Risk assessment,

• Planning,

• Logistics,

• Finance and administration.The scope of the emergency will determine the scale and level of engagement of each of these

functions. Within the GOC, subject matter experts and liaison officers from government departments,

NGOs, and the private sector organize and perform the primary functions. For disaster preparedness

activities, operations, situational awareness, risk assessment and planning functions are of vital

importance.

50

Federal-Regional Component

Federal organization has regional components to communicate with provincial/ territorial authorities.

These regional components provide direction on emergency management planning and preparedness

activities. It also manages the flow of information and requests for federal assistance within the region.

Thus, disaster preparedness activities are provided in a more effective and timely manner.

51

ANNEX 2: Geographical Information Systems (GIS)

Before making the decision to acquire a GIS, planners need to determine what planning activities could be

supported with the system and carefully assess if the amount of spatial calculations and analysis to be

performed justifies automating the process. Before deciding to acquire or use a system, planners need to

make a meticulous evaluation of their GIS needs. This must include a definition of how their planning

activities and decisions will be assisted by using a GIS. Specific objectives and applications of the GIS should

be defined. Answers to the questions outlined in the33

box below can help.

Since GIS is a tool that can be used for all disaster types, the collection of different types of data and the

features of different technical structures are discussed according to the characteristics of the disaster.

Because of that fact, the structuring of GIS differs from country to country according to the disaster risks

which the countries face.

To understand the full short-term and long-term implications of "floods" and to plan accordingly, combined

data on "meteorology, topography, soil characteristics, vegetation, hydrology, settlements, infrastructure,

transportation, population, socioeconomics and material resources" need to be analyzed. As seen in the

example, the resources necessary for analyzing floods vary from case to case, but differ from those required

for other types of disaster. These resources vary, and in the field of disaster management they are easily

processed with the help of GIS and are used in areas such as making a "risk and threat analysis" and carrying

out the "planning" efforts.

An example: Turkey, Marmara Region Earthquake Preparedness Activities

An earthquake disaster which caused big losses over a wide area occurred in the Marmara Region of Turkey

in 1999. For this reason, the earthquake movements in this region have been monitored regularly by the

"Prime Ministry Head of Disaster and Emergency Management" which is the body responsible for disaster

management across the country. In May 2010, an "earthquake danger and risk analysis" was made within a

100 km radius area. It estimated that, over a 10-year period, the probability of an earthquake with a

magnitude of 6 occurring is 83.8 %.

These data, produced with the help of GIS, are used for regional planning. The protection band, which is

seventy-five widths from each side of the fault zone, has changed by twenty five each, so total 50m.

protection band is identified.

The actual benefit to be had from the data which are gathered by using GIS effectively is closely related to

the extent to which these data contribute to the planning process. The hazard maps, zone maps and risk

assessments which are obtained by using GIS should be submitted to the

52

33 Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).

decision-makers at the appropriate level and on time, and these data should also be used in the planning

process. In this context, at the stage of disaster preparedness, auditors should determine whether a

mechanism which transfers the technical data produced at this stage to the planning process is established

or not.

Other Examples: India and China

India and China are among the countries suffering from the most severe natural hazards in the world. In

order to keep the information flowing smoothly into the networks for earthquake preparedness and

rescuing, their governments have started a series of programs to set up digital networks; these digital

networks, based on GIS, GPS and RS, incorporate a lot of new achievements in earthquake engineering and

information science. The examples of India and China are given below.

53

34 Rego Aloysius J., "National Disaster Management Information Systems & Networks: An Asian Overview",s.4.35 http://www.gisdevelopment.net/application/natural_hazards/earthquakes/ma03135b.htm

Examples of using GISVulnerability Atlas of India China GIS ActivitiesIn 1997, a "Vulnerability Atlas" was prepared, taking into account the three natural hazards which are the most damaging to India: earthquakes, cyclones and floods. The zoning maps at macro level for the three hazards are available in small scale for the whole country. These maps were prepared in larger scale, showing each administrative unit, the district boundaries, for easy identification of the areas covered by the zones of various intensity levels. The Vulnerability Atlas is an important input into State-level Disaster Management Planning and it contains the following information for each State and34

Union Territory of India:• seismic hazard map• cyclone and wind hazard map• flood prone area map• housing stock vulnerability table for each district, indicating for each house type,

In recent years, as one part of "Digital Earth" and China's National Information Infrastructure (CNII) project, earthquake disaster mitigation system has taken in a great deal of information on the whole country. This includes the geological structure, past earthquakes, buildings and population distribution. Most cities with a population of over 500,000 have built themselves an information system for reducing earthquake disasters and hazards. These contain almost all the infrastructure information in urban areas, such as the water-supply network, power systems, telecommunications network, traffic systems, etc.35. The latest achievements in earthquake engineering continually add to this system, such as earthquake risk analysis methods, new anti-seismic criteria or codes, new knowledge and

the level of risk to which it could be subjected sometime in the future.

experience in pre- and post-earthquake36

emergencies.

54

' http://www.gisdevelopment.net/application/natural_hazards/earthquakes/ma03135b.htm

55

ANNEX 4: Audit Objectives - examples concerning disaster preparedness

ANNEX 3: A case for understanding the organization and framework of authorities preparing for disaster

TURKEY - audit report: "How well is Istanbul getting prepared for the earthquake?'

According to Turkey's current legal arrangements, the main authority responsible for disaster preparedness

is the Turkey Emergency Management Directorate General (TEMAD) attached to the Prime Ministry. This

was charged with preparing and executing disaster plans and taking the necessary measures to provide

effective emergency management nationwide and to coordinate all the bodies involved. The other

organizations responsible for disaster activities are:

• the Ministry of the Interior, which has set up regional centers for relief and emergency operations.

• the Independent National Earthquake Council.

• local authorities, whose responsibilities for disaster mitigation were extended after the TCA report

recommendations.

The activities of Turkish NGOs, such as the Turkish Red Crescent, the Association of Social and Economic

Solidarity with Pacific Countries, the Turkish Blue Crescent Association, the Foundation for Human Rights

Humanitarian Relief and other governmental institutions, are all coordinated by TEMAD.

In this framework, the TCA audited earthquake preparedness via the following questions:

• Does the organizational structure charged with earthquake preparedness for Istanbul measure up to

the needs?

• How does the organizational structure prepare Istanbul for an earthquake?

• How are resources allocated for earthquake preparedness?

• Is effective coordination and cooperation established?

• Are activities properly planned and executed?

• Is there sufficient work related to post-earthquake fires that increase initial damage?

• How well do service groups prepare their emergency plans?

56

Country Background/Title Audit Type/ Disaster Phase Audit ObjectiveAustria Prevention of Natural Hazards: Use of

resources from the disaster fundPreparedness-Mitigation/

Performance

Evaluation of distribution and use of resources from the disaster fund; decision making approaches, division of functions and coordination between federal, länder and local authorities.

Canada Fall 2009 Emergency Management - Public Safety Canada

Preparedness-response/ Performance

The objectives of this audit were to determine whether Public Safety Canada can demonstrate that it has exercised leadership by coordinating emergency management activities, including critical infrastructure protection in Canada; and determine whether Public Safety Canada, along with federal departments and agencies, can demonstrate progress in enhancing the response to and recovery from emergencies in a coordinated manner.

Czech Republic Funds spent on anti-flood measures and prevention in areas endangered by adverse climate changes. The audit is focused on finance for flood prevention and flood protection (meteorology and hydrology systems, proneness to landslides and rock collapses, mapping of flooding areas, mapping of proneness to landslides and rock collapses, evaluation of floods).

Preparedness/ compliance-performance

Economy, effectiveness, efficiency of finance for flood protection.

Lesotho The Distribution of Food Relief Aid Mitigation/ Performance To determine factors affecting efficient distribution of food relief aid.

57

ANNEX 4: Audit Objectives - examples concerning disaster preparedness

Netherlands Preparation for disaster management.

Preparedness/ Performance Audit as to whether the Minister of Home Affairs has fulfilled his responsibility for the organization of disaster management in the Netherlands.

Turkey How Well Is Istanbul Getting Prepared for the Earthquake?

Preparedness/Performance To specify the risks faced during the short and medium-term preparatory work to minimize possible Istanbul earthquake damage and to identify the measures to be taken.

58

ANNEX 59: Audit Criteria - examples concerning disaster preparedness

Canada - Fall 2009 Emergency Management - Public Safety Canada

• We expected that Public Safety Canada would exercise leadership by coordinating federal emergency

management activities, as described in legislation and policies.

• We expected that Public Safety Canada would coordinate federal emergency management activities with those

of the provinces and territories to provide timely and coordinated support to communities in an emergency.

• We expected that Public Safety Canada would regularly test and exercise federal emergency

management plans.

• We expected that Public Safety Canada would have a risk-based plan to lead and coordinate critical

infrastructure protection efforts, and to reduce vulnerability to cyber attacks and accidents, by:

S adopting an all-hazards approach

S agreeing upon roles and responsibilities for the federal government and others

S determining what critical infrastructure should be protected

S assessing the threats and risks to these assets

S prioritizing risks and resources to protect critical infrastructure

S implementing protective programs

S developing measures to monitor and assess effectiveness.

• We expected that Public Safety Canada and selected federal entities would use a risk-based approach to

identify the resources needed and to coordinate the response to and recovery from emergencies.

• We expected that Public Safety Canada would promote a common approach to emergency

management, including the adoption of standards and best practices.

• We expected that Public Safety Canada, together with its federal partners, would provide emergency

management training, based on a needs assessment and a risk-based plan.

The Netherlands - Lessons on the accountability, transparency and audit of Tsunami-related aid, 2008

• Central government policy should be implemented by municipalities.

• The Minister of Home Affairs should be active in encouraging municipalities and other entities to be prepared

for disasters and to cooperate in a coordinated manner.

• Agencies should be involved in disaster management cooperation.

• Risk assessment and analysis should be conducted in a structured and systematic manner.

• Disaster management plans should be developed based on risk assessment.

• Disaster management plans should be kept up to date.

• Relevant professionals should be trained properly.

• Disaster management plans should be tested in practice (via drills, etc.).

• The Minister of Home Affairs should have enough management information to be able to monitor the disaster

preparedness of municipalities and other entities.

The Netherlands

• A good procedure should be in place to transform a threat into an alert.

• That procedure should be implemented (does it work in practice?).

• The system related to other projects and procedures should be well-designed without overlap or blind spots.

Turkey - How Well Is Istanbul Getting Prepared for the Earthquake?

• There should be one single institution initially responsible for the planning, coordination and execution of the

activities regarding earthquake preparations, which has the authority to use the budget, staff and instruments

and that is authorized to provide cooperation among the institutions.

• Activities should be managed according to the data obtained from the Disaster Management Information

System. The data have to be up to date, clear, accurate, precise, integrated and easily accessible. The results

obtained should be reported after being analyzed periodically. In disaster preparation plans, the issue of who

will do what, where, when and how should be clearly defined, and adequate staff training should be provided.

• Precautions that will diminish fire danger should be given priority; in this context, early warning and emergency

intervention systems should be established as soon as possible.

• In the Building Development Plans and their modifications, the selection of settlement areas should be based on

ground surveys.

• Istanbul's buildings should be inventoried, earthquake risk analysis should be done in conjunction with ground

surveys and buildings inventories; based on this analysis, the reaction of the buildings in the face of a possible

earthquake should be determined.

60

ANNEX 6: Audit Recommendations - examples concerning disaster preparedness

The Netherlands - Lessons on the accountability, transparency and audit of Tsunami-related aid, 2008

Management Information System

• The Minister should improve the quality of the disaster management policy by making it more specific and by

monitoring and supervising the implementation. The Minister needs to enhance his management information

system so as to be able to monitor and supervise the implementation of disaster management and to intervene

when necessary. This management information system should also serve for accountability.

Coordination

• The Minister should enhance structural cooperation between relevant agencies with specific measures.

Turkey - How Well Is Istanbul Getting Prepared for the Earthquake?

A New Management Approach

• To organize Istanbul's preparedness for a possible earthquake in the best possible way and to minimize the

likely damage, there is a need for a new management approach. To this end, the desired outputs that are to be

achieved in the short, medium and long term should be clearly set and, at the same time, the institutions that

have a role and function in obtaining these outcomes should work in cooperation.

Coordination

• Achieving targeted results depends on the development of cooperation among public institutions based on

accountability relations. In cooperation established on the grounds of accountability, who will be responsible for

what and how long, resource needs and allocations, commitments and expectations should be clearly

determined.

Planning

61

• Public institutions should start working in cooperation within the framework of accountability, relevant public

institutions should set their objectives and develop strategies and action plans in order to reach set objectives.

Additionally, Istanbul should be integrated into the strategic plan.

• Necessary measures should be taken to carry out damage assessment and designation of beneficiaries properly

and within the shortest possible time.

Technical Personnel

• A sufficient number of technical personnel who are to carry out damage assessment activities and designate

beneficiaries should be trained beforehand.

Ukraine - International Coordinated Audit of Chernobyl Shelter Funds, 2007-08

• Establish specific performance benchmarks for the project that need to be met before additional pledges of

funds are made in the future;

• Facilitate accountability and transparency while financing the Project by the EBRD;

• Perform auditing of contract awards, planning, implementation, acceptance and invoicing under the criteria of

regularity and performance in order to evaluate the effectiveness of CSF's mission performance.

Canada - Fall 2009 Emergency Management - Public Safety Canada

• The Privy Council Office and Public Safety Canada should ensure that all components of the Federal Emergency

Response Plan are completed and should obtain government approval for the plan

• As stipulated in the Emergency Management Act, Public Safety Canada should establish policies and programs

and provide advice for departments to follow when identifying risks and developing their emergency

management plans

• As stipulated in the Emergency Management Act, Public Safety Canada should ensure that its coordination role

for the federal response to an emergency is well defined and that the operational policies and plans that

departments will follow are updated and consistent

• Based on the responsibilities outlined in the Emergency Management Act, Public Safety Canada should provide

policies and guidance for departmental sector heads to determine their infrastructure and assess its criticality,

based on risk and its significance for the safety and security of Canadians; it should establish policies and

programs to prepare plans to protect the infrastructure.

62

63